Confirming that yum-cron is configured properly on a CentOS 7 server
Is there any way to test whether yum-cron is configured properly? I need to confirm that it will automatically install security patches and that it will email me when it does so.
I have a CentOS 7 web server with yum-cron installed. It's been running for a few months and I haven't received any emails, nor do I see any updates in /var/log/yum.log. I think this is because there haven't actually been any security updates affecting me. When I run yum --security list updates I get the message No packages needed for security, and I don't see any recent critical patches affecting me in centos-announce.
My /etc/yum/yum-cron.conf looks something like the following, with a real email address instead of [email protected]:
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
[emitters]
emit_via = stdio,email
[email]
email_from = root@localhost
email_to = root,[email protected]
email_host = localhost
Your test looks right, but AFAICT the problem is that the main CentOS repositories unfortunately don't come with the required information to support security-only updates the way RHEL does. Please refer to this discussion for the details:
https://www.centos.org/forums/viewtopic.php?f=47&t=51300
On CentOS it looks like you can only really use yum-cron for automatic full upgrades as in:
update_cmd = default
otherwise you only get security upgrades from any external repositories you happen to use (like e.g. EPEL).
On our own CentOS 7 servers we use that default combined with download and notify-only rules, which we then manually act on.
As a workaround you could probably maintain a local yum repository with only the security updates and automatically apply full upgrades from there. It would still require manual maintenance of that security repository, but then at least all your servers could auto upgrade from there.
You should be able to see if the job is running by the cron log.
grep yum.cron /var/log/cron | tail -10
If you see output here you can then verify.
tail -10 /var/log/yum.log
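An added example, not part of the original posts: a shell check of the yum-cron.conf keys shown in the question, flagging settings that would skip installation or email and noting the update_cmd = security caveat from the first answer. The sample config and the address admin@example.com are constructed placeholders, and treating yes/true/1 as enabled is an assumption about yum's boolean parsing.

```shell
# Added example, not from the original posts: audit yum-cron.conf settings.
# ini_get FILE SECTION KEY: print the last value of KEY in [SECTION], if any.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_yum_cron FILE: print findings; return 1 if patching or mail is off.
audit_yum_cron() {
    rc=0
    cmd=$(ini_get "$1" commands update_cmd)
    apply=$(ini_get "$1" commands apply_updates | tr 'A-Z' 'a-z')
    emit=$(ini_get "$1" emitters emit_via | tr -d ' \t')
    to=$(ini_get "$1" email email_to)
    # Assumption: yes/true/1 (any case) count as enabled.
    case "$apply" in
        yes|true|1) ;;
        *) echo "WARN apply_updates=${apply:-unset}: updates are not installed"; rc=1 ;;
    esac
    case ",$emit," in
        *,email,*) [ -n "$to" ] || { echo "WARN email_to is unset"; rc=1; } ;;
        *) echo "WARN emit_via=${emit:-unset}: no email will be sent"; rc=1 ;;
    esac
    # Caveat from the first answer: security-only mode depends on repo metadata.
    [ "$cmd" != security ] || echo "NOTE update_cmd=security: only repos that publish security metadata yield updates"
    return "$rc"
}

# Constructed sample modelled on the question's config (placeholder address).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
update_cmd = security
apply_updates = yes
[emitters]
emit_via = stdio,email
[email]
email_to = root,admin@example.com
EOF
audit_yum_cron "$sample"
rm -f "$sample"
```

On a real host, point it at the live file with audit_yum_cron /etc/yum/yum-cron.conf; a NOTE line with exit status 0 matches the situation described in the question.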