Automatically check for Security Updates on CentOS or Scientific Linux?

Question

We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port.

RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16.

Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however.

CentOS does not support yum-plugin-security.

I monitor the CentOS and Scientific Linux mailinglists for updates, but this is tedious and I want something which can be automated.

For those of us who maintain CentOS and SL systems, are there any tools which can:

1. Automatically (Progamatically, via cron) inform us if there are known vulnerabilities with my current RPMs.
2. Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be yum update-minimal --security on the commandline?

I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?

Answer 1

If you absolutely want to use yum security plugin, there is a way to do this, although a little elaborate. But once you have it setup, it's all automated.

The only requirement is that you will need to have at-least one subscription to RHN. Which is a good investment IMO, but lets stick to the point.

1. Once you have the subscription, you can use mrepo, or reposync, to setup an in house Yum repo, that mirrors CentOS repos. (or you could just use rsync).
2. Then use the script attached to this mailing list post, to periodically connect to your RHN subscription, to download security packages info. Now you have two options.
   1. Extract just the package names from the generated "updateinfo.xml" file. And use that information to "search" your servers for Rpms needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler, gives you everything you want, but you can't use yum security.
   2. The other option is to use the modifyrepo command as shown here, to inject updateinfo.xml into repomd.xml. Before doing this, you will have to modify the perl script to change the Rpm MD5 sums inside the xml, from the RHN to Centos sums. And you will have to make sure if CentOS repos actually have all Rpms mentioned in updateinfo.xml, as they are behind RHN sometimes. But that's fine, you can ignore the updates CentOS hasn't caught up with, as there is little you can do about it, short of building them from SRPMs.

With option 2, you can install yum security plugin on all clients, and it will work.

Edit: This also works for Redhat RHEL 5 and 6 machines. And is simpler than using a heavy weight solution like Spacewalk or Pulp.

Answer 2

Scientific Linux can now list security updates from the commandline. Furthermore I can update a system to only apply security updates, which is better then the default ("Just update everything! Including bugfixes which you don't care about and which introduce regressions."

I have tested this on both Scientific Linux 6.1 and a 6.4. I'm not sure when this was officially announced, but I'll post more when I find out.

Here are some examples.

List a summary of security updates:

[root@node1 ~]# yum updateinfo
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
Updates Information Summary: available
    4 Security notice(s)
        1 important Security notice(s)
        3 moderate Security notice(s)
    2 Bugfix notice(s)
updateinfo summary done

root@node1 ~]# yum list-sec
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
SLSA-2013:1459-1 moderate/Sec.  gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-devel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1436-1 moderate/Sec.  kernel-headers-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1457-1 moderate/Sec.  libgcrypt-1.4.5-11.el6_4.x86_64
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix         selinux-policy-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-3.7.19-195.el6_4.18.noarch
SLBA-2013:1486-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
updateinfo list done

List by CVE:

[root@node2 ~]# yum list-sec cves
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * epel: mirrors.kernel.org
 * sl6x: ftp.scientificlinux.org
 * sl6x-security: ftp.scientificlinux.org
7404 packages excluded due to repository priority protections
 CVE-2012-6085 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4351 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4402 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4162 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4299 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4162 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4299 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4242 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
updateinfo list done

And then I can apply the minimal set of changes required to

[root@node1 ~]# yum update-minimal --security

Or, just patch everything:

[root@node1 ~]# yum --quiet --security check-update

gnutls.x86_64                                      2.8.5-14.el6_5                                     sl-security
libtasn1.x86_64                                    2.3-6.el6_5                                        sl-security
[root@node1 ~]# yum --quiet --security update

=================================================================================================================
 Package                 Arch                  Version                          Repository                  Size
=================================================================================================================
Updating:
 gnutls                  x86_64                2.8.5-14.el6_5                   sl-security                345 k
 libtasn1                x86_64                2.3-6.el6_5                      sl-security                237 k

Transaction Summary
=================================================================================================================
Upgrade       2 Package(s)

Is this ok [y/N]: Y
[root@node1 ~]#

If I try this same command on a CentOS6 box, I don't get any results. I know for a fact that some of the '137 packages available' contain security fixes, because I received the errata notices yesterday via the CentOS mailinglists.

[root@node1 ~]# yum --security check-update 
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * epel: mirrors.kernel.org
 * extras: mirror.web-ster.com
 * updates: mirrors.kernel.org
Limiting package lists to security relevant ones
No packages needed for security; 137 packages available
[root@node1 ~]#

Answer 3

I had the same problem. I took a stab at creating some Python code to pull together Yum Updates and advisories from the steve-meier Errata site mentioned above (I filter it based on installed packages).

In case it helps, here is the source: https://github.com/wied03/centos-package-cron

Answer 4

Scientific Linux (at least 6.2 and 6.3; I don't have any 6.1 systems left) not only supports yum-plugin-security but the configuration file for for yum-autoupdate, /etc/sysconfig/yum-autoupdate, allows you enable only the installation of security updates.

# USE_YUMSEC
#   This switches from using yum update to using yum-plugin-security
#     true  - run 'yum --security' update rather than 'yum update'
#     false - defaults to traditional behavior running 'yum update' (default)
#   + anything other than true defaults to false
#USE_YUMSEC="false"
USE_YUMSEC="true"

Answer 5

Since you have CFEngine, you could apply changes to groups of systems at time based on the security updates posted at: http://twitter.com/#!/CentOS_Announce

I'm not the biggest server security engineer out there... but I tend to find that I only care about a few packages when it comes to security. Anything that's public-facing (ssl, ssh, apache) or has a major exploit gets priority. Everything else gets evaluated quarterly. I don't want these things upgraded automatically because updated packages can potentially break other items on a production system.

Answer 6

You can also try generate_updateinfo project. It is a python script which processes errata.latest.xml file compiled by CEFS project and generates updateinfo.xml file with security updates metadata. You can then inject it to your local CentOS 6 (7) update repository. It is pretty straightforward to integrate it with custom/local repositories created by createrepo command:

• mirror repository with reposync command
• create local repository with createrepo command
• download and generate updateinfo.xml file with generate_updateinfo.py script
• inject generated security updates metadata to your local repository with modifyrepo command

Answer 7

For Centos 6, Centos 7 and Centos 8 the easiest way is to use Steve Meier's Updateinfo: a yum repository with CentOS Errata information.

It's a ready yum repo served and updated by the author of the CEFS project.

It is a paid service but as of now it costs only a mere $3 per month for an unlimited number of servers (but using a mirror for a big fleet is recommended).

Note that it's the same thing as you can do yourself according to dsmsk80's answer. But don't you prefer to support the enthusiast who made this solution possible instead? :)

Answer 8

On CentOS you can use

yum list updates

instead of yum-plugin-security, or maybe you want to try this script scanning based on CentOS security news feeds: LVPS.

Answer 9

On CentOS6, you can use the yum-security plugin:

yum install yum-security

Check with:

yum --security check-update

This command returns code 0 if no security updates are available.

In combination with yum-cron, you can get an email only on available security updates by modifying file /etc/sysconfig/yum-cron:

YUM_PARAMETER="--security"