We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port.

RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16.

Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however.

CentOS does not support yum-plugin-security.

I monitor the CentOS and Scientific Linux mailing lists for updates, but this is tedious and I want something which can be automated.

For those of us who maintain CentOS and SL systems, are there any tools which can:

  1. Automatically (programmatically, via cron) inform us if there are known vulnerabilities with my current RPMs.
  2. Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be `yum update-minimal --security` on the command line?

I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?

Stefan Lasiewski
  • Do you have any configuration management system in place? Puppet? CFEngine? – ewwhite Mar 14 '12 at 22:36
  • Yes, I have Cfengine. I'm thinking about Puppet. – Stefan Lasiewski Mar 14 '12 at 22:39
  • yum-updatesd used to do something similar (notify about new updates, and mention if any were security updates) - but I don't believe it is in the CentOS 6 (or EPEL) repos. You might be able to adapt the scripts on the [CentOS Wiki](http://wiki.centos.org/YumCheckOrInstallUpdates) fairly easily though. – cyberx86 Mar 14 '12 at 23:18

9 Answers

If you absolutely want to use the yum security plugin, there is a way to do this, although it is a little elaborate. But once you have it set up, it's all automated.

The only requirement is that you will need to have at least one subscription to RHN, which is a good investment IMO, but let's stick to the point.

  1. Once you have the subscription, you can use mrepo or reposync to set up an in-house yum repo that mirrors the CentOS repos (or you could just use rsync).
  2. Then use the script attached to this mailing list post to periodically connect to your RHN subscription and download the security package info. Now you have two options.
    1. Extract just the package names from the generated "updateinfo.xml" file, and use that information to "search" your servers for RPMs needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler and gives you everything you want, but you can't use yum security.
    2. The other option is to use the modifyrepo command as shown here to inject updateinfo.xml into repomd.xml. Before doing this, you will have to modify the perl script to change the RPM MD5 sums inside the XML from the RHN sums to the CentOS sums. And you will have to make sure the CentOS repos actually have all the RPMs mentioned in updateinfo.xml, as they are behind RHN sometimes. But that's fine; you can ignore the updates CentOS hasn't caught up with, as there is little you can do about it short of building them from SRPMs.

With option 2, you can install the yum security plugin on all clients, and it will work.

Edit: This also works for Red Hat RHEL 5 and 6 machines, and is simpler than using a heavyweight solution like Spacewalk or Pulp.

Not Now
  • While this answer is informative it does not provide the best solutions as of 2020. For a very easy to use, although paid (just $3/month though), solution please see [my answer](https://serverfault.com/a/1037206/190032). For a free one, but requiring some work, see [dsmsk80's answer](https://serverfault.com/a/837440/190032). – Greg Dubicki Oct 10 '20 at 17:52
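As an added example for option 1 above (extract the package names from updateinfo.xml and search your servers for RPMs that need a security update), and for the cron-driven notification the question asks about, here is a stand-alone Python script. It is not from this answer, the linked mailing-list script or any distribution tool. It parses an updateinfo.xml, matches each advisory's packages against the installed RPM list, and reports only advisories whose fix is newer than what is installed, using a re-implementation of rpm's version comparison so that 195.el6_4.13 sorts below 195.el6_4.18 and 1.0~rc1 below 1.0. The updateinfo.xml snippet and the installed-package list are constructed samples; on a real host the list would come from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`.

```python
# Added example: compare the advisories in an updateinfo.xml against the RPMs
# installed on a host. Not code from the answer, the mailing-list script or any
# distribution tool; the samples below are constructed.
import re
import sys
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml in the element layout yum's security plugin reads.
SAMPLE_UPDATEINFO = """<?xml version="1.0"?>
<updates>
  <update type="security"><id>EXAMPLE-SA-0001</id><severity>Moderate</severity>
    <pkglist><collection short="base">
      <package name="gnupg2" epoch="0" version="2.0.14" release="6.el6_4" arch="x86_64"/>
    </collection></pkglist></update>
  <update type="security"><id>EXAMPLE-SA-0002</id><severity>Important</severity>
    <pkglist><collection short="base">
      <package name="polkit" epoch="0" version="0.96" release="5.el6_4" arch="x86_64"/>
    </collection></pkglist></update>
  <update type="bugfix"><id>EXAMPLE-BA-0003</id>
    <pkglist><collection short="base">
      <package name="selinux-policy" epoch="0" version="3.7.19" release="195.el6_4.18" arch="noarch"/>
    </collection></pkglist></update>
</updates>
"""

# Constructed stand-in for the output of:
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
SAMPLE_INSTALLED = """\
gnupg2 (none) 2.0.14 4.el6 x86_64
polkit (none) 0.96 5.el6_4 x86_64
selinux-policy (none) 3.7.19 195.el6_4.13 noarch
bash (none) 4.1.2 15.el6_4 x86_64
"""


def _segments(label):
    # rpm splits a label into numeric runs, alphabetic runs and tildes;
    # every other character is a separator.
    return re.findall(r"[0-9]+|[A-Za-z]+|~", label)


def rpmvercmp(a, b):
    """Re-implementation of rpm's rpmvercmp(): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde sorts before everything else
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() and y.isdigit():   # numeric vs numeric: compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # A leftover tilde marks a pre-release, so the shorter label is the newer one.
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def evr_cmp(evr1, evr2):
    """Compare (epoch, version, release) tuples in rpm order: epoch first."""
    for x, y in zip(evr1, evr2):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_installed(text):
    """Map (name, arch) -> (epoch, version, release); rpm prints '(none)' for no epoch."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, ver, rel, arch = line.split()
            installed[(name, arch)] = ("0" if epoch == "(none)" else epoch, ver, rel)
    return installed


def parse_updateinfo(xml_text, types=("security",)):
    """Yield (advisory, severity, name, arch, (epoch, version, release)) per package."""
    for upd in ET.fromstring(xml_text).findall("update"):
        if upd.get("type") not in types:
            continue
        adv = upd.findtext("id", "?")
        sev = (upd.findtext("severity") or "unknown").lower()
        for pkg in upd.iter("package"):
            evr = (pkg.get("epoch") or "0", pkg.get("version"), pkg.get("release"))
            yield adv, sev, pkg.get("name"), pkg.get("arch"), evr


def pending_advisories(xml_text, installed_text, types=("security",)):
    """Advisories whose fixed package is newer than the one installed here."""
    installed = parse_installed(installed_text)
    hits = []
    for adv, sev, name, arch, fixed in parse_updateinfo(xml_text, types):
        current = installed.get((name, arch))
        if current is None:          # package not installed: advisory does not apply
            continue
        if evr_cmp(current, fixed) < 0:
            hits.append((adv, sev, name, arch,
                         "-".join(current[1:]), "-".join(fixed[1:])))
    return sorted(hits)


if __name__ == "__main__":
    # With real data: read updateinfo.xml from disk and feed in the rpm -qa output.
    hits = pending_advisories(SAMPLE_UPDATEINFO, SAMPLE_INSTALLED)
    for adv, sev, name, arch, have, need in hits:
        print(f"{adv} {sev}: {name}.{arch} installed {have}, fixed in {need}")
    sys.exit(1 if hits else 0)  # non-zero exit so cron only mails when something is pending
```

Run from cron, the printed lines (or the non-zero exit status) are what trigger the mail. Advisories for packages that are not installed are skipped, and the epoch is compared before the version, as rpm does, so a package with a bumped epoch is not misreported by a version-only comparison. Pass `types=("security", "bugfix")` to include bugfix advisories as well.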

Scientific Linux can now list security updates from the command line. Furthermore, I can update a system to apply only security updates, which is better than the default ("Just update everything! Including bugfixes which you don't care about and which introduce regressions.").

I have tested this on both Scientific Linux 6.1 and 6.4. I'm not sure when this was officially announced, but I'll post more when I find out.

Here are some examples.

List a summary of security updates:

[root@node1 ~]# yum updateinfo
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
Updates Information Summary: available
    4 Security notice(s)
        1 important Security notice(s)
        3 moderate Security notice(s)
    2 Bugfix notice(s)
updateinfo summary done

[root@node1 ~]# yum list-sec
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
SLSA-2013:1459-1 moderate/Sec.  gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-devel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1436-1 moderate/Sec.  kernel-headers-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1457-1 moderate/Sec.  libgcrypt-1.4.5-11.el6_4.x86_64
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix         selinux-policy-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-3.7.19-195.el6_4.18.noarch
SLBA-2013:1486-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
updateinfo list done

List by CVE:

[root@node2 ~]# yum list-sec cves
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * epel: mirrors.kernel.org
 * sl6x: ftp.scientificlinux.org
 * sl6x-security: ftp.scientificlinux.org
7404 packages excluded due to repository priority protections
 CVE-2012-6085 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4351 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4402 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4162 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4299 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4162 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4299 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4242 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
updateinfo list done

And then I can apply the minimal set of changes required to

[root@node1 ~]# yum update-minimal --security

Or, just patch everything:

[root@node1 ~]# yum --quiet --security check-update

gnutls.x86_64                                      2.8.5-14.el6_5                                     sl-security
libtasn1.x86_64                                    2.3-6.el6_5                                        sl-security
[root@node1 ~]# yum --quiet --security update

=================================================================================================================
 Package                 Arch                  Version                          Repository                  Size
=================================================================================================================
Updating:
 gnutls                  x86_64                2.8.5-14.el6_5                   sl-security                345 k
 libtasn1                x86_64                2.3-6.el6_5                      sl-security                237 k

Transaction Summary
=================================================================================================================
Upgrade       2 Package(s)

Is this ok [y/N]: Y
[root@node1 ~]#

If I try this same command on a CentOS6 box, I don't get any results. I know for a fact that some of the '137 packages available' contain security fixes, because I received the errata notices yesterday via the CentOS mailing lists.

[root@node1 ~]# yum --security check-update 
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * epel: mirrors.kernel.org
 * extras: mirror.web-ster.com
 * updates: mirrors.kernel.org
Limiting package lists to security relevant ones
No packages needed for security; 137 packages available
[root@node1 ~]#
Stefan Lasiewski

I had the same problem. I took a stab at creating some Python code to pull together Yum Updates and advisories from the steve-meier Errata site mentioned above (I filter it based on installed packages).

In case it helps, here is the source: https://github.com/wied03/centos-package-cron

Brady Wied

Scientific Linux (at least 6.2 and 6.3; I don't have any 6.1 systems left) not only supports yum-plugin-security, but the configuration file for yum-autoupdate, /etc/sysconfig/yum-autoupdate, allows you to enable the installation of security updates only.

# USE_YUMSEC
#   This switches from using yum update to using yum-plugin-security
#     true  - run 'yum --security' update rather than 'yum update'
#     false - defaults to traditional behavior running 'yum update' (default)
#   + anything other than true defaults to false
#USE_YUMSEC="false"
USE_YUMSEC="true"
Joshua Hoblitt

Since you have CFEngine, you could apply changes to groups of systems at a time based on the security updates posted at: http://twitter.com/#!/CentOS_Announce

I'm not the biggest server security engineer out there... but I tend to find that I only care about a few packages when it comes to security. Anything that's public-facing (ssl, ssh, apache) or has a major exploit gets priority. Everything else gets evaluated quarterly. I don't want these things upgraded automatically because updated packages can potentially break other items on a production system.

ewwhite
  • The twitter feed mentioned above is bad advice IMO in 2017+. It hasn't received any updates since Oct. 10, 2012. – slm Jan 23 '17 at 03:50

You can also try the generate_updateinfo project. It is a Python script which processes the errata.latest.xml file compiled by the CEFS project and generates an updateinfo.xml file with security updates metadata. You can then inject it into your local CentOS 6 (7) update repository. It is pretty straightforward to integrate with custom/local repositories created by the createrepo command:

  • mirror the repository with the reposync command
  • create a local repository with the createrepo command
  • download and generate the updateinfo.xml file with the generate_updateinfo.py script
  • inject the generated security updates metadata into your local repository with the modifyrepo command
dsmsk80
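After the modifyrepo step it is worth confirming that clients will actually see the metadata: yum only reads advisories if repomd.xml carries a `<data type="updateinfo">` entry whose checksums match the file on disk, and if createrepo is re-run after modifyrepo the regenerated repomd.xml no longer references it. The following Python check is an added example, not part of the generate_updateinfo, CEFS or createrepo projects. Its build_sample_repo() fabricates a repodata/ directory in the layout I assume modifyrepo writes (a checksum-prefixed updateinfo.xml.gz plus checksum, open-checksum, location and size entries), and the updateinfo.xml inside it is constructed; on a real repository you would call check_updateinfo() with the mirror's base directory.

```python
# Added example: confirm that updateinfo metadata is really published in a
# local repo before pointing clients at it. Not part of generate_updateinfo,
# CEFS or createrepo; build_sample_repo() fabricates a repodata/ directory in
# the layout modifyrepo is assumed to write, and its contents are constructed.
import gzip
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Constructed updateinfo.xml with two security advisories and one bugfix.
SAMPLE_UPDATEINFO = """<?xml version="1.0"?>
<updates>
  <update type="security"><id>EXAMPLE-SA-0001</id><severity>Important</severity></update>
  <update type="security"><id>EXAMPLE-SA-0002</id><severity>Moderate</severity></update>
  <update type="bugfix"><id>EXAMPLE-BA-0003</id></update>
</updates>
"""


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_repo(base):
    """Write repodata/<sha256>-updateinfo.xml.gz and a repomd.xml that points at it."""
    repodata = os.path.join(base, "repodata")
    os.makedirs(repodata, exist_ok=True)
    raw = SAMPLE_UPDATEINFO.encode()
    gz = gzip.compress(raw)
    fname = f"{_sha256(gz)}-updateinfo.xml.gz"
    with open(os.path.join(repodata, fname), "wb") as fh:
        fh.write(gz)
    repomd = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="{REPOMD_NS}">
  <data type="updateinfo">
    <checksum type="sha256">{_sha256(gz)}</checksum>
    <open-checksum type="sha256">{_sha256(raw)}</open-checksum>
    <location href="repodata/{fname}"/>
    <size>{len(gz)}</size>
    <open-size>{len(raw)}</open-size>
  </data>
</repomd>
"""
    with open(os.path.join(repodata, "repomd.xml"), "w", encoding="utf-8") as fh:
        fh.write(repomd)


def check_updateinfo(base):
    """Return (ok, detail): ok only if repomd.xml references an updateinfo file
    that exists and whose sha256 (compressed and uncompressed) matches."""
    ns = {"r": REPOMD_NS}
    root = ET.parse(os.path.join(base, "repodata", "repomd.xml")).getroot()
    entry = next((d for d in root.findall("r:data", ns) if d.get("type") == "updateinfo"), None)
    if entry is None:
        return False, 'repomd.xml has no <data type="updateinfo"> entry (modifyrepo not run?)'
    href = entry.find("r:location", ns).get("href")
    path = os.path.join(base, href)
    if not os.path.isfile(path):
        return False, f"referenced file missing: {href}"
    with open(path, "rb") as fh:
        gz = fh.read()
    if _sha256(gz) != entry.findtext("r:checksum", namespaces=ns):
        return False, f"checksum mismatch for {href} (stale repomd.xml?)"
    raw = gzip.decompress(gz)
    open_sum = entry.findtext("r:open-checksum", namespaces=ns)
    if open_sum and _sha256(raw) != open_sum:
        return False, f"open-checksum mismatch for {href}"
    security = sum(1 for u in ET.fromstring(raw).findall("update")
                   if u.get("type") == "security")
    return True, f"{security} security advisories in {href}"


def run_demo():
    """Verify a freshly built sample repo, then break it to show the failure path."""
    base = tempfile.mkdtemp(prefix="repo-demo-")
    try:
        build_sample_repo(base)
        good = check_updateinfo(base)
        for name in os.listdir(os.path.join(base, "repodata")):
            if name.endswith("-updateinfo.xml.gz"):
                os.remove(os.path.join(base, "repodata", name))
        broken = check_updateinfo(base)
    finally:
        shutil.rmtree(base)
    return good, broken


if __name__ == "__main__":
    for ok, detail in run_demo():
        print("OK  " if ok else "FAIL", detail)
```

The check reads repomd.xml with the same namespace and elements yum uses, so a passing result means a client pointed at this repo will load the advisories; the count of security advisories is a quick sanity check that generate_updateinfo.py produced something rather than an empty file.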

For CentOS 6, CentOS 7 and CentOS 8 the easiest way is to use Steve Meier's Updateinfo: a yum repository with CentOS Errata information.

It's a ready-to-use yum repo served and updated by the author of the CEFS project.

It is a paid service, but as of now it costs only a mere $3 per month for an unlimited number of servers (using a mirror for a big fleet is recommended, though).

Note that it's the same thing you can do yourself according to dsmsk80's answer. But don't you prefer to support the enthusiast who made this solution possible instead? :)

Greg Dubicki

On CentOS you can use

yum list updates

instead of yum-plugin-security, or maybe you want to try this script scanning based on CentOS security news feeds: LVPS.

Bill the Lizard

On CentOS6, you can use the yum-security plugin:

yum install yum-security

Check with:

yum --security check-update

This command returns code 0 if no security updates are available.

In combination with yum-cron, you can get an email only on available security updates by modifying file /etc/sysconfig/yum-cron:

YUM_PARAMETER="--security"
Bertl
  • The Yum security plugin doesn't work for me on CentOS6. It does work on RHEL and Scientific Linux, however. – Stefan Lasiewski Jun 02 '14 at 05:50
  • What does it mean "it doesn't work". It's part of CentOS6-Base and is installed on many installations here. yum-plugin-security.noarch 1.1.30-17.el6_5 @updates – Bertl Jun 04 '14 at 05:42
  • What I mean is that when I run `yum --security check-update`, the command returns with `No packages needed for security; 137 packages available`. I know for a fact that some of the available updates contain security fixes. The updates are available in the CentOS 'base' repository, but they are not marked as security fixes. CentOS does not currently provide a yum repository for the security patches, unlike Red Hat, Scientific Linux and EPEL. – Stefan Lasiewski Jun 04 '14 at 17:38
  • If it works for you, can you show how it works? – Stefan Lasiewski Jun 04 '14 at 17:39
  • You might be right. Tested on an older CentOS6 VM with 400 pending updates. yum --security check-updates shows nada. The EPEL repo seems to hold security info, but the CentOS update repos do not. – Bertl Jun 06 '14 at 05:41
  • See this thread about the issue: http://lists.centos.org/pipermail/centos-devel/2012-August/008675.html – Bertl Jun 06 '14 at 05:48
  • Here is what you requested. Pending security update for EPEL package: $ yum list-sec Loaded plugins: downloadonly, fastestmirror, priorities, refresh-packagekit, security Loading mirror speeds from cached hostfile * base: ftp.plusline.de * epel: mirrors.n-ix.net * extras: centos.copahost.com * updates: ftp.plusline.de 92 packages excluded due to repository priority protections FEDORA-EPEL-2014-1391 bugfix ssldump-0.9-0.9.b3.el6.x86_64 updateinfo list done – Bertl Jun 06 '14 at 05:52
  • Yes, in my experience EPEL works well. Just not CentOS6. I believe this is because CentOS6 does not maintain a security repo. With the agreement between CentOS & Red Hat, I wonder if that will change for the better. The security repo is a selling point for RHEL. – Stefan Lasiewski Jun 06 '14 at 15:39
  • Bert: It DOES not work on CentOS, CentOS reporting 0 security updates is not to be relied on. Ever. – Florian Heigl May 02 '15 at 18:36
  • Yes, I'm finding this out: `yum --security check-update` doesn't work on CentOS since CentOS repos do not flag updates as security updates like RHEL does. – Chris F Jan 19 '17 at 15:07