Automatically check for Security Updates on CentOS or Scientific Linux?
Solution 1:
If you absolutely want to use yum security plugin, there is a way to do this, although a little elaborate. But once you have it setup, it's all automated.
The only requirement is that you will need to have at-least one subscription to RHN. Which is a good investment IMO, but lets stick to the point.
- Once you have the subscription, you can use mrepo, or reposync, to setup an in house Yum repo, that mirrors CentOS repos. (or you could just use rsync).
- Then use the script attached to this mailing list post, to periodically connect to your RHN subscription, to download security packages info. Now you have two options.
- Extract just the package names from the generated "updateinfo.xml" file. And use that information to "search" your servers for Rpms needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler, gives you everything you want, but you can't use
yum security. - The other option is to use the
modifyrepocommand as shown here, to injectupdateinfo.xmlintorepomd.xml. Before doing this, you will have to modify the perl script to change the Rpm MD5 sums inside the xml, from the RHN to Centos sums. And you will have to make sure if CentOS repos actually have all Rpms mentioned inupdateinfo.xml, as they are behind RHN sometimes. But that's fine, you can ignore the updates CentOS hasn't caught up with, as there is little you can do about it, short of building them from SRPMs.
- Extract just the package names from the generated "updateinfo.xml" file. And use that information to "search" your servers for Rpms needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler, gives you everything you want, but you can't use
With option 2, you can install yum security plugin on all clients, and it will work.
Edit: This also works for Redhat RHEL 5 and 6 machines. And is simpler than using a heavy weight solution like Spacewalk or Pulp.
Solution 2:
Scientific Linux can now list security updates from the commandline. Furthermore I can update a system to only apply security updates, which is better then the default ("Just update everything! Including bugfixes which you don't care about and which introduce regressions."
I have tested this on both Scientific Linux 6.1 and a 6.4. I'm not sure when this was officially announced, but I'll post more when I find out.
Here are some examples.
List a summary of security updates:
[root@node1 ~]# yum updateinfo
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
Updates Information Summary: available
4 Security notice(s)
1 important Security notice(s)
3 moderate Security notice(s)
2 Bugfix notice(s)
updateinfo summary done
root@node1 ~]# yum list-sec
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
SLSA-2013:1459-1 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-devel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1436-1 moderate/Sec. kernel-headers-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1457-1 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix selinux-policy-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix selinux-policy-3.7.19-195.el6_4.18.noarch
SLBA-2013:1486-1 bugfix selinux-policy-targeted-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
updateinfo list done
List by CVE:
[root@node2 ~]# yum list-sec cves
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
* epel: mirrors.kernel.org
* sl6x: ftp.scientificlinux.org
* sl6x-security: ftp.scientificlinux.org
7404 packages excluded due to repository priority protections
CVE-2012-6085 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4351 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4402 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4162 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
CVE-2013-4299 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
CVE-2013-4162 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
CVE-2013-4299 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
CVE-2013-4242 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
updateinfo list done
And then I can apply the minimal set of changes required to
[root@node1 ~]# yum update-minimal --security
Or, just patch everything:
[root@node1 ~]# yum --quiet --security check-update
gnutls.x86_64 2.8.5-14.el6_5 sl-security
libtasn1.x86_64 2.3-6.el6_5 sl-security
[root@node1 ~]# yum --quiet --security update
=================================================================================================================
Package Arch Version Repository Size
=================================================================================================================
Updating:
gnutls x86_64 2.8.5-14.el6_5 sl-security 345 k
libtasn1 x86_64 2.3-6.el6_5 sl-security 237 k
Transaction Summary
=================================================================================================================
Upgrade 2 Package(s)
Is this ok [y/N]: Y
[root@node1 ~]#
If I try this same command on a CentOS6 box, I don't get any results. I know for a fact that some of the '137 packages available' contain security fixes, because I received the errata notices yesterday via the CentOS mailinglists.
[root@node1 ~]# yum --security check-update
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirrors.usc.edu
* epel: mirrors.kernel.org
* extras: mirror.web-ster.com
* updates: mirrors.kernel.org
Limiting package lists to security relevant ones
No packages needed for security; 137 packages available
[root@node1 ~]#
Solution 3:
I had the same problem. I took a stab at creating some Python code to pull together Yum Updates and advisories from the steve-meier Errata site mentioned above (I filter it based on installed packages).
In case it helps, here is the source: https://github.com/wied03/centos-package-cron
Solution 4:
Scientific Linux (at least 6.2 and 6.3; I don't have any 6.1 systems left) not only supports yum-plugin-security but the configuration file for for yum-autoupdate, /etc/sysconfig/yum-autoupdate, allows you enable only the installation of security updates.
# USE_YUMSEC
# This switches from using yum update to using yum-plugin-security
# true - run 'yum --security' update rather than 'yum update'
# false - defaults to traditional behavior running 'yum update' (default)
# + anything other than true defaults to false
#USE_YUMSEC="false"
USE_YUMSEC="true"