Automatically check for Security Updates on CentOS or Scientific Linux?

Solution 1:

If you absolutely want to use the yum security plugin, there is a way to do this, although it is a little elaborate. But once you have it set up, it's all automated.

The only requirement is that you will need to have at least one subscription to RHN, which is a good investment IMO, but let's stick to the point.

  1. Once you have the subscription, you can use mrepo, or reposync, to set up an in-house yum repo that mirrors the CentOS repos (or you could just use rsync).
  2. Then use the script attached to this mailing list post to periodically connect to your RHN subscription and download the security package info. Now you have two options.
    1. Extract just the package names from the generated "updateinfo.xml" file, and use that information to "search" your servers for RPMs needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler and gives you everything you want, but you can't use yum security.
    2. The other option is to use the modifyrepo command as shown here to inject updateinfo.xml into repomd.xml. Before doing this, you will have to modify the perl script to change the RPM MD5 sums inside the xml from the RHN sums to the CentOS sums. And you will have to make sure that the CentOS repos actually have all the RPMs mentioned in updateinfo.xml, as they are sometimes behind RHN. But that's fine; you can ignore the updates CentOS hasn't caught up with, as there is little you can do about it, short of building them from SRPMs.

With option 2, you can install the yum security plugin on all clients, and it will work.

Edit: This also works for Red Hat RHEL 5 and 6 machines, and is simpler than using a heavyweight solution like Spacewalk or Pulp.

Solution 2:

Scientific Linux can now list security updates from the command line. Furthermore, I can update a system to only apply security updates, which is better than the default ("Just update everything! Including bugfixes which you don't care about and which introduce regressions.").

I have tested this on both Scientific Linux 6.1 and a 6.4. I'm not sure when this was officially announced, but I'll post more when I find out.

Here are some examples.

List a summary of security updates:

[root@node1 ~]# yum updateinfo
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
Updates Information Summary: available
    4 Security notice(s)
        1 important Security notice(s)
        3 moderate Security notice(s)
    2 Bugfix notice(s)
updateinfo summary done

[root@node1 ~]# yum list-sec
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
SLSA-2013:1459-1 moderate/Sec.  gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-devel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1436-1 moderate/Sec.  kernel-headers-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1457-1 moderate/Sec.  libgcrypt-1.4.5-11.el6_4.x86_64
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix         selinux-policy-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-3.7.19-195.el6_4.18.noarch
SLBA-2013:1486-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix         selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
updateinfo list done

List by CVE:

[root@node2 ~]# yum list-sec cves
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * epel:
 * sl6x:
 * sl6x-security:
7404 packages excluded due to repository priority protections
 CVE-2012-6085 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4351 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4402 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
 CVE-2013-4162 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4299 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
 CVE-2013-4162 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4299 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
 CVE-2013-4242 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
updateinfo list done

And then I can apply the minimal set of changes required to

[root@node1 ~]# yum update-minimal --security

Or, just patch everything:

[root@node1 ~]# yum --quiet --security check-update

gnutls.x86_64                                      2.8.5-14.el6_5                                     sl-security
libtasn1.x86_64                                    2.3-6.el6_5                                        sl-security
[root@node1 ~]# yum --quiet --security update

 Package                 Arch                  Version                          Repository                  Size
 gnutls                  x86_64                2.8.5-14.el6_5                   sl-security                345 k
 libtasn1                x86_64                2.3-6.el6_5                      sl-security                237 k

Transaction Summary
Upgrade       2 Package(s)

Is this ok [y/N]: Y
[root@node1 ~]#

If I try the same command on a CentOS 6 box, I don't get any results. I know for a fact that some of the '137 packages available' contain security fixes, because I received the errata notices yesterday via the CentOS mailing lists.

[root@node1 ~]# yum --security check-update
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Limiting package lists to security relevant ones
No packages needed for security; 137 packages available
[root@node1 ~]#

Solution 3:

I had the same problem. I took a stab at creating some Python code to pull together yum updates and advisories from the steve-meier errata site mentioned above (I filter it based on installed packages).

In case it helps, here is the source:
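The poster's script is not reproduced on the page. As an added example (not that poster's code, and not yum's own logic), here is a small Python check covering the approach of Solution 1, option 1, and of Solution 3: parse an updateinfo.xml, keep only the advisories of type "security", and compare their packages against the host's installed RPMs. The XML sample, the rpm -qa listing and the simplified rpmvercmp are constructed assumptions; the advisory and CVE ids are the ones quoted in the answers above.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the RHN/SL updateinfo.xml layout. The advisory and CVE
# ids are the ones quoted in the answers above; everything else is made up.
UPDATEINFO = """<updates>
<update type="security"><id>SLSA-2013:1459-1</id><severity>Moderate</severity>
 <references><reference type="cve" id="CVE-2012-6085"/><reference type="cve" id="CVE-2013-4351"/></references>
 <pkglist><collection><package name="gnupg2" version="2.0.14" release="6.el6_4" arch="x86_64"/></collection></pkglist></update>
<update type="security"><id>SLSA-2013:1270-1</id><severity>Important</severity>
 <pkglist><collection><package name="polkit" version="0.96" release="5.el6_4" arch="x86_64"/></collection></pkglist></update>
<update type="bugfix"><id>SLBA-2013:1486-1</id><severity>None</severity>
 <pkglist><collection><package name="selinux-policy" version="3.7.19" release="195.el6_4.13" arch="noarch"/></collection></pkglist></update>
</updates>"""
# Constructed output of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'
INSTALLED = """gnupg2 2.0.14 4.el6 x86_64
polkit 0.96 5.el6_4 x86_64
selinux-policy 3.7.19 195.el6_4.10 noarch
"""

def _vercmp(a, b):
    """Minimal rpmvercmp: numeric segments compare as ints, letters as text."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # rpm rule: numeric beats alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_advisories(xml_text):
    """Yield (id, type, severity, [cve ids], [(name, version, release, arch)])."""
    for upd in ET.fromstring(xml_text).iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("version"), p.get("release"), p.get("arch"))
                for p in upd.iter("package")]
        yield upd.findtext("id"), upd.get("type"), upd.findtext("severity"), cves, pkgs

def pending_security(xml_text, installed_text):
    """Installed packages a 'security' advisory supersedes (roughly what 'yum list-sec' shows)."""
    inst = {(n, a): (v, r) for n, v, r, a in map(str.split, installed_text.splitlines())}
    out = []
    for adv, kind, sev, cves, pkgs in parse_advisories(xml_text):
        for name, ver, rel, arch in (pkgs if kind == "security" else ()):  # drop bugfix/enhancement
            if have := inst.get((name, arch)):    # not installed: nothing to patch
                c = _vercmp(have[0], ver)
                if c < 0 or (c == 0 and _vercmp(have[1], rel) < 0):
                    out.append((adv, sev, "%s-%s-%s.%s" % (name, ver, rel, arch), cves))
    return out
```

The polkit advisory is dropped because the installed build already matches it, and the selinux-policy advisory because it is a bugfix; only the gnupg2 advisory is reported, with its CVE list.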

Solution 4:

Scientific Linux (at least 6.2 and 6.3; I don't have any 6.1 systems left) not only supports yum-plugin-security, but the configuration file for yum-autoupdate, /etc/sysconfig/yum-autoupdate, allows you to enable the installation of security updates only.

#   This switches from using yum update to using yum-plugin-security
#     true  - run 'yum --security' update rather than 'yum update'
#     false - defaults to traditional behavior running 'yum update' (default)
#   + anything other than true defaults to false