Mastering Linux Security and Hardening

Updating Red Hat 7-based systems

With Red Hat-based systems, which include CentOS and Oracle Linux, there's no automatic update mechanism that you can set up during installation. So, with the default configuration, you'll need to perform updates yourself:

  1. To update a Red Hat 7-based system, just run this one command:
sudo yum upgrade
  1. Sometimes, you might just want to see if there are any security-related updates that are ready to be installed. Do that by running the following command:
sudo yum updateinfo list updates security
  1. If any security updates are available, you'll see them at the end of the command output. On the system that I just tested, there was only one security update available, which looks like this:
FEDORA-EPEL-2019-d661b588d2 Low/Sec. nagios-common-4.4.3-1.el7.x86_64

updateinfo list done
  1. If you want to install only the security updates, run the following command:
sudo yum upgrade --security
  1. Now, let's say that you need a CentOS system to automatically update itself. You're in luck because there's a package for that. Install, enable, and start it by running the following commands:
sudo yum install yum-cron

sudo systemctl enable --now yum-cron
  1. To configure it, go into the /etc/yum directory, and edit the yum-cron.conf file. At the top of the file, you'll see this:
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = default

This lists the various types of upgrades we can do. The last line shows that we're set to update everything. 

  1. Let's say that you only want security updates to get applied automatically. Just change the last line to the following:
update_cmd = security
  1. On lines 15 and 20, you'll see these lines:
download_updates = yes
apply_updates = no

This indicates that by default, yum-cron is only set to automatically download updates, but not to install them. 

  1. If you want the updates to get automatically installed, change the apply_updates parameter to yes.
Note that unlike Ubuntu, there's no setting to make the system automatically reboot itself after an update.
  1. Finally, let's look at the mail settings for yum-cron, which you'll find on lines 48 through 57 of the yum-cron.conf file, as shown here:
[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost

# List of addresses to send messages to.
email_to = root

# Name of the host to connect to to send email messages.
email_host = localhost

As you can see, the email_to = line is set to send messages to the root user account. If you want to receive messages at your own account, just change it here. 

  1. To see the messages, you'll need to install a mail reader program, if one isn't already installed. (It hasn't been installed if you chose Minimal installation when you installed the operating system.) Your best bet is to install mutt, like so:
sudo yum install mutt
  1. When you open mutt and look at a message, you'll see something like this:

  1. As with all operating systems, certain updates will require that the system be restarted. And how do you know when the system needs to be restarted? With the needs-restarting command, of course. First, though, you need to make sure that needs-restarting is installed on your system. Do that with the following line of code:
sudo yum install yum-utils

Once the package is installed, there are three ways to use needs-restarting. If you just run the command without any option switches, you'll see the services that need to be restarted and the packages that require you to reboot the machine. You can also use the -s or -r options, as shown here
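
The yum-cron.conf keys edited in the steps above (update_cmd, download_updates, apply_updates and email_to) can be checked with a short script. This is an added example, not code from the book: the function names ini_get, yum_cron_audit and write_sample are hypothetical, the sample file is constructed, and it assumes that download_updates must also be yes before updates are applied.

```shell
# Added example (not from the book). ini_get FILE SECTION KEY prints KEY's value.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                               # skip comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }  # section header
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                          # last assignment wins
        }
        END { print val }' "$1"
}

# yum_cron_audit FILE prints findings; status 0 only if a documented update_cmd
# is set and updates are both downloaded and applied. Subshell keeps vars local.
yum_cron_audit() (
    cmd=$(ini_get "$1" commands update_cmd)
    dl=$(ini_get "$1" commands download_updates)
    apply=$(ini_get "$1" commands apply_updates)
    to=$(ini_get "$1" email email_to)
    rc=0
    case $cmd in
        default) echo "INFO: update_cmd=default, all available updates in scope" ;;
        security|security-severity:*|minimal-security|minimal-security-severity:*)
            echo "INFO: update_cmd=$cmd, security updates only" ;;
        minimal) echo "INFO: update_cmd=minimal, i.e. yum --bugfix update-minimal" ;;
        *) echo "WARN: update_cmd='$cmd' is not a documented value"; rc=1 ;;
    esac
    if [ "$dl" = yes ] && [ "$apply" = yes ]; then
        echo "OK: updates are downloaded and installed unattended"
    else
        echo "WARN: download_updates=${dl:-unset} apply_updates=${apply:-unset}: nothing is installed automatically"
        rc=1
    fi
    [ "$to" != root ] || echo "INFO: reports go to the local root mailbox"
    exit "$rc"
)

# Constructed sample holding the stock values quoted above.
write_sample() {
    printf '%s\n' '[commands]' '# security = yum --security upgrade' \
        'update_cmd = default' 'download_updates = yes' 'apply_updates = no' \
        '' '[email]' 'email_from = root@localhost' 'email_to = root' > "$1"
}

conf=$(mktemp) && write_sample "$conf"
yum_cron_audit "$conf" || true   # stock values: WARN lines, non-zero status
rm -f "$conf"                    # real host: yum_cron_audit /etc/yum/yum-cron.conf
```

A non-zero exit status makes the function usable in a configuration-compliance check that flags hosts where yum-cron is installed but still left at download-only.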

Next, we will be updating Red Hat 8-based systems.