How to Setup Automatic Security Updates on CentOS

One of the recommended tasks for any operating system, whoever develops it, is to keep it updated with the latest patches from the vendor, since that gives the best levels of security, compatibility, and performance.

Although Linux is one of the safest operating systems, we cannot leave updates aside, since current threats are developed to affect all types of operating systems.

To follow this tutorial you will need to be logged in as the root user.

Install Yum-cron in CentOS 7

Yum-cron is a command line tool which allows us to manage system and package updates in CentOS systems.

This daemon is available in CentOS and Fedora. It uses a cron script that checks daily whether updates are available and, if they exist, can install them, download them, or send us an email notification of their availability.

This utility is available in the CentOS 7 repository; to install it we execute the following:

yum -y install yum-cron

Once the installation is complete, we start the yum-cron service and configure it to start automatically at boot by executing the following commands. With this, yum-cron is installed in CentOS 7.

systemctl start yum-cron
systemctl enable yum-cron

Configure Yum-cron For Automatic Updates

After installing the yum-cron package in CentOS 7, it will be necessary to configure it for automatic updates. By default, yum-cron provides three types of updates:

  • Default update, using the command yum upgrade
  • Minimum update
  • Security update

To configure these values we open the file yum-cron.conf in the /etc/yum directory with the desired editor, in this case nano:

cd /etc/yum/
nano yum-cron.conf

In this file we go to the update_cmd line, which defines the type of update that CentOS 7 will apply.

Its current value is default; to download and install only the security updates we set the line as follows:

update_cmd = security

Next, confirm that the update_messages line has the value yes.

Finally, validate that the following lines are set to yes. This way, whenever a security update is available, the system will automatically download the required packages and then apply all the updates.

download_updates = yes
apply_updates = yes

Now we will see how to configure message notification; remember that yum-cron can send the notification to an email address.

If we wish to receive notification by mail, we set the following value on the emit_via line:

emit_via = email

Now we can define the email address:

email_from = root@localhost
email_to = [email protected]
email_host = localhost

Save the changes with Ctrl + O and exit the editor with Ctrl + X.

Once the changes are saved, restart the yum-cron service by executing:

systemctl restart yum-cron

With this, system security updates will be downloaded and applied automatically by yum-cron on a daily basis.

Configure To Exclude Packages in CentOS 7

At this point we may not want to apply automatic updates to some packages, such as the CentOS 7 kernel.

For these exceptions we will access the configuration file again:

cd /etc/yum/
nano yum-cron.conf

In the final part of the file we find the base section, where we add the following line, for example, to exclude the kernel and MySQL:

exclude = mysql* kernel*

In this specific example, all packages whose names start with 'mysql' or 'kernel' will be excluded from automatic updates. We save the changes and restart the service by executing:

systemctl restart yum-cron
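The edits above (update_cmd, update_messages, download_updates, apply_updates, emit_via, email_to) and the exclude line in the base section are made by hand in nano. The following script is an added example, not code from the original tutorial: it makes the same edits idempotently and verifies the result before the service is restarted, which is the check worth running on a fleet where a half-edited yum-cron.conf would silently leave auto-apply off. It assumes the INI-style layout of the CentOS 7 /etc/yum/yum-cron.conf ("key = value" lines under [section] headers); the sample configuration, the address admin@example.com and the function names are constructed for the demonstration.

```shell
# Added example, not part of the original tutorial: apply the tutorial's
# yum-cron.conf settings by script and verify them. Assumes the INI-style
# layout of /etc/yum/yum-cron.conf on CentOS 7 ("key = value" under [section]).

# set_opt FILE SECTION KEY VALUE
# Rewrite "KEY = ..." inside [SECTION]; add it (and the section) if missing.
set_opt() {
    file=$1 section=$2 key=$3 value=$4
    # create the section header if the file lacks it
    grep -qFx "[$section]" "$file" || printf '\n[%s]\n' "$section" >> "$file"
    if awk -v s="[$section]" -v k="$key" '
            $0 == s { in_s = 1; next }
            /^\[/   { in_s = 0 }
            in_s && $1 == k { found = 1 }
            END { exit !found }' "$file"; then
        # key present: replace its line (awk rather than sed -i, which is not POSIX)
        awk -v s="[$section]" -v k="$key" -v v="$value" '
            $0 == s { in_s = 1; print; next }
            /^\[/   { in_s = 0 }
            in_s && $1 == k { print k " = " v; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # key absent: insert it right after the section header
        awk -v s="[$section]" -v k="$key" -v v="$value" '
            { print }
            $0 == s { print k " = " v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# get_opt FILE SECTION KEY -> prints the current value (nothing if unset)
get_opt() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# configure_security_updates FILE EMAIL_TO EXCLUDES
# Security-only updates, downloaded and applied, reported by mail, with an
# optional exclude list for the [base] section.
configure_security_updates() {
    conf=$1 mail_to=$2 excludes=$3
    set_opt "$conf" commands update_cmd security
    set_opt "$conf" commands update_messages yes
    set_opt "$conf" commands download_updates yes
    set_opt "$conf" commands apply_updates yes
    set_opt "$conf" emitters emit_via email
    set_opt "$conf" email email_to "$mail_to"
    if [ -n "$excludes" ]; then
        set_opt "$conf" base exclude "$excludes"
    fi
    return 0
}

# verify_security_updates FILE -> succeeds only when security updates will
# actually be downloaded and applied (the state the tutorial aims for)
verify_security_updates() {
    [ "$(get_opt "$1" commands update_cmd)" = security ] &&
    [ "$(get_opt "$1" commands download_updates)" = yes ] &&
    [ "$(get_opt "$1" commands apply_updates)" = yes ]
}

# Constructed sample in the layout of the stock CentOS 7 file (abridged)
SAMPLE_CONF='[commands]
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no
random_sleep = 360

[emitters]
system_name = None
emit_via = stdio

[email]
email_from = root@localhost
email_to = root
email_host = localhost

[base]
debuglevel = -2'

# Demonstration on a temporary copy; on a real host run the two calls against
# /etc/yum/yum-cron.conf as root, then: systemctl restart yum-cron
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
configure_security_updates "$demo_conf" admin@example.com "mysql* kernel*"
verify_security_updates "$demo_conf" && echo "security auto-updates enabled in $demo_conf"
```

Running the script twice leaves the file unchanged, so it is safe to re-run from configuration management; verify_security_updates is the check to keep, since a file with update_cmd = security but apply_updates = no only reports updates and never installs them.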

Within this configuration file of yum-cron we can mention four fundamental parameters:

  • CHECK_ONLY (yes | no): indicates whether yum-cron only checks whether updates are available, without downloading or installing them.
  • DOWNLOAD_ONLY (yes | no): applies when yum-cron does more than check (CHECK_ONLY = no); it selects whether the available CentOS 7 updates are only downloaded, or downloaded and installed.
  • MAILTO (email): sends a notification mail with the result of the actions carried out each time yum-cron runs.
  • DAYS_OF_WEEK ("0123456"): indicates on which days of the week the update check takes place.

Check Yum-cron Logs on CentOS

yum-cron uses a cron job for automatic security updates, and the records of this cron job are available in the /var/log directory.

To see these records we will execute the following:

cd /var/log/
cat cron | grep yum-daily

If we want to see the packages that have been updated, we run the following:

cat yum.log | grep Updated

With yum-cron configured this way, we can be sure that security updates will be downloaded and installed as soon as they become available.
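The two grep commands above answer "did the job run" and "what changed" by eye. The following is an added example, not code from the original tutorial, that turns the same two logs into a short summary: the packages yum-cron actually updated (names only, with epoch, version, release and arch stripped) and the number of completed daily runs. Both functions read the log on standard input. The sample lines are constructed in the format of /var/log/yum.log and of the run-parts entries in /var/log/cron; the host name and process ids in them are invented.

```shell
# Added example, not part of the original tutorial: summarise what yum-cron
# did from /var/log/yum.log and /var/log/cron. Assumes the field positions
# of those two formats as shown in the constructed samples below.

# updated_packages < yum.log -> one package name per "Updated:" line
updated_packages() {
    awk '$4 == "Updated:" {
            pkg = $5
            sub(/-[0-9]+:/, "-", pkg)       # drop an epoch such as "-1:"
            sub(/-[^-]+-[^-]+$/, "", pkg)   # drop -version-release.arch
            print pkg
        }'
}

# yum_daily_runs < cron -> number of completed 0yum-daily.cron runs
# (grep -c prints 0 but exits 1 on no match, hence "|| true")
yum_daily_runs() {
    grep -c 'finished 0yum-daily.cron' || true
}

# Constructed sample lines in the format of /var/log/yum.log
SAMPLE_YUM_LOG='Jan 15 03:20:11 Updated: openssl-1:1.0.2k-19.el7.x86_64
Jan 15 03:20:12 Updated: openssl-libs-1:1.0.2k-19.el7.x86_64
Jan 15 03:20:13 Installed: kernel-3.10.0-1160.el7.x86_64
Jan 16 03:21:02 Updated: bash-4.2.46-34.el7.x86_64'

# Constructed sample lines in the format of the run-parts entries in /var/log/cron
SAMPLE_CRON_LOG='Jan 15 03:20:01 centos7 run-parts(/etc/cron.daily)[4101]: starting 0yum-daily.cron
Jan 15 03:20:15 centos7 run-parts(/etc/cron.daily)[4110]: finished 0yum-daily.cron
Jan 16 03:21:01 centos7 run-parts(/etc/cron.daily)[5222]: starting 0yum-daily.cron
Jan 16 03:21:04 centos7 run-parts(/etc/cron.daily)[5231]: finished 0yum-daily.cron'

# On a real host: updated_packages < /var/log/yum.log ; yum_daily_runs < /var/log/cron
printf '%s\n' "$SAMPLE_YUM_LOG" | updated_packages
printf 'yum-daily runs: %s\n' "$(printf '%s\n' "$SAMPLE_CRON_LOG" | yum_daily_runs)"
```

Note that the "Installed:" kernel line is deliberately not counted: yum.log records every yum transaction, so filtering on "Updated:" separates what yum-cron applied from packages an administrator installed by hand.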
