Enabling automatic updates

Introduction

This is the first article in a series about hardening the security of GNU/Linux systems. The series aims to provide useful, practical, hands-on and easy-to-follow tutorial-like articles that any system administrator or user can implement.

In this series of articles we’ll use the CentOS 7 (Community Enterprise Operating System)[1] as our default operating system. CentOS is a free, enterprise-class, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL)[2]. If you prefer an alternative operating system, please note that some configurations and packages might differ from what is described here.

If you like this article, or have suggestions or comments, please feel free to leave a comment below.

About this article

This article provides instructions on how to set up your system to automatically download and install updates and patches using the yum-cron package. Keeping your system up to date is vital to maintaining the integrity of the system and the data it contains. Every day, thousands of systems are subject to automated attacks that exploit known security flaws, and an outdated or unpatched system is an easy target for any such attack.

Enabling automatic updates

The yum-cron package

About

yum-cron is an alternate interface to yum that is optimised to be convenient to call from cron. It provides methods to keep repository metadata up to date, and to check for, download, and apply updates.

Rather than accepting many different command line arguments, the different functions of yum-cron are controlled through config files. The optional config-file argument specifies the path to the configuration file to use; if it is not given, the default configuration file (/etc/yum/yum-cron.conf) is used. Being able to specify different configuration files for different use cases is useful: one configuration file might be set to update the repository metadata, and a line could be added to the crontab to run yum-cron frequently using this file, while another configuration file might be set to install updates, and yum-cron could be run from cron using that file just once each day [3]. This is exactly how the CentOS 7 package is laid out: /etc/cron.hourly/0yum-hourly.cron runs yum-cron with /etc/yum/yum-cron-hourly.conf, and /etc/cron.daily/0yum-daily.cron runs it with /etc/yum/yum-cron.conf, the file configured below.

Installing yum-cron

The yum-cron package is located in the default CentOS repository. It can easily be installed from the terminal:

sudo yum install -y yum-cron

Configuring yum-cron

The yum-cron configuration file enables a wide variety of settings and is relatively easy to understand and modify for any need. The main configuration file is /etc/yum/yum-cron.conf; as shipped on CentOS 7 it reads as follows:

[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = default

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = no

# Maximum amout of time to randomly sleep, in minutes.  The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running.  This is useful for e.g. staggering the
# times that multiple systems will access update servers.  If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = 360


[emitters]
# Name to use for this system in messages that are emitted.  If
# system_name is None, the hostname will be used.
system_name = None

# How to send messages.  Valid options are stdio and email.  If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages.  If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio

# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80


[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost

# List of addresses to send messages to.
email_to = root

# Name of the host to connect to to send email messages.
email_host = localhost


[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None

# The types of group packages to install
group_package_types = mandatory, default

[base]
# This section overrides yum.conf

# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2

# skip_broken = True
mdpolicy = group:main

# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True

The first and most important change is to let yum-cron actually install the updates. The default value of apply_updates is no, so new updates and patches are downloaded but never installed. (download_updates must stay at yes as well; as the comment in the file notes, nothing is applied unless it has first been downloaded.)

sudo sed -i -e 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf

For most systems, especially client workstations, this configuration is now sufficient. The default value of update_cmd is default, the equivalent of running yum upgrade, so every available update or patch is downloaded and installed. That does not suit every kind of system, however.

While keeping your system up to date is vital to its integrity, not every software update is a critical security patch. A live production system set to install every available update can suffer server or service downtime when a non-security update changes behaviour. Non-critical updates should be tested in a staging or sandbox environment before being deployed to the live environment.

To address this, yum-cron can be configured to restrict automatic updates to packages that the repository marks as security updates (update_cmd = security, the equivalent of yum --security upgrade), or even to those marked as critical security updates (update_cmd = security-severity:Critical). For any live production system, especially one connected to the Internet, applying security updates automatically is likely a good choice. One caveat: the security variants rely on errata (updateinfo) metadata published by the repository, and the stock CentOS repositories do not publish it, so on a plain CentOS 7 install yum --security upgrade finds nothing to apply. Check with yum updateinfo summary before relying on this setting; if it reports no security notices, either keep update_cmd = default or point yum at a repository that does ship updateinfo metadata.

sudo sed -i -e 's/update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf

Starting the service

The final two steps are to enable the yum-cron service at boot and to start it. On CentOS 7 the service does not run yum itself: it only creates the lock file /var/lock/subsys/yum-cron, and the cron jobs in /etc/cron.hourly/0yum-hourly.cron and /etc/cron.daily/0yum-daily.cron exit early unless that file exists. Without the service enabled, the cron jobs run but apply nothing.

sudo systemctl enable yum-cron.service
sudo systemctl start yum-cron.service
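
The whole procedure above, as an added example that is not part of the original article or of the yum-cron project: a bash script (the file name yum-cron-setup.sh and the --apply flag are assumptions of this example) that edits yum-cron.conf per section rather than with a blind sed, so it is idempotent and cannot touch a same-named key in another section, applies the article's recommended settings, and, when run with --apply as root, installs the package, enables the service and runs yum updateinfo summary to confirm that the repositories actually carry the security metadata that update_cmd = security depends on. The helpers are exercised against a constructed, trimmed copy of the stock configuration so the script can be run without touching a live system.

```shell
#!/bin/bash
# yum-cron-setup.sh (hypothetical name) - added example, not the article's own
# commands or part of the yum-cron project.

# Set "key = value" inside [section] of an INI-style file, idempotently:
# replaces the existing line, or inserts one at the end of that section,
# creating the section if it is absent. Keys in other sections are untouched.
set_ini_value() {
    local file=$1 section=$2 key=$3 value=$4 tmp
    tmp=$(mktemp) || return 1
    awk -v section="$section" -v key="$key" -v value="$value" '
        /^\[.+\]$/ {
            # Leaving the target section without having set the key: add it now.
            if (in_section && !done) { print key " = " value; done = 1 }
            in_section = ($0 == ("[" section "]"))
            if (in_section) seen = 1
            print; next
        }
        # First "key = ..." line inside the target section is replaced.
        in_section && !done && $1 == key && $2 == "=" {
            print key " = " value; done = 1; next
        }
        { print }
        END {
            if (!seen) print "[" section "]"
            if (!done) print key " = " value
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # cat, not mv: keeps the original owner and mode
    rm -f "$tmp"
}

# Read the value of key inside [section]; prints nothing if it is not set.
get_ini_value() {
    local file=$1 section=$2 key=$3
    awk -v section="$section" -v key="$key" '
        /^\[.+\]$/ { in_section = ($0 == ("[" section "]")); next }
        in_section && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$file"
}

# The article's recommended changes: install what is downloaded, and (for
# servers) only what the repository marks as a security update.
harden_yum_cron() {
    local file=$1 update_cmd=${2:-security}
    set_ini_value "$file" commands download_updates yes  # apply_updates needs it
    set_ini_value "$file" commands apply_updates yes
    set_ini_value "$file" commands update_cmd "$update_cmd"
}

# Constructed sample: a trimmed copy of the stock /etc/yum/yum-cron.conf, so the
# helpers can be tested without root. random_sleep is deliberately left out.
make_sample_conf() {
    cat > "$1" <<'EOF'
[commands]
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no

[emitters]
system_name = None
emit_via = stdio
output_width = 80

[email]
email_from = root@localhost
email_to = root
email_host = localhost

[base]
debuglevel = -2
# skip_broken = True
mdpolicy = group:main
EOF
}

# Configure the live system:  sudo bash yum-cron-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    yum install -y yum-cron
    harden_yum_cron /etc/yum/yum-cron.conf security
    systemctl enable yum-cron.service
    systemctl start yum-cron.service
    # Stock CentOS repositories ship no errata metadata; if this prints no
    # security notices, update_cmd = security will never apply anything.
    yum updateinfo summary
fi
```

Without --apply the script only defines the functions, so it can be sourced and tried against a scratch copy of the configuration first. Re-running it is safe: each key is rewritten in place rather than duplicated.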

References

  1. https://www.centos.org
  2. https://wiki.centos.org/FAQ/General#head-4b2dd1ea6dcc1243d6e3886dc3e5d1ebb252c194
  3. http://man7.org/linux/man-pages/man8/yum-cron.8.html