


How To Check For Security Updates Using Yum

In this article, we will examine Red Hat Linux patch management: how you can check the list of available vulnerabilities and security updates via yum and external sources in a live production environment, and where you should get patches for RHEL Linux distributions. Patch management and the steps to apply patches vary by distribution. If you're paying for support from Red Hat or SUSE, you're paying in part for support through their patch management systems to apply patches.

What Is a Security Patch?

A security patch is an update that fixes a certain vulnerability. It incorporates changes in source code. Security patches are commonly applied to specific software components, such as the kernel, or a service, such as vsFTP. Security patches may fix bugs, address vulnerability issues, etc.

Identifying security vulnerabilities list

From time to time, multiple security-related vulnerabilities are reported on the Linux platform. If you've paid for a subscription to a Red Hat or a SUSE distribution, you can get email warnings about these vulnerabilities and security updates.

You can use the pages below to get the list of globally identified vulnerabilities and the CVE (Common Vulnerabilities and Exposures) list:

  • National Vulnerability Database
  • Red Hat List of CVE
  • SuSE List of CVE

Now there are 1000s of security vulnerabilities identified on a daily basis, so it is not possible for anyone to check these vulnerabilities individually and then map them to your environment. Hence we perform a security scan on our Linux machine to identify the vulnerabilities which are impacting our system and then apply the security updates accordingly.

There are a number of tools available which can be used to scan your Linux environment; some of them are:

  • Nessus
  • Qualys Guard
  • IBM App Scanner
  • Acunetix
  • nmap

In our environment we have used Nessus and Acunetix to scan our Linux system to identify all the vulnerabilities and apply patches accordingly.

Sample Nessus report

Here I cannot put the entire vulnerabilities list report due to contractual reasons, but I have put some snippets from the report which show the list of vulnerable rpms and CVEs.

How to perform patch management & apply security hotfix (with rollback) in RHEL

The table below shows the list of impacted CVEs with their descriptions for the kernel rpm which is installed on my RHEL Linux system:


This description list is followed by the list of CVEs. This is just a short excerpt of what was there in the report.


The table below shows the vulnerable kernel rpm and the one from the security updates list which we should install to mitigate all the reported vulnerabilities.


Security Patch Sources

There are several sources for security patches and upgrades. The best source is generally the upgrade repository preconfigured for your distribution. Still, there is often a delay when distribution developers process updates from other sources, such as the kernel, or services, such as the Apache Web server.

Depending upon your support contract, you can ask the developers to prioritise the patch delivery timelines. If you're in a hurry, you can download packages from the Web site directly associated with your service. While not built for your distribution, it can help you get new features into service as quickly as possible.

Now, depending upon your environment, you can choose an online patch source or an offline patch source. We will discuss both these topics in depth later in this article.

Perform Patch Management in RHEL 6/7/8 Linux

Ideally, Linux patch management comes into play when a mission-critical vulnerability has been reported to you (since this article is all about security fixes we will consider a vulnerability as our primary root cause) and the client is requesting an immediate fix.

In such a case you may deliver a minor hotfix which will apply the patch on all the nodes as per the security updates list in the client environment. This security hotfix can apply patches and security updates online as well as offline.

Apply Patch Online

To use online Linux patch management, your RHEL Linux system must be registered with Red Hat Network and mapped to a proper subscription channel to get the required security updates. If you have a substantial number of Linux computers, it may be cost effective to buy, configure, and dedicate one or more computers to the patch management task. For example, assume that you have a network of 100 computers, and Linux patch management requires that each of these computers downloads 20MB per day. Downloading an additional 2GB per day, every day, can be expensive on business-level Internet connections.

In RHEL 7 and 8 this can be achieved using the yum-security plugin; for RHEL 6 you must install the yum-plugin-security rpm manually.

On RHEL 6

# yum install yum-plugin-security

Listing Available Security Erratas

To list all available security erratas without installing them, run:

# yum updateinfo list available
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHBA-2015:0626 bugfix         389-ds-base-1.3.3.1-15.el7_1.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHBA-2015:1554 bugfix         389-ds-base-1.3.3.1-20.el7_1.x86_64
RHBA-2015:1960 bugfix         389-ds-base-1.3.3.1-23.el7_1.x86_64
RHBA-2015:2351 bugfix         389-ds-base-1.3.4.0-19.el7.x86_64
<Output trimmed>

Security Updates Listing

To list all available rpms from security updates list without installing them, run:

# yum updateinfo list security all
  RHSA-2018:3056 Moderate/Sec.  samba-client-4.8.3-4.el7.x86_64
  RHSA-2019:2099 Moderate/Sec.  samba-client-4.9.1-6.el7.x86_64
i RHSA-2016:0006 Moderate/Sec.  samba-client-libs-4.2.3-11.el7_2.x86_64
i RHSA-2016:0448 Moderate/Sec.  samba-client-libs-4.2.3-12.el7_2.x86_64
i RHSA-2016:0612 Critical/Sec.  samba-client-libs-4.2.10-6.el7_2.x86_64
<Output trimmed>

# yum updateinfo list sec
i RHSA-2014:0678 Important/Sec. kernel-3.10.0-123.1.2.el7.x86_64
i RHSA-2014:0786 Important/Sec. kernel-3.10.0-123.4.2.el7.x86_64
i RHSA-2014:0923 Important/Sec. kernel-3.10.0-123.4.4.el7.x86_64
i RHSA-2014:1023 Important/Sec. kernel-3.10.0-123.6.3.el7.x86_64
i RHSA-2014:1281 Moderate/Sec.  kernel-3.10.0-123.8.1.el7.x86_64
<Output trimmed>

To get a list of rpms from the currently installed security updates, this command can be used:

# yum updateinfo list security installed
RHSA-2014:0678 Important/Sec. kernel-3.10.0-123.1.2.el7.x86_64
RHSA-2014:0786 Important/Sec. kernel-3.10.0-123.4.2.el7.x86_64
RHSA-2014:0923 Important/Sec. kernel-3.10.0-123.4.4.el7.x86_64
RHSA-2014:1023 Important/Sec. kernel-3.10.0-123.6.3.el7.x86_64
<output trimmed>

To know more about an advisory from the security updates list before you apply the patch:

[root@rhel-fews-cc ~]# yum updateinfo RHSA-2019:2135
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

===============================================================================
  Moderate: qt5 security, bug fix, and enhancement update
===============================================================================
  Update ID : RHSA-2019:2135
    Release : 0
       Type : security
     Status : final
     Issued : 2019-08-06 08:04:56 UTC
    Updated : 2019-08-06 08:04:44 UTC
       Bugs : 1564000 - Rebase qt5-qtbase to 5.9.7
            : 1564001 - Rebase qt5-qtcanvas3d to 5.9.7
            : 1564002 - Rebase qt5-qtconnectivity to 5.9.7
            : 1564003 - Rebase qt5-qtdeclarative to 5.9.7
            : 1564004 - Rebase qt5-qtdoc to 5.9.7
            : 1564006 - Rebase qt5-qtgraphicaleffects to 5.9.7
            : 1564007 - Rebase qt5-qtimageformats to 5.9.7
            : 1564008 - Rebase qt5-qtlocation to 5.9.7
<output trimmed>
            : refer to the CVE page(s) listed in the References
            : section.
            :
            : Additional Changes:
            :
            : For detailed information on changes in this
            : release, see the Red Hat Enterprise Linux 7.7
            : Release Notes linked from the References section.
   Severity : Moderate
updateinfo info done
<Output trimmed>

If you want to apply the patch only for one specific advisory:

# yum update --advisory=RHSA-2014:0159
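
To connect the listings above with the per-advisory update, the following added example (not part of the original article) filters `yum updateinfo list` output down to the security advisories at or above a chosen severity that are not yet installed, and prints the matching `yum update --advisory=` commands. The function names are hypothetical and the sample lines are constructed from the listings shown on this page.

```bash
#!/bin/sh
# Added example: triage `yum updateinfo list` output by severity.
# SAMPLE is constructed from the listings shown in this article.
SAMPLE='  RHSA-2018:3056 Moderate/Sec.  samba-client-4.8.3-4.el7.x86_64
  RHSA-2019:2099 Moderate/Sec.  samba-client-4.9.1-6.el7.x86_64
i RHSA-2016:0612 Critical/Sec.  samba-client-libs-4.2.10-6.el7_2.x86_64
RHBA-2015:0626 bugfix         389-ds-base-1.3.3.1-15.el7_1.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
i RHSA-2014:0678 Important/Sec. kernel-3.10.0-123.1.2.el7.x86_64'

# pending_advisories <min-severity>: read a listing on stdin and print the
# unique RHSA IDs at or above that severity which are not yet installed.
pending_advisories() {
    awk -v min="$1" '
        BEGIN {
            rank["Low"] = 1; rank["Moderate"] = 2
            rank["Important"] = 3; rank["Critical"] = 4
            if (!(min in rank)) {
                print "unknown severity: " min > "/dev/stderr"; exit 2
            }
        }
        {
            # A leading "i" column marks an erratum that is already installed
            # and shifts the remaining columns by one.
            off = ($1 == "i") ? 1 : 0
            id = $(1 + off); sev = $(2 + off)
            if (id !~ /^RHSA-[0-9]+:[0-9]+$/) next   # bugfix lines, noise
            sub(/\/Sec\.$/, "", sev)
            if (!(sev in rank) || rank[sev] < rank[min]) next
            if (off == 0 && !seen[id]++) print id
        }'
}

# advisory_commands: turn advisory IDs on stdin into the update commands
# used in this article. The commands are printed, not executed.
advisory_commands() {
    while IFS= read -r id; do
        if [ -n "$id" ]; then
            printf 'yum update --advisory=%s\n' "$id"
        fi
    done
}

printf '%s\n' "$SAMPLE" | pending_advisories Important | advisory_commands
```

On a live system, pipe the output of `yum updateinfo list security all` into `pending_advisories` instead of the sample text.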

To list all available security updates with verbose descriptions of the bugs they apply to:

# yum info-sec
===============================================================================
  GeoIP bug fix and enhancement update
===============================================================================
  Update ID : RHBA-2019:2224
    Release : 0
       Type : bugfix
     Status : final
     Issued : 2019-08-06 08:14:36 UTC
    Updated : 2019-08-06 08:14:34 UTC
Description : GeoIP is a C library that enables the user to find the country
            : that any IP address or host name originates from.
            : It uses a file-based database that can be,
            : optionally, updated on a weekly basis by
            : installing the GeoIP-update package.
            :
            : For detailed information on changes in this
            : release, see the Red Hat Enterprise Linux 7.7
            : Release Notes linked from the References section.
            :
            : Users of GeoIP are advised to upgrade to these
            : updated packages.
   Severity : None
<Output trimmed>

View and Install Vulnerabilities List with CVE

To view the vulnerabilities list or CVEs which affect the system:

# yum updateinfo list cves
 CVE-2018-14633   Moderate/Sec.  kernel-3.10.0-957.1.3.el7.x86_64
 CVE-2018-14646   Moderate/Sec.  kernel-3.10.0-957.1.3.el7.x86_64
 CVE-2018-18397   Important/Sec. kernel-3.10.0-957.5.1.el7.x86_64
 CVE-2018-18559   Important/Sec. kernel-3.10.0-957.5.1.el7.x86_64
 CVE-2018-9568    Important/Sec. kernel-3.10.0-957.10.1.el7.x86_64
 CVE-2018-17972   Important/Sec. kernel-3.10.0-957.10.1.el7.x86_64
<Output trimmed>

To install packages impacting a certain CVE Number

# yum update --cve CVE-2008-0947

Update all available security updates list

Run yum update with the --security option, in the syntax below, to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:

# yum -y update --security

Important NOTE:

It will install the last version available of any package with at least one security errata, and thus can install non-security erratas if they provide a more updated version of the package.

To only install the packages that have a security errata, use:

# yum update-minimal --security -y

Apply Patch Offline

Most production environments are not connected to the Internet, hence online patch management is not possible. In such cases there are two possible approaches taken by customers.

  • Create a local repo which is always in sync with Red Hat Network. If you can configure a proxy server, you could download Linux patch information once from the Internet, and then the 100 computers on your network could download the patches locally. You would then save the additional costs for your Internet connection.

NOTE:

Such a configuration requires you to have fast physical servers with good CPU, memory speed and, most importantly, a large storage device to store all these security updates.

  • Create a security hotfix with all the packages. This hotfix will contain scripts to create a local repo and update the packages locally on individual nodes or on some HTTP server. With this you do not need access to an external network in your production environment, and it is the most secure method to perform patch management and apply a security hotfix.

Steps to create offline security hotfix

Based on the Nessus scan report you will get the list of CVEs or vulnerabilities which are impacting your Linux node. Then you can download the rpms which fix the respective CVEs as explained under Online Patch Management.

Place all the rpms from the security updates list under one location on any Linux node; for instance, in our case we will keep all the rpms under /tmp/rhel_security_updates

# mkdir /tmp/rhel_security_updates

Next, once you have the list of rpms which you need to download, you can download these rpms from RHN along with their dependencies and keep them under the same path to apply the patch.

Next, execute createrepo as shown below:

# cd /tmp/rhel_security_updates
# createrepo .

This will create the necessary repodata files required to create an offline repo.

Now our repo directory is ready to apply the patch offline (security hotfix). You can create a script which can now do the below list of tasks:

  • Create repo file required to create a repo on individual node. A sample content is placed below
[rhel74_updates]
name=rhel74_updates
baseurl=file:///tmp/rhel_security_updates
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  • Update all the rpms using (yum update -y)
  • Verify if the update was successful
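
One way to write the script described in the list above, as an added example that is not the original article's own hotfix script. It assumes the repo id and paths from the sample repo file, places the repo file under /etc/yum.repos.d (an assumption), and uses hypothetical function names; it only touches the system when called with `--apply`.

```bash
#!/bin/sh
# Added example (not the article's script). Assumptions: repo id, repo
# directory and GPG key path come from the sample repo file above.
REPO_ID=rhel74_updates
REPO_DIR=${REPO_DIR:-/tmp/rhel_security_updates}
REPO_FILE=${REPO_FILE:-/etc/yum.repos.d/$REPO_ID.repo}
GPG_KEY=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# Refuse to continue unless createrepo has been run and rpms are present.
check_repo_dir() {
    [ -f "$1/repodata/repomd.xml" ] || { echo "no repodata in $1" >&2; return 1; }
    ls "$1"/*.rpm >/dev/null 2>&1 || { echo "no rpms in $1" >&2; return 1; }
}

# write_repo_file <repo-dir> <repo-file>: gpgcheck stays on so that unsigned
# or altered rpms copied into the hotfix directory are rejected by yum.
write_repo_file() {
    cat > "$2" <<EOF
[$REPO_ID]
name=$REPO_ID
baseurl=file://$1
gpgcheck=1
enabled=1
gpgkey=$GPG_KEY
EOF
    chmod 0644 "$2"
}

# Update from the hotfix repo only, then verify that nothing is left pending.
# `yum check-update` exits 100 when updates are still available, 0 when none.
apply_hotfix() {
    yum --disablerepo='*' --enablerepo="$REPO_ID" -y update || return 1
    rc=0
    yum --disablerepo='*' --enablerepo="$REPO_ID" -q check-update || rc=$?
    case $rc in
        0)   echo "hotfix applied: no pending updates in $REPO_ID" ;;
        100) echo "packages from $REPO_ID are still pending" >&2; return 1 ;;
        *)   echo "yum check-update failed (exit $rc)" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    check_repo_dir "$REPO_DIR" &&
        write_repo_file "$REPO_DIR" "$REPO_FILE" &&
        apply_hotfix
fi
```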

Perform Rollback or Fallback after applying security hotfix

Now it is very important that in a production environment you have an option available to roll back or fall back. So after you apply a patch, to fall back or roll back to the older working state of your RHEL Linux host you must know the last state.

Here I mean that, assuming your existing RHEL system (before you apply the patch or security hotfix) had 500 rpms, then after fallback it is expected that you return the system to the same set of 500 rpms.

Before applying the security hotfix I had the below list of kernel rpms, so after fallback I should also have the same set of rpms:

# rpm -qa | grep kernel
kernel-tools-libs-3.10.0-957.21.3.el7.x86_64
kernel-3.10.0-957.21.3.el7.x86_64
kernel-tools-3.10.0-957.21.3.el7.x86_64

This is actually tricky to handle because with every security update you install on your RHEL Linux host, there are a number of dependencies and additional rpms which get installed.

Now, for example, I wish to update the samba-common rpm due to some vulnerability. Currently my RHEL system has samba-common-4.8.3-4.el7.noarch

# rpm -qa | grep samba
samba-common-libs-4.8.3-4.el7.x86_64
samba-common-4.8.3-4.el7.noarch
samba-client-libs-4.8.3-4.el7.x86_64

While there is a security update available with samba-common-4.9.1-6.el7.noarch

# yum updateinfo list sec | grep samba
RHSA-2019:2099 Moderate/Sec.  samba-client-libs-4.9.1-6.el7.x86_64
RHSA-2019:2099 Moderate/Sec.  samba-common-4.9.1-6.el7.noarch
RHSA-2019:2099 Moderate/Sec.  samba-common-libs-4.9.1-6.el7.x86_64

So I plan to update samba-common rpm

# yum update samba-common
<Output trimmed>
Dependencies Resolved

=============================================================================================
 Package                  Arch          Version              Repository                 Size
=============================================================================================
Updating:
 samba-common             noarch        4.9.1-6.el7          rhel-7-server-rpms        209 k
Updating for dependencies:
 libsmbclient             x86_64        4.9.1-6.el7          rhel-7-server-rpms        137 k
 libtevent                x86_64        0.9.37-1.el7         rhel-7-server-rpms         40 k
 libwbclient              x86_64        4.9.1-6.el7          rhel-7-server-rpms        111 k
 samba-client-libs        x86_64        4.9.1-6.el7          rhel-7-server-rpms        4.9 M
 samba-common-libs        x86_64        4.9.1-6.el7          rhel-7-server-rpms        170 k

As you see, due to dependencies I also had to update additional rpms. But there is no guarantee that while downgrading samba-common to 4.8.3-4.el7.noarch we will get the same set of dependencies.

In such cases you can manually download the individual rpm, identify the dependencies and then downgrade the rpm using the "rpm" command. But this is very hectic and not recommended.

I recommend using the LVM snapshot feature to perform fallback of such a security hotfix. In that case, if you wish to fall back, you can simply revert using the LVM snapshot.
Starting with RHEL 7.7 and RHEL 8 you can also boot your RHEL system from the LVM snapshot using BOOM.

It is the most reliable solution for such use cases. However, to perform an LVM snapshot you need some mandatory prerequisites, which I have explained in detail in a separate article.
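
Whichever rollback method is used, the requirement stated earlier (the host returns to the same set of rpms it had before the hotfix) can be checked mechanically. The following is an added example, not code from the original article: it records the installed package set and reports any drift after a rollback. Function names and file locations are hypothetical, and the sample lists, including the older libtevent version, are constructed.

```bash
#!/bin/sh
# Added example: record the installed rpm set before a hotfix and compare it
# after a rollback. File names are assumptions; sample lists are constructed.

# take_snapshot <file>: sorted list of installed packages (requires rpm).
take_snapshot() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort > "$1"
}

# snapshot_drift <before> <after>: print "- pkg" for packages missing after
# the rollback and "+ pkg" for packages that were not present before the
# hotfix. Returns 0 only when both sets are identical.
snapshot_drift() {
    drift=$( { LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
               LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'; } )
    if [ -z "$drift" ]; then
        return 0
    fi
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample: samba-common was downgraded by hand, but libtevent,
# which the update pulled in as a dependency, stayed at the newer version.
demo_drift() {
    tmp=$(mktemp -d)
    printf '%s\n' libtevent-0.9.33-2.el7.x86_64 \
        samba-common-4.8.3-4.el7.noarch | LC_ALL=C sort > "$tmp/before"
    printf '%s\n' libtevent-0.9.37-1.el7.x86_64 \
        samba-common-4.8.3-4.el7.noarch | LC_ALL=C sort > "$tmp/after"
    rc=0
    snapshot_drift "$tmp/before" "$tmp/after" || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_drift || echo "rollback incomplete: package set differs from snapshot"
```

Run `take_snapshot` once before applying the hotfix and again after the rollback, then pass both files to `snapshot_drift`.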

Showing you a step-by-step guide to perform an LVM snapshot would be out of scope for this article, so I have added hyperlinks to my other articles where I have explained this in detail with examples.

Lastly, I hope the steps from the article to get an overview of applying patches on Linux, security errata, the security updates list and performing Linux patch management on RHEL Linux were helpful. So, let me know your suggestions and feedback using the comment section.

Source: https://www.golinuxcloud.com/patch-management-rhel-linux-security-hotfix/

Posted by: greenehincture.blogspot.com
