How to enable automatic security updates on CentOS 7 with yum-cron

If CentOS helps to power your data center, you might be interested in knowing it is possible (and fairly easy) to enable the automatic updating of security updates. This is especially handy if you have a number of CentOS 7 machines and would like this process to happen without you having to set aside precious time each week to make it so.

Why would you do this? Simple: Security updates are critical to keep your servers running smoothly and safely. When security patches arrive, it is in your best interest to apply them as soon as possible. To that end, depending upon a manual process can lead to human error. The last thing you want to is become victim of an exploit ... knowing had you only applied that recent security patch, the breach could have been avoided.

And so, let's take a look at how you can enable automatic security updates on CentOS 7. This will be taken care of, thanks to a small program, called yum-cron. Let's install the application and see how it is used.


Since yum-cron can be found in the standard repositories, the installation can be done with a simple, single command. Open up a terminal window and issue the following:

sudo yum -y install yum-cron

When that command completes, the tool is ready to be used.

Once installed, start and enable yum-cron with the commands:

sudo systemctl start yum-cron
​sudo systemctl enable yum-cron


As you might have expected, yum-cron is a command line tool that needs to be configured from, you guessed it, the command line. Open up the configuration file with the command:

sudo nano /etc/yum/yum-cron.conf

Within that configuration file, you'll want to change the following line from:

update_cmd = default


update_cmd = security

Next, locate the line:

apply_updates = no

Change that line to:

apply_updates = yes

Now we want to stay informed when updates occur. To do this, locate the line:

emit_via = stdio

Change that line to:

emit_via = email

Below that, you will see the [email] section. Change email_from to the address you want the reports to come from, email_to to the email address you want reports sent and, if necessary, change the email_host to your required email host (Figure A).

Figure A

Figure A

Enabling email alerts with yum-cron.

That's all there is to the configuration. Save and close the file. In order for the changes to take place, you must restart yum-cron with the command:

sudo systemctl restart yum-cron

At this point, yum-cron will take over and start downloading and applying updates on a regular basis.

Beyond the basics

You might have a need to exclude certain packages from being included in the security updates. Say, for instance, you want to hold back kernel upgrades to run them manually. That makes perfect sense, as often a kernel upgrade requires a system reboot (in order for the changes to take effect). With yum-cron you can set up package exclusions. To do that, go back to the /etc/yum/yum-cron.conf file, scroll down to the [base] section. In that section, you will need to add the following line (to exclude kernel upgrades):

exclude = kernel*

Once you've added that line, save and close the file. Once again, restart yum-cron with the command:

sudo systemctl restart yum-cron

Now yum-cron won't include the kernel in the upgrades. You should, however, make sure to schedule regular manual upgrades, to ensure the kernel is up to date.

All you have to do now is wait for the yum-cron reports to grace your inbox.

Keep those systems updated

There are many reasons why updates are released—one of the more important being security patches. If you're not regularly updating your systems, you are vulnerable to who knows what. If you don't have time to constantly be updating and upgrading your CentOS systems, yum-cron has your back.

0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Red Hat Cluster Tutorial
Viewed 1136 times since Sun, Jun 3, 2018
Viewed 4095 times since Sat, Jun 2, 2018
Oracle Linux 7 – How to audit changes to a trusted file such as /etc/passwd or /etc/shadow
Viewed 1808 times since Wed, Jul 25, 2018
Netcat shell zabezpieczony hasłem
Viewed 1237 times since Thu, May 24, 2018
RHEL: Adding a boot entry to GRUB/GRUB2 configuration
Viewed 1920 times since Sun, May 27, 2018
RHEL: Reserved space on a ext2/ext3/ext4 filesystem
Viewed 2955 times since Sun, May 27, 2018
Using Official Redhat DVD as repository
Viewed 9212 times since Mon, Oct 29, 2018
How To Use the Linux Auditing System on CentOS 7
Viewed 1861 times since Fri, Apr 5, 2019
RHCS6: Show/Add GFS2/GFS journals
Viewed 11280 times since Sun, Jun 3, 2018
Linux PAM configuration that allows or deny login via the sshd server
Viewed 805 times since Wed, Oct 3, 2018