How to enable automatic security updates on CentOS 7 with yum-cron

If CentOS helps to power your data center, you might be interested in knowing it is possible (and fairly easy) to enable the automatic updating of security updates. This is especially handy if you have a number of CentOS 7 machines and would like this process to happen without you having to set aside precious time each week to make it so.

Why would you do this? Simple: Security updates are critical to keep your servers running smoothly and safely. When security patches arrive, it is in your best interest to apply them as soon as possible. To that end, depending upon a manual process can lead to human error. The last thing you want to is become victim of an exploit ... knowing had you only applied that recent security patch, the breach could have been avoided.

And so, let's take a look at how you can enable automatic security updates on CentOS 7. This will be taken care of, thanks to a small program, called yum-cron. Let's install the application and see how it is used.


Since yum-cron can be found in the standard repositories, the installation can be done with a simple, single command. Open up a terminal window and issue the following:

sudo yum -y install yum-cron

When that command completes, the tool is ready to be used.

Once installed, start and enable yum-cron with the commands:

sudo systemctl start yum-cron
​sudo systemctl enable yum-cron


As you might have expected, yum-cron is a command line tool that needs to be configured from, you guessed it, the command line. Open up the configuration file with the command:

sudo nano /etc/yum/yum-cron.conf

Within that configuration file, you'll want to change the following line from:

update_cmd = default


update_cmd = security

Next, locate the line:

apply_updates = no

Change that line to:

apply_updates = yes

Now we want to stay informed when updates occur. To do this, locate the line:

emit_via = stdio

Change that line to:

emit_via = email

Below that, you will see the [email] section. Change email_from to the address you want the reports to come from, email_to to the email address you want reports sent and, if necessary, change the email_host to your required email host (Figure A).

Figure A

Figure A

Enabling email alerts with yum-cron.

That's all there is to the configuration. Save and close the file. In order for the changes to take place, you must restart yum-cron with the command:

sudo systemctl restart yum-cron

At this point, yum-cron will take over and start downloading and applying updates on a regular basis.

Beyond the basics

You might have a need to exclude certain packages from being included in the security updates. Say, for instance, you want to hold back kernel upgrades to run them manually. That makes perfect sense, as often a kernel upgrade requires a system reboot (in order for the changes to take effect). With yum-cron you can set up package exclusions. To do that, go back to the /etc/yum/yum-cron.conf file, scroll down to the [base] section. In that section, you will need to add the following line (to exclude kernel upgrades):

exclude = kernel*

Once you've added that line, save and close the file. Once again, restart yum-cron with the command:

sudo systemctl restart yum-cron

Now yum-cron won't include the kernel in the upgrades. You should, however, make sure to schedule regular manual upgrades, to ensure the kernel is up to date.

All you have to do now is wait for the yum-cron reports to grace your inbox.

Keep those systems updated

There are many reasons why updates are released—one of the more important being security patches. If you're not regularly updating your systems, you are vulnerable to who knows what. If you don't have time to constantly be updating and upgrading your CentOS systems, yum-cron has your back.

0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
How log rotation works with logrotate
Viewed 2569 times since Fri, Nov 30, 2018
HowTo: Send Email from an SMTP Server using the Command Line
Viewed 845 times since Mon, Feb 18, 2019
Easily Find Bugs In Shell Scripts With ShellCheck
Viewed 1372 times since Thu, Apr 18, 2019
Tropienie pożeracza dysku
Viewed 1238 times since Thu, May 24, 2018
LVM: Extend an existing Volume Group by adding a new disk
Viewed 1015 times since Sat, Jun 2, 2018
How do I add ethtool settings to a network device permanently?
Viewed 4756 times since Mon, May 21, 2018
RHEL: Force system to prompt for password in Single User mode
Viewed 3568 times since Sat, Jun 2, 2018
RHEL: Enabling standard ftp/telnet
Viewed 1599 times since Sun, May 27, 2018
CentOS / RHEL : How to move a Volume Group from one system to another
Viewed 1515 times since Mon, Jan 28, 2019
awk printf
Viewed 11452 times since Wed, Aug 19, 2020