How to enable automatic security updates on CentOS 7 with yum-cron

If CentOS helps to power your data center, you might be interested in knowing it is possible (and fairly easy) to enable the automatic updating of security updates. This is especially handy if you have a number of CentOS 7 machines and would like this process to happen without you having to set aside precious time each week to make it so.

Why would you do this? Simple: Security updates are critical to keep your servers running smoothly and safely. When security patches arrive, it is in your best interest to apply them as soon as possible. To that end, depending upon a manual process can lead to human error. The last thing you want to is become victim of an exploit ... knowing had you only applied that recent security patch, the breach could have been avoided.

And so, let's take a look at how you can enable automatic security updates on CentOS 7. This will be taken care of, thanks to a small program, called yum-cron. Let's install the application and see how it is used.

Installation

Since yum-cron can be found in the standard repositories, the installation can be done with a simple, single command. Open up a terminal window and issue the following:

sudo yum -y install yum-cron
 

When that command completes, the tool is ready to be used.

Once installed, start and enable yum-cron with the commands:

sudo systemctl start yum-cron
​sudo systemctl enable yum-cron

Usage

As you might have expected, yum-cron is a command line tool that needs to be configured from, you guessed it, the command line. Open up the configuration file with the command:

sudo nano /etc/yum/yum-cron.conf

Within that configuration file, you'll want to change the following line from:

update_cmd = default

to

update_cmd = security

Next, locate the line:

apply_updates = no

Change that line to:

apply_updates = yes

Now we want to stay informed when updates occur. To do this, locate the line:

emit_via = stdio

Change that line to:

emit_via = email

Below that, you will see the [email] section. Change email_from to the address you want the reports to come from, email_to to the email address you want reports sent and, if necessary, change the email_host to your required email host (Figure A).

Figure A

Figure A

Enabling email alerts with yum-cron.

That's all there is to the configuration. Save and close the file. In order for the changes to take place, you must restart yum-cron with the command:

sudo systemctl restart yum-cron

At this point, yum-cron will take over and start downloading and applying updates on a regular basis.

Beyond the basics

You might have a need to exclude certain packages from being included in the security updates. Say, for instance, you want to hold back kernel upgrades to run them manually. That makes perfect sense, as often a kernel upgrade requires a system reboot (in order for the changes to take effect). With yum-cron you can set up package exclusions. To do that, go back to the /etc/yum/yum-cron.conf file, scroll down to the [base] section. In that section, you will need to add the following line (to exclude kernel upgrades):

exclude = kernel*

Once you've added that line, save and close the file. Once again, restart yum-cron with the command:

sudo systemctl restart yum-cron

Now yum-cron won't include the kernel in the upgrades. You should, however, make sure to schedule regular manual upgrades, to ensure the kernel is up to date.

All you have to do now is wait for the yum-cron reports to grace your inbox.

Keep those systems updated

There are many reasons why updates are released—one of the more important being security patches. If you're not regularly updating your systems, you are vulnerable to who knows what. If you don't have time to constantly be updating and upgrading your CentOS systems, yum-cron has your back.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
10 Linux DIG Command Examples for DNS Lookup
Viewed 10859 times since Sun, Sep 30, 2018
RHEL: Crash kernel dumps configuration and analysis on RHEL 6
Viewed 4480 times since Sat, Jun 2, 2018
20 Linux Command Tips and Tricks That Will Save You A Lot of Time linux
Viewed 4409 times since Thu, Apr 18, 2019
Linux – How to check the exit status of several piped commands
Viewed 2798 times since Wed, Jul 25, 2018
ZPOOL: Grow a zpool by adding new device(s)
Viewed 5899 times since Sun, Jun 3, 2018
Linux File Systems (mkfs, mount, fstab) ext4
Viewed 3006 times since Sat, Jun 2, 2018
Check a Website Availability from the Linux Command Line
Viewed 6282 times since Mon, Feb 18, 2019
LVM: Create a new Logical Volume / Filesystem
Viewed 1938 times since Sat, Jun 2, 2018
Linux Screen
Viewed 1876 times since Sat, Jun 2, 2018
How To: Create Self-Signed Certificate – OpenSSL
Viewed 2777 times since Mon, Feb 18, 2019