Home » Categories » Linux

How to enable automatic security updates on CentOS 7 with yum-cron

Article Number: 421 | Rating: Unrated | Last Updated: Fri, Oct 26, 2018 3:27 PM

If CentOS helps to power your data center, you might be interested in knowing it is possible (and fairly easy) to enable the automatic updating of security updates. This is especially handy if you have a number of CentOS 7 machines and would like this process to happen without you having to set aside precious time each week to make it so.

Why would you do this? Simple: Security updates are critical to keep your servers running smoothly and safely. When security patches arrive, it is in your best interest to apply them as soon as possible. To that end, depending upon a manual process can lead to human error. The last thing you want to is become victim of an exploit ... knowing had you only applied that recent security patch, the breach could have been avoided.

And so, let's take a look at how you can enable automatic security updates on CentOS 7. This will be taken care of, thanks to a small program, called yum-cron. Let's install the application and see how it is used.

Installation

Since yum-cron can be found in the standard repositories, the installation can be done with a simple, single command. Open up a terminal window and issue the following:

sudo yum -y install yum-cron
 

When that command completes, the tool is ready to be used.

Once installed, start and enable yum-cron with the commands:

sudo systemctl start yum-cron
​sudo systemctl enable yum-cron

Usage

As you might have expected, yum-cron is a command line tool that needs to be configured from, you guessed it, the command line. Open up the configuration file with the command:

sudo nano /etc/yum/yum-cron.conf

Within that configuration file, you'll want to change the following line from:

update_cmd = default

to

update_cmd = security

Next, locate the line:

apply_updates = no

Change that line to:

apply_updates = yes

Now we want to stay informed when updates occur. To do this, locate the line:

emit_via = stdio

Change that line to:

emit_via = email

Below that, you will see the [email] section. Change email_from to the address you want the reports to come from, email_to to the email address you want reports sent and, if necessary, change the email_host to your required email host (Figure A).

Figure A

Figure A

Enabling email alerts with yum-cron.

That's all there is to the configuration. Save and close the file. In order for the changes to take place, you must restart yum-cron with the command:

sudo systemctl restart yum-cron

At this point, yum-cron will take over and start downloading and applying updates on a regular basis.

Beyond the basics

You might have a need to exclude certain packages from being included in the security updates. Say, for instance, you want to hold back kernel upgrades to run them manually. That makes perfect sense, as often a kernel upgrade requires a system reboot (in order for the changes to take effect). With yum-cron you can set up package exclusions. To do that, go back to the /etc/yum/yum-cron.conf file, scroll down to the [base] section. In that section, you will need to add the following line (to exclude kernel upgrades):

exclude = kernel*

Once you've added that line, save and close the file. Once again, restart yum-cron with the command:

sudo systemctl restart yum-cron

Now yum-cron won't include the kernel in the upgrades. You should, however, make sure to schedule regular manual upgrades, to ensure the kernel is up to date.

All you have to do now is wait for the yum-cron reports to grace your inbox.

Keep those systems updated

There are many reasons why updates are released—one of the more important being security patches. If you're not regularly updating your systems, you are vulnerable to who knows what. If you don't have time to constantly be updating and upgrading your CentOS systems, yum-cron has your back.
Posted - Fri, Oct 26, 2018 3:27 PM. This article has been viewed 2232 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Linux PAM configuration that allows or deny login via the sshd server
Viewed 1595 times since Wed, Oct 3, 2018
Top 4 Reasons for Node Reboot or Node Eviction in Real Application Cluster (RAC) Environment
Viewed 79464 times since Thu, Jun 21, 2018
Exclude multiple files and directories with rsync
Viewed 2032 times since Wed, Oct 31, 2018
Open SSL Creating Certificate Signing Request — CSR Generation
Viewed 1622 times since Mon, Feb 18, 2019
30 Handy Bash Shell Aliases For Linux / Unix / MacOS
Viewed 4112 times since Thu, Feb 11, 2021
logrotate - rotates, compresses, and mails system logs.
Viewed 1502 times since Fri, Nov 30, 2018
Top 20 OpenSSH Server Best Security Practices - good article
Viewed 10139 times since Mon, Oct 1, 2018
python learning
Viewed 1592 times since Wed, Dec 18, 2019
RHEL: Rename a network interface on RHEL 7
Viewed 9979 times since Sat, Jun 2, 2018
CentOS / RHEL 7 : Configuring an NFS server and NFS client Linux NFS
Viewed 15930 times since Fri, Feb 21, 2020