On CentOS, Red Hat and Fedora, you can configure automatic installation of security updates as soon as they appear in the repositories. This article shows how to use yum-cron or dnf-automatic to regularly check for and automatically install security updates on CentOS and RHEL Linux.
Configuring Automatic Updates with Yum-cron on CentOS 7 / RHEL 7
To automatically update CentOS 7 or RHEL 7, you can use the yum-cron tool, which can be installed using the yum package manager:
# yum install -y yum-cron
After you have installed the package, edit the configuration file:
# nano /etc/yum/yum-cron.conf
And make the following changes:
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
These parameters mean that security updates are downloaded and installed automatically. All other updates are ignored, and you can install them manually. The update_cmd parameter also accepts the following values:
security-severity:Critical – install only critical security updates;
minimal-security – install bug fixes and security updates;
minimal-security-severity:Critical – install bug fixes and critical updates only.
If a mail transfer agent (MTA) is configured on your server, you can enable automatic email notifications to the email address you specify in the configuration file:
emit_via = email
email_from = server32@localhost
email_to = update_alerts@woshub.com
email_host = smtpgw.woshub.com
You can exclude some packages from the automatic update installation task. Add the package names in the exclude field of the [base] section, for example:
exclude= mysql* kernel* php*
Save the changes in the configuration file, then start the yum-cron service and add it to startup:
# systemctl start yum-cron
# systemctl enable yum-cron
You will receive information about installed security updates by email, or you can check the log file /var/log/yum.log. To make sure the time is displayed correctly in the logs, verify that the time on your Linux device is synchronized with a reliable NTP host.
If yum does not support the --security option, running the update manually fails with an error:
# yum upgrade --security
Command line error: no such option: --security
The problem is solved by installing the appropriate package:
# yum install -y yum-security
Automatic Security Updates with Dnf-automatic on CentOS 8 or RHEL 8
On CentOS 8 and RHEL 8, the yum package manager was replaced by dnf, and it is recommended to use dnf to install, update and remove packages (however, yum still works as a symbolic link to dnf). To configure automatic installation of security updates, install the dnf-automatic package:
# dnf install -y dnf-automatic
After running this command, dnf-automatic will be installed and some packages will be updated.
The dnf-automatic configuration file is /etc/dnf/automatic.conf:
# nano /etc/dnf/automatic.conf
You need to change some options in the config file:
upgrade_type = security
download_updates = yes
apply_updates = yes
emit_via = email
email_from = server2@localhost
To get e-mail notifications, enter your SMTP address.
Start the dnf-automatic timer and add it to startup:
# systemctl start dnf-automatic.timer
# systemctl enable dnf-automatic.timer
You can view your automatic update tasks using this command:
# systemctl list-timers *dnf*
You can get the update log by email or check the local log file /var/log/dnf.rpm.log.
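As an added example (not part of the original article), the script below audits a yum-cron or dnf-automatic configuration file against the settings described above and reports the exclude list. The function names and sample configs are constructed for illustration; on a real host, point audit_conf at /etc/yum/yum-cron.conf or /etc/dnf/automatic.conf.

```shell
#!/bin/sh
# Added example: audit a yum-cron or dnf-automatic config (constructed samples below).
# get_opt FILE SECTION KEY: print the last value assigned to KEY in [SECTION]
get_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_conf FILE: print findings; return 0 only when the file selects
# security updates and both downloads and applies them, as the article does.
audit_conf() {
    rc=0
    # yum-cron names the option update_cmd, dnf-automatic names it upgrade_type
    kind=$(get_opt "$1" commands update_cmd)
    [ -n "$kind" ] || kind=$(get_opt "$1" commands upgrade_type)
    case $kind in
        default|security|security-severity:*|minimal-security*) ;;  # default = all updates
        *) echo "FAIL: update type is '${kind:-unset}' (expected default or a security value)"; rc=1 ;;
    esac
    for key in download_updates apply_updates; do
        v=$(get_opt "$1" commands "$key")
        [ "$v" = yes ] || { echo "FAIL: $key = ${v:-unset} (article sets yes)"; rc=1; }
    done
    # Packages matched by exclude never receive automatic security fixes
    ex=$(get_opt "$1" base exclude)
    [ -z "$ex" ] || echo "WARN: excluded from automatic updates: $ex"
    return $rc
}

# Constructed sample: the yum-cron settings from the article, with its exclude list
sample_good() { printf '%s\n' '[commands]' 'update_cmd = security' \
    'download_updates = yes' 'apply_updates = yes' '[base]' 'exclude= mysql* kernel* php*'; }
# Constructed sample: a dnf-automatic file that downloads updates but never installs them
sample_bad() { printf '%s\n' '[commands]' 'upgrade_type = default' \
    '# apply_updates = yes' 'download_updates = yes' 'apply_updates = no'; }

tmp=$(mktemp) || exit 1
sample_good > "$tmp"; audit_conf "$tmp" && echo "OK: compliant"
sample_bad  > "$tmp"; audit_conf "$tmp" || echo "NOT compliant"
rm -f "$tmp"
```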
Automatic installation of updates improves the security of your Internet-facing Linux server by applying security updates and bug fixes for your software as soon as possible. In most cases, automatic update installation on production servers without administrator control is a poor solution. But in some cases, automatic updating is critical, or the security risks outweigh the risk of temporary service unavailability.