Chapter 3. Keeping Your System Up-to-Date
This chapter describes the process of keeping your system up-to-date, which involves planning and configuring the way security updates are installed, applying changes introduced by newly updated packages, and using the Red Hat Customer Portal for keeping track of security advisories.
3.1. Maintaining Installed Software
As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is a part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat is committed to releasing updated packages that fix the vulnerabilities as soon as possible.
Often, announcements about a given security exploit are accompanied with a patch (or source code) that fixes the problem. This patch is then applied to the Red Hat Enterprise Linux package and tested and released as an erratum update. However, if an announcement does not include a patch, Red Hat developers first work with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an erratum update.
If an erratum update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.
3.1.1. Planning and Configuring Security Updates
All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Packages that have not been updated are a common cause of computer intrusions. Implement a plan for installing security patches in a timely manner to quickly eliminate discovered vulnerabilities, so they cannot be exploited.
Test security updates when they become available and schedule them for installation. Additional controls need to be used to protect the system during the time between the release of the update and its installation on the system. These controls depend on the exact vulnerability, but may include additional firewall rules, the use of external firewalls, or changes in software settings.
Bugs in supported packages are fixed using the errata mechanism. An erratum consists of one or more RPM packages accompanied by a brief explanation of the problem that the particular erratum deals with. All errata are distributed to customers with active subscriptions through the Red Hat Subscription Management service. Errata that address security issues are called Red Hat Security Advisories.
For more information on working with security errata, see Section 3.2.1, “Viewing Security Advisories on the Customer Portal”. For detailed information about the Red Hat Subscription Management service, including instructions on how to migrate from RHN Classic, see the documentation related to this service: Red Hat Subscription Management.
184.108.40.206. Using the Security Features of Yum
The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features also make it possible to use Yum to install nothing but security updates.
To check for security-related updates available for your system, enter the following command as
yum check-update --securityLoaded plugins: langpacks, product-id, subscription-manager rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00 No packages needed for security; 0 packages available
Note that the above command runs in a non-interactive mode, so it can be used in scripts for automated checking whether there are any updates available. The command returns an exit value of 100 when there are any security updates available and 0 when there are not. On encountering an error, it returns 1.
Analogously, use the following command to only install security-related updates:
yum update --security
updateinfosubcommand to display or act upon information provided by repositories about available updates. The
updateinfosubcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, “Security-related commands usable with yum updateinfo” for an overview of these commands.
Table 3.1. Security-related commands usable with yum updateinfo
| ||Displays information about one or more advisories. Replace advisories with an advisory number or numbers.|
| ||Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures).|
| ||Displays all security-related information.|
| ||Displays information about security-relevant packages of the supplied severity_level.|
3.1.2. Updating and Installing Packages
When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures, such as verifying files against the original RPM, does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, and to check the package signatures to verify their integrity.
See the Yum chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for detailed information on how to use the Yum package manager.
220.127.116.11. Verifying Signed Packages
All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. If the verification of a package signature fails, the package may be altered and therefore cannot be trusted.
The Yum package manager allows for an automatic verification of all packages it installs or upgrades. This feature is enabled by default. To configure this option on your system, make sure the
gpgcheckconfiguration directive is set to
Use the following command to manually verify package files on your filesystem:
rpmkeys --checksig package_file.rpm
See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.
18.104.22.168. Installing Signed Packages
To install verified packages (see Section 22.214.171.124, “Verifying Signed Packages” for information on how to verify packages) from your filesystem, use the
yum installcommand as the
rootuser as follows:
yum install package_file.rpm
Use a shell glob to install several packages at once. For example, the following commands installs all
.rpmpackages in the current directory:
yum install *.rpm
Before installing any security errata, be sure to read any special instructions contained in the erratum report and execute them accordingly. See Section 3.1.3, “Applying Changes Introduced by Installed Updates” for general instructions about applying changes made by errata updates.
3.1.3. Applying Changes Introduced by Installed Updates
After downloading and installing security errata and updates, it is important to halt the usage of the old software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using updated versions after a package upgrade.
In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always required, nor is it always available to the system administrator.
- User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launch them.Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.
- The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
- When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.Use the
lsmodcommand to determine which modules from the following are loaded:
kvm-amd. Then use the
modprobe -rcommand to remove and subsequently the
modprobe -acommand to reload the affected modules. Fox example:
lsmod | grep kvmkvm_intel 143031 0 kvm 460181 1 kvm_intel ~]#
modprobe -r kvm-intel~]#
modprobe -r kvm~]#
modprobe -a kvm kvm-intel
- Shared Libraries
- Shared libraries are units of code, such as
glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.To determine which running applications link against a particular library, use the
lsof libraryFor example, to determine which running applications link against the
lsof /lib64/libwrap.so.0COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME pulseaudi 12363 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6 gnome-set 12365 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6 gnome-she 12454 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6This command returns a list of all the running programs that use
TCPwrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated.
- systemd Services
- systemd services are persistent server programs usually launched during the boot process. Examples of systemd services include
vsftpd.Because these programs usually persist in memory as long as a machine is running, each updated systemd service must be halted and relaunched after its package is upgraded. This can be done as the
rootuser using the
systemctl restart service_nameReplace service_name with the name of the service you want to restart, such as
- Other Software
- Follow the instructions outlined by the resources linked below to correctly update the following applications.
- Red Hat Directory Server — See the Release Notes for the version of the Red Hat Directory Server in question at https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/.
- Red Hat Enterprise Virtualization Manager — See the Installation Guide for the version of the Red Hat Enterprise Virtualization in question at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/.