Chapter 3. Keeping Your System Up-to-Date
3.1. Maintaining Installed Software
3.1.1. Planning and Configuring Security Updates
3.1.1.1. Using the Security Features of Yum
yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available
yum update --security
updateinfo subcommand to display or act upon information provided by repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, “Security-related commands usable with yum updateinfo” for an overview of these commands.
Table 3.1. Security-related commands usable with yum updateinfo
| | Displays information about one or more advisories. Replace advisories with an advisory number or numbers. |
| | Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures). |
| | Displays all security-related information. |
| | Displays information about security-relevant packages of the supplied severity_level. |
3.1.2. Updating and Installing Packages
3.1.2.1. Verifying Signed Packages
gpgcheck configuration directive is set to
rpmkeys --checksig package_file.rpm
3.1.2.2. Installing Signed Packages
yum install command as the root user as follows:
yum install package_file.rpm
.rpm packages in the current directory:
yum install *.rpm
3.1.3. Applying Changes Introduced by Installed Updates
- User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launches them.
  Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.
- The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.
  Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
- When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.
  Use the lsmod command to determine which modules from the following are loaded:
  kvm-amd. Then use the modprobe -r command to remove and subsequently the modprobe -a command to reload the affected modules. For example:
  ~]# lsmod | grep kvm
  kvm_intel 143031 0
  kvm 460181 1 kvm_intel
  ~]# modprobe -r kvm-intel
  ~]# modprobe -r kvm
  ~]# modprobe -a kvm kvm-intel
- Shared Libraries
- Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.
  To determine which running applications link against a particular library, use the
  lsof library
  For example, to determine which running applications link against the
  lsof /lib64/libwrap.so.0
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  pulseaudi 12363 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6
  gnome-set 12365 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6
  gnome-she 12454 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6
  This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated.
- systemd Services
- systemd services are persistent server programs usually launched during the boot process. Examples of systemd services include
  vsftpd.
  Because these programs usually persist in memory as long as a machine is running, each updated systemd service must be halted and relaunched after its package is upgraded. This can be done as the root user using the
  systemctl restart service_name
  Replace service_name with the name of the service you want to restart, such as
- Other Software
- Follow the instructions outlined by the resources linked below to correctly update the following applications.
- Red Hat Directory Server — See the Release Notes for the version of the Red Hat Directory Server in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/.
- Red Hat Enterprise Virtualization Manager — See the Installation Guide for the version of the Red Hat Enterprise Virtualization in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/.
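The lsof check in the Shared Libraries item covers one library at a time. The following script is an added example, not part of the original guide, that generalizes it to every running process by looking for shared libraries that are still mapped after their on-disk file was replaced. It assumes the Linux /proc/PID/maps layout, in which the kernel appends "(deleted)" to a mapped file that has been removed or replaced; the function names and the sample maps lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: find processes still running code from a shared library
# whose file was replaced by a package update.

# Read /proc/<pid>/maps-format text on stdin and print each distinct shared
# library path marked "(deleted)". Other deleted mappings (for example SysV
# shared memory segments) are ignored because they are not .so files.
stale_libs_from_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9.]+)?$/ { print $(NF-1) }' |
        sort -u
}

# Walk every numeric /proc entry and print "pid<TAB>command<TAB>library".
# Run as root; otherwise the maps of other users' processes are unreadable.
report_stale_processes() (
    for dir in /proc/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        pid=${dir#/proc/}
        # A process may exit between the glob and the read; skip it quietly.
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        cat "$dir/maps" 2>/dev/null | stale_libs_from_maps |
        while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
)

# Constructed sample of a maps file taken after tcp_wrappers was updated:
# libwrap is mapped from a replaced file, libc is current, and the last
# line is a deleted SysV segment that must not be reported.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c009000 r-xp 00000000 fd:00 34121785 /usr/lib64/libwrap.so.0.7.6 (deleted)
7f3a1c209000-7f3a1c20a000 r--p 00009000 fd:00 34121785 /usr/lib64/libwrap.so.0.7.6 (deleted)
7f3a1d000000-7f3a1d1c4000 r-xp 00000000 fd:00 34100012 /usr/lib64/libc-2.17.so
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:05 98765 /SYSV00000000 (deleted)
EOF
}

# Scan the live system only when asked to: sh stale-libs.sh --scan
if [ "${1:-}" = "--scan" ]; then
    report_stale_processes
fi
```

Every process the scan reports must be halted and relaunched, or its systemd service restarted with systemctl restart, before it uses the updated library.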