Red Hat Training

A Red Hat training course is available for RHEL 8

Managing and monitoring security updates

Red Hat Enterprise Linux 8

A guide to managing and monitoring security updates in Red Hat Enterprise Linux 8

Red Hat Customer Content Services

Abstract

This document describes how to learn about and install security updates, as well as display additional details about the updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Providing feedback on Red Hat documentation

We appreciate your input on our documentation. Please let us know how we could make it better. To do so:

  • For simple comments on specific passages:

    1. Make sure you are viewing the documentation in the Multi-page HTML format. In addition, ensure you see the Feedback button in the upper right corner of the document.
    2. Use your mouse cursor to highlight the part of text that you want to comment on.
    3. Click the Add Feedback pop-up that appears below the highlighted text.
    4. Follow the displayed instructions.
  • For submitting more complex feedback, create a Bugzilla ticket:

    1. Go to the Bugzilla website.
    2. As the Component, use Documentation.
    3. Fill in the Description field with your suggestion for improvement. Include a link to the relevant part(s) of documentation.
    4. Click Submit Bug.

Chapter 1. Identifying security updates

Keeping enterprise systems secure from current and future threats requires regular security updates. Red Hat Product Security provides the guidance you need to confidently deploy and maintain enterprise solutions.

1.1. What are security advisories?

Red Hat Security Advisories (RHSA) document the information about security flaws being fixed in Red Hat products and services.

Each RHSA includes the following information:

  • Severity
  • Type and status
  • Affected products
  • Summary of fixed issues
  • Links to the tickets about the problem. Note that not all tickets are public.
  • Common Vulnerabilities and Exposures (CVE) numbers and links with additional details, such as attack complexity.

Red Hat Customer Portal provides a list of Red Hat Security Advisories published by Red Hat. You can display details of a specific advisory by navigating to the advisory’s ID from the list of Red Hat Security Advisories.

Figure 1.1. List of security advisories

customer portal list security advisories

Optionally, you can also filter the results by specific product, variant, version, and architecture. For example, to display only advisories for Red Hat Enterprise Linux 8, you can set the following filters:

  • Product: Red Hat Enterprise Linux
  • Variant: All Variants
  • Version: 8
  • Alternatively, select a minor version, such as 8.2.

1.2. Displaying security updates that are not installed on a host

You can list all available security updates for your system by using the yum utility.

Prerequisite

  • A Red Hat subscription attached to the host.

Procedure

  • List all available security updates which have not been installed on the host:

    # yum updateinfo list updates security
    ...
    RHSA-2019:0997 Important/Sec. platform-python-3.6.8-2.el8_0.x86_64
    RHSA-2019:0997 Important/Sec. python3-libs-3.6.8-2.el8_0.x86_64
    RHSA-2019:0990 Moderate/Sec.  systemd-239-13.el8_0.3.x86_64
    ...

1.3. Displaying security updates that are installed on a host

You can list installed security updates for your system by using the yum utility.

Procedure

  • List all security updates which are installed on the host:

    # yum updateinfo list security installed
    ...
    RHSA-2019:1234 Important/Sec. libssh2-1.8.0-7.module+el8+2833+c7d6d092
    RHSA-2019:4567 Important/Sec. python3-libs-3.6.7.1.el8.x86_64
    RHSA-2019:8901 Important/Sec. python3-libs-3.6.8-1.el8.x86_64
    ...

    If multiple updates of a single package are installed, yum lists all advisories for the package. In the previous example, two security updates for the python3-libs package have been installed since the system installation.

1.4. Displaying a specific advisory using yum

You can use the yum utility to display a specific advisory information that is available for an update.

Prerequisites

Procedure

  • Display a specific advisory:

    # yum updateinfo info <Update ID>
    ====================================================================
      Important: python3 security update
    ====================================================================
      Update ID: RHSA-2019:0997
           Type: security
        Updated: 2019-05-07 05:41:52
           Bugs: 1688543 - CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
           CVEs: CVE-2019-9636
    Description: ...

    Replace the Update ID with the required advisory. For example, # yum updateinfo info <RHSA-2019:0997>.

Chapter 2. Installing security updates

2.1. Installing all available security updates

To keep the security of your system up to date, you can install all currently available security updates using the yum utility.

Prerequisite

  • A Red Hat subscription attached to the host.

Procedure

  1. Install security updates using yum utility:

    # yum update --security
    Note

    The --security parameter is important. Without it, yum update installs all updates, including bug fixes and enhancements.

  2. Confirm and start the installation by pressing y:

    ...
    Transaction Summary
    ===========================================
    Upgrade  ... Packages
    
    Total download size: ... M
    Is this ok [y/d/N]: y
  3. Optional: list processes that require a manual restart of the system after installing the updated packages:

    # yum needs-restarting
    1107 : /usr/sbin/rsyslogd -n
    1199 : -bash
    Note

    This command lists only processes that require a restart, and not services. That is, you cannot restart processes listed using the systemctl utility. For example, the bash process in the output is terminated when the user that owns this process logs out.

2.2. Installing a security update provided by a specific advisory

In certain situations, you might want to install only specific updates. For example, if a specific service can be updated without scheduling a downtime, you can install security updates for only this service, and install the remaining security updates later.

Prerequisites

Procedure

  1. Install a specific advisory:

    # yum update --advisory=<Update ID>

    Replace the Update ID with the required advisory. For exaample, #yum update --advisory=<RHSA-2019:0997>

  2. Confirm and start the installation by pressing y:

    ...
    Transaction Summary
    ===========================================
    Upgrade  ... Packages
    
    Total download size: ... M
    Is this ok [y/d/N]: y
  3. Optional: List the processes that require a manual restart of the system after installing the updated packages:

    # yum needs-restarting
    1107 : /usr/sbin/rsyslogd -n
    1199 : -bash
    Note

    This command lists only processes that require a restart, and not services. This means that you cannot restart all processes listed by using the systemctl utility. For example, the bash process in the output is terminated when the user that owns this process logs out.

2.3. Additional resources

  • Refer the RHEL 8 Security Hardening document for more information on practices of securing workstations and servers.
  • For more information about Security-Enhanced Linux, see the RHEL 8 Using SELinux documentation.

Legal Notice

Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.