Managing and monitoring security updates

Red Hat Enterprise Linux 8

A guide to managing and monitoring security updates in Red Hat Enterprise Linux 8

Red Hat Customer Content Services

Abstract

This document describes how to learn about and install security updates, and how to display additional details about the updates.

Chapter 1. Overview of security topics

This chapter provides an overview of topics that are important to know when you are responsible for installing security updates on Red Hat Enterprise Linux 8.

1.1. What are security advisories?

Red Hat provides information about security flaws that affect Red Hat products and services in the form of security advisories.

Red Hat Security Advisories (RHSA) contain important information, such as:

  • Severity
  • Summary of fixed issues
  • Links to the tickets about the problem. Note that not all tickets are public.
  • CVE numbers and links with additional details, such as the attack complexity.

Chapter 2. Identifying security updates

This chapter describes how you can display a list of available and already installed security updates.

2.1. Displaying available security updates

This section describes how to use the yum utility to list available security updates on your system.

Prerequisites

  • A valid Red Hat subscription is assigned to the host.

Procedure

  1. List the available security updates that have not been installed on the host:

    $ sudo yum updateinfo list updates security
    ...
    RHSA-2019:0997 Important/Sec. platform-python-3.6.8-2.el8_0.x86_64
    RHSA-2019:0997 Important/Sec. python3-libs-3.6.8-2.el8_0.x86_64
    RHSA-2019:0990 Moderate/Sec.  systemd-239-13.el8_0.3.x86_64
    ...
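
To turn this listing into a per-advisory summary and a severity check for patch compliance, the following added example (not part of the original Red Hat guide) parses the row format shown above. The function names and the sample status line are constructed for illustration; the severity order Critical, Important, Moderate, Low is the Red Hat severity scale.

```bash
#!/bin/sh
# Added example: summarise `yum updateinfo list updates security` rows per advisory.

# Constructed sample: the rows from the listing above plus one status line.
sample_output() {
cat <<'EOF'
Last metadata expiration check: 0:12:34 ago.
RHSA-2019:0997 Important/Sec. platform-python-3.6.8-2.el8_0.x86_64
RHSA-2019:0997 Important/Sec. python3-libs-3.6.8-2.el8_0.x86_64
RHSA-2019:0990 Moderate/Sec.  systemd-239-13.el8_0.3.x86_64
EOF
}

# Severity order shared by both functions; unknown severities rank as 0.
RANKS='BEGIN { rank["Critical"]=4; rank["Important"]=3; rank["Moderate"]=2; rank["Low"]=1 }'

# stdin: yum output. stdout: "ADVISORY SEVERITY PACKAGE_COUNT", most severe first.
advisories_by_severity() {
  awk "$RANKS"'
    $1 ~ /^RHSA-[0-9]+:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
      sev = $2; sub(/\/Sec\.$/, "", sev)
      pkgs[$1]++; severity[$1] = sev
    }
    END { for (id in pkgs) print rank[severity[id]] + 0, id, severity[id], pkgs[id] }
  ' | sort -k1,1nr -k2,2 | cut -d" " -f2-
}

# Print advisories at or above severity $1; return 1 if any are pending.
pending_at_or_above() {
  advisories_by_severity | awk -v t="$1" "$RANKS"'
    rank[$2] + 0 >= rank[t] + 0 { print $1; hit = 1 }
    END { exit hit + 0 }
  '
}

# On a real host, feed the command output instead of the sample:
#   sudo yum updateinfo list updates security | pending_at_or_above Important
sample_output | advisories_by_severity
```

A non-zero return from `pending_at_or_above` can fail a scheduled compliance job while Important or Critical advisories remain uninstalled.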

2.2. Displaying security updates that are installed on a host

If you want to display the list of security updates which have been installed on a Red Hat Enterprise Linux 8 host, use the yum updateinfo list security installed command. This section explains the command and its output.

Procedure

  1. Display the list of security updates that have been installed on the host:

    $ sudo yum updateinfo list security installed
    ...
    RHSA-2019:1234 Important/Sec. libssh2-1.8.0-7.module+el8+2833+c7d6d092
    RHSA-2019:4567 Important/Sec. python3-libs-3.6.7.1.el8.x86_64
    RHSA-2019:8901 Important/Sec. python3-libs-3.6.8-1.el8.x86_64
    ...

    If multiple updates of a single package have been installed, yum lists all advisories for the package. In the above example, two security updates for the python3-libs package were installed since the Red Hat Enterprise Linux 8 installation.

Chapter 3. Viewing security advisories

This chapter describes where you can find information about Red Hat Security Advisories (RHSA) and how to display the advisories.

3.1. Displaying advisories on the Customer Portal

Red Hat publishes security advisories on the Red Hat Customer Portal. This section describes where to find the advisories, and how to filter and display them.

Procedure

  1. Open https://access.redhat.com/security/security-updates/ in a browser.

    This page lists all security advisories that Red Hat has published.

  2. Optionally, filter for a specific product, variant, version, and architecture. For example, to display only advisories for Red Hat Enterprise Linux 8 server, set the following filters:

    • Product: Red Hat Enterprise Linux
    • Variant: Red Hat Enterprise Linux Server
    • Version: 8

  3. To display details of a specific advisory, click the advisory’s ID in the table.

3.2. Displaying a specific advisory using yum

If an update provided by an advisory is not already installed, use the yum utility to display the advisory.

Prerequisites

  • A valid Red Hat subscription is assigned to the host.
  • The ID of the security advisory is known. For details about displaying advisories of installed and available security updates for the host, see Chapter 2, Identifying security updates.
  • The update provided by the advisory is not installed.

Procedure

  1. Display the advisory. For example, to display the details of the RHSA-2019:0997 advisory:

    $ sudo yum updateinfo info RHSA-2019:0997
    ===============================================================================
      Important: python3 security update
    ===============================================================================
      Update ID: RHSA-2019:0997
           Type: security
        Updated: 2019-05-07 05:41:52
           Bugs: 1688543 - CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
           CVEs: CVE-2019-9636
    Description: ...

Chapter 4. Installing security updates

This chapter describes how to install security updates on Red Hat Enterprise Linux 8.

Prerequisites

  • A valid Red Hat subscription is assigned to the host.

4.1. Installing all available security updates

This section describes how to install all security updates available for a host.

Procedure

  1. To install all security updates, enter:

    $ sudo yum update --security

    Note that without the --security parameter, yum also installs updates that include bug fixes and enhancements.

  2. Press y to confirm, and start the installation:

    ...
    Transaction Summary
    ===========================================
    Upgrade  ... Packages
    
    Total download size: ... M
    Is this ok [y/d/N]: y

  3. Optionally, list the processes that must be restarted manually after installing the updated packages:

    $ yum needs-restarting

4.2. Installing a security update provided by a specific advisory

In certain situations, for example, if a specific service can be updated without scheduling a downtime, administrators might want to install only the security updates for this service and install all other security updates later.

This section explains how to install the updated packages provided by a specific security advisory.

Prerequisites

  • A valid Red Hat subscription is assigned to the host.
  • The ID of the security advisory is known. For details about displaying advisories of installed and available security updates for the host, see Chapter 2, Identifying security updates.

Procedure

  1. Install the security updates provided by a specific security advisory. For example, to install the updates provided by the RHSA-2019:0997 advisory, enter:

    $ sudo yum update --advisory=RHSA-2019:0997

  2. Press y to confirm, and start the installation:

    ...
    Transaction Summary
    ===========================================
    Upgrade  ... Packages
    
    Total download size: ... M
    Is this ok [y/d/N]: y

  3. Optionally, list the processes that must be restarted manually after installing the updated packages:

    $ yum needs-restarting

Chapter 5. Additional tasks after applying security updates

After you have installed security updates on Red Hat Enterprise Linux 8, you may need to perform additional tasks. This chapter describes these tasks.

5.1. Displaying which services require a restart after applying security updates

When you update a package on Red Hat Enterprise Linux 8, certain processes using updated libraries and executables might need to be restarted manually. This section explains how to identify these processes.

Prerequisites

Procedure

  1. List all processes that still use libraries or executables from before the update:

    $ sudo yum needs-restarting
    1107 : /usr/sbin/rsyslogd -n
    1199 : -bash
    ...

    The yum needs-restarting command lists only processes, not services. This means that you cannot use the systemctl utility to restart all of the listed processes. For example, the bash process in the output will be terminated when the user that owns this process logs out.
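
To separate the listed processes into those owned by a system service and those tied to a user session, the following added example (not part of the original Red Hat guide) looks up the systemd cgroup path of each PID. It assumes the systemd cgroup layout in /proc/<pid>/cgroup; the function names, the unit and session names, and the sample cgroup lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: split `yum needs-restarting` rows into service-owned processes
# and session processes by looking at each PID's systemd cgroup path.

# Constructed samples: the two rows shown above, and cgroup content that such
# processes would typically have (unit and session names are illustrative).
needs_restarting_sample() {
  printf '%s\n' '1107 : /usr/sbin/rsyslogd -n' '1199 : -bash'
}
cgroup_sample() {
  case $1 in
    1107) echo '1:name=systemd:/system.slice/rsyslog.service' ;;
    1199) echo '1:name=systemd:/user.slice/user-1000.slice/session-3.scope' ;;
  esac
}

# Default reader: the real per-process cgroup file.
read_proc_cgroup() { cat "/proc/$1/cgroup" 2>/dev/null; }

# Pick the systemd hierarchy (cgroup v1 "name=systemd", or the unified v2 line
# with an empty controller field) and print its path.
systemd_cgroup_path() {
  awk -F: '$2 == "name=systemd" || $2 == "" { print $3; exit }'
}

# stdin: "PID : command" rows. $1: cgroup reader (defaults to /proc).
# stdout: "PID UNIT ACTION" per process.
classify_processes() {
  reader=${1:-read_proc_cgroup}
  while IFS= read -r row; do
    pid=${row%% *}
    case $pid in ''|*[!0-9]*) continue ;; esac      # skip "..." and other noise
    path=$("$reader" "$pid" | systemd_cgroup_path)
    case $path in
      /system.slice/*.service) echo "$pid ${path##*/} restart-with-systemctl" ;;
      /user.slice/*)           echo "$pid ${path##*/} ends-with-user-session" ;;
      *)                       echo "$pid ${path:-unknown} review-manually" ;;
    esac
  done
}

needs_restarting_sample | classify_processes cgroup_sample
```

On a real host, run `sudo yum needs-restarting | classify_processes` so that the default reader consults /proc for each PID.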

Legal Notice

Copyright © 2019 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.