Chapter 2. Installing security updates
2.1. Installing all available security updates
To keep the security of your system up to date, you can install all currently available security updates using the dnf utility.
Prerequisite
- A Red Hat subscription attached to the host.
Procedure
Install security updates using the dnf utility:
# dnf update --security
Note: The --security parameter is important. Without it, dnf update installs all updates, including bug fixes and enhancements.
Confirm and start the installation by pressing y:
...
Transaction Summary
===========================================
Upgrade  ... Packages
Total download size: ... M
Is this ok [y/d/N]: y
Optional: List processes that require a manual restart of the system after installing the updated packages:
# dnf needs-restarting
1107 : /usr/sbin/rsyslogd -n
1199 : -bash
Note: This command lists only processes that require a restart, and not services. That is, you cannot restart processes listed using the systemctl utility. For example, the bash process in the output is terminated when the user that owns this process logs out.
2.2. Installing a security update provided by a specific advisory
In certain situations, you might want to install only specific updates. For example, if a specific service can be updated without scheduling a downtime, you can install security updates for only this service, and install the remaining security updates later.
Prerequisites
- A Red Hat subscription attached to the host.
- You have a security advisory Update ID. See identifying the security advisory updates.
Procedure
Install a specific advisory:
# dnf update --advisory=<Update ID>
Replace <Update ID> with the required advisory. For example:
# dnf update --advisory=RHSA-2019:0997
Confirm and start the installation by pressing y:
...
Transaction Summary
===========================================
Upgrade  ... Packages
Total download size: ... M
Is this ok [y/d/N]: y
Optional: List the processes that require a manual restart of the system after installing the updated packages:
# dnf needs-restarting
1107 : /usr/sbin/rsyslogd -n
1199 : -bash
Note: This command lists only processes that require a restart, and not services. This means that you cannot restart all processes listed by using the systemctl utility. For example, the bash process in the output is terminated when the user that owns this process logs out.
2.3. Installing security updates automatically
Use the following procedure to update your system automatically with security updates.
Prerequisites
- A Red Hat subscription attached to the host.
Procedure
Install dnf-automatic using dnf:
# dnf install dnf-automatic
Confirm and start the installation by pressing y:
...
Transaction Summary
===========================================
Upgrade  ... Packages
Total download size: ... M
Is this ok [y/d/N]: y
Open the /etc/dnf/automatic.conf file in a text editor of your choice, for example:
# vi /etc/dnf/automatic.conf
Configure the upgrade_type = security option in the [commands] section:
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = security
Enable the systemd timer unit:
# systemctl enable --now dnf-automatic-install.timer
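The check below is an added example, not part of the original documentation: it reads an automatic.conf-style file and reports the upgrade_type that applies in the [commands] section, so a setting that is commented out or placed under another section is caught. The function names and the sample files are constructed for illustration, and the script assumes that an unset key falls back to default.

```shell
#!/bin/sh
# Added example: report which upgrade_type dnf-automatic will read.

# Print the upgrade_type set in the [commands] section of an
# automatic.conf-style file. Assumption: when that section does not set
# the key, the value "default" (all available upgrades) applies.
effective_upgrade_type() {
    awk '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        /^[ \t]*\[/ {                       # section header such as [commands]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "commands" && /^[ \t]*upgrade_type[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
        }
        END { print (value == "" ? "default" : value) }
    ' "$1"
}

# Return 0 only when automatic upgrades are limited to security updates.
is_security_only() {
    [ "$(effective_upgrade_type "$1")" = "security" ]
}

# Write two constructed sample files (not taken from a real host).
make_samples() {
    GOOD=$(mktemp) && BAD=$(mktemp) || return 1
    cat > "$GOOD" <<'EOF'
[commands]
# default = all available upgrades
# security = only the security upgrades
upgrade_type = security
EOF
    # Here the key is commented out in [commands] and set under another
    # section, so [commands] keeps its default.
    cat > "$BAD" <<'EOF'
[commands]
#upgrade_type = security
[emitters]
upgrade_type = security
EOF
}

# On a host: is_security_only /etc/dnf/automatic.conf || echo "not security-only"
```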
Additional resources
- dnf-automatic(8) man page
2.4. Additional resources
- See practices of securing workstations and servers in the Security Hardening document.
- Security-Enhanced Linux documentation.