The YUM security plugin is a package that allows you to search specifically for security patches applicable to a Redhat/Centos server. This functionality comes in very handy when having to cross reference CVEs to Redhat Security Advisories (RHSAs). If you work closely with anyone in an information security role, you already know how vital functionality is.
Before you can begin you need to make sure that you have the plugin installed. Use the command below to install it.
# yum -y install yum-plugin-security
Then you can use the plugin to get a overview of the security updates availible for your system.
# yum updateinfo
Updates Information Summary: available
3 Security notice(s)
1 Important Security notice(s)
2 Moderate Security notice(s)
12 Bugfix notice(s)
1 Enhancement notice(s)
You can get a specific list of updates, sorted by security advisories, bug fixes, and enhancement advisories.
# yum updateinfo list
To get more specific information on a RHSA and the CVEs that it applies to, you can search by RHSA as seen below.
# yum updateinfo RHSA-2014:0771
Need to see what patches are required to address a certain CVE, then this next command is for you. Trust me this one is useful as it gives you a list of all required packages that address that CVE.
# yum updateinfo list –cve=CVE-2013-6378
Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64
Want to see a list of all fixes by severity. Then you can use the command below. Note that I am using important as my severity as there are no critical updates that are applicable to my test system at this time.
yum updateinfo list –sec-severity=Important
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64
You can also search for security fixes by package name as shown below.
# yum updateinfo list kernel
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
You can also use YUM to apply only security related updates. See below. This is useful if you are in a pinch and need to quickly apply all security updates to make your Infosec Team happy.
# yum –security update
Related articles