Quick and Dirty Yum Security Plugin Overview

The YUM security plugin is a package that allows you to search specifically for security patches applicable to a Red Hat/CentOS server. This functionality comes in very handy when you have to cross-reference CVEs to Red Hat Security Advisories (RHSAs). If you work closely with anyone in an information security role, you already know how vital this functionality is.

Before you can begin you need to make sure that you have the plugin installed.  Use the command below to install it.

# yum -y install yum-plugin-security

 

Then you can use the plugin to get an overview of the security updates available for your system.

# yum updateinfo
    
Updates Information Summary: available
3 Security notice(s)
         1 Important Security notice(s)
         2 Moderate Security notice(s)
12 Bugfix notice(s)
1 Enhancement notice(s)

 

You can get a specific list of updates, sorted by security advisories, bug fixes, and enhancement advisories.

# yum updateinfo list

 

To get more specific information on a RHSA and the CVEs that it applies to, you can search by RHSA as seen below.

# yum updateinfo RHSA-2014:0771

 

Need to see what patches are required to address a certain CVE? Then this next command is for you. Trust me, this one is useful, as it gives you a list of all required packages that address that CVE.

# yum updateinfo list --cve=CVE-2013-6378
Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64
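
Added example, not part of the original post: a small shell wrapper that turns the `--cve` query above into CSV rows (CVE, advisory, severity, type, package) for a tracking sheet. The function names and CSV layout are assumptions of this example, as is the handling of rows without a severity part (bugfix and enhancement notices).

```shell
#!/bin/sh
# Added example: CSV export of `yum updateinfo list` results.
# Function names and the CSV layout are assumptions of this example.

# parse_updateinfo LABEL
#   Reads `yum updateinfo list ...` output on stdin and prints
#   LABEL,advisory,severity,type,package for each advisory row.
#   Anything else ("Loaded plugins: ...", blank lines) is ignored.
parse_updateinfo() {
    awk -v label="$1" '
        $1 ~ /^RH[SBE]A-[0-9]+:[0-9]+$/ && NF >= 3 {
            sev = "None"; type = $2
            # Security rows read "Severity/Sec."; other rows have no severity part
            if (split($2, parts, "/") == 2) { sev = parts[1]; type = parts[2] }
            sub(/\.$/, "", type)
            printf "%s,%s,%s,%s,%s\n", label, $1, sev, type, $3
        }'
}

# cve_report CVE...
#   Runs the --cve query for every ID given and prints a single CSV.
cve_report() {
    echo "cve,advisory,severity,type,package"
    for cve in "$@"; do
        case "$cve" in
            CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;   # basic shape check
            *) echo "skipping malformed CVE id: $cve" >&2; continue ;;
        esac
        yum -q updateinfo list --cve="$cve" 2>/dev/null | parse_updateinfo "$cve"
    done
}

# Sample input: the output shown in the post for CVE-2013-6378.
sample_output() {
    cat <<'EOF'
Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64
EOF
}

# Offline demo; on a real host run e.g.: cve_report CVE-2013-6378
sample_output | parse_updateinfo CVE-2013-6378
```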

 

Want to see a list of all fixes by severity? Then you can use the command below. Note that I am using Important as my severity, as there are no critical updates that are applicable to my test system at this time.

# yum updateinfo list --sec-severity=Important
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64

 

You can also search for security fixes by package name as shown below.

# yum updateinfo list kernel
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64

 

You can also use YUM to apply only security-related updates, as shown below. This is useful if you are in a pinch and need to quickly apply all security updates to make your Infosec team happy.

# yum --security update


Patching ESXi 4.1 via the Linux RCLI


Great Balls of Frustration… could the documentation be any more confusing and convoluted regarding the process of patching an ESX server via the Linux remote CLI?

No, I am not running Windows, and no, I am not on the local ESX console, and no, I am not running the VMware Management Appliance, and most of all, no, I do not want outdated instructions from 2008. I just want to download some patches to my local Linux desktop and patch my ESX servers. Specifically, I want to install the latest and greatest Qlogic drivers to troubleshoot a SAN connectivity issue that I will probably blog about at a later date.

Anyway, here is how I did what I needed to do without resorting to using a Windows box.

First, download the driver ISOs to your local Linux desktop and mount them locally.

mount -o loop vmware-esx-drivers-scsi-fnic_400.1.4.0.201-1vmw.2.17.00000.491446.iso /mnt

Second, locate the offline-bundle directory. I moved mine off to another directory that I created specifically for the Qlogic driver. This way I don't have to unmount and remount the ISO when I patch my other boxes.

Next, put the host in maintenance mode.

vicfg-hostops --username root --server esx04 -o enter

Then navigate to the offline_bundle directory and run the following command, replacing the bundle name that I used with the bundle name in your directory.

vihostupdate --server esx04 --install --bundle 841.k1.16.2-1vmw-offline_bundle-340223.zip

Wait for the following message:

Please wait patch installation is in progress …
The update completed successfully, but the system needs to be rebooted for the changes to be effective.

Then reboot the host.

vicfg-hostops --username root --server esx04 -o reboot