Chapter 8. Managing and monitoring security updates
Install security updates and display additional details about the updates to keep your Red Hat Enterprise Linux systems secured against newly discovered threats and vulnerabilities.
8.1. Identifying security updates
Keeping enterprise systems secure from current and future threats requires regular security updates. Red Hat Product Security provides the guidance you need to confidently deploy and maintain enterprise solutions.
8.1.1. What are security advisories
Red Hat Security Advisories (RHSA) document the information about security flaws being fixed in Red Hat products and services.
Each RHSA includes the following information:
- Severity
- Type and status
- Affected products
- Summary of fixed issues
- Links to the tickets about the problem. Note that not all tickets are public.
- Common Vulnerabilities and Exposures (CVE) numbers and links with additional details, such as attack complexity.
Red Hat Customer Portal provides a list of Red Hat Security Advisories published by Red Hat. You can display details of a specific advisory by navigating to the advisory’s ID from the list of Red Hat Security Advisories.
Figure 8.1. List of security advisories
Optionally, you can also filter the results by specific product, variant, version, and architecture. For example, to display only advisories for Red Hat Enterprise Linux 9, you can set the following filters:
- Product: Red Hat Enterprise Linux
- Variant: All Variants
- Version: 9
- Optionally, select a minor version.
8.1.2. Displaying security updates that are not installed on a host
Display all security updates that are currently not installed on your host system to identify critical packages that require immediate action or installation.
You can list all available security updates for your system by using the DNF utility.
Prerequisites
- A Red Hat subscription is attached to the host.
Procedure
List all available security updates which have not been installed on the host:
# dnf updateinfo list updates security
…
RHSA-2019:0997 Important/Sec. platform-python-3.6.8-2.el8_0.x86_64
RHSA-2019:0997 Important/Sec. python3-libs-3.6.8-2.el8_0.x86_64
RHSA-2019:0990 Moderate/Sec. systemd-239-13.el8_0.3.x86_64
…
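The listing format shown in this procedure can feed a patch-monitoring check. The following is an added example, not part of the Red Hat documentation: it groups pending advisories by severity and signals when a Critical or Important one is outstanding. The function names and the sample metadata line are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize `dnf updateinfo list updates security` output.
# Live use: dnf -q updateinfo list updates security | summarize_advisories

# Constructed sample: advisory lines from the listing above plus a
# made-up metadata line that the parser must ignore.
SAMPLE_OUTPUT='Last metadata expiration check: 0:10:00 ago.
RHSA-2019:0997 Important/Sec. platform-python-3.6.8-2.el8_0.x86_64
RHSA-2019:0997 Important/Sec. python3-libs-3.6.8-2.el8_0.x86_64
RHSA-2019:0990 Moderate/Sec. systemd-239-13.el8_0.3.x86_64'

# Print "<severity> <advisory> <package count>", most severe first.
summarize_advisories() {
    awk '
        # Keep only lines shaped like: RHSA-YYYY:NNNN Severity/Sec. package
        $1 ~ /^RHSA-[0-9]+:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
            sev = $2
            sub(/\/Sec\.$/, "", sev)
            severity[$1] = sev
            count[$1]++
        }
        END {
            rank["Critical"] = 1; rank["Important"] = 2
            rank["Moderate"] = 3; rank["Low"] = 4
            for (id in count) {
                r = (severity[id] in rank) ? rank[severity[id]] : 9
                printf "%d %s %s %d\n", r, severity[id], id, count[id]
            }
        }
    ' | sort -k1,1n -k3,3 | cut -d" " -f2-
}

# Exit status 0 when a Critical or Important advisory is still pending.
urgent_pending() {
    summarize_advisories | grep -Eq "^(Critical|Important) "
}

printf '%s\n' "$SAMPLE_OUTPUT" | summarize_advisories
if printf '%s\n' "$SAMPLE_OUTPUT" | urgent_pending; then
    echo "urgent security advisories pending"
fi
```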
8.1.3. Displaying security updates that are installed on a host
Display security updates that are already installed on your host. This helps you verify that required fixes are applied and track your system’s current security posture.
You can list installed security updates for your system by using the DNF utility.
Procedure
List all security updates which are installed on the host:
# dnf updateinfo list security --installed
…
RHSA-2019:1234 Important/Sec. libssh2-1.8.0-7.module+el8+2833+c7d6d092
RHSA-2019:4567 Important/Sec. python3-libs-3.6.7.1.el8.x86_64
RHSA-2019:8901 Important/Sec. python3-libs-3.6.8-1.el8.x86_64
…
If multiple updates of a single package are installed, dnf lists all advisories for the package. In the previous example, two security updates for the python3-libs package have been installed since the system installation.
8.1.4. Displaying a specific advisory by using DNF
Use the DNF utility to display detailed information about a specific security advisory. This helps you understand the related bug, its severity, and which packages are included in the fix.
Prerequisites
- A Red Hat subscription is attached to the host.
- You know the ID of the security advisory.
- The update provided by the advisory is not installed.
Procedure
Display a specific advisory, for example:
# dnf updateinfo info RHSA-2019:0997
====================================================================
Important: python3 security update
====================================================================
Update ID: RHSA-2019:0997
Type: security
Updated: 2019-05-07 05:41:52
Bugs: 1688543 - CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
CVEs: CVE-2019-9636
Description: …
8.2. Installing security updates
In Red Hat Enterprise Linux, you can install a specific security advisory and all available security updates. You can also configure the system to download and install security updates automatically.
8.2.1. Installing all available security updates
Install all available Red Hat security updates by using the DNF utility. This helps patch all known vulnerabilities and quickly brings the system into full compliance.
Prerequisites
- A Red Hat subscription is attached to the host.
Procedure
Install security updates by using the DNF utility:
# dnf update --security
Without the --security parameter, dnf update installs all updates, including bug fixes and enhancements.
Confirm and start the installation by pressing y:
…
Transaction Summary
===========================================
Upgrade … Packages
Total download size: … M
Is this ok [y/d/N]: y
Optional: List processes that require a manual restart of the system after installing the updated packages:
# dnf needs-restarting
1107 : /usr/sbin/rsyslogd -n
1199 : -bash
The previous command lists only processes that require a restart, and not services. That is, you cannot restart the listed processes by using the systemctl command. For example, the bash process shown in the output terminates when the user who owns it logs out.
8.2.2. Installing a security update provided by a specific advisory
Install a security update associated with a specific advisory ID by using the DNF utility. This enables targeted patching of critical vulnerabilities without updating all packages.
In certain situations, you should install only specific updates. For example, if a specific service can be updated without scheduling downtime, you can install security updates for that service only and install the remaining updates later.
Prerequisites
- A Red Hat subscription is attached to the host.
- You know the ID of the security advisory that you want to update.
  For more information, see the Identifying the security advisory updates section.
Procedure
Install a specific advisory, for example:
# dnf update --advisory=RHSA-2019:0997
Alternatively, update to apply a specific advisory with a minimal version change by using the dnf upgrade-minimal command, for example:
# dnf upgrade-minimal --advisory=RHSA-2019:0997
Confirm and start the installation by pressing y:
…
Transaction Summary
===========================================
Upgrade … Packages
Total download size: … M
Is this ok [y/d/N]: y
Optional: List the processes that require a manual restart of the system after installing the updated packages:
# dnf needs-restarting
1107 : /usr/sbin/rsyslogd -n
1199 : -bash
The previous command lists only processes that require a restart, and not services. That is, you cannot restart the listed processes by using the systemctl command. For example, the bash process shown in the output terminates when the user who owns it logs out.
8.2.3. Installing security updates automatically
Configure the dnf-automatic tool to download and install security updates automatically. Automating this task helps ensure that your systems remain protected against newly discovered threats without manual intervention.
See the dnf-automatic(8) man page on your system for more information.
Prerequisites
- A Red Hat subscription is attached to the host.
- The dnf-automatic package is installed.
Procedure
In the /etc/dnf/automatic.conf file, in the [commands] section, make sure the upgrade_type option is set to either default or security:
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = security
Enable and start the systemd timer unit:
# systemctl enable --now dnf-automatic-install.timer
Verification
Verify that the timer is enabled:
# systemctl status dnf-automatic-install.timer
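The upgrade_type setting from this procedure can be audited across hosts. The following is an added example, not part of the Red Hat documentation: it reads the value from the [commands] section only and ignores comment lines, which matters because the file's own comments contain the words default and security. The function names and the sample file contents are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: report the effective upgrade_type from automatic.conf.
# Live use: audit_upgrade_type < /etc/dnf/automatic.conf

# Constructed sample built from the fragment above, plus a commented-out
# setting and a second section to exercise the parser.
SAMPLE_CONF='[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
# upgrade_type = default
upgrade_type = security

[emitters]
emit_via = stdio'

# Print the value of key $2 inside INI section $1 (file on stdin).
ini_get() {
    awk -v section="$1" -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comments never count
        /^[ \t]*\[/ {                          # section header
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            current = $0
            next
        }
        current == section && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) value = v            # last assignment wins
        }
        END { if (value != "") print value }
    '
}

# Print security, default, unset, or invalid:<value>.
audit_upgrade_type() {
    value=$(ini_get commands upgrade_type)
    case "$value" in
        security|default) echo "$value" ;;
        "")               echo "unset" ;;
        *)                echo "invalid:$value" ;;
    esac
}

printf '%s\n' "$SAMPLE_CONF" | audit_upgrade_type
```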