Questo contenuto non è disponibile nella lingua selezionata.
47.5. Security Updates
As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat, Inc. is committed to releasing updated packages that fix the vulnerability as soon as possible. Often, announcements about a given security exploit are accompanied with a patch (or source code that fixes the problem). This patch is then applied to the Red Hat Enterprise Linux package, tested by the Red Hat quality assurance team, and released as an errata update. However, if an announcement does not include a patch, a Red Hat developer works with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an errata update.
If an errata update is released for software used on your system, it is highly recommended that you update the effected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.
47.5.1. Updating Packages
When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures such as verifying files against the original RPM does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, Inc. and check the signature of the package to verify its integrity.
Red Hat offers two ways to find information on errata updates:
- Listed and available for download on Red Hat Network
- Listed and unlinked on the Red Hat Errata website
Note
Beginning with the Red Hat Enterprise Linux product line, updated packages can be downloaded only from Red Hat Network. Although the Red Hat Errata website contains updated information, it does not contain the actual packages for download.
47.5.1.1. Using Automatic Updates with RHN Classic
Warning
Automatic system updates are only available using RHN Classic, which basis subscription consumption on access to content repository channels. RHN Classic is available as a convenience for customer environments with legacy systems which have not updated to Certificate-Based Red Hat Network.
The update and content stream is different for Certificate-Based Red Hat Network, so automatic updates are not used.
The new Certificate-Based Red Hat Network and the differences between Certificate-Based Red Hat Network and RHN Classic are described in Chapter 15, Registering a System and Managing Subscriptions.
RHN Classic allows the majority of the update process to be automated. It determines which RPM packages are necessary for the system, downloads them from a secure repository, verifies the RPM signature to make sure they have not been tampered with, and updates them. The package install can occur immediately or can be scheduled during a certain time period.
RHN Classic requires a system profile for each machine, which contains hardware and software information about the system. This information is kept confidential and is not given to anyone else. It is only used to determine which errata updates are applicable to each system, and, without it, RHN Classic can not determine whether a given system needs updates. When a security errata (or any type of errata) is released, RHN Classic sends an email with a description of the errata as well as a list of systems which are affected. To apply the update, use the Red Hat Update Agent or schedule the package to be updated through the RHN Classic Subscription Management area of the Customer Portal.
Important
Before installing any security errata, be sure to read any special instructions contained in the errata report and execute them accordingly. Refer to Section 47.5.1.5, “Applying the Changes” for general instructions about applying the changes made by an errata update.
47.5.1.2. Using the Red Hat Errata Website
When security errata reports are released, they are published on the Red Hat Errata website available at http://www.redhat.com/security/. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Enterprise Linux Security Advisories. If the synopsis of one of the advisories describes a package used on your system, click on the synopsis for more details.
The details page describes the security exploit and any special instructions that must be performed in addition to updating the package to fix the security hole.
To download the updated package(s), click on the link to login to Red Hat Network, click the package name(s) and save to the hard drive. It is highly recommended that you create a new directory, such as
/tmp/updates
, and save all the downloaded packages to it.
47.5.1.3. Verifying Signed Packages
All Red Hat Enterprise Linux packages are signed with the Red Hat, Inc. GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) held by Red Hat locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static location, such as an Red Hat Enterprise Linux installation CD-ROM.
Assuming the CD-ROM is mounted in
/mnt/cdrom
, use the following command to import it into the keyring (a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-release
To display a list of all keys installed for RPM verification, execute the following command:
rpm -qa gpg-pubkey*
For the Red Hat key, the output includes the following:
gpg-pubkey-37017186-45761324
To display details about a specific key, use the
rpm -qi
command followed by the output from the previous command, as in this example:
rpm -qi gpg-pubkey-37017186-45761324
It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the Red Hat, Inc. release of the packages. To verify all the downloaded packages at once, issue the following command:
rpm -K /tmp/updates/*.rpm
For each package, if the GPG key verifies successfully, the command returns
gpg OK
. If it doesn't, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party.
After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.
47.5.1.4. Installing Signed Packages
Installation for most packages can be done safely (except kernel packages) by issuing the following command:
rpm -Uvh /tmp/updates/*.rpm
For kernel packages use the following command:
rpm -ivh /tmp/updates/<kernel-package>
Replace <kernel-package> in the previous example with the name of the kernel RPM.
Once the machine has been safely rebooted using the new kernel, the old kernel may be removed using the following command:
rpm -e <old-kernel-package>
Replace <old-kernel-package> in the previous example with the name of the older kernel RPM.
Note
It is not a requirement that the old kernel be removed. The default boot loader, GRUB, allows for multiple kernels to be installed, then chosen from a menu at boot time.
Important
Before installing any security errata, be sure to read any special instructions contained in the errata report and execute them accordingly. Refer to Section 47.5.1.5, “Applying the Changes” for general instructions about applying the changes made by an errata update.
47.5.1.5. Applying the Changes
After downloading and installing security errata via Red Hat Network or the Red Hat errata website, it is important to halt usage of the older software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using the updated versions after a package upgrade.
Note
In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always available to the system administrator.
- Applications
- User-space applications are any programs that can be initiated by a system user. Typically, such applications are used only when a user, script, or automated task utility launches them and they do not persist for long periods of time.Once such a user-space application is updated, halt any instances of the application on the system and launch the program again to use the updated version.
- Kernel
- The kernel is the core software component for the Red Hat Enterprise Linux operating system. It manages access to memory, the processor, and peripherals as well as schedules all tasks.Because of its central role, the kernel cannot be restarted without also stopping the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
- Shared Libraries
- Shared libraries are units of code, such as
glibc
, which are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using the updated library must be halted and relaunched.To determine which running applications link against a particular library, use thelsof
command as in the following example:lsof /usr/lib/libwrap.so*
This command returns a list of all the running programs which use TCP wrappers for host access control. Therefore, any program listed must be halted and relaunched if thetcp_wrappers
package is updated. - SysV Services
- SysV services are persistent server programs launched during the boot process. Examples of SysV services include
sshd
,vsftpd
, andxinetd
.Because these programs usually persist in memory as long as the machine is booted, each updated SysV service must be halted and relaunched after the package is upgraded. This can be done using the Services Configuration Tool or by logging into a root shell prompt and issuing the/sbin/service
command as in the following example:service <service-name> restart
In the previous example, replace <service-name> with the name of the service, such assshd
.Refer to Chapter 17, Network Configuration for more information on the Services Configuration Tool. xinetd
Services- Services controlled by the
xinetd
super service only run when a there is an active connection. Examples of services controlled byxinetd
include Telnet, IMAP, and POP3.Because new instances of these services are launched byxinetd
each time a new request is received, connections that occur after an upgrade are handled by the updated software. However, if there are active connections at the time thexinetd
controlled service is upgraded, they are serviced by the older version of the software.To kill off older instances of a particularxinetd
controlled service, upgrade the package for the service then halt all processes currently running. To determine if the process is running, use theps
command and then use thekill
orkillall
command to halt current instances of the service.For example, if security errataimap
packages are released, upgrade the packages, then type the following command as root into a shell prompt:ps -aux | grep imap
This command returns all active IMAP sessions. Individual sessions can then be terminated by issuing the following command:kill <PID>
If this fails to terminate the session, use the following command instead:kill -9 <PID>
In the previous examples, replace <PID> with the process identification number (found in the second column of theps
command) for an IMAP session.To kill all active IMAP sessions, issue the following command:killall imapd