Automatically check for Security Updates on CentOS or Scientific Linux?

Posted by Stefan Lasiewski on Server Fault See other posts from Server Fault or by Stefan Lasiewski
Published on 2012-03-14T22:19:48Z Indexed on 2012/10/13 3:39 UTC
Read the original article Hit count: 573

We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port.

RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16.

Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however.

CentOS does not support yum-plugin-security.

I monitor the CentOS and Scientific Linux mailinglists for updates, but this is tedious and I want something which can be automated.

For those of us who maintain CentOS and SL systems, are there any tools which can:

  1. Automatically (Progamatically, via cron) inform us if there are known vulnerabilities with my current RPMs.
  2. Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be yum update-minimal --security on the commandline?

I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?

© Server Fault or respective owner

Related posts about centos

Related posts about security