Keeping on top of your system's security updates is one important step in a defense-in-depth strategy for your solution. Security best practices indicate that security updates should be applied within 30 days of being released.
While I prefer to test any and all updates in a test environment before deploying them to production, in case an update breaks existing functionality, some system administrators prefer to have updates applied automatically nightly or weekly. The reasoning is that automatic updates are applied more quickly, more often, and generally more consistently than they would be if done manually.
It's also important to exclude any packages that are critical to your system, such as the kernel or perhaps MySQL, from automatic updates. Configuring the package exclusion list is shown below.
Please keep in mind that, in rare cases, system updates have been known to cause problems. You should be cautious with any type of automatic update, especially on production systems, and fully understand the risks involved before proceeding.
To enable automatic updates, first install the yum-cron package:
[root@web01 ~]# yum -y install yum-cron
[root@web01 ~]# chkconfig yum-cron on
[root@web01 ~]# service yum-cron start
The main configuration file resides in /etc/sysconfig/yum-cron. Some common options for configuring how yum-cron works are documented below (the address that receives the report goes in MAILTO):
# Default - Check for updates, download and install:
[root@web01 ~]# vim /etc/sysconfig/yum-cron
...
CHECK_ONLY=no
DOWNLOAD_ONLY=no
...

# Download only and send an email report:
[root@web01 ~]# vim /etc/sysconfig/yum-cron
...
MAILTO=<address to receive the report>
CHECK_ONLY=no
DOWNLOAD_ONLY=yes
...

# Send email report only, but do not download or install:
[root@web01 ~]# vim /etc/sysconfig/yum-cron
...
MAILTO=<address to receive the report>
CHECK_ONLY=yes
DOWNLOAD_ONLY=no
...
You can also configure yum-cron to apply updates only on specific days. The example below checks for updates, then downloads and applies them on Sundays only (DAYS_OF_WEEK counts days from 0 = Sunday):
[root@web01 ~]# vim /etc/sysconfig/yum-cron
...
CHECK_ONLY=no
DOWNLOAD_ONLY=no
DAYS_OF_WEEK="0"
...
If you would like to exclude specific packages from receiving automatic updates, you can add exclusions through YUM_PARAMETER. In this example, we are excluding updates to mysql and the kernel. Please be sure to pay close attention to the single quotes and double quotes!
[root@web01 ~]# vim /etc/sysconfig/yum-cron
...
YUM_PARAMETER="--exclude='mysql*' --exclude='kernel*'"
...
Once that is complete, no further configuration should be needed; yum-cron will run whenever the daily cron jobs are scheduled to run.
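As an added check, not part of the original post, the following POSIX shell script validates a yum-cron sysconfig file against the points above: CHECK_ONLY and DOWNLOAD_ONLY must be yes or no, DAYS_OF_WEEK may only contain the digits 0-6, the quotes in YUM_PARAMETER must balance, and the kernel must be excluded. The two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Sanity-check a /etc/sysconfig/yum-cron file before trusting it to run unattended.
# check_yum_cron_conf FILE: exit 0 if every check passes, 1 if any finding is printed.
conf_value() {  # conf_value FILE KEY -> last value of KEY, surrounding quotes stripped
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}
check_yum_cron_conf() {
    f=$1; rc=0
    for key in CHECK_ONLY DOWNLOAD_ONLY; do
        v=$(conf_value "$f" "$key")
        case "$v" in yes|no) ;; *) echo "$f: $key must be yes or no (got '$v')"; rc=1 ;; esac
    done
    days=$(conf_value "$f" DAYS_OF_WEEK)
    case "$days" in
        "") ;;                       # unset: yum-cron runs every day
        *[!0-6]*) echo "$f: DAYS_OF_WEEK may only contain the digits 0-6 (got '$days')"; rc=1 ;;
    esac
    # An unbalanced quote in YUM_PARAMETER changes what yum is told to exclude without any error.
    line=$(grep '^YUM_PARAMETER=' "$f" | tail -n 1)
    for q in '"' "'"; do
        n=$(printf '%s' "$line" | tr -cd "$q" | wc -c | tr -d ' ')
        [ $((n % 2)) -eq 0 ] || { echo "$f: unbalanced $q in YUM_PARAMETER"; rc=1; }
    done
    case "$(conf_value "$f" YUM_PARAMETER)" in
        *--exclude=*kernel*) ;;
        *) echo "$f: kernel is not excluded; a reboot-requiring update could land unattended"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample configs (not from the original post) to exercise the checks.
write_samples() {  # write_samples DIR -> DIR/good.conf and DIR/bad.conf
    cat > "$1/good.conf" <<'EOF'
CHECK_ONLY=no
DOWNLOAD_ONLY=no
DAYS_OF_WEEK="0"
YUM_PARAMETER="--exclude='mysql*' --exclude='kernel*'"
EOF
    cat > "$1/bad.conf" <<'EOF'
CHECK_ONLY=maybe
DOWNLOAD_ONLY=no
DAYS_OF_WEEK="7"
YUM_PARAMETER="--exclude='mysql*"
EOF
}
dir=$(mktemp -d); write_samples "$dir"
check_yum_cron_conf "$dir/good.conf" && echo "good.conf passed"
check_yum_cron_conf "$dir/bad.conf" || echo "bad.conf rejected"
rm -rf "$dir"
```

Run it against the real file with `check_yum_cron_conf /etc/sysconfig/yum-cron` after editing, before the next cron run picks the file up.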
If you find that you need to roll back a package update, look up the transaction's ID in the yum history and undo it:
[root@web01 ~]# yum history
Loaded plugins: fastestmirror
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     9 | root                     | 2016-02-09 17:47 | Install        |    1
     8 | root                     | 2016-02-09 17:47 | Update         |    1
     7 | root                     | 2015-08-18 03:19 | I, O, U        |  189 EE
     6 | root                     | 2015-03-01 16:44 | Install        |    1
     5 | root                     | 2015-03-01 16:31 | Erase          |    1
     4 | root                     | 2015-03-01 16:30 | Install        |   49
     3 | root                     | 2015-03-01 16:28 | Install        |    1
     2 | root                     | 2015-03-01 16:25 | I, U           |   80
     1 | System                   | 2015-03-01 15:52 | Install        |  298
[root@web01 ~]# yum history undo ID