Red Hat Enterprise Linux 7 Security Guide - Chapter 3 Keeping Your System Up-to-Date

Chapter 3. Keeping Your System Up-to-Date
This chapter describes the process of keeping your system up-to-date, which includes planning and configuring the installation of security updates, applying the changes introduced by newly updated packages, and using the Red Hat Customer Portal to keep track of security advisories.
3.1. Maintaining Installed Software

If a security vulnerability is discovered, the affected software must be updated in order to limit the potential security threat. If the software is part of a package currently supported by a Red Hat Enterprise Linux distribution, Red Hat releases an update package that fixes the vulnerability as soon as possible.

Bulletins about specific security vulnerabilities are often accompanied by a patch (or source code) that fixes the problem. The patch is applied to the Red Hat Enterprise Linux package, tested, and released as an errata update. If the bulletin does not include a patch, Red Hat developers first work with the software maintainer to resolve the issue. Once the issue is fixed, the package is tested and released as an errata update.

If errata updates are released for software used on your system, it is strongly recommended that you update the affected packages as soon as possible to minimize the time that your system is exposed to the potential vulnerability.
3.1.1. Scheduling and Configuring Security Updates

All software contains bugs, and bugs often create gaps that allow malicious users to break into a system. Out-of-date software packages are a common cause of computer intrusions. A timely security patching program can quickly remove discovered vulnerabilities so that they cannot be exploited.

When security updates become available, schedule their installation and test them. Additional controls are needed to protect the system during the time between the release of an update and its installation. These controls depend on the specific vulnerability, but may include additional firewall rules, the use of external firewalls, or changes in software settings.

Bugs in supported packages are fixed through the errata mechanism. An erratum consists of one or more RPM packages, accompanied by a brief explanation of the problem that it addresses. All errata are distributed to customers with active subscriptions through the Red Hat Subscription Management service. Errata that address security issues are called Red Hat Security Advisories.
3.1.1.1. Using Yum's Security Features

The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features make it possible to use Yum to install security updates.

To check for security-related updates available for your system, run the following command as root:

~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                  | 3.4 kB  00:00:00
No packages needed for security; 0 packages available

Note that the above command runs non-interactively, so it can be used in scripts to check automatically whether updates are available. The command returns an exit value of 100 when security updates are available, 0 when no security updates are available, and 1 if an error occurs.

To install security-related updates, run the following command as root:

~]# yum update --security

Use the updateinfo subcommand to display or act upon the information provided by the repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. For an overview of these commands, see Table 3.1, “Security-related commands available with yum updateinfo”.

Table 3.1. Security-related commands available with yum updateinfo

Command                          Description
advisory [advisories]            Displays information about one or more advisories. Replace advisories with one or more advisory numbers.
cves                             Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures).
security or sec                  Displays all security-related information.
severity or sev severity_level   Displays information about security-related packages of the supplied severity_level.
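The exit-status contract of yum check-update --security (100 when security updates are pending, 0 when none, 1 on error) is what makes the command useful in scripts. The following script is an added example, not part of the RHEL 7 Security Guide: it wraps the check, reports a verdict, and either applies the pending errata with yum update --security or tells the operator to review them first. The YUM_CMD, APPLY_CMD and AUTO_APPLY variables are assumptions introduced here so the logic can be exercised without a real yum.

```shell
#!/bin/sh
# Added example (not from the RHEL 7 Security Guide): script-friendly wrapper
# around `yum check-update --security`. It relies only on the exit-status
# contract the guide documents: 100 = security updates available,
# 0 = none available, 1 = error.
# YUM_CMD, APPLY_CMD and AUTO_APPLY are assumptions of this example.

# Translate the exit status of `yum check-update --security` into a verdict.
security_update_status() {
  case "$1" in
    100) echo "updates-available" ;;
    0)   echo "up-to-date" ;;
    1)   echo "error" ;;
    *)   echo "unknown" ;;
  esac
}

# Run the check (or the stand-in command named in YUM_CMD) and print the
# verdict. The command sits inside `if` so that exit status 100 does not
# abort a script running under `set -e`.
check_security_updates() {
  cmd="${YUM_CMD:-yum check-update --security}"
  if $cmd >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  security_update_status "$rc"
}

# Decide what to do with the verdict. With AUTO_APPLY=1 the pending errata are
# installed non-interactively (yum -y update --security); otherwise the
# operator is asked to review them with `yum updateinfo list security`.
# Returns 0 on a clean result, 2 when yum itself failed.
act_on_status() {
  case "$1" in
    updates-available)
      if [ "${AUTO_APPLY:-0}" = "1" ]; then
        echo "applying security errata"
        ${APPLY_CMD:-yum -y update --security}
      else
        echo "security updates pending: review with 'yum updateinfo list security'"
      fi
      return 0 ;;
    up-to-date)
      echo "no security updates needed"
      return 0 ;;
    error)
      echo "yum reported an error; check repository access and subscription" >&2
      return 2 ;;
    *)
      echo "unexpected yum exit status" >&2
      return 2 ;;
  esac
}

main() {
  status=$(check_security_updates)
  act_on_status "$status"
}

# Run main only when executed as security-check.sh, so the functions can also
# be sourced from other scripts.
case "$0" in
  */security-check.sh) main ;;
esac
```

Saved as security-check.sh and run from cron as root, the script exits 0 when the system is clean or errata were applied and 2 when yum could not complete the check, so a monitoring job can distinguish "nothing to do" from "the check itself is broken".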

3.1.2. Updating and Installing Packages

When updating software on your system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem, but with a different security exploit, and release it on the Internet. If this happens, security measures such as verifying files against the original RPM do not detect the exploit. Therefore, it is very important to download RPMs only from trusted sources, such as Red Hat, and to check the package signatures to verify their integrity.

For more information on how to use the Yum package manager, refer to the Red Hat Enterprise Linux 7 System Administration Guide .

3.1.2.1. Verifying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used to ensure the authenticity of distributed files. If the verification of a package signature fails, the package may have been altered and therefore cannot be trusted.

The Yum package manager allows automatic verification of all packages it installs or upgrades, and this is enabled by default. To configure this option on your system, make sure the gpgcheck configuration directive is set to 1 in the /etc/yum.conf configuration file.

To manually verify package files on your file system, use the following command:

rpmkeys --checksig package_file.rpm

Please refer to the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information on Red Hat's package signing practices.
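Because gpgcheck can be overridden per repository in /etc/yum.repos.d/*.repo, a correct /etc/yum.conf is not enough on its own. The following script is an added example, not from the RHEL 7 Security Guide: it audits yum.conf and every .repo drop-in for sections that explicitly set gpgcheck=0 (the weak setting), and wraps the manual rpmkeys --checksig check the guide describes. The directory argument to audit_yum_gpgcheck is an assumption introduced here so the audit can be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the RHEL 7 Security Guide): find yum repositories
# that disable GPG signature checking, and verify a package file before
# installing it. The optional base-directory argument is an assumption of
# this example; on a real system it defaults to /etc.

# Print "file: section" for every INI section in the given files where
# gpgcheck is explicitly set to 0. Sections without a gpgcheck line inherit
# the [main] value from yum.conf, so only explicit 0s are reported.
# repo_gpgcheck and localpkg_gpgcheck are different keys and are ignored.
find_gpgcheck_disabled() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        \[*\])
          section=${line#\[}
          section=${section%\]} ;;
        *gpgcheck*)
          # Strip whitespace so "gpgcheck = 0" and "gpgcheck=0" compare equal.
          key=$(printf '%s' "$line" | sed 's/[[:space:]]//g')
          case "$key" in
            gpgcheck=0) echo "$f: ${section:-main}" ;;
          esac ;;
      esac
    done < "$f"
  done
}

# Audit the standard locations: yum.conf plus every .repo drop-in.
audit_yum_gpgcheck() {
  dir=${1:-/etc}
  find_gpgcheck_disabled "$dir/yum.conf" "$dir"/yum.repos.d/*.repo
}

# The manual check from the guide. Returns rpmkeys' own exit status:
# non-zero means the signature did not verify (or the signing key is not
# imported), and the package must not be installed.
verify_package_signature() {
  rpmkeys --checksig "$1"
}

# Install a local package file only after its signature verifies.
install_if_signed() {
  if verify_package_signature "$1"; then
    yum install "$1"
  else
    echo "refusing to install $1: signature check failed" >&2
    return 1
  fi
}
```

Running audit_yum_gpgcheck as root prints nothing on a correctly configured host; each line it does print names a file and section where gpgcheck=0 should be changed to gpgcheck=1 (or the repository removed).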

3.1.2.2. Installing Signed Packages

To install verified packages from your file system (see Section 3.1.2.1, “Verifying Signed Packages” for information on how to verify packages), use the yum install command as the root user:

yum install package_file.rpm

Install multiple packages at once using shell globs. For example, the following command installs all .rpm packages in the current directory:

yum install *.rpm

Important

Before installing any security errata, be sure to read any special instructions contained in the erratum report and follow them in order. See Section 3.1.3, “Applying Changes Introduced by Installed Updates” for general instructions about applying changes introduced by errata updates.

3.1.3. Applying Changes Introduced by Installed Updates

After downloading and installing security errata and updates, it is important to stop using the old software and start using the new software. How to do this depends on the type of software installed. The following list identifies the general classification of software and provides steps to use the newer version after a package upgrade.

Note

In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, a reboot is not always required, nor is it always a practical option for the system administrator.

Applications

User-space applications are any programs that can be started by a system user. Typically, such applications are used only when started by a user, a script, or an automated task utility.

Once such a user-space application is updated, stop all instances of the application on the system and start the program again to use the updated version.

Kernel

The kernel is the core software component of the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.

Because of its central role, the kernel cannot be restarted without also stopping the system. Therefore, an updated version of the kernel cannot be used until the system is rebooted.

KVM

When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload the relevant kernel modules (or reboot the host system), and restart the virtual machines.

Use the lsmod command to determine which modules are loaded: kvm, kvm-intel, or kvm-amd. Then use the modprobe -r command to remove them, and the modprobe -a command to reload the affected modules. For example:

~]# lsmod | grep kvm
kvm_intel 143031 0
kvm 460181 1 kvm_intel
~]# modprobe -r kvm-intel
~]# modprobe -r kvm
~]# modprobe -a kvm kvm-intel

Shared libraries

Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications that use a shared library typically load the shared code when the application is initialized, so any application that uses an updated library must be stopped and started again.

To determine which running applications link against a particular library, use the lsof command:

lsof library

For example, to determine which running applications link against the libwrap.so.0 library, enter:

~]# lsof /lib64/libwrap.so.0
COMMAND     PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
pulseaudi 12363 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
gnome-set 12365 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
gnome-she 12454 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6

This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be stopped and started again if the tcp_wrappers package is updated.

System services

System services are persistent server programs that are usually started during the boot process. Examples of system services include sshd and vsftpd.

Because these programs usually stay in memory as long as the machine is running, each updated system service must be stopped and started again after its package is updated. This can be done as the root user with the systemctl command:

systemctl restart service_name

Replace service_name with the name of the service you want to restart, for example sshd.
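The shared-library and system-service steps above fit together: lsof shows which processes still map the old library, and systemctl restart is how the affected services pick up the new one. The following script is an added example, not part of the RHEL 7 Security Guide: it parses lsof output into unique PIDs, maps each PID to its systemd unit by reading /proc/PID/cgroup, and prints the resulting restart plan. The cgroup parsing assumes the name=systemd hierarchy that systemd exposes on RHEL 7; the sample lsof output embedded in the test is the one shown on this page.

```shell
#!/bin/sh
# Added example (not from the RHEL 7 Security Guide): turn the output of
# `lsof <library>` into a list of systemd units to restart after a
# shared-library update. Reading /proc/<pid>/cgroup to find the owning unit
# is an assumption about systemd's cgroup layout (the name=systemd hierarchy).

# Parse `lsof <library>` output (on stdin) into unique "PID COMMAND" pairs,
# skipping the header line. A process that maps the library several times
# appears once.
pids_using_library() {
  awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2, $1 }' | sort -u -k1,1n
}

# Given the text of /proc/<pid>/cgroup on stdin, print the .service unit the
# process belongs to, or nothing if it is not inside a service (for example a
# user session, which lives in a .scope).
unit_from_cgroup() {
  awk -F: '$2 == "name=systemd" {
      n = split($3, parts, "/")
      if (parts[n] ~ /\.service$/) print parts[n]
  }'
}

# Look up the unit of a live PID; fails if the process is gone or unreadable.
unit_for_pid() {
  [ -r "/proc/$1/cgroup" ] || return 1
  unit_from_cgroup < "/proc/$1/cgroup"
}

# Build the restart plan for a library path: one `systemctl restart <unit>`
# per distinct service, and a comment line for processes that belong to no
# service and must be restarted by hand (as for the desktop session above).
restart_plan() {
  lib=$1
  lsof "$lib" | pids_using_library | while read -r pid comm; do
    unit=$(unit_for_pid "$pid" || true)
    if [ -n "$unit" ]; then
      echo "systemctl restart $unit"
    else
      echo "# restart manually: $comm (pid $pid)"
    fi
  done | sort -u
}
```

Run restart_plan /lib64/libwrap.so.0 as root after updating tcp_wrappers; review the printed plan, then execute the systemctl lines. Comment lines mark processes (such as a user's desktop session) that systemctl cannot restart for you.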

Other software

Follow the instructions outlined by the resources linked in Section 3.2 below to determine how to correctly update the specific application.

3.2. Additional Resources

For more information about security updates, installing security updates, the Red Hat Customer Portal, and related topics, see the resources listed below.

Installed Documentation

  • yum(8) — The manual page for the Yum package manager provides information on how to use Yum to install, update, and remove packages on your system.
  • rpmkeys(8) — The manual page for the rpmkeys utility describes the methods this program uses to verify the authenticity of downloaded packages.

Online Documentation

Red Hat Customer Portal

  • Red Hat Customer Portal — The main page of the Customer Portal contains links to the most important resources and is updated as new content becomes available.
  • Security Contacts and Procedures — Provides information about the Red Hat Security Response Team and instructions on when to contact it.
  • Red Hat Security Blog — Provides articles on the latest security-related issues from Red Hat security professionals.

See Also

  • Chapter 2, Security Tips for Installation describes how to configure your system securely from the beginning, making it easier to implement additional security settings later.
  • Section 4.8.2, “Creating a GPG Key” describes how to create a personal GPG key to authenticate your communications.

Copyright statement: This article is an original article by allway2, released under the CC 4.0 BY-SA license. Please include the original source link and this statement when reprinting. Original link: https://blog.csdn.net/allway2/article/details/100577508

Origin blog.csdn.net/shanxun1012/article/details/130507885