Why you shouldn't enable automatic security updates on CentOS 7 with yum-cron

Automatic security updates on your CentOS 7-powered data center servers will not secure your device. Jack Wallen explains why.



Updated Dec. 4, 2018: This article was originally published in Oct. 2017. Based on new information, we have updated this article and removed the original steps in order to prevent anyone from making their device less secure.

One of the best things about the open source community is that it tends to always want to ensure that the best information is available regarding the products it creates. One very illuminating case of this occurred over the last couple of years, when there were recommendations to set up automatic security updates for CentOS. Recently, one of the CentOS developers reached out to inform me that these automatic security updates do more harm than good.

Let me explain.

By making use of yum-cron and yum-plugin-security for the automation of security updates, you are counting on yum to supply all the necessary bits of information needed for such a process. Turns out, it doesn't.


The problem is that CentOS does not supply the necessary metadata in its yum repositories such that yum-plugin-security can function. In other words, yum-plugin-security does nothing, and the automation of security updates is a lost cause in CentOS. In fact, the CentOS developers go so far as to say this will never work. And yum-cron is no solution as it actually disables security updates from the CentOS repositories completely. The only yum repository that contains relevant security metadata is EPEL (which still doesn't solve the yum-plugin-security problem).

The only way to specify security updates for CentOS is using the yum command like so:

sudo yum -y update --security

As for automating the security updates for CentOS with yum-plugin-security? That solution is not only not a solution, it's a problem, one that renders the platform even less secure.
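To see for yourself whether a given repository even publishes the metadata that --security depends on, here is an added Python example (not part of the original article) that inspects a repository's repomd.xml for an "updateinfo" entry; the two repomd documents embedded in it are constructed samples that only mimic the layout of a CentOS base repo and of EPEL, so treat that layout as an assumption.

```python
# Added example: check whether a yum repository ships the "updateinfo"
# metadata that yum-plugin-security / `yum update --security` rely on.
# A repo without it gives --security nothing to match, so nothing is applied.
import xml.etree.ElementTree as ET

# Namespace used by repomd.xml in yum/createrepo repositories.
REPOMD_NS = "http://linuxfoundation.org/metadata/repo"


def repomd_data_types(repomd_xml):
    """Return the set of <data type="..."> entries found in a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    return {d.get("type") for d in root.iter("{%s}data" % REPOMD_NS)}


def has_security_metadata(repomd_xml):
    """True only if the repo publishes updateinfo, i.e. advisory data exists."""
    return "updateinfo" in repomd_data_types(repomd_xml)


def audit_repos(repos):
    """Map repo name -> whether its repomd.xml carries updateinfo."""
    return {name: has_security_metadata(xml) for name, xml in repos.items()}


# Constructed sample resembling a CentOS 7 base repo: package metadata only,
# no updateinfo, so security filtering has nothing to work with.
BASE_LIKE = """<repomd xmlns="http://linuxfoundation.org/metadata/repo">
  <revision>1500000000</revision>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/other.xml.gz"/></data>
</repomd>"""

# Constructed sample resembling EPEL, which does publish updateinfo.
EPEL_LIKE = """<repomd xmlns="http://linuxfoundation.org/metadata/repo">
  <revision>1500000000</revision>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.bz2"/></data>
</repomd>"""

if __name__ == "__main__":
    for name, ok in audit_repos({"base": BASE_LIKE, "epel": EPEL_LIKE}).items():
        verdict = "has updateinfo" if ok else "NO updateinfo: --security is a no-op here"
        print("%-5s %s" % (name, verdict))
```

Against a live mirror you would feed the function the contents of <baseurl>/repodata/repomd.xml instead of the embedded samples.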

What's an admin to do?

The answer to this question is actually quite easy. There are two possible solutions. The first is to handle your updates manually. And why wouldn't you want to do this anyway? The security updates for your servers should be of the utmost concern, one that any Linux administrator should want to handle manually. Sure, you could create a cron job to run yum update, as that will update everything. However, I would still suggest running such a crucial command manually. Why? Because you see the results as they happen and can act accordingly (should something go awry or an update get missed). You can also decide whether or not you want to apply a given update. Finally, you'll know right away if a reboot is required after an update (and can plan accordingly).

Updating your servers isn't something you should take lightly, nor is it something you should hand over to a cron job or a plugin you're not certain about. And if you have too many Linux servers to update one at a time, you can always make use of a tool like Rundeck, which will let you run one command (or job) simultaneously on many machines.


The other solution? Use Red Hat Enterprise Linux. Why? Because that is the only way yum-plugin-security actually works (as the necessary metadata is available with a valid license). So it is possible to automate security updates with RHEL. But with CentOS, the base, updates, and extras repositories do not contain the necessary data to allow automatic security updates. In the end, it's either a valid RHEL license or manual updates with CentOS. Which you choose is up to you and your company budget.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.