By Jason Bell, QCIF eResearch Analyst at CQU.
As you will most likely be aware, security is a vital aspect of server deployments. But maintaining, updating and patching servers, virtual machines and “Nectar instances” can be a mundane and arduous task. It is very easy to forget, unless you set up some sort of reminder system.
This eResearch Tip provides instructions on how to set up automatic updates by deploying yum-cron or cron-apt (depending on the operating system you are running). Installing updates on a regular basis (hourly or daily) makes your server less likely to be compromised.
Before auto updates are configured, it is suggested that you:
- snapshot the Nectar instance (virtual machine) within the Nectar dashboard. Instructions on how to do this can be found at: https://support.ehelp.edu.au/support/solutions/articles/6000175790-snapshots.
- manually update the system. If your instance is running:
  - CentOS, Fedora or Scientific Linux, issue the following command to update the system:
    yum update
  - Debian or Ubuntu Linux, issue the following command to update the system:
    apt-get upgrade
Once you have installed all of the updates, check that everything is still working as expected. If not, you may need to roll back the updates or rebuild the instance using the “snapshot” taken before applying the updates.
The following provides instructions on how to set up automatic updates:
- If you are using a Debian or Ubuntu Linux system, it is suggested that you use the cron-apt package for configuring automatic updates. See https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo for instructions on how to do this.
- If you are running CentOS 7 on your Nectar instance (the steps should be similar for Fedora or Scientific Linux, as well as older versions of CentOS), then you can use the yum-cron package for configuring automatic updates. The following instructions provide the basic steps on how to implement this:
  - To install the yum-cron software, simply issue the command:
    sudo yum install yum-cron
  - You will then need to modify the configuration file so that updates are installed by default. Use your preferred editor; in this example vi will be used:
    sudo vi /etc/yum/yum-cron.conf
  - Make sure updates are applied when they are available by changing the value of apply_updates to yes:
    apply_updates = yes
  - You may wish to modify what type of update is performed by changing the value of “update_cmd”. You may select one of the following options:
    default = yum upgrade
    security = yum --security upgrade
    security-severity:Critical = yum --sec-severity=Critical upgrade
    minimal = yum --bugfix update-minimal
    minimal-security = yum --security update-minimal
    minimal-security-severity:Critical = yum --sec-severity=Critical update-minimal
  - The default is to update everything:
    update_cmd = default
  - Please note that because CentOS does not provide the security information within its repositories, the “security” arguments within yum will not work. To ensure the system is actually being updated on a regular basis, it is suggested to just use the “default” value for “update_cmd”. It should be noted that the security settings do work on RHEL systems, just not on CentOS (which is a derivative of RHEL).
  - This configuration file modifies the behaviour of the daily update service. If you wish, you can modify the /etc/yum/yum-cron-hourly.conf file so that the updates occur on an hourly basis.
  - Once the configuration file has been modified, we need to turn on and enable the service.
  - To enable the service (so that it starts if the system is ever restarted), issue the command:
    sudo systemctl enable yum-cron.service
  - To start the service, issue the command:
    sudo systemctl start yum-cron.service
  - To check that the service is running, you can run the command:
    sudo systemctl status yum-cron.service
  - You can see what packages were updated, and when, by looking at the /var/log/yum.log file.
  - If you have the package “yum-utils” installed, you may wish to check out the “needs-restarting” application, which will inform you if you need to reboot the system for some of the updates to come into effect. As an example:
$ needs-restarting -r
Core libraries or services have been updated:
systemd -> 219-57.el7
linux-firmware -> 20180220-62.2.git6d51311.el7_5
kernel -> 3.10.0-862.2.3.el7
kernel -> 3.10.0-693.21.1.el7
openssl-libs -> 1:1.0.2k-12.el7
kernel -> 3.10.0-862.3.2.el7
glibc -> 2.17-222.el7
dbus -> 1:1.10.24-7.el7
Reboot is required to ensure that your system benefits from these updates.
More information:
https://access.redhat.com/solutions/27943
  - At this stage it is debatable whether automatically rebooting a system after applying updates to packages that require a reboot is preferable or not. Therefore this document only suggests regularly checking whether you need to restart and then deciding whether to do so.
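As an added example (not part of the original tip, and not code from yum-cron or yum-utils), the POSIX shell script below checks the two yum-cron.conf settings discussed above (apply_updates must be yes, and update_cmd should be default on CentOS because the security variants silently install nothing there) and parses saved output of needs-restarting -r to report whether a reboot is pending and which core packages were updated. The function names, the two sample configuration files and the sample needs-restarting output are all constructed for this example; nothing here touches the real /etc/yum/yum-cron.conf.

```shell
#!/bin/sh
# Added example, not from the original tip: audit a yum-cron.conf for the
# settings the tip asks for, and parse saved "needs-restarting -r" output.
# Function names, sample files and paths below are constructed for this example.

# Print the effective value of KEY in a yum-cron.conf-style file (last
# assignment wins; surrounding whitespace stripped).
# Usage: conf_value FILE KEY
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Check that FILE will actually install updates on CentOS: apply_updates must
# be "yes", and update_cmd must not depend on security metadata that CentOS
# repositories do not carry. Prints findings; returns 0 when the file passes.
audit_yum_cron_conf() {
    file="$1"
    rc=0
    apply=$(conf_value "$file" apply_updates)
    cmd=$(conf_value "$file" update_cmd)
    if [ "$apply" != "yes" ]; then
        echo "FAIL: apply_updates is '${apply:-unset}', expected 'yes'"
        rc=1
    fi
    case "$cmd" in
        default)
            echo "OK: update_cmd = default" ;;
        security*|minimal-security*)
            echo "FAIL: update_cmd '$cmd' relies on --security/--sec-severity, which CentOS repositories do not support"
            rc=1 ;;
        *)
            echo "WARN: update_cmd is '${cmd:-unset}'; the tip recommends 'default'" ;;
    esac
    return "$rc"
}

# Returns 0 when saved "needs-restarting -r" output says a reboot is needed.
# (Parsing saved text lets this run on a machine without yum-utils installed.)
reboot_required() {
    grep -q '^Reboot is required' "$1"
}

# Print the distinct core packages listed as updated in saved
# "needs-restarting -r" output, one per line.
updated_core_packages() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\) -> .*/\1/p' "$1" | sort -u
}

# Constructed sample inputs so the script runs stand-alone (not real files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[commands]
# update type, see the options listed in /etc/yum/yum-cron.conf
update_cmd = default
download_updates = yes
apply_updates = yes
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
[commands]
update_cmd = security
download_updates = yes
apply_updates = no
EOF
cat > "$SAMPLE_DIR/needs-restarting.txt" <<'EOF'
Core libraries or services have been updated:
  systemd -> 219-57.el7
  kernel -> 3.10.0-862.2.3.el7
  kernel -> 3.10.0-693.21.1.el7
  glibc -> 2.17-222.el7

Reboot is required to ensure that your system benefits from these updates.

More information:
https://access.redhat.com/solutions/27943
EOF

# Stand-alone run: audit both sample configs, then report on the reboot check.
for f in good bad; do
    echo "== $SAMPLE_DIR/$f.conf"
    audit_yum_cron_conf "$SAMPLE_DIR/$f.conf" || echo "($f.conf needs attention)"
done
if reboot_required "$SAMPLE_DIR/needs-restarting.txt"; then
    echo "Reboot needed; core packages updated:"
    updated_core_packages "$SAMPLE_DIR/needs-restarting.txt"
fi
```

To use it against a real instance, point audit_yum_cron_conf at /etc/yum/yum-cron.conf (or /etc/yum/yum-cron-hourly.conf) and feed reboot_required the output of needs-restarting -r saved to a file; the audit deliberately treats the security-based update_cmd values as failures rather than warnings because on CentOS they leave the system unpatched while looking configured.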
Hopefully by following the above instructions, your Nectar instance is now being regularly updated and thus will be more secure!
For any queries, please contact Jason Bell: j.bell@cqu.edu.au.
This article was first published on 13/06/2018.