Security Updates and yum-cron

SPDTeam

Member
Dec 4, 2020
20
2
3
UK
cPanel Access Level
Root Administrator
Hi all

I'm after some advice on security updates (and updates in general).

I'm aware that WHM manages the majority of system and package updates for the server it's installed on. However, it does not monitor all packages. Our organisation has a policy that a security patch should be installed within 14 days of release, which means we need to keep on top of this requirement.

I've looked at using yum-cron to automate security patching. However, what is best practice for using yum-cron along with WHM? Should any packages be excluded?

Is there a better way to manage this?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,643
2,630
363
cPanel Access Level
Root Administrator
Hey there! If you check the /etc/cpupdate.conf file you should see something like this:

Code:
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
That's a pretty standard update file, and with the RPMUP value set to "daily" and the UPDATES value set to "daily" that will tell the system to perform a "yum update" as part of the nightly maintenance, which would handle all packages that have been installed through yum. If you aren't seeing that happening how you expect, it may be worth checking the /var/log/yum.log file to see if there are any errors related to those package updates.
 

rscalover

Well-Known Member
Dec 16, 2010
112
13
68
cPanel Access Level
Root Administrator
Hello,

I'm not a fan of yum-cron, and there is a good reason: any code running on servers that uses features removed in later versions, any configuration files that change syntax, or any new security features that prevent correct execution, all without you knowing until your phone starts to ring every 5 minutes... The update process requires a human; you cannot get around that.
 

SPDTeam

Member
Dec 4, 2020
20
2
3
UK
cPanel Access Level
Root Administrator
Hi all, thanks for your posts.

I'd already checked cpupdate.conf and it was set up correctly (although I was unaware of the "Enable Linux kernel update during nightly maintenance" option before now).

I've looked in the logs but cannot see anything in particular.

So, I'm a little stumped as to why certain updates, including security ones, have been missed.

For example, here are the outstanding updates on one server compared to another. For reference I've already patched the security packages.

Server 1:

GraphicsMagick.x86_64 1.3.36-1.el7 epel
epel-release.noarch 7-13 epel
hdf5.x86_64 1.8.12-11.el7 epel
kmod-libs.x86_64 20-28.el7 base
libargon2.x86_64 20161029-3.el7 epel
libc-client.x86_64 2007f-16.el7 epel
libsodium.x86_64 1.0.18-1.el7 epel

Server 2:

GraphicsMagick.x86_64 1.3.36-1.el7 epel
atop.x86_64 2.4.0-4.el7 epel
kmod-libs.x86_64 20-28.el7 base

The servers 'should' be set up in the same way, so unless the updates are only slightly out of sync, I'm at a loss as to why there is such a difference. Especially when it came to the security patches being so many versions behind.

I'd like to be sure that 'at least' security patches are consistently applied. Plus, ideally be sent emails when security patches are available.

If I rely on WHM to apply the patches/updates, is there any feature which will also send emails? Or do you recommend using yum-cron to send the messages, but not for the patching itself?
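One way to get the "notify only" behaviour asked about above, as an added example that is not part of this thread and not cPanel's or yum-cron's own code: yum-cron is configured to e-mail the list of pending security updates while leaving the actual "yum update" to WHM's nightly maintenance (RPMUP=daily), and a small helper compares "yum check-update" listings from two servers in the name.arch / version / repo format posted above. It assumes a CentOS 7 layout (/etc/yum/yum-cron.conf) and uses a placeholder ADMIN_MAIL address; the sample listings are constructed from the two lists in the thread with a typical yum header line added.

```shell
#!/bin/sh
# Added example for this thread (not cPanel's or yum-cron's own code).
# (1) A notify-only yum-cron.conf: yum-cron reports pending *security* updates
#     by e-mail but installs nothing, so WHM's nightly "yum update" stays the
#     single place where packages are actually changed.
# (2) A helper that diffs "yum check-update" captures from two servers.
# Assumptions: CentOS 7 paths; ADMIN_MAIL is a placeholder, not a real address.

export LC_ALL=C                                      # stable sort order for comm(1)
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.invalid}"    # placeholder recipient

# Print a yum-cron.conf that only reports. update_cmd=security limits the run
# to packages carrying a security advisory; apply_updates=no means nothing is
# installed; emit_via=email sends the report to ADMIN_MAIL.
yumcron_notify_only_conf() {
cat <<EOF
[commands]
update_cmd = security
update_messages = yes
download_updates = no
apply_updates = no
random_sleep = 360

[emitters]
system_name = None
emit_via = email
output_width = 80

[email]
email_from = root@localhost
email_to = ${ADMIN_MAIL}
email_host = localhost

[base]
debuglevel = -2
mdpolicy = group:main
# Mirror the kernel* exclusion WHM can add to /etc/yum.conf so the report matches.
exclude = kernel*
EOF
}

# Write the config to the given path (as root): yumcron_install /etc/yum/yum-cron.conf
yumcron_install() {
    yumcron_notify_only_conf > "$1" && chmod 0644 "$1"
}

# Keep only package lines (name.arch) from a "yum check-update" capture,
# dropping "Loaded plugins", "Obsoleting Packages" and other chatter.
package_names() {
    awk '$1 ~ /\.(x86_64|noarch|i686)$/ {print $1}' "$1" | sort -u
}

# Packages pending on the first server but not on the second.
pending_only_on_first() {
    a=$(mktemp); b=$(mktemp)
    package_names "$1" > "$a"
    package_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample input: the two listings from the thread plus a header line.
sample_server1() {
cat <<'EOF'
Loaded plugins: fastestmirror
GraphicsMagick.x86_64 1.3.36-1.el7 epel
epel-release.noarch 7-13 epel
hdf5.x86_64 1.8.12-11.el7 epel
kmod-libs.x86_64 20-28.el7 base
libargon2.x86_64 20161029-3.el7 epel
libc-client.x86_64 2007f-16.el7 epel
libsodium.x86_64 1.0.18-1.el7 epel
EOF
}
sample_server2() {
cat <<'EOF'
Loaded plugins: fastestmirror
GraphicsMagick.x86_64 1.3.36-1.el7 epel
atop.x86_64 2.4.0-4.el7 epel
kmod-libs.x86_64 20-28.el7 base
EOF
}

# On live hosts: run "yum check-update > /tmp/s1.txt" on each server, copy the
# files together, then: pending_only_on_first /tmp/s1.txt /tmp/s2.txt
```

With yum-cron left at apply_updates = no, the cron job is only an alerting channel; the drift between the two servers shows up as the output of pending_only_on_first, which for the listings above is exactly the five EPEL packages Server 1 had fallen behind on.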
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,643
2,630
363
cPanel Access Level
Root Administrator
If you have another system that is having this particular issue you may want to open a ticket with us to have us check the machine directly. However, since these are operating system packages that aren't controlled by cPanel, our support may be a bit limited, but we could at least check and make sure the updates are working well on the server in general.
 

SPDTeam

Member
Dec 4, 2020
20
2
3
UK
cPanel Access Level
Root Administrator
Hi cPRex

"Should" these packages be automatically updated via WHM? And if so, do they require the kernel option to be enabled to do so?

 

SPDTeam

Member
Dec 4, 2020
20
2
3
UK
cPanel Access Level
Root Administrator
Thanks for the reply.

For now, I've manually patched the outstanding updates. I'll continue to monitor the systems to see if it gets into the same situation. If so, then I'll open a support call.

I would expect them to be updated, yes. The kernel exclusion just adds the "kernel*" entry to the /etc/yum.conf file to exclude those updates if you wish, and wouldn't be related to the other packages on the system.