To ensure yum-cron is properly configured for automatic security updates on CentOS 7, follow these steps:
# Check if yum-cron is installed and running
sudo systemctl status yum-cron
# Verify the configuration file
cat /etc/yum/yum-cron.conf
Key settings to confirm in /etc/yum/yum-cron.conf:
update_cmd = security      (applies only security updates)
apply_updates = yes        (automatically installs updates)
emit_via = stdio,email     (outputs to both console and email)
To test if email notifications are working without waiting for actual updates:
# Create a test email
echo "Test email from yum-cron" | mail -s "yum-cron test" administrator@example.com
# Check mail logs for errors
sudo tail -n 50 /var/log/maillog
You can simulate an update check without actually applying changes:
# Manual dry run with the same parameters yum-cron uses
sudo yum --security check-update --downloadonly
For thorough testing, you can create a dummy package to simulate a security update:
# Create a test RPM (requires rpmdevtools; createrepo is needed for the local repo below)
sudo yum install -y rpmdevtools createrepo
rpmdev-setuptree
cd ~/rpmbuild/SPECS
cat > test-security-package.spec << 'EOF'
Name: test-security-package
Version: 1.0
Release: 1%{?dist}
Summary: Test package for yum-cron verification
License: GPL
URL: http://example.com
%description
This is a test package for verifying yum-cron security updates.
%install
mkdir -p %{buildroot}/usr/bin
touch %{buildroot}/usr/bin/test-security-cmd
%files
/usr/bin/test-security-cmd
%changelog
* Wed Jun 01 2022 Test User <test@example.com> - 1.0-1
- Initial package with security fix (TEST-2022-0001)
EOF
# Build and install the test package
rpmbuild -ba test-security-package.spec
sudo yum localinstall -y ~/rpmbuild/RPMS/x86_64/test-security-package-1.0-1.el7.x86_64.rpm
# Create an "update" version
sed -i 's/Version: 1.0/Version: 1.1/' test-security-package.spec
rpmbuild -ba test-security-package.spec
# Place the update in a local repo
mkdir -p /tmp/test-repo
cp ~/rpmbuild/RPMS/x86_64/test-security-package-1.1-1.el7.x86_64.rpm /tmp/test-repo
createrepo /tmp/test-repo
# Create a repo file (writing to /etc/yum.repos.d requires root)
sudo tee /etc/yum.repos.d/test.repo > /dev/null << 'EOF'
[test-repo]
name=Test Repo for Security Updates
baseurl=file:///tmp/test-repo
enabled=1
gpgcheck=0
EOF
# Now yum-cron should detect this as a security update
Check these log files to verify yum-cron is working:
# yum transaction log
tail -f /var/log/yum.log
# system logs for yum-cron
journalctl -u yum-cron -f
# mail logs for notifications
tail -f /var/log/maillog
For more control during testing, create a manual cron job that mimics yum-cron:
# Create a test script (writing to /usr/local/bin requires root)
sudo tee /usr/local/bin/yum-security-test.sh > /dev/null << 'EOF'
#!/bin/bash
LOG_FILE="/var/log/yum-security-test.log"
{
echo "=== $(date) ==="
yum --security check-update
yum --security update --downloadonly
} >> "$LOG_FILE" 2>&1
EOF
sudo chmod +x /usr/local/bin/yum-security-test.sh
# Add to root's crontab (runs daily at 4am; yum needs root)
(sudo crontab -l 2>/dev/null; echo "0 4 * * * /usr/local/bin/yum-security-test.sh") | sudo crontab -
Let's first examine your /etc/yum/yum-cron.conf file configuration. The critical settings for security updates are:
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
This configuration tells yum-cron to:
- Only apply security-related updates (update_cmd = security)
- Download and install them automatically (download_updates and apply_updates)
- Generate update messages (update_messages = yes)
To verify email notifications are working, you can manually trigger a test email:
echo "Test message from yum-cron" | mail -s "yum-cron test" administrator@example.com
If you don't receive this test email, check:
- Your mail server configuration on localhost
- Spam filters that might be blocking the emails
- SMTP server availability if not using localhost
You can simulate what yum-cron would do without actually applying changes:
yum --security check-update --assumeno
This will show what security updates are available but won't install them. Compare this with a run of yum-cron itself. yum-cron takes the config file path as its only (optional) argument and will install updates if that file has apply_updates = yes, so for a check-only comparison point it at a copy of the config with apply_updates = no:
sudo yum-cron /etc/yum/yum-cron.conf
Check these log files for yum-cron activity:
grep yum-cron /var/log/cron
tail -n 50 /var/log/yum.log
journalctl -u yum-cron
You should see entries like:
Mar 15 04:02:01 server yum-cron[1234]: check-update completed: 0 security notices
To properly test the full workflow, you can:
- Create a dummy package with a security vulnerability
- Set up a local yum repository
- Configure yum-cron to check this test repository
Example test package creation:
mkdir -p /tmp/testrepo/Packages
fpm -s empty -t rpm -n testpkg --version 1.0 --iteration 1 -p /tmp/testrepo/Packages/
createrepo /tmp/testrepo
Then create a test repo file at /etc/yum.repos.d/test.repo:
[test]
name=Test Repo
baseurl=file:///tmp/testrepo
enabled=1
gpgcheck=0
Update the package version to trigger an update:
fpm -s empty -t rpm -n testpkg --version 1.1 --iteration 1 -p /tmp/testrepo/Packages/
createrepo --update /tmp/testrepo
Now yum-cron should detect this as an available update on its next run.
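A repository built with plain createrepo carries no updateinfo metadata, so yum's --security filter (and yum-cron with update_cmd = security) will not classify the 1.1 build as a security update; it is offered only as a regular update. The following shell script is an added example, not code from the page or from the yum-cron project: it generates a minimal updateinfo.xml advisory for the test package and merges it into the repo with modifyrepo, and it serves both the rpmbuild walkthrough above (test-security-package) and the fpm variant here (pass the name/version/release/arch shown by rpm -qp for testpkg). It assumes modifyrepo from the createrepo package is installed; the advisory ID TEST-2022-0001 is the constructed value from the spec %changelog, and the sender address and collection name are constructed too.

```shell
#!/bin/sh
# Added example: attach a security advisory to the local test repo so that
# yum --security (and yum-cron with update_cmd = security) treats the newer
# build as a security update. Assumes modifyrepo (createrepo package).

# gen_updateinfo NAME VERSION RELEASE ARCH ADVISORY_ID
# Prints an updateinfo.xml document for one package to stdout.
gen_updateinfo() {
    name=$1; ver=$2; rel=$3; arch=$4; adv=$5
    stamp=$(date -u +'%Y-%m-%d %H:%M:%S')
    # type="security" is what yum's --security filter keys on
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="security@example.com" status="stable" type="security" version="1">
    <id>${adv}</id>
    <title>${name} security update</title>
    <issued date="${stamp}"/>
    <updated date="${stamp}"/>
    <severity>Moderate</severity>
    <description>Constructed test advisory ${adv} for verifying yum-cron.</description>
    <pkglist>
      <collection short="test-repo">
        <name>Test Repo for Security Updates</name>
        <package arch="${arch}" name="${name}" release="${rel}" version="${ver}">
          <filename>${name}-${ver}-${rel}.${arch}.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
EOF
}

# attach_updateinfo REPO_DIR NAME VERSION RELEASE ARCH ADVISORY_ID
# Writes the advisory next to the repo and merges it into REPO_DIR/repodata.
attach_updateinfo() {
    repo=$1; shift
    gen_updateinfo "$@" > "${repo}/updateinfo.xml"
    modifyrepo --mdtype=updateinfo "${repo}/updateinfo.xml" "${repo}/repodata"
}

# Only touches a repo when all six arguments are given, e.g.:
#   sudo sh updateinfo.sh /tmp/test-repo test-security-package 1.1 1.el7 x86_64 TEST-2022-0001
# Then verify with: yum clean all && yum updateinfo list security
if [ "$#" -eq 6 ]; then
    attach_updateinfo "$@"
fi
```

The 1.0 build must already be installed, otherwise the 1.1 package is not an update and neither yum --security check-update nor yum-cron will offer it.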
To ensure everything works end-to-end:
- Manually run yum-cron:
sudo yum-cron /etc/yum/yum-cron.conf
- Check for the test package update:
rpm -q testpkg
- Verify the email notification was sent
- Check logs for the update activity
Once confirmed, disable the test repository:
sudo sed -i 's/enabled=1/enabled=0/' /etc/yum.repos.d/test.repo
sudo yum clean all