Automating Security Updates and Vulnerability Checks on CentOS/Scientific Linux: Tools and Scripts


Managing security updates on RedHat-based systems like CentOS and Scientific Linux presents unique challenges compared to other distributions. FreeBSD offers portaudit, and RHEL provides yum-plugin-security, which filters updates by reading the errata metadata (updateinfo.xml) that Red Hat publishes alongside its repositories. The plugin itself installs fine on CentOS/SL (and is built into yum on version 7), but the rebuild repositories do not publish that metadata, so `yum --security` has nothing to match against: an empty result means "no errata data", not "fully patched".

On Scientific Linux the default /etc/cron.daily/yum-autoupdate script handles general updates but has no security-specific filtering. Check what it actually runs:

cat /etc/cron.daily/yum-autoupdate
# Typical output shows a plain "yum update" invocation with no security filter

For automated vulnerability checking, consider these approaches:

1. yum-plugin-security Alternative

The plugin's commands are available (install yum-plugin-security on CentOS 6; on 7 they are part of yum itself), but they only return results for repositories that ship updateinfo metadata. Run them to see what your configured repositories actually provide; an empty listing from the base and updates repos means missing errata data, not a clean system:

yum updateinfo list security all
yum updateinfo list cves
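
Before trusting any of the `--security` commands, confirm that each repository actually publishes updateinfo metadata. The following script is an added example, not code from the original page: it inspects repodata/repomd.xml, which lists every metadata type a repository offers, and reports whether an updateinfo entry is present. The two XML samples are constructed to show the two cases; `check_repo` fetches a live repomd.xml for whatever base URL you pass it (a hypothetical argument, since mirrorlist-based repos resolve to different hosts).

```shell
#!/bin/sh
# Added example (not from the original page): check whether a yum repository
# publishes updateinfo (errata) metadata. yum --security, yum updateinfo and
# update-minimal all match against the <data type="updateinfo"> entry in
# repodata/repomd.xml; when it is absent, every security filter silently
# matches nothing, which looks identical to "fully patched".

# has_updateinfo XML: succeed (exit 0) if the repomd.xml text in $1 declares
# an updateinfo data element.
has_updateinfo() {
    printf '%s\n' "$1" | grep -q '<data type="updateinfo">'
}

# repomd_types XML: print the metadata types a repomd.xml declares, one per line.
repomd_types() {
    printf '%s\n' "$1" | sed -n 's/.*<data type="\([^"]*\)">.*/\1/p'
}

# report LABEL XML: one-line verdict for an in-memory repomd.xml.
report() {
    if has_updateinfo "$2"; then
        echo "$1: updateinfo present; --security filters are meaningful"
    else
        echo "$1: no updateinfo (declares: $(repomd_types "$2" | tr '\n' ' '))"
    fi
}

# check_repo BASEURL: fetch the live repomd.xml for a repository base URL
# (hypothetical argument; use what your .repo file's baseurl or mirrorlist
# resolves to) and report on it. Needs network access; not run by the demo.
check_repo() {
    baseurl="$1"
    xml=$(curl -fsS "${baseurl%/}/repodata/repomd.xml") || return 2
    report "$baseurl" "$xml"
    has_updateinfo "$xml"
}

# Constructed sample: the shape of repomd.xml from a repository that carries
# no errata data (the usual situation for CentOS base/updates).
SAMPLE_NO_UPDATEINFO='<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/other.xml.gz"/></data>
</repomd>'

# Constructed sample: the same file from a repository that does ship errata.
SAMPLE_WITH_UPDATEINFO='<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>'

# Exercise the check on the embedded samples (no network needed).
report "sample without errata" "$SAMPLE_NO_UPDATEINFO"
report "sample with errata" "$SAMPLE_WITH_UPDATEINFO"
```

Run it once against each repository in /etc/yum.repos.d; a base or updates repo that only declares primary, filelists and other is one where `yum check-update --security` will never report anything, and the advisory-list or changelog methods below are the only options.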

2. Custom Security Update Script

Create a cron job that checks for security updates and sends notifications. Use the exit status of yum check-update rather than counting output lines: the count would also include yum's "Loaded plugins" header and wrapped package names, while the exit status is unambiguous (0 = nothing to do, 100 = updates available, anything else = error):

#!/bin/bash
# -q suppresses the plugin banner so the mail body is just the package list
OUT=$(yum -q check-update --security 2>&1); RC=$?
if [ "$RC" -eq 100 ]; then
    echo "$OUT" | mail -s "Security updates available on $(hostname)" admin@example.com
elif [ "$RC" -ne 0 ]; then
    # A failed check is worth knowing about too, otherwise silence looks like "patched"
    echo "$OUT" | mail -s "Security update check FAILED on $(hostname)" admin@example.com
fi

3. Minimal Security Updates

update-minimal upgrades each affected package only to the lowest version that closes the advisory instead of jumping to the newest build, which keeps the change set small. It relies on the same updateinfo metadata, so on repositories without it the command is a no-op:

yum --security update-minimal

Consider these additional tools:

  • Vuls: open-source, agentless vulnerability scanner that matches installed package versions against external vulnerability databases rather than repository errata
  • OpenSCAP: SCAP/OVAL scanner, mainly used for configuration-compliance checks
  • Spacewalk: systems management server that can schedule errata once they have been imported

Here's a complete script for automated security checks:

#!/bin/bash
# Security update checker for CentOS/Scientific Linux

LOG_FILE="/var/log/security_updates.log"
RECIPIENT="admin@example.com"

# Check for security updates. Capture the exit status immediately: $? is
# overwritten by the first [[ ]] test, so the original elif branch compared
# the result of that test, not yum's status.
UPDATES=$(yum -q check-update --security 2>&1)
RC=$?

if [[ $RC -eq 100 ]]; then
    echo "$(date) - Security updates available:" >> "$LOG_FILE"
    echo "$UPDATES" >> "$LOG_FILE"
    echo "$UPDATES" | mail -s "Security Updates Available on $(hostname)" "$RECIPIENT"
elif [[ $RC -eq 0 ]]; then
    echo "$(date) - No security updates available" >> "$LOG_FILE"
else
    echo "$(date) - Error checking for updates (yum exit $RC): $UPDATES" >> "$LOG_FILE"
fi

Add this to root's crontab for daily checks (yum needs root; keep the script owned by root and not world-writable, since whatever can edit it runs as root):

0 3 * * * /path/to/security_check.sh

Automate monitoring of security advisories. The archive's top-level index only lists months, so grepping it for severities finds nothing; the subject lines live in each month's subject.html (pipermail layout, e.g. .../2016-March/subject.html). CESA subjects have the form "CESA-YYYY:NNNN Severity summary":

#!/bin/bash
# Monitor CentOS security advisories (CESA-*) announced this month
MONTH=$(date +%Y-%B)
TMP=$(mktemp)
wget -q -O - "https://lists.centos.org/pipermail/centos-announce/${MONTH}/subject.html" | \
grep -oE 'CESA-[0-9]{4}:[0-9]+ (Critical|Important|Moderate|Low) [^<]*' | sort -u > "$TMP"
# Only send mail when something was found; an empty body would just be noise
if [ -s "$TMP" ]; then
    mail -s "Latest Security Advisories" admin@example.com < "$TMP"
fi
rm -f "$TMP"
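
A daily mail of the whole month's advisories repeats itself and cannot be filtered by severity. The script below is an added example, not code from the original page: it parses announcement subject lines into advisory id, severity and summary, keeps a state file of ids already reported, and prints only new advisories at or above a chosen severity. The subject lines and advisory numbers are constructed for the demo, and `fetch_subjects` encodes an assumption about the pipermail URL layout and markup that should be verified against the live archive.

```shell
#!/bin/sh
# Added example (not from the original page): turn centos-announce subject
# lines into a de-duplicated, severity-filtered alert. CESA subjects have the
# form "CESA-YYYY:NNNN <Severity> <summary>" (Critical/Important/Moderate/Low);
# the sample lines and advisory numbers below are constructed, not real errata.

# severity_rank NAME: numeric rank so severities can be compared (unknown = 0).
severity_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;
    esac
}

# parse_subjects: read raw subject lines on stdin, print "ID SEVERITY SUMMARY"
# for each CESA line; bugfix (CEBA) and enhancement (CEEA) lines are dropped.
parse_subjects() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i ~ /^CESA-[0-9][0-9][0-9][0-9]:[0-9]+$/) {
                sev = $(i + 1)
                if (sev == "Critical" || sev == "Important" || sev == "Moderate" || sev == "Low") {
                    summary = ""
                    for (j = i + 2; j <= NF; j++) summary = summary (j > i + 2 ? " " : "") $j
                    print $i, sev, summary
                }
                break
            }
        }
    }'
}

# new_advisories MIN_SEVERITY STATEFILE: read parsed lines on stdin, print the
# ones at or above MIN_SEVERITY that are not yet recorded in STATEFILE, and
# record them so the next run stays quiet about the same advisories.
new_advisories() {
    min=$(severity_rank "$1")
    state="$2"
    touch "$state"
    while read -r id sev summary; do
        [ "$(severity_rank "$sev")" -ge "$min" ] || continue
        if ! grep -qx "$id" "$state"; then
            echo "$id $sev $summary"
            echo "$id" >> "$state"
        fi
    done
}

# fetch_subjects: pull this month's subject index from the pipermail archive
# and reduce it to plain subject lines. The URL layout (YYYY-Month/subject.html)
# and the <A HREF=...> markup are assumptions about pipermail; adjust if the
# archive differs. Needs network access, so the demo below does not call it.
fetch_subjects() {
    curl -fsS "https://lists.centos.org/pipermail/centos-announce/$(date +%Y-%B)/subject.html" |
        sed -n 's/.*<A HREF="[0-9]*\.html">\(.*\)<\/A>.*/\1/p'
}

# Constructed sample subjects, including a duplicate and a non-security line.
SAMPLE_SUBJECTS='[CentOS-announce] CESA-2016:9901 Important CentOS 7 kernel Security Update
[CentOS-announce] CESA-2016:9902 Moderate CentOS 7 openssh Security Update
[CentOS-announce] CEBA-2016:9903 CentOS 7 sudo BugFix Update
[CentOS-announce] CESA-2016:9901 Important CentOS 7 kernel Security Update
[CentOS-announce] CESA-2016:9904 Low CentOS 6 bind Security Update'

# Demo run: report Moderate and above once, using a throwaway state file.
# In production keep the state file under /var/lib (root-owned) and pipe the
# output to mail only when it is non-empty.
STATE=$(mktemp)
printf '%s\n' "$SAMPLE_SUBJECTS" | parse_subjects | new_advisories Moderate "$STATE"
rm -f "$STATE"
```

A cron entry would replace the sample with `fetch_subjects | parse_subjects | new_advisories Important /var/lib/cesa-seen`, so each advisory is mailed exactly once and Low/Moderate noise is dropped.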

The root of these difficulties is the same everywhere: RHEL publishes errata metadata (updateinfo.xml) that yum-plugin-security reads, while the downstream rebuilds do not carry it in their repositories (CentOS notably does not), so the security filter has nothing to work with. Administrators maintaining these systems are left with a few options:

  • Basic YUM Cron Jobs: the default /etc/cron.daily/yum-autoupdate on Scientific Linux handles general updates but lacks security-specific filtering
  • Manual Monitoring: tracking mailing lists for security announcements (tedious and not scalable)
  • Third-party Solutions: some community-developed tools attempt to fill this gap

Here are the most effective methods I've found for automating security monitoring:

# Method 1: Using yum-plugin-changelog for basic security scanning
yum install yum-plugin-changelog
yum changelog all | grep -iE 'CVE-[0-9]{4}-[0-9]+|security|vulnerability'

For more robust monitoring, consider this Python script that checks for available security updates:

#!/usr/bin/env python
# Check for security updates by running yum and interpreting its exit status:
# 0 = nothing to do, 100 = updates available, anything else = error.
import subprocess


def check_security_updates():
    # -q drops the "Loaded plugins" banner so stdout is only the package list
    cmd = ['yum', '-q', '--security', 'check-update']
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = process.communicate()

    if process.returncode == 100:
        return "Security updates available!\n" + stdout.decode('utf-8')
    elif process.returncode == 0:
        # Also what you get when the repos ship no updateinfo metadata at all
        return "No security updates available"
    else:
        return "Error checking updates: " + stderr.decode('utf-8')


if __name__ == '__main__':
    print(check_security_updates())

For systems where automatic security updates are acceptable, this cron job provides a balanced approach:

#!/bin/sh
# /etc/cron.weekly/security-update (must be executable; the shebang has to be
# the first line or run-parts will not execute it as a script)
yum -y --security update-minimal
RC=$?
# Capture the status before logging: "cmd && logger $?" always logged 0,
# because $? inside the && branch is the status of the successful yum run.
logger -t security-update "yum --security update-minimal exited with status $RC"
exit $RC

The Open Vulnerability and Assessment Language (OVAL) provides another approach, with a caveat: the scap-security-guide content shipped for CentOS is a configuration-hardening profile, not a list of unpatched CVEs, and Red Hat's CVE OVAL feed tests for the redhat-release package, so its definitions do not match on CentOS. Use this for compliance checks, and write the report somewhere private rather than into the web root, where it would publish the host's weak points:

# Install openscap scanner and the SSG content
yum install openscap-scanner scap-security-guide

# Run a basic configuration scan; keep the HTML report out of /var/www
oscap oval eval --results /var/log/oval-results.xml \
--report /root/oval-report.html \
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

For larger deployments, consider these centralized solutions:

  • Spacewalk (upstream of Red Hat Satellite 5; CentOS errata have to be imported from a third-party feed, since the repositories carry none)
  • Foreman with Katello plugin
  • Ansible playbooks with security update roles

Remember that automated security updates require careful planning:

  • Always test updates in staging environments first
  • Maintain proper rollback procedures (snapshots or VM backups)
  • Monitor for false positives in security alerts, and treat an empty --security result as "no metadata" until the repository is confirmed to ship updateinfo
  • Keep every cron script root-owned and not world-writable, since cron runs it as root