如何在 CentOS 或 RHEL 系统上检查可用的安全更新?

当你更新系统时,根据你所在公司的安全策略,有时候可能只需要打上与安全相关的补丁。

如何在 CentOS 或 RHEL 系统上检查可用的安全更新?

当你更新系统时,根据你所在公司的安全策略,有时候可能只需要打上与安全相关的补丁。大多数情况下,这应该是出于程序兼容性方面的考量。那该怎样实践呢?有没有办法让 yum 只安装安全补丁呢?

答案是肯定的,可以用 yum 包管理器轻松实现。

在这篇文章中,我们不但会提供所需的信息。而且,我们会介绍一些额外的命令,可以帮你获取指定安全更新的详实信息。

希望这样可以启发你去了解并修复你列表上的那些漏洞。一旦有安全漏洞被公布,就必须更新受影响的软件,这样可以降低系统中的安全风险。

对于 RHEL 或 CentOS 6 系统,运行下面的 Yum 命令 来安装 yum 安全插件。

“`

yum -y install yum-plugin-security

“`

在 RHEL 7&8 或是 CentOS 7&8 上面,这个插件已经是 yum 的一部分了,不用单独安装。

要列出全部可用的补丁(包括安全、Bug 修复以及产品改进),但不安装它们:

“`

yum updateinfo list available

Loaded plugins: changelog, packageupload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7
0.x8664
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86
64
RHBA-2015:0626 bugfix 389-ds-base-1.3.3.1-15.el71.x8664
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el71.x8664
RHBA-2015:1554 bugfix 389-ds-base-1.3.3.1-20.el71.x8664
RHBA-2015:1960 bugfix 389-ds-base-1.3.3.1-23.el71.x8664
RHBA-2015:2351 bugfix 389-ds-base-1.3.4.0-19.el7.x8664
RHBA-2015:2572 bugfix 389-ds-base-1.3.4.0-21.el7
2.x8664
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7
2.x8664
RHBA-2016:0550 bugfix 389-ds-base-1.3.4.0-29.el7
2.x8664
RHBA-2016:1048 bugfix 389-ds-base-1.3.4.0-30.el7
2.x8664
RHBA-2016:1298 bugfix 389-ds-base-1.3.4.0-32.el7
2.x86_64
“`

要统计补丁的大约数量,运行下面的命令:

“`

yum updateinfo list available | wc -l

11269
“`

想列出全部可用的安全补丁但不安装,以下命令用来展示你系统里已安装和待安装的推荐补丁:

“`

yum updateinfo list security all

Loaded plugins: changelog, packageupload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7
0.x8664
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86
64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el71.x8664
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el72.x8664
RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x8664
RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7
3.x8664
RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7
4.x8664
RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7
4.x8664
RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7
4.x8664
RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7
5.x8664
RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7
5.x8664
RHSA-2018:3127 Moderate/Sec. 389-ds-base-1.3.8.4-15.el7.x86
64
RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el70.x8664
“`

要显示所有待安装的安全补丁:

“`

yum updateinfo list security all | grep -v “i”

RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el70.x8664
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x8664
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7
1.x8664
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7
2.x8664
RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86
64
RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el73.x8664
RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el74.x8664
RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el74.x8664
RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el74.x8664
RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el75.x8664
RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el75.x8664
“`

要统计全部安全补丁的大致数量,运行下面的命令:

“`

yum updateinfo list security all | wc -l

3522
“`

下面根据已装软件列出可更新的安全补丁。这包括 bugzilla(bug 修复)、CVE(知名漏洞数据库)、安全更新等:

“`

yum updateinfo list security

或者

yum updateinfo list sec

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock

RHSA-2018:3665 Important/Sec. NetworkManager-1:1.12.0-8.el76.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el76.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el76.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el76.noarch
RHSA-2018:3665 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-team-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-tui-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-wifi-1:1.12.0-8.el7
6.x8664
RHSA-2018:3665 Important/Sec. NetworkManager-wwan-1:1.12.0-8.el7
6.x86_64
“`

显示所有与安全相关的更新,并且返回一个结果来告诉你是否有可用的补丁:

“`

yum –security check-update

Loaded plugins: changelog, packageupload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms | 2.0 kB 00:00:00
–> policycoreutils-devel-2.2.5-20.el7.x86
64 from rhel-7-server-rpms excluded (updateinfo)
–> smc-raghumalayalam-fonts-6.0-7.el7.noarch from rhel-7-server-rpms excluded (updateinfo)
–> amanda-server-3.3.3-17.el7.x8664 from rhel-7-server-rpms excluded (updateinfo)
–> 389-ds-base-libs-1.3.4.0-26.el7
2.x8664 from rhel-7-server-rpms excluded (updateinfo)
–> 1:cups-devel-1.6.3-26.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
–> openwsman-client-2.6.3-3.git4391e5c.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
–> 1:emacs-24.3-18.el7.x86
64 from rhel-7-server-rpms excluded (updateinfo)
–> augeas-libs-1.4.0-2.el74.2.i686 from rhel-7-server-rpms excluded (updateinfo)
–> samba-winbind-modules-4.2.3-10.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
–> tftp-5.2-11.el7.x86
64 from rhel-7-server-rpms excluded (updateinfo)
.
.
35 package(s) needed for security, out of 115 available
NetworkManager.x8664 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-adsl.x8664 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-bluetooth.x8664 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-config-server.noarch 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-glib.x86
64 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-libnm.x86
64 1:1.12.0-10.el76 rhel-7-server-rpms
NetworkManager-ppp.x86
64 1:1.12.0-10.el7_6 rhel-7-server-rpms
“`

列出所有可用的安全补丁,并且显示其详细信息:

“`

yum info-sec

.

.

tzdata bug fix and enhancement update

Update ID : RHBA-2019:0689
Release : 0
Type : bugfix
Status : final
Issued : 2019-03-28 19:27:44 UTC
Description : The tzdata packages contain data files with rules for various
: time zones.
:
: The tzdata packages have been updated to version
: 2019a, which addresses recent time zone changes.
: Notably:
:
: * The Asia/Hebron and Asia/Gaza zones will start
: DST on 2019-03-30, rather than 2019-03-23 as
: previously predicted.
: * Metlakatla rejoined Alaska time on 2019-01-20,
: ending its observances of Pacific standard time.
:
: (BZ#1692616, BZ#1692615, BZ#1692816)
:
: Users of tzdata are advised to upgrade to these
: updated packages.
Severity : None
“`

如果你想要知道某个更新的具体内容,可以运行下面这个命令:

“`

yum updateinfo RHSA-2019:0163

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock

rhel-7-server-rpms | 2.0 kB 00:00:00

Important: kernel security, bug fix, and enhancement update

Update ID : RHSA-2019:0163
Release : 0
Type : security
Status : final
Issued : 2019-01-29 15:21:23 UTC
Updated : 2019-01-29 15:23:47 UTC Bugs : 1641548 – CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
: 1641878 – CVE-2018-18559 kernel: Use-after-free due to race condition in AFPACKET implementation
CVEs : CVE-2018-18397
: CVE-2018-18559
Description : The kernel packages contain the Linux kernel, the core of any
: Linux operating system.
:
: Security Fix(es):
:
: * kernel: Use-after-free due to race condition in
: AF
PACKET implementation (CVE-2018-18559)
:
: * kernel: userfaultfd bypasses tmpfs file
: permissions (CVE-2018-18397)
:
: For more details about the security issue(s),
: including the impact, a CVSS score, and other
: related information, refer to the CVE page(s)
: listed in the References section.
:
: Bug Fix(es):
:
: These updated kernel packages include also
: numerous bug fixes and enhancements. Space
: precludes documenting all of the bug fixes in this
: advisory. See the descriptions in the related
: Knowledge Article:
: https://access.redhat.com/articles/3827321
Severity : Important
updateinfo info done
“`

跟之前类似,你可以只查询那些通过 CVE 释出的系统漏洞:

“`

yum updateinfo list cves

Loaded plugins: changelog, packageupload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
CVE-2018-15688 Important/Sec. NetworkManager-1:1.12.0-8.el7
6.x8664
CVE-2018-15688 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7
6.x8664
CVE-2018-15688 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7
6.x8664
CVE-2018-15688 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7
6.noarch
CVE-2018-15688 Important/Sec. NetworkManager-glib-1:1.12.0-8.el76.x8664
CVE-2018-15688 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el76.x8664
CVE-2018-15688 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el76.x8664
CVE-2018-15688 Important/Sec. NetworkManager-team-1:1.12.0-8.el76.x8664
“`

你也可以查看那些跟 bug 修复相关的更新,运行下面的命令:

“`

yum updateinfo list bugfix | less

Loaded plugins: changelog, packageupload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHBA-2018:3349 bugfix NetworkManager-1:1.12.0-7.el7
6.x8664
RHBA-2019:0519 bugfix NetworkManager-1:1.12.0-10.el7
6.x8664
RHBA-2018:3349 bugfix NetworkManager-adsl-1:1.12.0-7.el7
6.x8664
RHBA-2019:0519 bugfix NetworkManager-adsl-1:1.12.0-10.el7
6.x8664
RHBA-2018:3349 bugfix NetworkManager-bluetooth-1:1.12.0-7.el7
6.x8664
RHBA-2019:0519 bugfix NetworkManager-bluetooth-1:1.12.0-10.el7
6.x8664
RHBA-2018:3349 bugfix NetworkManager-config-server-1:1.12.0-7.el7
6.noarch
RHBA-2019:0519 bugfix NetworkManager-config-server-1:1.12.0-10.el7_6.noarch
“`

要想得到待安装更新的摘要信息,运行这个:

“`

yum updateinfo summary

Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms | 2.0 kB 00:00:00
Updates Information Summary: updates
13 Security notice(s)
9 Important Security notice(s)
3 Moderate Security notice(s)
1 Low Security notice(s)
35 Bugfix notice(s)
1 Enhancement notice(s)
updateinfo summary done
“`

如果只想打印出低级别的安全更新,运行下面这个命令。类似的,你也可以只查询重要级别和中等级别的安全更新。

“`

yum updateinfo list sec | grep -i “Low”

RHSA-2019:0201 Low/Sec. libgudev1-219-62.el76.3.x8664
RHSA-2019:0201 Low/Sec. systemd-219-62.el76.3.x8664
RHSA-2019:0201 Low/Sec. systemd-libs-219-62.el76.3.x8664
RHSA-2019:0201 Low/Sec. systemd-sysv-219-62.el76.3.x8664
“`


via: https://www.2daygeek.com/check-list-view-find-available-security-updates-on-redhat-rhel-centos-system/

作者:Magesh Maruthamuthu 选题:lujun9972 译者:jdh8383 校对:wxy

本文由 LCTT 原创编译,Linux中国 荣誉推出

主题测试文章,只做测试使用。发布者:eason,转转请注明出处:https://aicodev.cn/2019/06/05/%e5%a6%82%e4%bd%95%e5%9c%a8-centos-%e6%88%96-rhel-%e7%b3%bb%e7%bb%9f%e4%b8%8a%e6%a3%80%e6%9f%a5%e5%8f%af%e7%94%a8%e7%9a%84%e5%ae%89%e5%85%a8%e6%9b%b4%e6%96%b0%ef%bc%9f/

Like (0)
eason的头像eason
Previous 2019年6月4日
Next 2019年6月5日

相关推荐

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

联系我们

400-800-8888

在线咨询: QQ交谈

邮件:admin@example.com

工作时间:周一至周五,9:30-18:30,节假日休息

关注微信