如何在 CentOS 或 RHEL 系统上检查可用的安全更新? | Linux 中国

当你更新系统时,根据你所在公司的安全策略,有时候可能只需要打上与安全相关的补丁。

— Magesh Maruthamuthu

当你更新系统时,根据你所在公司的安全策略,有时候可能只需要打上与安全相关的补丁。大多数情况下,这应该是出于程序兼容性方面的考量。那该怎样实践呢?有没有办法让 yum 只安装安全补丁呢?

答案是肯定的,可以用 yum 包管理器轻松实现。

在这篇文章中,我们不但会提供所需的信息。而且,我们会介绍一些额外的命令,可以帮你获取指定安全更新的详实信息。

希望这样可以启发你去了解并修复你列表上的那些漏洞。一旦有安全漏洞被公布,就必须更新受影响的软件,这样可以降低系统中的安全风险。

对于 RHEL 或 CentOS 6 系统,运行下面的 Yum 命令 来安装 yum 安全插件。

  1. #yum-y install yum-plugin-security

在 RHEL 7&8 或是 CentOS 7&8 上面,这个插件已经是 yum 的一部分了,不用单独安装。

要列出全部可用的补丁(包括安全、Bug 修复以及产品改进),但不安装它们:

  1. #yum updateinfo list available
  2. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
  3. : subscription-manager, verify, versionlock
  4. RHSA-2014:1031Important/Sec.389-ds-base-1.3.1.6-26.el7_0.x86_64
  5. RHSA-2015:0416Important/Sec.389-ds-base-1.3.3.1-13.el7.x86_64
  6. RHBA-2015:0626 bugfix 389-ds-base-1.3.3.1-15.el7_1.x86_64
  7. RHSA-2015:0895Important/Sec.389-ds-base-1.3.3.1-16.el7_1.x86_64
  8. RHBA-2015:1554 bugfix 389-ds-base-1.3.3.1-20.el7_1.x86_64
  9. RHBA-2015:1960 bugfix 389-ds-base-1.3.3.1-23.el7_1.x86_64
  10. RHBA-2015:2351 bugfix 389-ds-base-1.3.4.0-19.el7.x86_64
  11. RHBA-2015:2572 bugfix 389-ds-base-1.3.4.0-21.el7_2.x86_64
  12. RHSA-2016:0204Important/Sec.389-ds-base-1.3.4.0-26.el7_2.x86_64
  13. RHBA-2016:0550 bugfix 389-ds-base-1.3.4.0-29.el7_2.x86_64
  14. RHBA-2016:1048 bugfix 389-ds-base-1.3.4.0-30.el7_2.x86_64
  15. RHBA-2016:1298 bugfix 389-ds-base-1.3.4.0-32.el7_2.x86_64

要统计补丁的大约数量,运行下面的命令:

  1. #yum updateinfo list available |wc-l
  2. 11269

想列出全部可用的安全补丁但不安装,以下命令用来展示你系统里已安装和待安装的推荐补丁:

  1. #yum updateinfo list security all
  2. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
  3. : subscription-manager, verify, versionlock
  4. RHSA-2014:1031Important/Sec.389-ds-base-1.3.1.6-26.el7_0.x86_64
  5. RHSA-2015:0416Important/Sec.389-ds-base-1.3.3.1-13.el7.x86_64
  6. RHSA-2015:0895Important/Sec.389-ds-base-1.3.3.1-16.el7_1.x86_64
  7. RHSA-2016:0204Important/Sec.389-ds-base-1.3.4.0-26.el7_2.x86_64
  8. RHSA-2016:2594Moderate/Sec.389-ds-base-1.3.5.10-11.el7.x86_64
  9. RHSA-2017:0920Important/Sec.389-ds-base-1.3.5.10-20.el7_3.x86_64
  10. RHSA-2017:2569Moderate/Sec.389-ds-base-1.3.6.1-19.el7_4.x86_64
  11. RHSA-2018:0163Important/Sec.389-ds-base-1.3.6.1-26.el7_4.x86_64
  12. RHSA-2018:0414Important/Sec.389-ds-base-1.3.6.1-28.el7_4.x86_64
  13. RHSA-2018:1380Important/Sec.389-ds-base-1.3.7.5-21.el7_5.x86_64
  14. RHSA-2018:2757Moderate/Sec.389-ds-base-1.3.7.5-28.el7_5.x86_64
  15. RHSA-2018:3127Moderate/Sec.389-ds-base-1.3.8.4-15.el7.x86_64
  16. RHSA-2014:1031Important/Sec.389-ds-base-libs-1.3.1.6-26.el7_0.x86_64

要显示所有待安装的安全补丁:

  1. #yum updateinfo list security all |grep-v "i"
  3. RHSA-2014:1031Important/Sec.389-ds-base-1.3.1.6-26.el7_0.x86_64
  4. RHSA-2015:0416Important/Sec.389-ds-base-1.3.3.1-13.el7.x86_64
  5. RHSA-2015:0895Important/Sec.389-ds-base-1.3.3.1-16.el7_1.x86_64
  6. RHSA-2016:0204Important/Sec.389-ds-base-1.3.4.0-26.el7_2.x86_64
  7. RHSA-2016:2594Moderate/Sec.389-ds-base-1.3.5.10-11.el7.x86_64
  8. RHSA-2017:0920Important/Sec.389-ds-base-1.3.5.10-20.el7_3.x86_64
  9. RHSA-2017:2569Moderate/Sec.389-ds-base-1.3.6.1-19.el7_4.x86_64
  10. RHSA-2018:0163Important/Sec.389-ds-base-1.3.6.1-26.el7_4.x86_64
  11. RHSA-2018:0414Important/Sec.389-ds-base-1.3.6.1-28.el7_4.x86_64
  12. RHSA-2018:1380Important/Sec.389-ds-base-1.3.7.5-21.el7_5.x86_64
  13. RHSA-2018:2757Moderate/Sec.389-ds-base-1.3.7.5-28.el7_5.x86_64

要统计全部安全补丁的大致数量,运行下面的命令:

  1. #yum updateinfo list security all |wc-l
  2. 3522

下面根据已装软件列出可更新的安全补丁。这包括 bugzilla(bug 修复)、CVE(知名漏洞数据库)、安全更新等:

  1. #yum updateinfo list security
  3. 或者
  5. #yum updateinfo list sec
  7. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
  8. : subscription-manager, verify, versionlock
  10. RHSA-2018:3665Important/Sec.NetworkManager-1:1.12.0-8.el7_6.x86_64
  11. RHSA-2018:3665Important/Sec.NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
  12. RHSA-2018:3665Important/Sec.NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
  13. RHSA-2018:3665Important/Sec.NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
  14. RHSA-2018:3665Important/Sec.NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
  15. RHSA-2018:3665Important/Sec.NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
  16. RHSA-2018:3665Important/Sec.NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
  17. RHSA-2018:3665Important/Sec.NetworkManager-team-1:1.12.0-8.el7_6.x86_64
  18. RHSA-2018:3665Important/Sec.NetworkManager-tui-1:1.12.0-8.el7_6.x86_64
  19. RHSA-2018:3665Important/Sec.NetworkManager-wifi-1:1.12.0-8.el7_6.x86_64
  20. RHSA-2018:3665Important/Sec.NetworkManager-wwan-1:1.12.0-8.el7_6.x86_64

显示所有与安全相关的更新,并且返回一个结果来告诉你是否有可用的补丁:

  1. #yum--security check-update
  2. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
  3. rhel-7-server-rpms |2.0 kB 00:00:00
  4. --> policycoreutils-devel-2.2.5-20.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
  5. --> smc-raghumalayalam-fonts-6.0-7.el7.noarchfrom rhel-7-server-rpms excluded (updateinfo)
  6. --> amanda-server-3.3.3-17.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
  7. -->389-ds-base-libs-1.3.4.0-26.el7_2.x86_64 from rhel-7-server-rpms excluded (updateinfo)
  8. -->1:cups-devel-1.6.3-26.el7.i686from rhel-7-server-rpms excluded (updateinfo)
  9. --> openwsman-client-2.6.3-3.git4391e5c.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
  10. -->1:emacs-24.3-18.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
  11. --> augeas-libs-1.4.0-2.el7_4.2.i686 from rhel-7-server-rpms excluded (updateinfo)
  12. --> samba-winbind-modules-4.2.3-10.el7.i686from rhel-7-server-rpms excluded (updateinfo)
  13. --> tftp-5.2-11.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
  14. .
  15. .
  16. 35package(s) needed for security, out of 115 available
  17. NetworkManager.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
  18. NetworkManager-adsl.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
  19. NetworkManager-bluetooth.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
  20. NetworkManager-config-server.noarch 1:1.12.0-10.el7_6 rhel-7-server-rpms
  21. NetworkManager-glib.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
  22. NetworkManager-libnm.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
  23. NetworkManager-ppp.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms

列出所有可用的安全补丁,并且显示其详细信息:

  1. #yuminfo-sec
  2. .
  3. .
  4. ===============================================================================
  5. tzdata bug fix and enhancement update
  6. ===============================================================================
  7. Update ID : RHBA-2019:0689
  8. Release:0
  9. Type: bugfix
  10. Status:final
  11. Issued:2019-03-2819:27:44 UTC
  12. Description:The tzdata packages contain data files with rules for various
  13. :time zones.
  14. :
  15. :The tzdata packages have been updated to version
  16. :2019a, which addresses recent time zone changes.
  17. :Notably:
  18. :
  19. :*TheAsia/HebronandAsia/Gaza zones will start
  20. : DST on 2019-03-30, rather than 2019-03-23as
  21. : previously predicted.
  22. :*Metlakatla rejoined Alaskatime on 2019-01-20,
  23. : ending its observances of Pacific standard time.
  24. :
  25. :(BZ#1692616, BZ#1692615, BZ#1692816)
  26. :
  27. :Users of tzdata are advised to upgrade to these
  28. : updated packages.
  29. Severity:None

如果你想要知道某个更新的具体内容,可以运行下面这个命令:

  1. #yum updateinfo RHSA-2019:0163
  3. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
  4. rhel-7-server-rpms |2.0 kB 00:00:00
  5. ===============================================================================
  6. Important: kernel security, bug fix,and enhancement update
  7. ===============================================================================
  8. Update ID : RHSA-2019:0163
  9. Release:0
  10. Type: security
  11. Status:final
  12. Issued:2019-01-2915:21:23 UTC
  13. Updated:2019-01-2915:23:47 UTC Bugs:1641548- CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
  14. :1641878- CVE-2018-18559 kernel:Use-after-free due to race condition in AF_PACKET implementation
  15. CVEs: CVE-2018-18397
  16. : CVE-2018-18559
  17. Description:The kernel packages contain the Linux kernel, the core of any
  18. :Linux operating system.
  19. :
  20. :SecurityFix(es):
  21. :
  22. :* kernel:Use-after-free due to race condition in
  23. : AF_PACKET implementation (CVE-2018-18559)
  24. :
  25. :* kernel: userfaultfd bypasses tmpfs file
  26. : permissions (CVE-2018-18397)
  27. :
  28. :Formore details about the security issue(s),
  29. : including the impact, a CVSS score,and other
  30. : related information, refer to the CVE page(s)
  31. : listed in the References section.
  32. :
  33. :BugFix(es):
  34. :
  35. :These updated kernel packages include also
  36. : numerous bug fixes and enhancements.Space
  37. : precludes documenting all of the bug fixes inthis
  38. : advisory.See the descriptions in the related
  39. :KnowledgeArticle:
  40. : https://access.redhat.com/articles/3827321
  41. Severity:Important
  42. updateinfo infodone

跟之前类似,你可以只查询那些通过 CVE 释出的系统漏洞:

  1. #yum updateinfo list cves
  3. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
  4. : subscription-manager, verify, versionlock
  5. CVE-2018-15688Important/Sec.NetworkManager-1:1.12.0-8.el7_6.x86_64
  6. CVE-2018-15688Important/Sec.NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
  7. CVE-2018-15688Important/Sec.NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
  8. CVE-2018-15688Important/Sec.NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
  9. CVE-2018-15688Important/Sec.NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
  10. CVE-2018-15688Important/Sec.NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
  11. CVE-2018-15688Important/Sec.NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
  12. CVE-2018-15688Important/Sec.NetworkManager-team-1:1.12.0-8.el7_6.x86_64

你也可以查看那些跟 bug 修复相关的更新,运行下面的命令:

  1. #yum updateinfo list bugfix |less
  3. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
  4. : subscription-manager, verify, versionlock
  5. RHBA-2018:3349 bugfix NetworkManager-1:1.12.0-7.el7_6.x86_64
  6. RHBA-2019:0519 bugfix NetworkManager-1:1.12.0-10.el7_6.x86_64
  7. RHBA-2018:3349 bugfix NetworkManager-adsl-1:1.12.0-7.el7_6.x86_64
  8. RHBA-2019:0519 bugfix NetworkManager-adsl-1:1.12.0-10.el7_6.x86_64
  9. RHBA-2018:3349 bugfix NetworkManager-bluetooth-1:1.12.0-7.el7_6.x86_64
  10. RHBA-2019:0519 bugfix NetworkManager-bluetooth-1:1.12.0-10.el7_6.x86_64
  11. RHBA-2018:3349 bugfix NetworkManager-config-server-1:1.12.0-7.el7_6.noarch
  12. RHBA-2019:0519 bugfix NetworkManager-config-server-1:1.12.0-10.el7_6.noarch

要想得到待安装更新的摘要信息,运行这个:

  1. #yum updateinfo summary
  2. Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
  3. rhel-7-server-rpms |2.0 kB 00:00:00
  4. UpdatesInformationSummary: updates
  5. 13Security notice(s)
  6. 9ImportantSecurity notice(s)
  7. 3ModerateSecurity notice(s)
  8. 1LowSecurity notice(s)
  9. 35Bugfix notice(s)
  10. 1Enhancement notice(s)
  11. updateinfo summary done

如果只想打印出低级别的安全更新,运行下面这个命令。类似的,你也可以只查询重要级别和中等级别的安全更新。

  1. #yum updateinfo list sec |grep-i "Low"
  3. RHSA-2019:0201Low/Sec. libgudev1-219-62.el7_6.3.x86_64
  4. RHSA-2019:0201Low/Sec.systemd-219-62.el7_6.3.x86_64
  5. RHSA-2019:0201Low/Sec.systemd-libs-219-62.el7_6.3.x86_64
  6. RHSA-2019:0201Low/Sec.systemd-sysv-219-62.el7_6.3.x86_64

https://www.2daygeek.com/check-list-view-find-available-security-updates-on-redhat-rhel-centos-system/

作者:Magesh Maruthamuthu 选题:lujun9972 译者:jdh8383 校对:wxy

本文由 LCTT 原创编译,Linux中国 荣誉推出

Related Posts:

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

Time limit is exhausted. Please reload CAPTCHA.