
Keeping Your System Up-to-Date

From the document Red Hat Enterprise Linux 7 Security Guide (pages 24-29)

This chapter describes the process of keeping your system up-to-date, which involves planning and configuring the way security updates are installed, applying changes introduced by newly updated packages, and using the Red Hat Customer Portal for keeping track of security advisories.

3.1. Maintaining Installed Software

As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is a part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat is committed to releasing updated packages that fix the vulnerabilities as soon as possible.

Often, announcements about a given security exploit are accompanied with a patch (or source code) that fixes the problem. This patch is then applied to the Red Hat Enterprise Linux package and tested and released as an erratum update. However, if an announcement does not include a patch, Red Hat developers first work with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an erratum update.

If an erratum update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.

3.1.1. Planning and Configuring Security Updates

All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Packages that have not been updated are a common cause of computer intrusions. Implement a plan for installing security patches in a timely manner to quickly eliminate discovered vulnerabilities, so they cannot be exploited.

Test security updates when they become available and schedule them for installation.

Additional controls need to be used to protect the system during the time between the release of the update and its installation on the system. These controls depend on the exact vulnerability, but may include additional firewall rules, the use of external firewalls, or changes in software settings.

Bugs in supported packages are fixed using the errata mechanism. An erratum consists of one or more RPM packages accompanied by a brief explanation of the problem that the particular erratum deals with. All errata are distributed to customers with active subscriptions through the Red Hat Subscription Management service. Errata that address security issues are called Red Hat Security Advisories.

For more information on working with security errata, see Section 3.2.1, “Viewing Security Advisories on the Customer Portal”. For detailed information about the Red Hat Subscription Management service, including instructions on how to migrate from RHN Classic, see the documentation related to this service: Red Hat Subscription Management.

3.1.1.1. Using the Security Features of Yum

The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features also make it possible to use Yum to install nothing but security updates.

To check for security-related updates available for your system, run the following command as root:

~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                  | 3.4 kB  00:00:00
No packages needed for security; 0 packages available

Note that the above command runs in non-interactive mode, so it can be used in scripts to check automatically whether any updates are available. The command returns an exit value of 100 when security updates are available and 0 when there are none. On encountering an error, it returns 1. Because 100 is a non-zero status, a script that treats every non-zero exit as a failure (or runs under set -e) will misreport a host with pending security errata as a broken check, so the status must be inspected explicitly.
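The exit-code contract is easy to get wrong in automation, so the following wrapper is worth having. It is an added example, not code from the Red Hat guide: it runs the command it is given, maps yum's documented statuses to a word a cron job or monitoring agent can act on, and deliberately treats any other status as an error rather than as "up to date". The command is passed as arguments so the wrapper can be exercised with a stand-in such as sh -c 'exit 100' on a host that has no yum; the --run branch and the logger message are this example's own conventions.

```shell
#!/bin/bash
# Added example; not code from the Red Hat Enterprise Linux 7 Security Guide.
# Wrap "yum check-update --security" for cron jobs and monitoring agents.
# Documented statuses: 100 = security updates available, 0 = none, 1 = error.

# security_update_status CMD [ARG...]
#   Runs CMD and prints one of "updates-available", "up-to-date" or "error".
#   Always returns 0 so that callers running under "set -e" can capture the
#   word; the 100 that yum uses for the interesting case never leaks out as a
#   "failure". CMD is an argument so the wrapper can be tried with a stand-in
#   such as: security_update_status sh -c 'exit 100'
security_update_status() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        100) echo "updates-available" ;;
        0)   echo "up-to-date" ;;
        # 1 is yum's documented error; an undocumented status (for example 127
        # when yum is missing) is also an error, never a clean result.
        *)   echo "error" ;;
    esac
}

# Live use on a RHEL 7 host (needs root and repository access):
#   ./check-security.sh --run
if [ "${1:-}" = "--run" ]; then
    case $(security_update_status yum -q check-update --security) in
        updates-available)
            yum updateinfo list security   # show the pending advisories
            exit 100                       # distinct status for the scheduler
            ;;
        up-to-date)
            exit 0
            ;;
        error)
            logger -p daemon.err "yum security check failed"
            exit 1
            ;;
    esac
fi
```

The wrapper only reports; installing the errata stays a separate, scheduled step, as the planning guidance above recommends.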

Analogously, use the following command to only install security-related updates:

~]# yum update --security

Use the updateinfo subcommand to display or act upon information provided by repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, “Security-related commands usable with yum updateinfo” for an overview of these commands.

Table 3.1. Security-related commands usable with yum updateinfo

Command                          Description
advisory [advisories]            Displays information about one or more advisories. Replace advisory with an advisory number or numbers.
cves                             Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures).
security or sec                  Displays all security-related information.
severity or sev severity_level   Displays information about security-relevant packages of the supplied severity_level.

3.1.2. Updating and Installing Packages

When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, security measures such as verifying installed files against the package's own recorded metadata (rpm -V) do not detect the exploit, because the malicious package is itself the reference. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, and to check the package signatures to verify their integrity.

See the Yum chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for detailed information on how to use the Yum package manager.

3.1.2.1. Verif ying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. If the verification of a package signature fails, the package may be altered and therefore cannot be trusted.

The Yum package manager allows for automatic verification of all packages it installs or upgrades. This feature is enabled by default. To configure this option on your system, make sure the gpgcheck configuration directive is set to 1 in the /etc/yum.conf configuration file. Note that a gpgcheck directive inside an individual repository definition (the .repo files under /etc/yum.repos.d/) overrides the global value for that repository, so a repository file containing gpgcheck=0 disables signature checking for its packages even when /etc/yum.conf sets gpgcheck=1; audit the repository files as well. The --nogpgcheck command-line option likewise bypasses the check for a single invocation and should not appear in scripts or automation.

Use the following command to manually verify package files on your file system:

rpmkeys --checksig package_file.rpm

A signature can only be verified if the public key that produced it has been imported into the RPM database. Red Hat ships its keys under /etc/pki/rpm-gpg/ and they are imported with rpm --import. For a package signed with a key that has not been imported, rpmkeys reports the signature as NOT OK with a MISSING KEYS note and exits with a non-zero status, so scripts should branch on the exit status rather than search the output for the word OK.

See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.
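Because a per-repository gpgcheck line overrides the [main] default, looking at /etc/yum.conf alone does not tell you whether signatures are actually enforced. The script below is an added example, not code from the Red Hat guide: it computes the effective gpgcheck value for every repository section across the files it is given and lists those that would accept unsigned packages, and it wraps rpmkeys --checksig in a loop that relies on the exit status. It assumes the standard ini layout of yum configuration files ([section] headers, key=value lines, lines beginning with # as comments); the file names and repository ids used when trying it are constructed.

```shell
#!/bin/bash
# Added example; not code from the Red Hat Enterprise Linux 7 Security Guide.
# Audit yum configuration for repositories that would be used WITHOUT GPG
# signature checking, applying the precedence rules of yum.conf(5): the
# [main] section of yum.conf supplies the default (1 when unset), and a
# gpgcheck line inside a repository section overrides it for that repository.
# Assumption: standard ini layout ([section] headers, key=value lines,
# "#" comments). Paths are parameters so copies of the files can be audited
# offline.

# gpgcheck_default YUM_CONF -> prints the [main] gpgcheck value, 1 if unset
gpgcheck_default() {
    awk -F= '
        /^\[/ { inmain = ($0 == "[main]") }
        inmain && $1 ~ /^[[:space:]]*gpgcheck[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); v = $2 }
        END { if (v == "") v = 1; print v }' "$1"
}

# unchecked_repos YUM_CONF REPO_FILE... -> prints "file:repoid" for each
# repository section (enabled or not) whose effective gpgcheck is not 1
unchecked_repos() {
    local default
    default=$(gpgcheck_default "$1"); shift
    awk -F= -v def="$default" '
        function flush() { if (cur != "" && eff != 1) print cur; cur = "" }
        FNR == 1 { flush() }                  # new file: settle the last section
        /^\[/ {                               # new [section]: start from the default
            flush(); id = $0
            sub(/^\[/, "", id); sub(/\].*$/, "", id)
            cur = FILENAME ":" id; eff = def
        }
        cur != "" && $1 ~ /^[[:space:]]*gpgcheck[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); eff = $2 }   # repository override
        END { flush() }' "$@"
}

# verify_rpms FILE... -> "OK file" / "FAIL file" per package; returns 1 if any
# failed. rpmkeys exits non-zero both for a bad signature and for a signature
# made by a key that is not imported into the RPM database, so the exit status
# is what matters, not the text.
verify_rpms() {
    local f failed=0
    for f in "$@"; do
        if rpmkeys --checksig "$f" >/dev/null 2>&1; then
            echo "OK   $f"
        else
            echo "FAIL $f"; failed=1
        fi
    done
    return $failed
}

# Live use on a RHEL 7 host (the download directory is an assumption):
#   unchecked_repos /etc/yum.conf /etc/yum.repos.d/*.repo
#   verify_rpms /tmp/downloaded/*.rpm && yum install /tmp/downloaded/*.rpm
```

An empty result from unchecked_repos means every repository, including disabled ones that could be switched on later with --enablerepo, will have its packages signature-checked.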

3.1.2.2. Installing Signed Packages

To install verified packages (see Section 3.1.2.1, “Verifying Signed Packages” for information on how to verify packages) from your file system, use the yum install command as the root user as follows:

yum install package_file.rpm

Use a shell glob to install several packages at once. For example, the following command installs all .rpm packages in the current directory:

yum install *.rpm

Important

Before installing any security errata, be sure to read any special instructions contained in the erratum report and execute them accordingly. See Section 3.1.3, “Applying Changes Introduced by Installed Updates” for general instructions about applying changes made by errata updates.

3.1.3. Applying Changes Introduced by Installed Updates

After downloading and installing security errata and updates, it is important to halt the usage of the old software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using updated versions after a package upgrade.

Note

In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always required, nor is it always available to the system administrator.

Applications

User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launches them.

Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.

Kernel

The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.

Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.

KVM

When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.

Use the lsmod command to determine which of the following modules are loaded: kvm, kvm-intel, or kvm-amd. Then use the modprobe -r command to remove and subsequently the modprobe -a command to reload the affected modules. Stop the guests first: modprobe -r refuses to unload a module that is still in use, and the third column of the lsmod output (0 for kvm_intel below) shows that use count. On AMD hosts, substitute kvm-amd for kvm-intel. For example:

~]# lsmod | grep kvm

kvm_intel 143031 0

kvm 460181 1 kvm_intel

~]# modprobe -r kvm-intel

~]# modprobe -r kvm

~]# modprobe -a kvm kvm-intel

Shared Libraries

Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.

To determine which running applications link against a particular library, use the lsof command:

lsof library

For example, to determine which running applications link against the libwrap.so.0 library, type:

~]# lsof /lib64/libwrap.so.0

COMMAND   PID   USER FD  TYPE DEVICE SIZE/OFF NODE     NAME
pulseaudi 12363 test mem REG  253,0  42520    34121785 /usr/lib64/libwrap.so.0.7.6

gnome-set 12365 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6

gnome-she 12454 test mem REG 253,0 42520 34121785 /usr/lib64/libwrap.so.0.7.6

This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated. Note that lsof resolves the symlink and reports the real file (libwrap.so.0.7.6 here). Once the update has replaced that file, processes started before the update keep the old, now unlinked copy mapped; the kernel marks such mappings with a (deleted) suffix in /proc/PID/maps, which is a convenient way to find the processes that still need a restart after the fact.
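lsof answers the question before the update (who maps the library right now); after the update the more useful question is which processes still hold the old copy. The functions below are an added example, not part of the Red Hat guide, and scan /proc directly: lib_users reproduces the lsof query (pass the resolved path, for example "$(readlink -f /lib64/libwrap.so.0)", because maps records the real file rather than the symlink), and stale_lib_users lists every process that maps a .so whose file on disk has since been replaced or removed. The proc root is a parameter so the functions can be run against a constructed tree; library paths containing spaces are not handled. On RHEL 7 the needs-restarting tool from the yum-utils package performs a similar scan.

```shell
#!/bin/bash
# Added example; not code from the Red Hat Enterprise Linux 7 Security Guide.
# After a shared library is updated, processes started before the update keep
# the old, unlinked file mapped; /proc/PID/maps shows such mappings with a
# "(deleted)" suffix. PROCROOT defaults to /proc and is a parameter so the
# functions can be exercised against a constructed tree.
# Assumption: library paths contain no spaces (true under /usr/lib64).

# lib_users LIBPATH [PROCROOT] -> "PID COMM" for every process mapping LIBPATH.
# Pass the real path, e.g. "$(readlink -f /lib64/libwrap.so.0)"; maps holds
# the resolved file, not the symlink name that lsof was given above.
lib_users() {
    local lib=$1 proc=${2:-/proc} maps pid comm
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        awk -v lib="$lib" '
            $NF == lib || ($NF == "(deleted)" && $(NF-1) == lib) { found = 1; exit }
            END { exit found ? 0 : 1 }' "$maps" || continue
        pid=${maps%/maps}; pid=${pid##*/}
        read -r comm < "$proc/$pid/comm" 2>/dev/null || comm='?'
        echo "$pid $comm"
    done
}

# stale_lib_users [PROCROOT] -> "PID COMM PATH" for every .so a process has
# mapped whose file has been replaced or removed since the process started.
# Every process listed must be restarted before the update is in effect.
stale_lib_users() {
    local proc=${1:-/proc} maps pid comm
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        read -r comm < "$proc/$pid/comm" 2>/dev/null || comm='?'
        # one line per library even though a .so is mapped as several segments
        awk -v pid="$pid" -v comm="$comm" '
            $NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ && !seen[$(NF-1)]++ {
                print pid, comm, $(NF-1) }' "$maps"
    done
}

# Live use on a RHEL 7 host after "yum update tcp_wrappers":
#   lib_users "$(readlink -f /lib64/libwrap.so.0)"   # who maps it right now
#   stale_lib_users                                  # who still maps the old copy
```

Both functions need read access to the maps files of other users' processes, so run them as root; processes that are unreadable are skipped rather than reported.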

systemd Services

systemd services are persistent server programs usually launched during the boot process. Examples of systemd services include sshd or vsftpd.

Because these programs usually persist in memory as long as a machine is running, each updated systemd service must be halted and relaunched after its package is upgraded. This can be done as the root user using the systemctl command:

systemctl restart service_name

Replace service_name with the name of the service you wish to restart, such as sshd.

Other Software

Follow the instructions outlined by the resources linked below to correctly update the following applications.

Red Hat Directory Server — See the Release Notes for the version of the Red Hat Directory Server in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/.

Red Hat Enterprise Virtualization Manager — See the Installation Guide for the version of the Red Hat Enterprise Virtualization in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/.

3.2. Using the Red Hat Customer Portal

The Red Hat Customer Portal at https://access.redhat.com/ is the main customer-oriented resource for official information related to Red Hat products. You can use it to find documentation, manage your subscriptions, download products and updates, open support cases, and learn about security updates.

3.2.1. Viewing Security Advisories on the Customer Portal

To view security advisories (errata) relevant to the systems for which you have active subscriptions, log into the Customer Portal at https://access.redhat.com/ and click on the Download Products & Updates button on the main page. When you enter the Software & Download Center page, continue by clicking on the Errata button to see a list of advisories pertinent to your registered systems.

To browse a list of all security updates for all active Red Hat products, go to Security → Security Updates → Active Products using the navigation menu at the top of the page.

Click on the erratum code in the left part of the table to display more detailed information about the individual advisories. The next page contains not only a description of the given erratum, including its causes, consequences, and required fixes, but also a list of all packages that the particular erratum updates along with instructions on how to apply the updates. The page also includes links to relevant references, such as related CVE.

3.2.2. Navigating CVE Customer Portal Pages

The CVE (Common Vulnerabilities and Exposures) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. To browse a list of CVE that pertain to Red Hat products on the Customer Portal, log into your account at https://access.redhat.com/ and navigate to Security → Resources → CVE Database using the navigation menu at the top of the page. Click on the CVE code in the left part of the table to display more detailed information about the individual vulnerabilities. The next page contains not only a description of the given CVE but also a list of affected Red Hat products along with links to relevant Red Hat errata.

3.2.3. Understanding Issue Severity Classification

All security issues discovered in Red Hat products are assigned an impact rating by the Red Hat Security Response Team according to the severity of the problem. The four-point scale consists of the following levels: Low, Moderate, Important, and Critical. In addition to that, every security issue is rated using the Common Vulnerability Scoring System (CVSS) base scores.

Together, these ratings help you understand the impact of security issues, allowing you to schedule and prioritize upgrade strategies for your systems. Note that the ratings reflect the potential risk of a given vulnerability, which is based on a technical analysis of the bug, not the current threat level. This means that the security impact rating does not change if an exploit is released for a particular flaw.

To see a detailed description of the individual levels of severity ratings on the Customer Portal, log into your account at https://access.redhat.com/ and navigate to Security → Policies → Severity Ratings using the navigation menu at the top of the page.

3.3. Additional Resources

For more information about security updates, ways of applying them, the Red Hat Customer Portal, and related topics, see the resources listed below.
