如何在 CentOS 或 RHEL 系統上檢查可用的安全更新?
當你更新系統時,根據你所在公司的安全策略,有時候可能只需要打上與安全相關的補丁。大多數情況下,這應該是出於程式相容性方面的考量。那該怎樣實踐呢?有沒有辦法讓 yum
只安裝安全補丁呢?
答案是肯定的,可以用 yum
包管理器輕鬆實現。
在這篇文章中,我們不但會提供所需的資訊。而且,我們會介紹一些額外的命令,可以幫你獲取指定安全更新的詳實資訊。
希望這樣可以啟發你去了解並修復你列表上的那些漏洞。一旦有安全漏洞被公佈,就必須更新受影響的軟體,這樣可以降低系統中的安全風險。
對於 RHEL 或 CentOS 6 系統,執行下面的 Yum 命令 來安裝 yum 安全外掛。
# yum -y install yum-plugin-security
在 RHEL 7&8 或是 CentOS 7&8 上面,這個外掛已經是 yum
的一部分了,不用單獨安裝。
要列出全部可用的補丁(包括安全、Bug 修復以及產品改進),但不安裝它們:
# yum updateinfo list available
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHBA-2015:0626 bugfix 389-ds-base-1.3.3.1-15.el7_1.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHBA-2015:1554 bugfix 389-ds-base-1.3.3.1-20.el7_1.x86_64
RHBA-2015:1960 bugfix 389-ds-base-1.3.3.1-23.el7_1.x86_64
RHBA-2015:2351 bugfix 389-ds-base-1.3.4.0-19.el7.x86_64
RHBA-2015:2572 bugfix 389-ds-base-1.3.4.0-21.el7_2.x86_64
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
RHBA-2016:0550 bugfix 389-ds-base-1.3.4.0-29.el7_2.x86_64
RHBA-2016:1048 bugfix 389-ds-base-1.3.4.0-30.el7_2.x86_64
RHBA-2016:1298 bugfix 389-ds-base-1.3.4.0-32.el7_2.x86_64
要統計補丁的大約數量,執行下面的命令:
# yum updateinfo list available | wc -l
11269
想列出全部可用的安全補丁但不安裝,以下命令用來展示你係統裡已安裝和待安裝的推薦補丁:
# yum updateinfo list security all
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86_64
RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7_4.x86_64
RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7_5.x86_64
RHSA-2018:3127 Moderate/Sec. 389-ds-base-1.3.8.4-15.el7.x86_64
RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64
要顯示所有待安裝的安全補丁:
# yum updateinfo list security all | grep -v "i"
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86_64
RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7_4.x86_64
RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7_5.x86_64
要統計全部安全補丁的大致數量,執行下面的命令:
# yum updateinfo list security all | wc -l
3522
下面根據已裝軟體列出可更新的安全補丁。這包括 bugzilla(bug 修復)、CVE(知名漏洞資料庫)、安全更新等:
# yum updateinfo list security
或者
# yum updateinfo list sec
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2018:3665 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
RHSA-2018:3665 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-tui-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-wifi-1:1.12.0-8.el7_6.x86_64
RHSA-2018:3665 Important/Sec. NetworkManager-wwan-1:1.12.0-8.el7_6.x86_64
顯示所有與安全相關的更新,並且返回一個結果來告訴你是否有可用的補丁:
# yum --security check-update
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms | 2.0 kB 00:00:00
--> policycoreutils-devel-2.2.5-20.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> smc-raghumalayalam-fonts-6.0-7.el7.noarch from rhel-7-server-rpms excluded (updateinfo)
--> amanda-server-3.3.3-17.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> 389-ds-base-libs-1.3.4.0-26.el7_2.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> 1:cups-devel-1.6.3-26.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> openwsman-client-2.6.3-3.git4391e5c.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> 1:emacs-24.3-18.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
--> augeas-libs-1.4.0-2.el7_4.2.i686 from rhel-7-server-rpms excluded (updateinfo)
--> samba-winbind-modules-4.2.3-10.el7.i686 from rhel-7-server-rpms excluded (updateinfo)
--> tftp-5.2-11.el7.x86_64 from rhel-7-server-rpms excluded (updateinfo)
.
.
35 package(s) needed for security, out of 115 available
NetworkManager.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-adsl.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-bluetooth.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-config-server.noarch 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-glib.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-libnm.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
NetworkManager-ppp.x86_64 1:1.12.0-10.el7_6 rhel-7-server-rpms
列出所有可用的安全補丁,並且顯示其詳細資訊:
# yum info-sec
.
.
===============================================================================
tzdata bug fix and enhancement update
===============================================================================
Update ID : RHBA-2019:0689
Release : 0
Type : bugfix
Status : final
Issued : 2019-03-28 19:27:44 UTC
Description : The tzdata packages contain data files with rules for various
: time zones.
:
: The tzdata packages have been updated to version
: 2019a, which addresses recent time zone changes.
: Notably:
:
: * The Asia/Hebron and Asia/Gaza zones will start
: DST on 2019-03-30, rather than 2019-03-23 as
: previously predicted.
: * Metlakatla rejoined Alaska time on 2019-01-20,
: ending its observances of Pacific standard time.
:
: (BZ#1692616, BZ#1692615, BZ#1692816)
:
: Users of tzdata are advised to upgrade to these
: updated packages.
Severity : None
如果你想要知道某個更新的具體內容,可以執行下面這個命令:
# yum updateinfo RHSA-2019:0163
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms | 2.0 kB 00:00:00
===============================================================================
Important: kernel security, bug fix, and enhancement update
===============================================================================
Update ID : RHSA-2019:0163
Release : 0
Type : security
Status : final
Issued : 2019-01-29 15:21:23 UTC
Updated : 2019-01-29 15:23:47 UTC Bugs : 1641548 - CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
: 1641878 - CVE-2018-18559 kernel: Use-after-free due to race condition in AF_PACKET implementation
CVEs : CVE-2018-18397
: CVE-2018-18559
Description : The kernel packages contain the Linux kernel, the core of any
: Linux operating system.
:
: Security Fix(es):
:
: * kernel: Use-after-free due to race condition in
: AF_PACKET implementation (CVE-2018-18559)
:
: * kernel: userfaultfd bypasses tmpfs file
: permissions (CVE-2018-18397)
:
: For more details about the security issue(s),
: including the impact, a CVSS score, and other
: related information, refer to the CVE page(s)
: listed in the References section.
:
: Bug Fix(es):
:
: These updated kernel packages include also
: numerous bug fixes and enhancements. Space
: precludes documenting all of the bug fixes in this
: advisory. See the descriptions in the related
: Knowledge Article:
: https://access.redhat.com/articles/3827321
Severity : Important
updateinfo info done
跟之前類似,你可以只查詢那些通過 CVE 釋出的系統漏洞:
# yum updateinfo list cves
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
CVE-2018-15688 Important/Sec. NetworkManager-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-adsl-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-bluetooth-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-config-server-1:1.12.0-8.el7_6.noarch
CVE-2018-15688 Important/Sec. NetworkManager-glib-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-libnm-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-ppp-1:1.12.0-8.el7_6.x86_64
CVE-2018-15688 Important/Sec. NetworkManager-team-1:1.12.0-8.el7_6.x86_64
你也可以檢視那些跟 bug 修復相關的更新,執行下面的命令:
# yum updateinfo list bugfix | less
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHBA-2018:3349 bugfix NetworkManager-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-adsl-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-adsl-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-bluetooth-1:1.12.0-7.el7_6.x86_64
RHBA-2019:0519 bugfix NetworkManager-bluetooth-1:1.12.0-10.el7_6.x86_64
RHBA-2018:3349 bugfix NetworkManager-config-server-1:1.12.0-7.el7_6.noarch
RHBA-2019:0519 bugfix NetworkManager-config-server-1:1.12.0-10.el7_6.noarch
要想得到待安裝更新的摘要資訊,執行這個:
# yum updateinfo summary
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos, subscription-manager, verify, versionlock
rhel-7-server-rpms | 2.0 kB 00:00:00
Updates Information Summary: updates
13 Security notice(s)
9 Important Security notice(s)
3 Moderate Security notice(s)
1 Low Security notice(s)
35 Bugfix notice(s)
1 Enhancement notice(s)
updateinfo summary done
如果只想列印出低階別的安全更新,執行下面這個命令。類似的,你也可以只查詢重要級別和中等級別的安全更新。
# yum updateinfo list sec | grep -i "Low"
RHSA-2019:0201 Low/Sec. libgudev1-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec. systemd-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec. systemd-libs-219-62.el7_6.3.x86_64
RHSA-2019:0201 Low/Sec. systemd-sysv-219-62.el7_6.3.x86_64
作者:Magesh Maruthamuthu 選題:lujun9972 譯者:jdh8383 校對:wxy
訂閱“Linux 中國”官方小程式來檢視
相關文章
- 在 RHEL 和 CentOS 上檢查或列出已安裝的安全更新的兩種方法CentOS
- CentOS /RHEL 系統更新安全補丁的方法CentOS
- CentOS系統RPM安全檢查CentOS
- 如何在 CentOS 8 和 RHEL 8 系統上安裝和使用 AnsibleCentOS
- 在 RHEL 或 CentOS 上使用 Patroni 部署 PostgreSQL 以實現高可用性CentOSSQL
- 如何在 CentOS 8 / RHEL 8 上安裝 VirtualBox 6.0CentOS
- 如何在 CentOS、RHEL 和 Fedora 上安裝 DHCP 服務CentOS
- 如何在CentOS/RHEL 7上藉助ssm管理LVM卷?CentOSSSMLVM
- 如何在 CentOS 8/RHEL 8 上安裝和使用 CockpitCentOSKPI
- 如何在 CentOS 8/RHEL 8 上安裝和配置 Nagios CoreCentOSiOS
- Win10 1903系統中如何在右鍵選單中新增檢查更新Win10
- SAP系統上線需要檢查的清單
- 在 RHEL/CentOS 系統上使用 YUM history 命令回滾升級操作CentOS
- 在 CentOS/RHEL 系統上生成補丁合規報告的 Bash 指令碼CentOS指令碼
- 如何在 CentOS 8/RHEL 8 上安裝 Ansible(自動化工具)CentOS
- 如何在 Centos 8 / RHEL 8 上安裝和配置 VNC 伺服器CentOSVNC伺服器
- 如何在 CentOS 7 / RHEL 7 終端伺服器上安裝 KVMCentOS伺服器
- 系統高可用之健康檢查和健康度量那些事
- 如何在 CentOS 8 和 RHEL 8 伺服器上啟用 EPEL 倉庫CentOS伺服器
- 教你如何在CentOS7系統上安裝postgreSQL11CentOSSQL
- 如何在CentOS 7上搭建LAMP環境(使用YUM或編譯)CentOSLAMP編譯
- 如何在 RHEL8 /CentOS8 上建立多節點 Elastic stack 叢集CentOSAST
- 如何在大促中做好系統高可用
- 檢查系統版本
- 檢查不可用的物件(轉)物件
- RHEL 5下安裝Oracle 10g報作業系統的版本檢查失敗Oracle 10g作業系統
- 檢查udp埠是否可用?UDP
- 在rhel和CentOS上安裝SQL Server的方法CentOSSQLServer
- iOS12系統圖片heic如何在電腦上檢視iOS
- 如何在系統上檢視當天Oracle log切換頻率Oracle
- AIX系統日常檢查AI
- HP系統配置檢查
- CentOS8檢視系統版本CentOS
- CentOS 7 更新軟體源和系統CentOS
- RHEL6 或CentOS 6配置共享儲存--使用iSCSICentOS
- 如何在Mac上重置列印系統?Mac
- 阿里雲ECS伺服器CentOS7上系統安全加固阿里伺服器CentOS
- 如何在 Fedora、CentOS、RHEL 中啟用 RPM Fusion 倉庫CentOS