Configure CentOS Automatic Security Updates

When running your own VPS, security updates are critical for stability. I have shown how to configure automatic security updates on Debian and now it’s time to do it for CentOS.

CentOS provides a flag for applying security updates; combined with yum-cron, it lets us schedule security updates to be installed automatically every day.

Configure CentOS Automatic Security Updates

The basic way to install security updates is to pass the --security flag to the yum upgrade command:

sudo yum upgrade --security

If you see the error "Command line error: no such option: --security", you can solve it by installing the yum-security package:

sudo yum install yum-security

Thanks to Casey Labs, I was informed the above --security flag only works properly on Red Hat 🙁 but luckily there is a workaround!

sudo yum install yum-plugin-changelog pcre-devel python-pip
sudo mkdir -p /var/lib/centos-package-cron
sudo pip install centos_package_cron

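Once this package is installed, we can upgrade with this command. The -r option makes xargs skip the yum call when no packages are listed, so an empty result does not turn into a full yum -y update:

centos-package-cron --output stdout --forceold | pcregrep -M 'Packages:[^:]*' | grep -o "[^* ]*" | grep -v 'Packages:' | grep -v 'References' | sort | uniq | xargs -r yum -y update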

You can add the above command to the cron configuration below.

Automatic Yum Upgrades

We’ll use the package yum-cron to run yum --security upgrade automatically.

sudo yum install yum-cron

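Set update_cmd and apply_updates in /etc/yum/yum-cron.conf so that security updates are applied automatically. Edit the existing keys in place rather than overwriting the file, which would discard the [commands] section header and the other settings:

sudo sed -i -e 's/^update_cmd *=.*/update_cmd = security/' -e 's/^apply_updates *=.*/apply_updates = yes/' /etc/yum/yum-cron.conf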

Enable the yum-cron service and restart it:

sudo systemctl enable yum-cron
sudo systemctl restart yum-cron

If you get "systemctl not found", use these commands instead:

sudo chkconfig yum-cron on
sudo service yum-cron restart

The cron configuration is in /etc/cron.daily/0yum-daily.cron.

Once a day the yum upgrade --security command will be automatically run.
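
To confirm that both settings are really in effect, the following added example (not part of the original post) sets and then checks update_cmd and apply_updates inside the [commands] section of a yum-cron.conf file. The function names and the sample file contents are assumptions made for illustration; the sample is modelled on a stock CentOS 7 configuration.

```shell
#!/bin/sh
# Added example (not from the original post). Works on any file path, so it
# can be tried on a copy before touching /etc/yum/yum-cron.conf.

# set_yum_cron_key FILE KEY VALUE: set KEY inside the [commands] section,
# replacing an existing line or appending one; every other line is kept.
set_yum_cron_key() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        function emit() { if (in_cmd && !done) { print key " = " value; done = 1 } }
        /^\[/ { emit(); in_cmd = ($0 ~ /^\[commands\]/) }
        in_cmd && $0 ~ ("^[ \t]*" key "[ \t]*=") { if (!done) print key " = " value; done = 1; next }
        { print }
        END { emit(); if (!done) { print "[commands]"; print key " = " value } }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner, mode and SELinux label
    rc=$?; rm -f "$tmp"; return $rc
}

# get_yum_cron_key FILE KEY: print the value that applies in [commands].
get_yum_cron_key() {
    awk -v key="$2" '
        /^\[/ { in_cmd = ($0 ~ /^\[commands\]/); next }
        in_cmd && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# check_security_autoupdate FILE: succeed only if both settings are in effect.
check_security_autoupdate() {
    [ "$(get_yum_cron_key "$1" update_cmd)" = "security" ] &&
    [ "$(get_yum_cron_key "$1" apply_updates)" = "yes" ]
}

demo() {
    conf=$(mktemp) || return 1
    # Constructed sample, modelled on a stock CentOS 7 yum-cron.conf.
    printf '%s\n' '[commands]' 'update_cmd = default' 'download_updates = yes' \
        'apply_updates = no' '' '[emitters]' 'emit_via = stdio' > "$conf"
    check_security_autoupdate "$conf" || echo "before: not configured"
    set_yum_cron_key "$conf" update_cmd security
    set_yum_cron_key "$conf" apply_updates yes
    check_security_autoupdate "$conf" && echo "after: security updates applied automatically"
    rm -f "$conf"
}
demo
```

On a real host, run check_security_autoupdate /etc/yum/yum-cron.conf after editing the file and before restarting yum-cron.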
