Wednesday, December 18, 2013

Inject a little security in to your CentOS repositories

There are many aspects to securing a network and many articles, essays, and books have been written on the topic. One aspect of any security checklist is updating vulnerable system packages. Every operations person deals with this and there are many tools at your disposal to make this job more manageable.

If you're using CentOS, you can leverage Red Hat's Spacewalk project. However, this will do more than just track errata. Spacewalk will also inventory your hardware and software, install software, provision servers and take care of some monitoring. If that suits your use case, then Spacewalk could be the option for you.

Steve Meier of the CEFS project has made the process for tracking CentOS errata via Spacewalk very easy and free. He provides a parsed errata.xml file generated from the centos-announce mailing lists and the scripts you need to import them into your Spacewalk server.

However, not everyone wants to run Spacewalk, and there are many reasons this may be the case. If you are one of these people, you're left with tracking the centos-announce mailing list using your own processes.

We'd like to present another option. What if we want to leverage the power of yum to tell us when a package needs to be updated? We can do this by installing the yum-plugin-security package. You're now one step closer, but the CentOS repositories do not come with an updateinfo.xml file that includes the relevant data that the plugin uses.

This is where we got the idea to leverage the CEFS project data and utilize the functionality of the updateinfo.xml file. All we needed to do is convert the errata.xml data into the appropriate updateinfo.xml format and inject it into the applicable CentOS repositories.

VM Farms would like to announce the public release of a utility that allows anyone to generate the updateinfo.xml errata files for insertion into their CentOS repositories. Please visit our public repository to download a copy and start scanning.

The following example illustrates how you would go about using this for a CentOS 6 repo. The assumption is that you've set BUILD_PREFIX=/security and that your CentOS-6-Updates directory lives under /repositories/.
wget -q -N -P/security /security/errata.latest.xml

/usr/bin/modifyrepo /security/updateinfo-6/updateinfo.xml /repositories/CentOS-6-Updates/repodata
Now that your repos have the data they need, you can install the yum-plugin-security package and make use of it like so:
yum install yum-plugin-security

yum security-list

Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
CentOS-6-OS                                                 | 1.2 kB     00:00
CentOS-6-Updates                                            | 1.2 kB     00:00

CESA_2013__1764        security    ruby-
CESA_2013__1764        security    ruby-irb-
CESA_2013__1764        security    ruby-libs-
CESA_2013__1764        security    ruby-rdoc-
CESA_2013__1806        security    samba-client-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-common-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-winbind-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-winbind-clients-3.6.9-167.el6_5.x86_64
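The conversion step described above (errata.xml from CEFS to the updateinfo.xml that yum-plugin-security reads, filtered by release), as an added example that is not the VM Farms tool's code. The sample errata.xml is constructed and only approximates the CEFS layout (one element per advisory, RPM file names in <packages> children); the attribute names are an assumption.

```python
"""Convert a CEFS-style errata.xml into the updateinfo.xml that
yum-plugin-security reads.  Added example, not the VM Farms tool."""
import xml.etree.ElementTree as ET

# Constructed sample approximating the CEFS errata.xml layout (an
# assumption): one element per advisory, RPM file names in <packages>.
ERRATA_XML = """<opt>
  <CESA-2013--1806 type="Security Advisory" severity="Critical"
      synopsis="Critical CentOS 6 samba Update" issue_date="2013-12-10">
    <os_release>6</os_release>
    <packages>samba-client-3.6.9-167.el6_5.x86_64.rpm</packages>
    <packages>samba-winbind-clients-3.6.9-167.el6_5.x86_64.rpm</packages>
  </CESA-2013--1806>
  <CESA-2013--9999 type="Security Advisory" severity="Low"
      synopsis="Low CentOS 5 example Update" issue_date="2013-12-11">
    <os_release>5</os_release>
    <packages>example-1.0-1.el5.i386.rpm</packages>
  </CESA-2013--9999>
</opt>"""


def split_rpm_filename(fname):
    """name-version-release.arch.rpm -> (name, version, release, arch).
    Split from the right: names may contain dashes, version/release never do."""
    stem, arch = fname[:-len(".rpm")].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def build_updateinfo(errata_xml, release):
    """Return an <updates> element with only the security advisories whose
    <os_release> matches the requested CentOS release (the RELEASES filter)."""
    updates = ET.Element("updates")
    for adv in ET.fromstring(errata_xml):
        if adv.get("type") != "Security Advisory" or adv.findtext("os_release") != release:
            continue
        up = ET.SubElement(updates, "update", status="final", type="security", version="1")
        # id style matches what "yum security-list" printed above (CESA_2013__1806)
        ET.SubElement(up, "id").text = adv.tag.replace("-", "_")
        ET.SubElement(up, "title").text = adv.get("synopsis", "")
        ET.SubElement(up, "severity").text = adv.get("severity", "")
        ET.SubElement(up, "issued", date=adv.get("issue_date", ""))
        coll = ET.SubElement(ET.SubElement(up, "pkglist"), "collection", short="CentOS-" + release)
        for pkg in adv.findall("packages"):
            name, ver, rel, arch = split_rpm_filename(pkg.text)
            p = ET.SubElement(coll, "package", name=name, version=ver, release=rel, arch=arch, epoch="0")
            ET.SubElement(p, "filename").text = pkg.text
    return updates
```

Write the result with ET.ElementTree(build_updateinfo(ERRATA_XML, "6")).write("updateinfo.xml") and hand that file to modifyrepo as shown above.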


  1. Wow thanks for making this! It's a great tool!

  3. This blog talks about the local repository. Any help on how to do it using an internet repository?

    1. Hi 007,

      This technique will only work housing a local repository so you can inject those XML files. You may be able to do some research and circumvent the need to house all the RPMS by using a local cobbler repository that doesn't mirror the RPMs, but holds repo-metadata, but that's outside the scope of the project and left up to the reader as a cool exercise. Thanks for showing interest!

  4. Hello - thank you all for your work on this. It has been a big help so far. I have a couple of questions for you in relation to its use that might help others too. In the configuration variables within the script I have used RELEASES = ['6','other'] which produces two updateinfo.xml files, one for each directory that is built, i.e. updateinfo-6 & updateinfo-other. For my local repo I have run the modifyrepo command for the updateinfo-6/updateinfo.xml against my local CentOS Updates repo directory. But what happens with the updateinfo-other/updateinfo.xml? Which local repo channel do I modify with that one?

    Apologies in advance if I've not understood something simple! :)

    1. No apologies necessary. I'll adjust the README to add a bit of clarity. The "other" repo is there for anything that doesn't match the particular numbered repos you're tracking. It's a repo that should remain there, but you don't have to use it. It's there for debugging and legacy purposes.

  5. Hi,

    I'm very new to this and need a lot of help...

    How do you guys run the command below: /security/errata.latest.xml

  6. Hello, I really need your script, but when I run
    wget -q -N -P/security
    I am getting
    [root@localhost Desktop]# ./ /security/errata.latest.xml
    ./ line 5: syntax error near unexpected token `newline'
    ./ line 5: `'

    What am I missing and where should I put it?
    Do you mean an environment variable?

  8. It'd be cool if the errata.latest.xml file had a checksum so scripts (e.g., Ansible) could be written to only overwrite an existing file if the checksum changes.

  9. There is no yum-plugin-security package for CentOS 7.
    What do you do?

  10. For Red Hat Enterprise Linux 7:
    The plugin is already a part of yum itself, no need to install anything.


  12. The design for your site is a tad off in Epiphany. Nevertheless I like your website. I may need to use a normal browser just to enjoy it.

  13. I have successfully created my own repository and the security updates get displayed fine (CentOS 7: yum updateinfo list)

    However, now my check_yum plugin (for Icinga) is no longer working properly. Can you recommend an Icinga/Nagios compatible check script that will allow me to monitor if security updates are pending? Thanks!