DX Application Performance Management


Check current CVE update level on the APM TIM OS

By Jörg Mertin posted Oct 11, 2016 05:14 AM

  

With the threats currently in the wild, proactive security is becoming more and more important. Being proactive also means making sure that our operating systems are secured against all known threats.

On the TIM OS (based on RedHat/CentOS), yum provides a small feature that tells us which security fixes have not been installed, and especially which ones we should install.

We can also tell yum to install all updates tagged as security relevant.
The following examples apply to RedHat 6 and 7. For RedHat 5, the commands differ (please check on the RedHat network).


To see which errata exist for your currently running TIM, run:

# yum updateinfo list available

To list all security-related errata, run:

# yum updateinfo list sec

To get a list of the currently installed security updates, use:

# yum updateinfo list security installed

If you need more detailed information on the security updates, issue:

# yum info-sec

 

So far, the previous commands only gave us information on all or installed packages (non-Linux geeks would rather use the term "apps" for packages). If, however, we want to install the security-tagged packages, we'll use the following:

# yum -y update --security

Now, this will install all packages that had at least one issue tagged as security relevant in their lifetime on this release.
If you want to install only the packages that have a currently tagged security issue, use the minimal function:

# yum update-minimal --security -y

That's it - your system is secure.

 

If a customer now asks you whether your system is secured against CVE-2016-0800, you can check by grepping the information out of the listing of all CVEs, or just apply all upgrades related to that CVE number by issuing:

# yum update --cve CVE-2016-0800

Now you can tell your customer that his system is secured against the known threat CVE-2016-0800.
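
The "grepping" check mentioned above can be scripted; the following is an added example, not part of the original post. It assumes the listing comes from `yum updateinfo list cves` and that each line has the layout `<CVE-ID> <severity>/Sec. <package>`; the function names, package names and the second CVE-like ID in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a CVE still has pending updates on this host.
# Assumed input layout (one pending fix per line):
#   <CVE-ID> <severity>/Sec. <package-name-version-release.arch>

# Constructed sample listing, not captured from a real TIM. The ID
# CVE-2016-08000 is a made-up value showing why a plain substring grep for
# CVE-2016-0800 would over-match.
sample_listing() {
cat <<'EOF'
Loaded plugins: security
 CVE-2016-0800  Important/Sec. openssl-0.0.0-0.el6.x86_64
 CVE-2016-0800  Important/Sec. openssl-devel-0.0.0-0.el6.x86_64
 CVE-2016-08000 Low/Sec.       example-pkg-0.0-0.el6.noarch
updateinfo list done
EOF
}

# pending_for_cve CVE-ID
# Reads a listing on stdin and prints the packages whose pending update
# fixes exactly that CVE (whole-field match, not substring).
pending_for_cve() {
    awk -v cve="$1" '$1 == cve { print $3 }' | sort -u
}

# cve_status CVE-ID
# Reads a listing on stdin. Returns 0 if no pending update references the
# CVE, 1 if at least one package still has to be updated.
cve_status() {
    pkgs=$(pending_for_cve "$1")
    if [ -n "$pkgs" ]; then
        echo "PENDING: updates fixing $1 are not installed yet:"
        echo "$pkgs" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no pending update references $1"
    return 0
}

# Demo on the constructed sample. On a real system use instead:
#   yum -q updateinfo list cves | cve_status CVE-2016-0800
sample_listing | cve_status CVE-2016-0800 || true
```

A result of "OK" only means that no available erratum references the CVE; if the configured repositories carry no errata metadata, the listing is empty for every CVE.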

 

PS: Most of this information was taken from the RedHat archive, but I thought it was important that this information is known to be usable!

PPS: Similar functionality also exists for other distributions, but the way the data is accessed is different.
Check Google to find it for your distribution.
