On CentOS servers, we can enable the automatic download and installation of security updates. Let's see how to protect our servers by installing the `yum-cron` package!

### The System
See what version of CentOS we're using:

```bash
cat /etc/redhat-release
```

We can see I'm using CentOS 7.

We can upgrade the system using `sudo yum upgrade`. We can do just security updates by adding the `--security` option:

```bash
sudo yum --security upgrade

# Or, alternatively
sudo yum --security upgrade-minimal
```

### Automatic Yum Upgrades

We'll use the package `yum-cron` to run `yum --security upgrade` automatically.

```bash
# Install yum-cron
sudo yum install yum-cron

# Configure yum-cron
sudo vim /etc/yum/yum-cron.conf
```

Set the following:

```ini
update_cmd = security
apply_updates = yes
```

Then restart the service created by installing this package:

```bash
sudo systemctl status yum-cron
sudo systemctl enable yum-cron

# Or "restart" if already started
sudo systemctl start yum-cron
```

If you're curious, you can see the cron configuration used to run this by inspecting `/etc/cron.daily/0yum-daily.cron`. Once per day, it just runs the yum upgrade according to the configuration file we edited. Simple!
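
To confirm that the two settings above are actually in effect on a host, the following added example (not part of the original post) reads a yum-cron configuration file and reports the effective values. The function names `conf_value`, `check_yum_cron_conf` and `sample_conf`, and the sample config, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a yum-cron config for the two settings used on this page.
# Function names and the sample config are constructed for illustration.

# Print the effective value of KEY in an INI-style FILE: comment lines are
# skipped, spaces around "=" are ignored, and the last assignment wins.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 only if FILE has update_cmd = security and apply_updates = yes.
check_yum_cron_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    rc=0
    for want in "update_cmd=security" "apply_updates=yes"; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(conf_value "$conf" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK:   $key = $actual"
        else
            echo "FAIL: $key = '$actual' (expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a naive grep for "update_cmd = security" matches the
# commented line here, but the effective value is "default".
sample_conf() {
    printf '%s\n' '[commands]' '# update_cmd = security' \
        'update_cmd = default' 'apply_updates = yes'
}

# Audit a real file when a path is given, e.g.: sh check.sh /etc/yum/yum-cron.conf
if [ -n "${1:-}" ]; then check_yum_cron_conf "$1"; fi
```

The exit status is 0 when both settings match, 1 when either differs, and 2 when the file cannot be read, so the check can be dropped into a monitoring job or configuration-management run.
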

### Resources

- Here's an Ansible playbook for this setup that will work on CentOS 6 and 7