Enable Automatic Updates – Fedora/Red Hat/CentOS + Bonus Tip

As a reminder, Red Hat Enterprise Linux is based on Fedora Linux and CentOS is a 100% compatible rebuild of Red Hat Enterprise Linux. With that out of the way, let's move on. Linux server security is crucial to Linux server administration. Part of keeping Linux servers secure is installing security updates shortly after they become available. Too often, servers are compromised because security updates were left pending, awaiting manual installation.

In general, you should be very careful with automatic updates on critical servers where you cannot afford unplanned downtime. While there are reasons to be cautious, automatic updates are also worth considering. Let's have a look at how to enable automatic security updates on Fedora, Red Hat and CentOS.

 

Enable Automatic updates on RHEL 8, CentOS 8 and Fedora 29+

On Red Hat Enterprise Linux (RHEL) 8, CentOS 8 and Fedora 29+, the dnf-automatic RPM package provides a service which is started automatically for automatic updates. The package can be configured to perform automatic updates to install updated packages and/or security updates.

 

If not already installed, run the following command:

dnf install dnf-automatic

 

Next you’ll want to edit the config file:

nano /etc/dnf/automatic.conf

 

Here’s a screenshot excerpt of my dnf-automatic config file:
[Screenshot: /etc/dnf/automatic.conf]

 

Once you are finished with configuration, run the following command:

systemctl enable --now dnf-automatic.timer

This enables and starts the systemd timer. You may also use dnf-automatic-notifyonly.timer, dnf-automatic-download.timer or dnf-automatic-install.timer to override the download_updates = yes setting.

 

Enable Automatic updates on RHEL 7, CentOS 7

On Red Hat Enterprise Linux (RHEL) 7 and CentOS 7, the yum-cron RPM package provides a service which is started automatically for automatic updates. We just need to edit the yum-cron configuration file first to enable it.

 

The yum-cron RPM is not installed by default; use the command below to install it:

yum install -y yum-cron

 

Next you’ll want to edit the config file:

nano /etc/yum/yum-cron.conf

 

Here’s a screenshot excerpt of my yum-cron config file:

[Screenshot: /etc/yum/yum-cron.conf]

 

In that config file, change the line:

apply_updates = no

to

apply_updates = yes

 

Also, change the line:

update_cmd = default

to

update_cmd = security

The options available are:

# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal

 

Notice that in both examples above, I've enabled automatic install of security updates only. Also, no instructions have been included for Fedora releases prior to 29. Please make sure you upgrade to a currently supported version of Fedora server as your first step in server security!
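
A read-only check of the two config files edited above, added here as an example and not taken from the original post: it reports whether the [commands] section asks for security updates only and whether those updates are actually applied. The function names ini_get and audit_updates and the sample file contents are constructed for illustration; upgrade_type is assumed to be the dnf-automatic key that selects security-only updates.

```shell
#!/bin/sh
# Added example: audit the [commands] section of /etc/dnf/automatic.conf or
# /etc/yum/yum-cron.conf for "security updates only, actually installed".

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], empty if unset.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }                 # trim the line
        $0 == "" || /^[#;]/ { next }                    # blank line or comment
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) val = v                       # last assignment wins
        }
        END { print val }
    ' "$1"
}

# audit_updates dnf|yum FILE: print "ok" or a space-separated list of findings.
audit_updates() {
    kind=$1 file=$2 findings=""
    if [ "$kind" = dnf ]; then
        scope=$(ini_get "$file" commands upgrade_type)
    else
        scope=$(ini_get "$file" commands update_cmd)
        # yum-cron only applies updates when download_updates is also yes
        [ "$(ini_get "$file" commands download_updates)" = yes ] ||
            findings="$findings download_updates-not-yes"
    fi
    case "$kind:$scope" in
        dnf:security|yum:security|yum:security-severity:*) ;;
        yum:minimal-security|yum:minimal-security-severity:*) ;;
        dnf:default|yum:default|yum:minimal)
            findings="$findings scope-not-security-only:$scope" ;;
        *)  findings="$findings unknown-scope:$scope" ;;    # catches typos
    esac
    [ "$(ini_get "$file" commands apply_updates)" = yes ] ||
        findings="$findings apply_updates-not-yes"
    echo "${findings:-ok}" | sed 's/^ //'
}

# Constructed sample: a yum-cron.conf whose update_cmd value is misspelled.
sample=$(mktemp)
printf '%s\n' '[commands]' 'update_cmd = securty' \
    'download_updates = yes' 'apply_updates = yes' > "$sample"
audit_updates yum "$sample"     # unknown-scope:securty
rm -f "$sample"
```

The check reads the config file only; it does not look at which systemd timer or cron service is enabled, so a timer that overrides the file's settings is not reflected in the result.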

 

Bonus tip for RHEL, CentOS and Fedora

Manage your server(s) remotely and securely via the cockpit-project, an easy-to-use, integrated, glanceable and open web-based interface for your servers:

[Screenshot: cockpit-project storage]

 

[Screenshot: cockpit-project network]

Enjoy!

 

 
