# Security Patch Management and Installation Guide for RHEL

*Prepared by Security Operations Team - Stay secure, stay updated*

Security patches are critical to protect RHEL systems against vulnerabilities. This guide covers manual commands and automation best practices to streamline patch management securely and efficiently.

[TOC]
## Basic Patch Installation

```bash
# Check for available updates (exit status 100 means updates are available)
sudo dnf check-update
# Install all updates
sudo dnf update -y
```
## Install Security Updates Only

```bash
# List available security updates
sudo dnf updateinfo list security --available
# Install all security updates
sudo dnf update --security -y
```

### View Update Information

```bash
sudo dnf updateinfo                  # Summarize available advisories by type
sudo dnf updateinfo list security    # List security updates only
sudo dnf updateinfo info <package>   # Get advisory details for a specific package
```
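The severity column in `dnf updateinfo list security` output is what a patch scheduler should act on. The script below is an added example, not part of the original guide: it parses that output (a constructed sample is embedded, with placeholder `RHSA-0000:*` advisory IDs) into per-severity counts and a go/no-go decision, and only calls `dnf` when invoked with `run`. The `MIN_SEVERITY` variable and the `run` argument are conventions of this script, not dnf options.

```shell
#!/bin/sh
# Added example (not part of the original guide): triage the output of
# `dnf updateinfo list security --available` by advisory severity and use it
# to gate a patch run. dnf prints one line per advisory and package in the form
#   ADVISORY  Severity/Sec.  PACKAGE
# The functions read that text on stdin, so they run offline on the constructed
# sample below and on live dnf output in production.

# Constructed sample output. The RHSA-0000:* advisory IDs are placeholders.
SAMPLE_UPDATEINFO='Last metadata expiration check: 0:12:07 ago on Mon 15 Jan 2024 09:00:00 AM UTC.
RHSA-0000:0001 Important/Sec. kernel-5.14.0-362.el9.x86_64
RHSA-0000:0002 Moderate/Sec.  openssl-1:3.0.7-25.el9.x86_64
RHSA-0000:0003 Critical/Sec.  glibc-2.34-83.el9.x86_64
RHSA-0000:0004 Low/Sec.       curl-7.76.1-26.el9.x86_64'

# Print a one-line count per severity, e.g. "Critical=1 Important=1 Moderate=1 Low=1".
# Lines whose second field is not "<Severity>/Sec." (the metadata banner,
# bugfix/enhancement rows) are ignored.
summarize_security() {
    awk '
        $2 ~ /\/Sec\.$/ { split($2, sev, "/"); count[sev[1]]++ }
        END {
            printf "Critical=%d Important=%d Moderate=%d Low=%d\n",
                count["Critical"], count["Important"], count["Moderate"], count["Low"]
        }'
}

# Succeed (exit 0) when at least one advisory at or above the given severity
# threshold is pending; fail (exit 1) otherwise. Unknown thresholds are rejected.
needs_patching() {
    case "$1" in
        Critical|Important|Moderate|Low) ;;
        *) echo "bad severity: $1" >&2; return 2 ;;
    esac
    awk -v min="$1" '
        BEGIN { rank["Critical"] = 4; rank["Important"] = 3; rank["Moderate"] = 2; rank["Low"] = 1; hit = 0 }
        $2 ~ /\/Sec\.$/ { split($2, sev, "/"); if (rank[sev[1]] >= rank[min]) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# Live run: summarize pending advisories and return 2 when the threshold
# (MIN_SEVERITY, default Important) is met, so a scheduler can act on it.
main() {
    out=$(dnf updateinfo list security --available)
    printf '%s\n' "$out" | summarize_security
    if printf '%s\n' "$out" | needs_patching "${MIN_SEVERITY:-Important}"; then
        echo "advisories at or above ${MIN_SEVERITY:-Important} are pending: run 'sudo dnf update --security -y'"
        return 2
    fi
    echo "no advisories at or above ${MIN_SEVERITY:-Important}"
}

# Only call dnf when invoked as `sh patch-triage.sh run`; sourcing the file
# just defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it as `MIN_SEVERITY=Critical sh patch-triage.sh run` from a timer or CI job; exit status 2 signals that the threshold was met, which is easier to wire into `dnf update --security -y` than parsing the summary line again.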
### Automate Patch Installation with DNF

```bash
sudo dnf install -y dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
```

Edit the configuration file `/etc/dnf/automatic.conf` (these keys belong to the `[commands]` section):

```ini
[commands]
upgrade_type = security
apply_updates = yes
reboot = when-needed
```
## Pre-Update Recommendations

### Dry-Run Security Updates

```bash
# Resolve the transaction and show what would change, then answer "no" to the prompt
sudo dnf update --security --assumeno
```

### Create a Snapshot (For LVM or Btrfs)

```bash
# LVM example: adjust the VG/LV path to your system (Btrfs uses `btrfs subvolume snapshot`)
sudo lvcreate --size 1G --snapshot --name root_snap /dev/centos/root
```
## Rollback and System Recovery

### Rollback with DNF

```bash
sudo dnf history                                      # List transactions (newest first)
sudo dnf history info <transaction_ID>                # Inspect one transaction
sudo dnf history rollback <previous_transaction_ID>   # Revert to the state after that transaction
```

### Downgrade a Package

```bash
sudo dnf downgrade <package>
```
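`dnf history rollback` needs the ID of the last transaction *before* the patch run, which is easy to lose once several transactions have been applied. The script below is an added example, not part of the original guide: it parses `dnf history` output (a constructed sample is embedded, with invented IDs, dates and counts), records the pre-patch ID in a state file at a hypothetical path, applies security updates, and prints the exact rollback command for that run. The `run` argument and the `STATE_FILE` variable are conventions of this script.

```shell
#!/bin/sh
# Added example (not part of the original guide): record the dnf transaction
# ID before patching so that `dnf history rollback <ID>` has a known target
# afterwards, and list the transactions a patch run added. The parsing
# functions read `dnf history` output on stdin so they work offline on the
# constructed sample below.

# Constructed sample of `dnf history` output (IDs, dates and counts invented).
SAMPLE_HISTORY='ID     | Command line                     | Date and time    | Action(s)      | Altered
---------------------------------------------------------------------------------------
    42 | update --security -y             | 2024-01-15 10:00 | Upgrade        |   12
    41 | install -y dnf-automatic         | 2024-01-14 09:00 | Install        |    3
    40 | install scap-security-guide      | 2024-01-13 08:00 | Install        |    9'

# Print the newest transaction ID: the first row whose first column is a
# number (the header and separator lines are skipped).
latest_transaction_id() {
    awk -F'|' '$1 ~ /^[ \t]*[0-9]+[ \t]*$/ { gsub(/[ \t]/, "", $1); print $1; exit }'
}

# Print, newest first, the IDs of transactions newer than the given one.
# Usage: transactions_since BASE_ID < history-output
transactions_since() {
    awk -F'|' -v base="$1" '
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ { gsub(/[ \t]/, "", $1); if ($1 + 0 > base + 0) print $1 }'
}

# File holding the pre-patch ID (hypothetical location, override via STATE_FILE).
STATE_FILE=${STATE_FILE:-/var/tmp/prepatch-transaction-id}

# Live run: save the current ID, apply security updates, then show what was
# added and the exact rollback command for this run.
patch_with_rollback_point() {
    before=$(dnf history | latest_transaction_id)
    printf '%s\n' "$before" > "$STATE_FILE"
    echo "pre-patch transaction ID $before saved to $STATE_FILE"
    dnf update --security -y
    added=$(dnf history | transactions_since "$before")
    echo "transactions added by this run: ${added:-none}"
    for id in $added; do dnf history info "$id"; done
    echo "to revert everything from this run: sudo dnf history rollback $before"
}

# Only call dnf when invoked as `sudo sh patch-with-rollback.sh run`;
# sourcing the file just defines the functions.
case "${1:-}" in run) patch_with_rollback_point ;; esac
```

Keeping the pre-patch ID on disk (or in the job log) is what makes the rollback reproducible later; `dnf history undo <ID>` is the alternative when only one of the added transactions should be reverted.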
## Bulk Patching with Ansible

### Basic Playbook Example (Security Updates Only)

```yaml
---
- name: Apply security updates on RHEL systems
  hosts: all
  become: yes
  tasks:
    - name: Apply only security updates
      ansible.builtin.yum:
        name: '*'
        security: yes
        state: latest
```

### Dry-Run Security Updates

```yaml
---
- name: Dry-run for security updates
  hosts: all
  become: yes
  tasks:
    - name: List pending security advisories (read-only)
      ansible.builtin.shell: "dnf updateinfo list security --available"
      changed_when: false
```

### Run the Playbook

```bash
ansible-playbook -i inventory apply-security-updates.yml
```
## YUM/DNF Repository Management

### List All Repositories

```bash
dnf repolist all
```

### Set Repository Priority

With DNF (RHEL 8 and later) the `priority` repository option is built in and no plugin is required; the separate `yum-plugin-priorities` package only exists for yum-based RHEL 7:

```bash
sudo dnf install yum-plugin-priorities   # RHEL 7 / yum only; not needed or available on DNF
```

Add the following line to the corresponding repo file under `/etc/yum.repos.d/` (lower values win; the default is 99):

```ini
priority=1
```
## System Compliance Check (OpenSCAP)

### Install and Run Scan

```bash
sudo dnf install scap-security-guide openscap-scanner -y
# Run SCAP scan (example using the CIS benchmark profile)
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results scan-results.xml \
  --report scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
```

### View the Report

Open `scan-report.html` in your browser to review the compliance results.
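The HTML report is for people; for a pipeline or a post-patch check the `--results` XML is the artifact to consume. The script below is an added example, not part of the original guide: it counts rule results by state in an XCCDF results file and fails when any rule is in the `fail` state. A constructed, cut-down results file with placeholder rule IDs is embedded so it runs offline; the function names are this script's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarize the XCCDF results
# file written by `oscap xccdf eval --results` and fail when any rule ended in
# "fail", so a scan can gate a pipeline or a post-patch check. The functions
# read the XML on stdin or from a file and run offline on the constructed
# sample below.

# Constructed, cut-down results file. The rule IDs are placeholders, not real
# scap-security-guide rule names.
SAMPLE_RESULTS='<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_one" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_two" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_three" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_four" severity="high">
    <result>fail</result>
  </rule-result>
</TestResult>'

# Print "state count" lines (e.g. "fail 2"), one per distinct result state.
scap_result_counts() {
    sed -n 's/.*<result>\([a-z]*\)<\/result>.*/\1/p' | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the idref of every rule whose result is "fail".
# The idref is taken from the enclosing <rule-result> start tag, so it works
# whether <result> is on the same line or a following one.
failed_rules() {
    awk '
        /<rule-result/ { if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
        /<result>fail<\/result>/ { print id }'
}

# Gate: exit 0 when no rule failed, 1 otherwise, listing the failures on stderr.
# Usage: scap_gate scan-results.xml
scap_gate() {
    failed=$(failed_rules < "$1")
    if [ -n "$failed" ]; then
        echo "FAILED rules in $1:" >&2
        printf '  %s\n' $failed >&2
        return 1
    fi
    echo "no failed rules in $1"
}

# Example use after a live scan (not executed when the file is sourced):
#   sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
#       --results scan-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
#   scap_result_counts < scan-results.xml
#   scap_gate scan-results.xml
```

`oscap xccdf eval` itself exits with status 2 when at least one rule fails, which is enough for a simple gate; the parser above adds the per-state tally and the list of failing rule IDs that a ticket or dashboard needs.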
## Kernel Update and Reboot Strategy

### Check for Kernel Updates

```bash
dnf list kernel
```

### Set the Default Boot Entry

```bash
grubby --default-kernel     # Show the kernel that boots by default
sudo grub2-set-default 0    # Make the first (newest) menu entry the default
```

### Check if a Reboot is Required

```bash
sudo dnf install yum-utils   # Provides needs-restarting
sudo needs-restarting -r     # Exit status 1 means a reboot is required
```
## Appendix: Common DNF Commands

| Function | Command |
|---|---|
| Check for updates | dnf check-update |
| Install all updates | dnf update |
| Install security updates | dnf update --security |
| View update history | dnf history |
| View transaction details | dnf history info <ID> |
| Rollback a transaction | dnf history rollback <ID> |
| Downgrade a package | dnf downgrade <package> |
| Clean cache | dnf clean all |
## Command Summary

The following code block consolidates all the core commands for quick reference:

```bash
# Basic Patch Installation
sudo dnf check-update
sudo dnf update -y
# Security Updates Only
sudo dnf updateinfo list security --available
sudo dnf update --security -y
# View Update Information
sudo dnf updateinfo                  # Summarize available advisories
sudo dnf updateinfo list security    # List security updates
sudo dnf updateinfo info <package>   # Get advisory details
# Automate Patching with DNF
sudo dnf install -y dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
# Pre-Update Recommendations
sudo dnf update --security --assumeno
sudo lvcreate --size 1G --snapshot --name root_snap /dev/centos/root
# Rollback and Recovery
sudo dnf history
sudo dnf history info <transaction_ID>
sudo dnf history rollback <previous_transaction_ID>
sudo dnf downgrade <package>
# Bulk Patching with Ansible
ansible-playbook -i inventory apply-security-updates.yml
# Repository Management
dnf repolist all
sudo dnf install yum-plugin-priorities   # RHEL 7 / yum only; DNF sets priority=1 in the repo file directly
# System Compliance (OpenSCAP)
sudo dnf install scap-security-guide openscap-scanner -y
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results scan-results.xml --report scan-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Kernel Update and Reboot
dnf list kernel
grubby --default-kernel   # or: sudo grub2-set-default 0
sudo dnf install yum-utils
sudo needs-restarting -r
```
## Additional Tips & References

- Test patches in staging environments before production deployment.
- Review the advisory release notes for possible impact or conflicts.
- Maintain regular backups prior to applying patches.
- Combine patch management with vulnerability scanning for comprehensive security.
- Monitor patch compliance centrally with tools like Red Hat Satellite or Ansible Tower.