Monitoring software updates on CentOS – but not security updates


You might already know the yum plugins – there is one that enables “downloadonly” fetching of patches before the update, and another prominent one that checks whether the available updates are security related.

Some people have even built cool Nagios checks for reporting the updates[*], but none of them seem to actually check whether yum really reports a security update as a security update. Since I had been testing most of those plugins I had been really wary about the results. For example, last year there was almost half a year’s delay in the CentOS updates; surely there would have to be a security update among those. But none were reported. Over the last weeks there were a few critical updates on Linux, giving a good opportunity to test – again. The result was…

For the last time guys:

Using the yum security plugin and CentOS DO NOT COMPUTE!

The CentOS team is not adding the CVE data the plugin wants to read. Yes, it will tell you “no security updates”, but it is WRONG: the plugin does not handle missing security data and gives false results. GET it in your heads.

False sense of safety:

Here you can see it reporting no security updates:

-bash-3.2# yum --security check-update
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
* base: centos.kiewel-online.ch
* epel: ftp.uni-koeln.de
* extras: centos.kiewel-online.ch
* updates: centos.kiewel-online.ch
Limiting package lists to security relevant ones
No packages needed, for security, 10 available

Under the hood:

Adding -v we get to see the actual packages it was checking:

up:condense time: 0.000
updates time: 10.740
--> 2:libpng-1.2.10-17.el5_8.x86_64 from updates excluded (non-security)
--> openssl-devel-0.9.8e-22.el5_8.3.i386 from updates excluded (non-security)
--> openssl-0.9.8e-22.el5_8.3.x86_64 from updates excluded (non-security)
--> openssl-devel-0.9.8e-22.el5_8.3.x86_64 from updates excluded (non-security)
--> glibc-2.5-81.el5_8.2.i686 from updates excluded (non-security)
--> glibc-devel-2.5-81.el5_8.2.x86_64 from updates excluded (non-security)
--> glibc-2.5-81.el5_8.2.x86_64 from updates excluded (non-security)
--> glibc-headers-2.5-81.el5_8.2.x86_64 from updates excluded (non-security)
--> openssl-0.9.8e-22.el5_8.3.i686 from updates excluded (non-security)
--> glibc-common-2.5-81.el5_8.2.x86_64 from updates excluded (non-security)
No packages needed, for security, 10 available

Now look at that list…

LibPNG? A security fix

OpenSSL? A security fix

Summary:

Please, don’t rely on yum security on CentOS; either manually verify your updates or choose a distro where the repo data is “spiced” with the security update data and all packages correctly reference the CVE IDs they’re fixing.

Also, as far as I know none of these RH-based distros will warn you based on a security hole alone. They’ll just warn you once there is a fix for an issue.

[*] A very good howto is at http://flakrat.blogspot.de/2012/01/how-to-configure-nagios-checkmk-to.html
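The plugin can only classify an update as security related when the repository publishes updateinfo metadata (referenced from repomd.xml as a data entry of type "updateinfo"); when that entry is missing, every pending update is excluded as "non-security" whether or not it fixes a CVE, which is exactly the false negative shown above. The following script is an added example, not the post author’s code nor any Nagios plugin mentioned here: it checks each enabled repo’s repomd.xml for an updateinfo entry, parses the verbose output of the security plugin, and only returns a Nagios OK when the "non-security" verdicts came from repos that can actually make that call. The repomd.xml documents and the yum output are constructed inline (the epel package name is a placeholder); in production you would fetch repomd.xml from each configured mirror instead.

```python
"""Nagios-style sanity check for 'yum --security check-update' verdicts.

yum-plugin-security reads updateinfo.xml, which repomd.xml advertises as
<data type="updateinfo">. A repo without that entry cannot classify any
update as security related, so its "non-security" exclusions are meaningless.
Added example; not the post author's script and not a real Nagios plugin.
"""
import re
import xml.etree.ElementTree as ET

REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed repomd.xml samples (not fetched from any real mirror).
# A repo that ships security metadata lists updateinfo next to primary/filelists:
REPOMD_WITH_UPDATEINFO = """<repomd xmlns="http://linux.duke.edu/metadata/repo"
        xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>"""

# A repo without updateinfo, the situation the post describes for CentOS:
REPOMD_WITHOUT_UPDATEINFO = """<repomd xmlns="http://linux.duke.edu/metadata/repo"
        xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
</repomd>"""

# Constructed 'yum -v --security check-update' output; the first three
# exclusion lines mirror the post, the epel line uses a placeholder package.
SAMPLE_YUM_OUTPUT = """\
up:condense time: 0.000
updates time: 10.740
--> 2:libpng-1.2.10-17.el5_8.x86_64 from updates excluded (non-security)
--> openssl-0.9.8e-22.el5_8.3.x86_64 from updates excluded (non-security)
--> glibc-2.5-81.el5_8.2.x86_64 from updates excluded (non-security)
--> examplepkg-1.0-1.el5.x86_64 from epel excluded (non-security)
No packages needed, for security, 4 available
"""

EXCLUDED_RE = re.compile(
    r"^-->\s+(\S+)\s+from\s+(\S+)\s+excluded\s+\(non-security\)")


def has_updateinfo(repomd_xml):
    """True if this repomd.xml advertises an updateinfo metadata file."""
    root = ET.fromstring(repomd_xml)
    return any(d.get("type") == "updateinfo"
               for d in root.findall(REPOMD_NS + "data"))


def repos_without_updateinfo(repomd_by_repo):
    """Given {repo_id: repomd.xml text}, return repo ids that cannot feed the plugin."""
    return sorted(r for r, xml in repomd_by_repo.items() if not has_updateinfo(xml))


def excluded_as_non_security(yum_verbose_output):
    """Parse verbose plugin output into {repo_id: [packages excluded as non-security]}."""
    result = {}
    for line in yum_verbose_output.splitlines():
        m = EXCLUDED_RE.match(line.strip())
        if m:
            result.setdefault(m.group(2), []).append(m.group(1))
    return result


def security_check_verdict(repomd_by_repo, yum_verbose_output):
    """Return (nagios_exit_code, message).

    UNKNOWN if any pending update was excluded as 'non-security' by a repo
    that has no updateinfo metadata: the plugin had no data to decide with.
    OK only when every 'non-security' verdict came from a repo that ships it.
    """
    excluded = excluded_as_non_security(yum_verbose_output)
    blind = [r for r in repos_without_updateinfo(repomd_by_repo) if r in excluded]
    if blind:
        pending = sum(len(excluded[r]) for r in blind)
        return UNKNOWN, ("UNKNOWN: %d pending update(s) from repo(s) without "
                         "updateinfo metadata (%s); security status cannot be "
                         "determined, verify them manually" % (pending, ", ".join(blind)))
    classified = sum(len(v) for v in excluded.values())
    return OK, "OK: %d pending update(s) classified as non-security by repos shipping updateinfo" % classified


if __name__ == "__main__":
    repos = {"base": REPOMD_WITHOUT_UPDATEINFO,
             "updates": REPOMD_WITHOUT_UPDATEINFO,
             "epel": REPOMD_WITH_UPDATEINFO}
    code, msg = security_check_verdict(repos, SAMPLE_YUM_OUTPUT)
    print(msg)
    raise SystemExit(code)
```

With the constructed inputs the check exits UNKNOWN and names the "updates" repo, because the three updates it excluded as "non-security" (libpng, openssl, glibc) were judged without any updateinfo data; the epel exclusion is accepted because that sample repo ships the metadata. Returning UNKNOWN rather than OK is the point: a monitoring check should refuse to report "no security updates" when the data it would need to say so does not exist.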
