yum-security is a plugin to the Red Hat Entreprise Linux package manager yum. It helps installing only security updates (RHSA) (as opposed to bug fixes (RHBA) or enhancements (RHEA)).
Explanation of RHSA, RHBA and RHEA advisories
RHEL 7 : yum-security is part of yum
RHEL 6 :
yum install yum-plugin-security
List all available erratas without installing them :
yum updateinfo list available
List all available security updates without installing them :
yum updateinfo list security all
yum updateinfo list sec
List of the currently installed security updates :
yum updateinfo list security installed
More examples are available in this Red Hat KB article
Red Hat has been provided security information since January 2005 through different ways :
RHSA-Announce mailing list, Red Hat CVE database and Red Hat Product Errata
For a better access of their data, the Red Hat Product Security has just released a beta API. It provides more search options for accessing real-time data.
More details can be found in the post below :
Red Hat Security Blog post about their new Security Data API service
RedHat Security Data API
Two links for an in-depth explanation regarding Red Hat backporting security fixes process as well as compatibility between Red Hat security advisories and Mitre CVEs.
Backporting Security Fixes
Red Hat and CVE compatibility
Red Hat provides free access to two databases for errata and for CVE referenced in Red Hat products :
Red Hat Product Errata database
Red Hat CVE Database
Upgrade a rpm package on a couple of servers with a quick one-liner in Ansible :
ansible all -b --ask-become-pass -m yum "name=bash state=latest"
servers_list is the text file listing your servers.
Using the ANSIBLE_INVENTORY variable overrides the use of a generate inventory.
This one-liner makes use of the yum Ansible module.
Running sudo commands is possible with these options -b and –ask-become-pass
Apache HTTPD : ETag Inode Information Leakage
This is an error that occurs during PCI scans. To remediate it, disable the ETag feature in your Apache configuration file.
Add FileETag None to /etc/httpd/conf/httpd.conf and restart your Apache server :
echo 'FileETag None' >> /etc/httpd/conf/httpd.conf
service httpd restart
Check if the ETag information are present in the http headers sent by your Apache server :
curl -I https://your_server_name/ -k
How to disable CIFS NULL session permitted on a Linux server to meet compliance requirements ?
rpcclient can help retrieve details about this server. Log in with an anonymous user :
rpcclient -U "" server_name
Once logged in, run either of these commands :
To leave rpcclient, run the quit command.
If you were able to logged in and if any of the commands display details, then CIFS null session is permitted.
To disable it, add the following parameters to your smb.conf file :
guest account = nobody
restrict anonymous = 1
Check Samba configuration file syntax with :
Restart Samba daemons :
service smb restart
service nmb restart
service winbind restart
Run once again any of the commands within a new rpcclient session.
Any information should be available now.
To disable TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.15111, remove any DES-based ciphers in your Apache ssl configuration file :
[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
Make sure that your httpd config file syntax is OK :
[root@localhost:~]# apachectl configtest
Restart your web server :
[root@localhost:~]# systemctl restart httpd.service
Run a nmap scan with ssl-enum-ciphers script enabled :
[root@localhost:~]# nmap --script ssl-enum-ciphers -p 443 server_fqdn |grep 3DES
No DES-based ciphers should be displayed.