So here’s the scenario: you have a CentOS 6 or 7 server all setup, and like the proactive sysadmin that you are, you’ve decided to start patching your system on a regular basis… but with security updates only and not full package upgrades, in order to avoid breaking anything.

So what do you do? Why, you google “centos automatic security updates”, and lo and behold, a whole slew of blogs recommend the same thing:

Why, just run “sudo yum upgrade --security” and your system will be all secure!

I need to be crystal clear about this advice: It. Is. Wrong.

“But!” you say, “I ran that command on my server, and look at the output. Everything’s up to date!”

Alas, it’s not. And I totally understand why you might think otherwise:

Resolving Dependencies
Limiting packages to security relevant ones
No packages needed for security

So here’s the thing: yum upgrade --security does indeed work… but only if you’re running Red Hat (RHEL) servers.

Why doesn’t it work on CentOS? The updateinfo.xml in the CentOS repositories does not include classifications for security patches. So when you run yum upgrade --security on a CentOS box, yum can’t find any security-only updates, and hence thinks everything is up to date.
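To make the failure mode concrete, here is an added example (not from the original post, and not code from yum or the CentOS project) that reproduces the filtering step yum applies with --security: it reads a repository’s updateinfo.xml, keeps only advisories whose type is "security", and then intersects their package lists with what is installed. Both updateinfo documents below are constructed samples; the advisory id, package versions, and the assumption that the advisory applies whenever the named package is installed (real yum also compares versions) are illustrative only. The point it demonstrates is that a repository with no advisory metadata at all produces the same "nothing to do" result as a fully patched system, so a script should check that advisories exist at all before trusting an empty answer.

```python
#!/usr/bin/env python3
"""Reproduce the 'security-only' filter that yum --security applies.

Added example, not yum's own code. Both updateinfo.xml samples are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a repository that publishes advisory classifications,
# the way RHEL's repositories do. The advisory id and versions are made up.
RHEL_STYLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="security@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-SA-0001</id>
    <title>Important: openssl security update (constructed)</title>
    <severity>Important</severity>
    <pkglist>
      <collection short="updates">
        <package name="openssl" version="1.0.1e" release="51.el7_2.7" arch="x86_64">
          <filename>openssl-1.0.1e-51.el7_2.7.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from="security@example.invalid" status="final" type="bugfix" version="1">
    <id>EXAMPLE-BA-0002</id>
    <title>bash bug fix update (constructed)</title>
    <pkglist>
      <collection short="updates">
        <package name="bash" version="4.2.46" release="20.el7_2" arch="x86_64">
          <filename>bash-4.2.46-20.el7_2.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

# Constructed sample: a repository that ships no advisory metadata at all.
# This is what the CentOS base/updates repositories look like to --security.
CENTOS_STYLE_UPDATEINFO = '<?xml version="1.0" encoding="UTF-8"?><updates/>'


def advisory_counts(updateinfo_xml):
    """Return (total advisories, security advisories) found in updateinfo.xml.

    A total of zero means the repository cannot support a security-only
    filter, which is a different situation from 'no security updates pending'.
    """
    root = ET.fromstring(updateinfo_xml)
    updates = root.findall("update")
    security = [u for u in updates if u.get("type") == "security"]
    return len(updates), len(security)


def security_packages(updateinfo_xml, installed):
    """Names of installed packages covered by a type="security" advisory.

    Assumption for this example: an advisory applies whenever the package it
    names is installed. Real yum additionally compares the installed version
    against the advisory's version/release.
    """
    root = ET.fromstring(updateinfo_xml)
    wanted = set()
    for update in root.findall("update"):
        if update.get("type") != "security":
            continue
        for pkg in update.iter("package"):
            if pkg.get("name") in installed:
                wanted.add(pkg.get("name"))
    return wanted


def security_update_report(updateinfo_xml, installed):
    """Describe what --security would do, flagging the silent-failure case."""
    total, security = advisory_counts(updateinfo_xml)
    if total == 0:
        return "repository publishes no advisories; --security cannot work here"
    pkgs = sorted(security_packages(updateinfo_xml, installed))
    if not pkgs:
        return "no packages needed for security (%d security advisories checked)" % security
    return "security updates pending for: " + ", ".join(pkgs)


if __name__ == "__main__":
    installed = {"openssl", "bash", "kernel"}  # constructed inventory
    print("RHEL-style  :", security_update_report(RHEL_STYLE_UPDATEINFO, installed))
    print("CentOS-style:", security_update_report(CENTOS_STYLE_UPDATEINFO, installed))
```

Running it prints a pending openssl update for the RHEL-style metadata and the "publishes no advisories" warning for the CentOS-style metadata; the bugfix advisory for bash is correctly ignored by the security filter in both cases. The same distinction is what a monitoring check should make on a real host: treat "zero advisories available" as a misconfiguration to alert on, not as a clean result.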

Oops.

Fortunately, some clever folks have come up with a work-around for this. My favorite is Brady Wied’s centos-package-cron.

How to install it:

sudo yum install yum-plugin-changelog pcre-devel python-pip
mkdir /var/lib/centos-package-cron
pip install centos_package_cron

And then to update your system with only security updates, run:

centos-package-cron --output stdout --forceold | pcregrep -M 'Packages:[^:]*' | grep -o "[^* ]*" | grep -v 'Packages:' | grep -v 'References' | sort | uniq | xargs yum -y update

(Credit to Paul Maunders for that last command.)

And boom, you have all of your security patches installed!