Use DNF to Maintain Security on Oracle Linux

Introduction

The following tutorial provides practical examples of using the Dandified YUM (DNF) package manager on Oracle Linux to apply maintenance and security updates. This tutorial is targeted at users of Oracle Linux 8 or later.

DNF downloads packages from enabled repositories for install and update actions. It performs automatic dependency resolution for packages and installs all packages needed to fulfill dependency requirements. DNF also includes integrated options for managing security and errata updates available for packages installed in Oracle Linux.

A security patch is an update that fixes a specific vulnerability by changing the affected source code. Security patches usually apply to particular software components.

A bug fix is the elimination of known software errors.

CVE is short for Common Vulnerabilities and Exposures. It is a list of publicly disclosed computer security flaws. A CVE refers to a security flaw where a CVE Numbering Authority (CNA) assigns a CVE ID number. Security advisories usually refer to at least one CVE ID, with a priority ranging from negligible through low, medium, high to critical.

Enterprise Linux denotes these specific updates as:

  • ELSA : Enterprise Linux Security Advisory patches
  • ELBA : Enterprise Linux Bug Fix Advisory patches
  • ELEA : Enterprise Linux Enhancement Advisory patches

Objectives

In this lab, you'll learn:

  • The meaning of CVEs, ELSAs, and Bug Fixes
  • To use DNF for installing security updates
  • That package updates are cumulative and have dependencies
  • To clean up old packages

What Do You Need?

  • An Oracle Linux system.

Setup Lab Environment

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Some of the dnf commands in this lab require the use of sudo to avoid the following message: Error: This command has to be run with superuser privileges (under the root user on most systems).

  1. Open a terminal and connect via SSH to the ol-node01 instance if not already connected.

    ssh oracle@<ip_address_of_instance>
  2. Confirm hostname and version of Oracle Linux.

    hostnamectl

List All Available Security Packages for the System

  1. List a summary of the types and totals of available errata.

    dnf updateinfo summary
  2. List all the errata that are available for the system.

    dnf updateinfo list

    The example output shows the enabled repositories followed by one line per update. The available errata are sorted by ID, and the second column identifies each erratum's type:

    • Severity/Sec : Security patch, prefixed by its priority level

    • bugfix : Bug fix

    • enhancement : Feature enhancement

    (screenshot: updateinfo-list)

  3. List detailed information on each of the available errata.

    dnf updateinfo info

    The example output shows the details of each erratum, including its dependencies, if any.

    (screenshot: update-depend-info)

Filter the List of Security Updates

  1. You can limit the output to specific types by including various arguments after the list keyword.

    1. List all security updates installed on the host, specify the arguments security --installed.

      dnf updateinfo list security --installed
    2. List all available security updates not installed on the host, specify the arguments updates security.

      dnf updateinfo list updates security
    3. List the security errata by their Common Vulnerabilities and Exposures (CVE) IDs, specify cves as an argument.

      dnf updateinfo list cves
    4. List the bugfixes, specify bugfix as an argument.

      dnf updateinfo list bugfix
    5. List the available security upgrades, specify sec as an argument.

      dnf updateinfo list sec
    6. List the security patches of a given severity level by specifying --sec-severity= followed by the severity.

      dnf updateinfo list --sec-severity=Important

      These are the available severity levels:

      • Critical
      • Important
      • Moderate
      • Low
    7. List the security errata for a specific CVE, specify the keyword --cve followed by a CVE ID as an argument.

      dnf updateinfo list --cve CVE-2023-1998
    8. List the information for a specific Advisory, specify the keyword --advisory followed by an Advisory ID as an argument.

      dnf updateinfo list --advisory ELSA-2023-3723
      dnf updateinfo list --advisory ELBA-2023-3732
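
The listing and filtering commands above print one row per erratum (advisory ID, type column, package). The following script is an added example, not part of the Oracle lab: it parses that row format from a constructed sample so that pending security errata can be counted by severity and turned into a pass/fail patch gate for a cron job or a monitoring check, without re-running dnf once per filter. The sample layout mimics Oracle Linux 8 output; ELSA-2023-3723 and ELBA-2023-3732 are the advisory IDs used in the lab, while every other advisory ID, package name and version is made up, and the Critical/Important thresholds in patch_gate are an assumption to adapt to local policy.

```shell
#!/bin/sh
# Added example, not part of the Oracle lab: triage the text printed by
# `dnf updateinfo list` so that pending security errata can be counted by
# severity and turned into a pass/fail patch gate for a cron job or monitor.
#
# Constructed input: the sample below mimics the three-column layout of
# `dnf updateinfo list` on Oracle Linux 8 (advisory ID, type column, package).
# ELSA-2023-3723 and ELBA-2023-3732 are the advisory IDs used in the lab;
# every other advisory ID, package name and version here is made up.
SAMPLE_UPDATEINFO='Last metadata expiration check: 0:10:00 ago.
ELSA-2023-3723 Important/Sec. example-tls-1.0.0-1.el8.x86_64
ELSA-2023-3723 Important/Sec. example-tls-libs-1.0.0-1.el8.x86_64
ELSA-2023-0001 Critical/Sec.  example-kernel-5.15.0-1.el8.x86_64
ELSA-2023-0002 Moderate/Sec.  example-http-2.4.0-1.el8.x86_64
ELBA-2023-3732 bugfix         example-shell-5.1.0-1.el8.x86_64
ELEA-2023-0003 enhancement    example-editor-9.0.0-1.el8.x86_64'

# Keep only errata rows: the first field must look like ELSA/ELBA/ELEA-YYYY-NNNN.
# Header lines such as "Last metadata expiration check" are dropped.
errata_rows() {
    printf '%s\n' "$1" | grep -E '^EL[SBE]A-[0-9]{4}-[0-9]+[[:space:]]'
}

# Number of security errata rows at one severity level.
# Usage: security_count "$text" Important
security_count() {
    errata_rows "$1" | awk -v sev="$2" '$2 == (sev "/Sec.") { n++ } END { print n + 0 }'
}

# Number of distinct advisories of one type (ELSA, ELBA or ELEA); an advisory
# that touches several packages appears on several rows but counts once.
# Usage: advisory_count "$text" ELSA
advisory_count() {
    errata_rows "$1" | awk -v p="$2" 'index($1, p "-") == 1 && !seen[$1]++ { n++ } END { print n + 0 }'
}

# Patch gate: succeed (return 0) only when no Critical or Important security
# erratum is pending. The thresholds are an assumption for this example;
# adjust them to the local patch policy.
patch_gate() {
    crit=$(security_count "$1" Critical)
    imp=$(security_count "$1" Important)
    if [ "$crit" -gt 0 ] || [ "$imp" -gt 0 ]; then
        echo "BLOCK: $crit Critical and $imp Important security errata pending" >&2
        return 1
    fi
    echo "OK: no Critical or Important security errata pending" >&2
    return 0
}

# Demonstration on the constructed sample. On a real host, replace the sample
# with live output: text=$(dnf updateinfo list 2>/dev/null) and pass "$text".
for sev in Critical Important Moderate Low; do
    echo "$sev security errata: $(security_count "$SAMPLE_UPDATEINFO" "$sev")"
done
echo "Distinct ELSA advisories: $(advisory_count "$SAMPLE_UPDATEINFO" ELSA)"
if patch_gate "$SAMPLE_UPDATEINFO"; then
    echo "nothing urgent to apply"
else
    echo "apply with: sudo dnf --security upgrade-minimal"
fi
```

The functions take the listing as a string argument rather than reading stdin, so the same captured output can be queried several times; counting distinct advisory IDs matters because one ELSA frequently covers several packages and would otherwise be over-counted.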

Detailed Information of Security Updates

  1. The dnf updateinfo info command lists detailed information for specific errata. You can limit the output to particular types by including various arguments after the info keyword.

    1. List detailed information for a specific Advisory, specify --advisory followed by an Advisory ID as an argument.

      dnf updateinfo info --advisory ELSA-2023-3723
      dnf updateinfo info --advisory ELBA-2023-3732
    2. List the detailed information for a specific CVE, specify --cve followed by a CVE ID as an argument.

      dnf updateinfo info --cve CVE-2023-1998

Update Packages

  1. The dnf update command updates packages to the latest version. You can restrict the update to specific errata by including various arguments after the update keyword, and you apply the updates by answering y at the prompt.

    1. Update the packages affected by a specific CVE, specify the --cve option followed by a CVE ID as an argument.

      sudo dnf update --cve CVE-2023-1998

      The output from the update and upgrade commands shows up to four sections:

      • Installing
      • Upgrading
      • Installing dependencies
      • Installing weak dependencies

      (screenshot: update-depend-list)

    2. Update packages for a specific Advisory, specify the keyword --advisory followed by an Advisory ID as an argument.

      sudo dnf update --advisory ELSA-2023-3723
    3. Update every package that has a security erratum to its latest available version, even when that latest version also includes bug fixes or new features beyond the security erratum.

      sudo dnf --security update --assumeno

      The --assumeno option automatically answers no to every prompt. This aborts the transaction after dependency resolution, which lets you test further dnf --security options without changing the system.

    4. Update all packages to the latest versions that contain security errata while ignoring any newer packages that don't have security errata.

      sudo dnf --security upgrade-minimal --assumeno
    5. Update all kernel packages to the latest versions that contain security errata.

      sudo dnf --security upgrade-minimal 'kernel*' -y

      The -y option automatically answers yes to every prompt and therefore applies the requested security packages without confirmation. Quoting kernel* stops the shell from expanding the pattern against file names in the current directory before dnf sees it.

    6. Update a system to use the latest packages that are available.

      sudo dnf upgrade

      Two dnf commands are available to update all packages: dnf update and dnf upgrade. Both install all available updates; dnf update is a deprecated alias that simply runs dnf upgrade, so dnf upgrade is preferred.
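
Steps 3 to 5 above describe a dry run with --assumeno followed by an applying run with -y, and the transaction output is organised into the Installing, Upgrading and dependency sections listed earlier. The script below is an added example and not part of the Oracle lab: it parses a constructed transaction plan in that layout, counts the packages in each section, flags kernel packages (whose update only takes effect after a reboot), and wraps the dry-run-then-apply sequence in one function. The section names come from the lab; the package names, versions, repository names and the DNF override variable are assumptions made for this example, and security_update_flow itself is not executed in the demonstration because it needs a real Oracle Linux host.

```shell
#!/bin/sh
# Added example, not part of the Oracle lab: parse the transaction plan that
# dnf prints before asking for confirmation, so a maintenance script can run
# `dnf --security upgrade-minimal --assumeno` as a dry run, inspect what would
# change, and only then apply with -y. Kernel upgrades are singled out because
# they take effect only after a reboot.
#
# Constructed input: the sample mimics the layout of a dnf transaction plan
# (section headers ending in ":", one indented row per package, then the
# "Transaction Summary"). All package names, versions and repository names
# are made up.
SAMPLE_PLAN='Last metadata expiration check: 0:10:00 ago.
Dependencies resolved.
================================================================================
 Package            Architecture  Version          Repository          Size
================================================================================
Upgrading:
 example-tls        x86_64        1.0.0-1.el8      example-baseos     710 k
 example-tls-libs   x86_64        1.0.0-1.el8      example-baseos     1.5 M
Installing dependencies:
 example-dep        x86_64        0.1-1.el8        example-appstream   40 k
Installing weak dependencies:
 example-weak       x86_64        0.2-1.el8        example-appstream   12 k

Transaction Summary
================================================================================
Install  2 Packages
Upgrade  2 Packages

Total download size: 2.3 M
Operation aborted.'

# Package names listed under one section of the plan, one per line.
# Usage: plan_section "$plan" "Installing dependencies"
plan_section() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Transaction Summary/ { exit }                                  # plan body ends here
        /^[A-Za-z][A-Za-z ]*:$/ { sec = substr($0, 1, length($0) - 1); next }  # section header
        sec == want && /^ [^ ]/ { print $1 }                             # indented row = package
    '
}

# Number of packages in one section (0 when the section is absent).
plan_count() {
    plan_section "$1" "$2" | awk 'END { print NR }'
}

# Succeed (return 0) when the plan installs or upgrades a kernel package,
# i.e. when the change only becomes effective after a reboot.
needs_reboot() {
    { plan_section "$1" Upgrading; plan_section "$1" Installing; } | grep -q '^kernel'
}

# Dry run, gate, apply. DNF is an assumed override variable for testing; the
# default is the real dnf binary. Pass "allow-kernel" to permit kernel
# upgrades, for example inside a maintenance window.
security_update_flow() {
    dnf_bin=${DNF:-dnf}
    # --assumeno makes dnf resolve the transaction and then abort, so a
    # non-zero exit is expected here; keep the plan text for inspection.
    plan=$(sudo "$dnf_bin" --security upgrade-minimal --assumeno 2>&1 || true)
    echo "upgrading: $(plan_count "$plan" Upgrading), new dependencies: $(plan_count "$plan" "Installing dependencies")"
    if needs_reboot "$plan" && [ "$1" != "allow-kernel" ]; then
        echo "kernel update in plan; re-run with allow-kernel during a maintenance window" >&2
        return 2
    fi
    sudo "$dnf_bin" --security upgrade-minimal -y
}

# Demonstration on the constructed plan only; security_update_flow is not run here.
echo "Packages to upgrade in the sample plan:"
plan_section "$SAMPLE_PLAN" Upgrading
echo "New dependencies: $(plan_count "$SAMPLE_PLAN" "Installing dependencies")"
echo "Reboot needed: $(needs_reboot "$SAMPLE_PLAN" && echo yes || echo no)"
```

The parser stops at "Transaction Summary" so the count lines there are never mistaken for package rows, and the reboot check looks at both the Upgrading and Installing sections because a new kernel version is installed alongside the running one rather than upgraded in place.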

Cleanup

DNF stores and persists the packages it downloads on disk as part of an install action. Occasional clean-up is essential to reduce the amount of disk storage used.

Running the dnf clean command removes cached files. You can limit the clean-up to a specific area by including an argument after the clean keyword.

  1. Remove all cache files generated from the repository metadata, specify the keyword dbcache.

    sudo dnf clean dbcache
  2. Empty the cache directory for the enabled repositories of all cached packages, specify the keyword packages.

    sudo dnf clean packages
  3. Specify the keyword all to clear all cached files from all enabled repositories.

    sudo dnf clean all

2024-05-15T04:18:54.464Z