This blog post is mainly about my practice of managing security risk on a RHEL system, especially learning how to use the occasionally used options passed to the YUM command. It is probably not a good resource for learning how to properly manage security risks in general.

Identify all critical, important, and moderate security notices on this server.

[root@puppet2 ~]# yum updateinfo --security
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - Supplementary (RPMs)                                  21 kB/s | 2.1 kB     00:00
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                      27 kB/s | 2.8 kB     00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                        475  B/s | 2.4 kB     00:05
EPEL8 x86_64                                                                                  28 kB/s | 2.8 kB     00:00
Updates Information Summary: available
    2 Security notice(s)
        2 Important Security notice(s)

Determine how many packages with security updates are available for this machine.

[root@puppet2 ~]# yum --security list updates
...omitted...
Available Upgrades
gnutls.x86_64                                        3.6.8-11.el8_2                        rhel-8-for-x86_64-baseos-rpms
libnghttp2.x86_64                                    1.33.0-3.el8_2.1                      rhel-8-for-x86_64-baseos-rpms

Identify any RHSAs that are considered important, and available as updates for this machine.

[root@puppet2 ~]# yum updateinfo list updates --sec-severity Important
...omitted...
RHSA-2020:2637 Important/Sec. gnutls-3.6.8-11.el8_2.x86_64
RHSA-2020:2755 Important/Sec. libnghttp2-1.33.0-3.el8_2.1.x86_64

There are two RHSAs that meet the criteria: RHSA-2020:2637 and RHSA-2020:2755.

View the synopsis of one of the above important RHSAs (RHSA-2020:2637) to validate its content.

[root@puppet2 ~]# yum updateinfo --info RHSA-2020:2637
...omitted...
===============================================================================
  Important: gnutls security update
===============================================================================
  Update ID: RHSA-2020:2637
       Type: security
    Updated: 2020-06-22 16:26:44
       Bugs: 1843723 - CVE-2020-13777 gnutls: session resumption works without master key allowing MITM
       CVEs: CVE-2020-13777
Description: The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic
algorithms and protocols such as SSL, TLS, and DTLS.
           : 
           : Security Fix(es):
           : 
           : * gnutls: session resumption works without master key allowing MITM (CVE-2020-13777)
           : 
           : For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other
related information, refer to the CVE page(s) listed in the References section.
   Severity: Important
[root@puppet2 ~]# 

Use YUM and the CVE ID to list the packages that must be updated to resolve this CVE on the system.

[root@puppet2 ~]# yum updateinfo list --cve CVE-2020-13777
...omitted...
RHSA-2020:2637 Important/Sec. gnutls-3.6.8-11.el8_2.x86_64

This machine needs 1 package update to resolve CVE-2020-13777. Use YUM and the CVE ID to update the system with the necessary package that provides the security fix.

[root@puppet2 ~]# yum update --cve CVE-2020-13777
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - Supplementary (RPMs)                                  19 kB/s | 2.1 kB     00:00
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                      28 kB/s | 2.8 kB     00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                         22 kB/s | 2.4 kB     00:00
EPEL8 x86_64                                                                                  28 kB/s | 2.8 kB     00:00
Dependencies resolved.
========================================================================================================================
 Package                 Architecture            Version                    Repository                             Size
========================================================================================================================
Upgrading:
 gnutls                  x86_64                  3.6.8-11.el8_2             rhel-8-for-x86_64-baseos-rpms         915 k

Transaction Summary
========================================================================================================================
Upgrade  1 Package

Total download size: 915 k
Is this ok [y/N]: y
Downloading Packages:
gnutls-3.6.8-11.el8_2.x86_64.rpm                                                             3.1 MB/s | 915 kB     00:00
------------------------------------------------------------------------------------------------------------------------
Total                                                                                        3.1 MB/s | 915 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing:                                                                                                         1/1
  Upgrading        : gnutls-3.6.8-11.el8_2 x86_64                                                                    1/2
  Cleanup          : gnutls-3.6.8-10.el8_2.x86_64                                                                    2/2
  Running scriptlet: gnutls-3.6.8-10.el8_2.x86_64                                                                    2/2
  Verifying        : gnutls-3.6.8-11.el8_2.x86_64                                                                    1/2
  Verifying        : gnutls-3.6.8-10.el8_2.x86_64                                                                    2/2
Installed products updated.

Upgraded:
  gnutls-3.6.8-11.el8_2.x86_64

Complete!

Now repeat the above steps for the other advisory, RHSA-2020:2755, either through its CVE ID or directly with yum update --advisory RHSA-2020:2755. Afterwards, yum updateinfo list --cve CVE-2020-13777 should print nothing for this host. Note that gnutls is a shared library: processes that loaded the old copy keep using it until they are restarted, and the needs-restarting plugin (dnf-plugins-core) lists them.
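The steps above are manual, one advisory at a time. The script below is an added example (not part of the original post, and not yum's own code) that turns the procedure into a reviewable plan: it parses yum updateinfo list style output, filters advisories by severity, shows which packages each one pulls in, validates the advisory ID before it is handed to yum, and prints the exact yum update --advisory command for each. The SAMPLE variable is constructed sample output for offline use (the RHBA and curl lines are made up); replace it with a live yum updateinfo list updates call to use it on a real host. The function names are my own.

```shell
#!/bin/sh
# Added example: plan per-advisory security updates from "yum updateinfo list" output.
# Nothing here runs yum; the update commands are printed for review.

# Constructed sample of `yum updateinfo list updates` output.
# Columns: advisory ID, type or severity, package NEVRA.
# The two RHSA-2020 lines mirror this host; the RHBA and curl lines are invented.
SAMPLE='RHSA-2020:2637 Important/Sec. gnutls-3.6.8-11.el8_2.x86_64
RHSA-2020:2755 Important/Sec. libnghttp2-1.33.0-3.el8_2.1.x86_64
RHBA-2020:2800 bugfix         bash-4.4.19-12.el8.x86_64
RHSA-2020:2999 Moderate/Sec.  curl-7.61.1-12.el8.x86_64'

# advisories_by_severity SEVERITY   (updateinfo lines on stdin)
# Prints the unique advisory IDs whose second column is "<SEVERITY>/Sec.",
# in first-seen order. One advisory may cover several packages, so dedupe.
advisories_by_severity() {
    awk -v sev="$1/Sec." '$2 == sev && !seen[$1]++ { print $1 }'
}

# packages_for_advisory ADVISORY   (updateinfo lines on stdin)
# Prints the package NEVRAs listed under that advisory, so the change set
# can be reviewed before anything is installed.
packages_for_advisory() {
    awk -v adv="$1" '$1 == adv { print $3 }'
}

# update_cmd ADVISORY
# Prints the command that applies exactly one advisory. The ID is checked
# against the RHSA/RHBA/RHEA-YYYY:NNNN shape first, so a stray token from a
# parsed listing never reaches the shell line. -y is deliberately omitted:
# the transaction summary is still confirmed interactively, as in the post.
update_cmd() {
    case "$1" in
        RH[SBE]A-[0-9][0-9][0-9][0-9]:[0-9]*) ;;
        *) printf 'refusing to build a command for %s\n' "$1" >&2; return 1 ;;
    esac
    printf 'yum update --advisory %s\n' "$1"
}

# plan_updates SEVERITY
# For every advisory of the given severity: show the packages it changes and
# the command that would apply it. Swap the SAMPLE printf for
# `yum updateinfo list updates` to drive this from a live host.
plan_updates() {
    sev="$1"
    printf '%s\n' "$SAMPLE" | advisories_by_severity "$sev" | while read -r adv; do
        pkgs=$(printf '%s\n' "$SAMPLE" | packages_for_advisory "$adv" | tr '\n' ' ')
        printf '%s -> %s\n' "$adv" "$pkgs"
        printf '    %s\n' "$(update_cmd "$adv")"
    done
}

plan_updates Important
```

Run the printed commands one at a time and review each transaction summary; the output of plan_updates for the constructed sample is the two gnutls and libnghttp2 advisories seen earlier in the post, each with its yum update --advisory line.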