Yum Security Plugin
Introduction
Fujimoto here.
Do you all pronounce yum as "yam" (ヤム) or "yum" (ユム)? For ten years I have been saying "yum" (ユム), but the other day I looked at Wikipedia and it says "yam" (ヤム), so I am busy correcting myself. Ten years is a long time, though, and the habit is hard to break.
Setting that aside. The other day a colleague told me about a Yum security plugin called "yum-security", so I looked into it and would like to introduce it here.
Overview
How do you go about handling vulnerabilities in middleware? On this blog we have already introduced several ways of obtaining vulnerability information and of responding to vulnerabilities.
Handling vulnerabilities seriously is hard work: watching the vulnerability information published every day, deciding whether each one needs a response, studying how to respond, verifying the patch and checking its impact, scheduling the work, tracking the status of each response, and so on, to the point that each system could use a dedicated person. That said, neglecting vulnerability handling carries a variety of risks, such as system outages, data being extracted, or in the worst case the server being taken over, so it cannot simply be ignored. On the other hand, blindly updating packages to their latest versions causes trouble when feature changes or bug fixes in the middleware break compatibility with your programs or with other middleware, and managing the large volume of vulnerability information published daily drives up operating costs.
The Yum security plugin introduced here is a handy plugin that supports applying security patches to packages installed via Yum according to the vendor's own criteria.
* Please note that the security plugin introduced here is only a supporting feature and does not completely solve the problems described above.
Environment
The operating systems checked this time are as follows.
- Amazon Linux
- CentOS 6
- CentOS 7
yum-plugin-security
By installing the yum-plugin-security package, you can restrict yum to searching only for security-related updates. For example, it lets you update only the packages that fix a specific CVE, update only the packages that contain vulnerability fixes, or, among those, update only the packages whose vulnerability fixes are rated Critical.
Installation
- Amazon Linux: The Yum package bundled with the security plugin is installed by default, so the security plugin can be used without installing anything extra.
- CentOS 7: Same as Amazon Linux.
- CentOS 6: A separate package needs to be installed. A single yum command does it.

```
# yum install yum-plugin-security -y
(omitted)
Installed:
  yum-plugin-security.noarch 0:1.1.30-30.el6

Complete!
```

Usage
Here are the commands you can use for the use cases listed above. I verified them on Amazon Linux (amzn-ami-hvm-2013.09.0.x86_64-ebs (ami-0961fe08)).
First, yum-plugin-security adds subcommands and options to yum.

```
# yum --help
(omitted)
update-minimal Works like upgrade, but goes to the 'newest' package match which fixes a problem that affects your system
updateinfo     Acts on repository update information
(omitted)
  --bugfix            Include bugfix relevant packages, in updates
  --security          Include security relevant packages, in updates
  --advisory=ADVS, --advisories=ADVS
                      Include packages needed to fix the given advisory, in updates
  --bzs=BZS           Include packages needed to fix the given BZ, in updates
  --cves=CVES         Include packages needed to fix the given CVE, in updates
  --sec-severity=SEVS, --secseverity=SEVS
                      Include security relevant packages matching the severity, in updates
```
Listing only packages with vulnerability fixes
The updateinfo subcommand lets you search package information specific to security patches.
```
# yum updateinfo list
Loaded plugins: priorities, update-motd, upgrade-helper
ALAS-2014-281 medium/Sec. ca-certificates-2012.1.95-3.12.amzn1.noarch
ALAS-2013-261 low/Sec.    coreutils-8.4-31.17.amzn1.x86_64
ALAS-2013-261 low/Sec.    coreutils-libs-8.4-31.17.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-2.1.23-13.14.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-lib-2.1.23-13.14.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-plain-2.1.23-13.14.amzn1.x86_64
ALAS-2013-257 medium/Sec. dracut-004-336.21.amzn1.noarch
ALAS-2015-478 medium/Sec. e2fsprogs-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    e2fsprogs-1.42.12-4.35.amzn1.x86_64
ALAS-2015-478 medium/Sec. e2fsprogs-libs-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    e2fsprogs-libs-1.42.12-4.35.amzn1.x86_64
ALAS-2014-345 medium/Sec. elfutils-libelf-0.158-3.16.amzn1.x86_64
ALAS-2014-304 medium/Sec. file-5.11-13.14.amzn1.x86_64
ALAS-2014-323 medium/Sec. file-5.11-13.16.amzn1.x86_64
ALAS-2014-382 medium/Sec. file-5.19-1.18.amzn1.x86_64
ALAS-2014-398 medium/Sec. file-5.19-4.19.amzn1.x86_64
ALAS-2014-453 medium/Sec. file-5.19-7.24.amzn1.x86_64
ALAS-2015-497 medium/Sec. file-5.22-2.29.amzn1.x86_64
ALAS-2014-304 medium/Sec. file-libs-5.11-13.14.amzn1.x86_64
ALAS-2014-323 medium/Sec. file-libs-5.11-13.16.amzn1.x86_64
ALAS-2014-382 medium/Sec. file-libs-5.19-1.18.amzn1.x86_64
ALAS-2014-398 medium/Sec. file-libs-5.19-4.19.amzn1.x86_64
ALAS-2014-453 medium/Sec. file-libs-5.19-7.24.amzn1.x86_64
ALAS-2015-497 medium/Sec. file-libs-5.22-2.29.amzn1.x86_64
ALAS-2013-237 medium/Sec. gnupg2-2.0.22-1.24.amzn1.x86_64
ALAS-2014-379 medium/Sec. gnupg2-2.0.24-1.25.amzn1.x86_64
ALAS-2015-574 low/Sec.    gnupg2-2.0.28-1.30.amzn1.x86_64
ALAS-2015-500 low/Sec.    gpgme-1.4.3-5.15.amzn1.x86_64
ALAS-2013-233 medium/Sec. kernel-3.4.66-55.43.amzn1.x86_64
ALAS-2013-252 medium/Sec. kernel-3.4.71-63.98.amzn1.x86_64
ALAS-2013-258 low/Sec.    kernel-3.4.73-64.112.amzn1.x86_64
ALAS-2014-289 medium/Sec. kernel-3.4.82-69.112.amzn1.x86_64
ALAS-2014-317 low/Sec.    kernel-3.10.34-37.137.amzn1.x86_64
ALAS-2014-328 medium/Sec. kernel-3.10.37-47.135.amzn1.x86_64
ALAS-2014-339 medium/Sec. kernel-3.10.40-50.136.amzn1.x86_64
ALAS-2014-363 medium/Sec. kernel-3.10.42-52.145.amzn1.x86_64
ALAS-2014-368 medium/Sec. kernel-3.10.48-55.140.amzn1.x86_64
ALAS-2014-392 medium/Sec. kernel-3.10.53-56.140.amzn1.x86_64
ALAS-2014-417 medium/Sec. kernel-3.14.19-17.43.amzn1.x86_64
ALAS-2014-455 medium/Sec. kernel-3.14.26-24.46.amzn1.x86_64
ALAS-2015-476 medium/Sec. kernel-3.14.33-26.47.amzn1.x86_64
ALAS-2015-489 medium/Sec. kernel-3.14.34-27.48.amzn1.x86_64
ALAS-2015-491 low/Sec.    kernel-3.14.35-28.38.amzn1.x86_64
ALAS-2015-523 medium/Sec. kernel-3.14.42-31.38.amzn1.x86_64
ALAS-2015-544 medium/Sec. kernel-3.14.44-32.39.amzn1.x86_64
ALAS-2015-565 medium/Sec. kernel-3.14.48-33.39.amzn1.x86_64
ALAS-2014-443 medium/Sec. krb5-libs-1.10.3-33.28.amzn1.x86_64
ALAS-2015-518 medium/Sec. krb5-libs-1.10.3-37.29.amzn1.x86_64
ALAS-2014-443 medium/Sec. krb5-workstation-1.10.3-33.28.amzn1.x86_64
ALAS-2015-518 medium/Sec. krb5-workstation-1.10.3-37.29.amzn1.x86_64
ALAS-2014-452 medium/Sec. libX11-1.6.0-2.2.12.amzn1.x86_64
ALAS-2014-452 medium/Sec. libX11-common-1.6.0-2.2.12.amzn1.x86_64
ALAS-2014-403 medium/Sec. libXext-1.3.1-2.9.amzn1.x86_64
ALAS-2014-452 medium/Sec. libXi-1.7.2-2.2.9.amzn1.x86_64
ALAS-2014-452 medium/Sec. libXrender-0.9.8-2.1.9.amzn1.x86_64
ALAS-2014-406 medium/Sec. libXtst-1.2.1-2.8.amzn1.x86_64
ALAS-2015-543 medium/Sec. libcap-ng-0.7.3-5.13.amzn1.x86_64
ALAS-2015-478 medium/Sec. libcom_err-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    libcom_err-1.42.12-4.35.amzn1.x86_64
ALAS-2015-577 medium/Sec. libgcrypt-1.5.3-12.18.amzn1.x86_64
ALAS-2013-267 medium/Sec. libjpeg-turbo-1.2.1-3.4.amzn1.x86_64
ALAS-2015-540 low/Sec.    libjpeg-turbo-1.2.90-5.10.amzn1.x86_64
ALAS-2015-478 medium/Sec. libss-1.42.12-1.34.amzn1.x86_64
ALAS-2015-542 low/Sec.    libss-1.42.12-4.35.amzn1.x86_64
ALAS-2014-405 medium/Sec. libxcb-1.8.1-1.15.amzn1.x86_64
ALAS-2014-402 medium/Sec. lua-5.1.4-4.1.9.amzn1.x86_64
ALAS-2014-294 medium/Sec. openldap-2.4.23-34.23.amzn1.x86_64
ALAS-2014-354 medium/Sec. pam-1.1.8-9.29.amzn1.x86_64
ALAS-2015-528 low/Sec.    pcre-8.21-7.7.amzn1.x86_64
ALAS-2014-374 low/Sec.    python-simplejson-3.5.3-1.7.amzn1.x86_64
ALAS-2014-357 low/Sec.    readline-6.2-9.14.amzn1.x86_64
ALAS-2014-445 medium/Sec. rsyslog-5.8.10-9.26.amzn1.x86_64
ALAS-2013-259 low/Sec.    sudo-1.8.6p3-12.17.amzn1.x86_64
ALAS-2015-557 medium/Sec. tcpdump-14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64
ALAS-2015-504 medium/Sec. unzip-6.0-2.9.amzn1.x86_64
ALAS-2014-442 medium/Sec. wget-1.16-1.13.amzn1.x86_64
updateinfo list done
```
Each line has three elements, which from left to right are:
- An ID that uniquely identifies the vulnerability entry registered in the Amazon Linux AMI Security Center. The Amazon Linux AMI Security Center maps it to CVE numbers.
- The type: whether the change is a bugfix, an enhancement (feature extension), or a security fix; for security fixes, the security risk level (critical/important/medium/low) is also shown.
- The target package name/version.
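As an added example (not code from the original post), the following POSIX shell script parses that three-column format offline and derives the severity counts and the de-duplicated list of advisory IDs at or above a chosen level, then assembles the matching "yum update --advisory=..." command for review. The sample input is constructed for this example: the ALAS-2013/2014 lines are taken from the output above, while the ALAS-9999-* IDs are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses "yum updateinfo list"
# output (advisory ID, type/severity, package) as shown by yum-plugin-security.

# Constructed sample input. ALAS-2013-*/ALAS-2014-* lines come from the post's
# output; ALAS-9999-* lines are placeholders so that every severity appears.
SAMPLE_UPDATEINFO='Loaded plugins: priorities, update-motd, upgrade-helper
ALAS-2014-281 medium/Sec. ca-certificates-2012.1.95-3.12.amzn1.noarch
ALAS-2013-261 low/Sec. coreutils-8.4-31.17.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-2.1.23-13.14.amzn1.x86_64
ALAS-2014-338 medium/Sec. cyrus-sasl-lib-2.1.23-13.14.amzn1.x86_64
ALAS-2014-442 medium/Sec. wget-1.16-1.13.amzn1.x86_64
ALAS-9999-0001 critical/Sec. example-critical-1.0-1.amzn1.x86_64
ALAS-9999-0002 important/Sec. example-important-2.0-1.amzn1.x86_64
ALAS-9999-0003 bugfix example-bugfix-3.0-1.amzn1.x86_64
updateinfo list done'

# Count security-update lines (one per package, not per advisory) by severity.
# Reads updateinfo output on stdin; prints "<severity> <count>", sorted by name.
count_security_by_severity() {
    awk '$2 ~ /\/Sec\.$/ { split($2, p, "/"); n[p[1]]++ }
         END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Print advisory IDs whose severity is at or above $1, one per line,
# de-duplicated (the same ALAS ID is listed once per affected package).
advisories_at_or_above() {
    case "$1" in
        critical|important|medium|low) ;;
        *) echo "usage: advisories_at_or_above critical|important|medium|low" >&2
           return 2 ;;
    esac
    awk -v minname="$1" '
        function rank(s) {
            if (s == "critical")  return 4
            if (s == "important") return 3
            if (s == "medium")    return 2
            if (s == "low")       return 1
            return 0
        }
        BEGIN { min = rank(minname) }
        # Only security lines carry "<severity>/Sec." in the second column;
        # "bugfix" and "enhancement" lines never match.
        $2 ~ /\/Sec\.$/ {
            split($2, p, "/")
            if (rank(p[1]) >= min) print $1
        }' | LC_ALL=C sort -u
}

# Build (but do not run) the yum command covering every advisory at or above $1.
# --advisory may be given more than once, so one flag per ID is emitted.
build_update_command() {
    ids=$(advisories_at_or_above "$1") || return $?
    if [ -z "$ids" ]; then
        echo "no security advisories at or above severity '$1'" >&2
        return 1
    fi
    args=$(printf '%s\n' "$ids" | sed 's/^/--advisory=/' | tr '\n' ' ' | sed 's/ $//')
    echo "yum update $args"
}

# Demo on the constructed sample; on a real host pipe in: yum updateinfo list
echo "security updates by severity:"
printf '%s\n' "$SAMPLE_UPDATEINFO" | count_security_by_severity
echo "command for important and above:"
printf '%s\n' "$SAMPLE_UPDATEINFO" | build_update_command important
```

Pipe the real `yum updateinfo list` output into `build_update_command` to get a command you can inspect before running it, instead of applying every security update at once.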
Updating only packages with vulnerability fixes
With the --security option you can update only the packages found in the search above.
```
# yum update --security
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest
amzn-updates/latest
38 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.7.amzn1 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.0.13.amzn1 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
--> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
---> Package coreutils.x86_64 0:8.4-19.15.amzn1 will be updated
---> Package coreutils.x86_64 0:8.21-13.31.amzn1 will be obsoleting
--> Processing Dependency: util-linux >= 2.22.1-3 for package: coreutils-8.21-13.31.amzn1.x86_64
---> Package coreutils-libs.x86_64 0:8.4-19.15.amzn1 will be obsoleted
---> Package cyrus-sasl.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package dracut.noarch 0:004-303.18.amzn1 will be updated
---> Package dracut.noarch 0:004-336.24.amzn1 will be an update
---> Package e2fsprogs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package e2fsprogs-libs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs-libs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package elfutils-libelf.x86_64 0:0.152-1.12.amzn1 will be updated
---> Package elfutils-libelf.x86_64 0:0.158-3.16.amzn1 will be an update
---> Package file.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package file-libs.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file-libs.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package gnupg2.x86_64 0:2.0.19-8.21.amzn1 will be updated
---> Package gnupg2.x86_64 0:2.0.28-1.30.amzn1 will be an update
---> Package gpgme.x86_64 0:1.3.2-1.13.amzn1 will be updated
---> Package gpgme.x86_64 0:1.4.3-5.15.amzn1 will be an update
---> Package kernel.x86_64 0:3.14.48-33.39.amzn1 will be installed
---> Package krb5-libs.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-libs.x86_64 0:1.12.2-14.43.amzn1 will be an update
--> Processing Dependency: keyutils-libs >= 1.5.8 for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_1.5)(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libverto.so.1()(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
---> Package krb5-workstation.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-workstation.x86_64 0:1.12.2-14.43.amzn1 will be an update
---> Package libX11.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libX11-common.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11-common.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libXext.x86_64 0:1.3.1-2.8.amzn1 will be updated
---> Package libXext.x86_64 0:1.3.2-2.1.10.amzn1 will be an update
---> Package libXi.x86_64 0:1.6.1-3.7.amzn1 will be updated
---> Package libXi.x86_64 0:1.7.2-2.2.9.amzn1 will be an update
---> Package libXrender.x86_64 0:0.9.7-2.7.amzn1 will be updated
---> Package libXrender.x86_64 0:0.9.8-2.1.9.amzn1 will be an update
---> Package libXtst.x86_64 0:1.2.1-2.7.amzn1 will be updated
---> Package libXtst.x86_64 0:1.2.2-2.1.9.amzn1 will be an update
---> Package libcap-ng.x86_64 0:0.6.4-3.8.amzn1 will be updated
---> Package libcap-ng.x86_64 0:0.7.3-5.13.amzn1 will be an update
---> Package libcom_err.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libcom_err.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libgcrypt.x86_64 0:1.4.5-9.12.amzn1 will be updated
---> Package libgcrypt.x86_64 0:1.5.3-12.18.amzn1 will be an update
---> Package libjpeg-turbo.x86_64 0:1.2.1-1.2.amzn1 will be updated
---> Package libjpeg-turbo.x86_64 0:1.2.90-5.10.amzn1 will be an update
---> Package libss.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libss.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libxcb.x86_64 0:1.8.1-1.14.amzn1 will be updated
---> Package libxcb.x86_64 0:1.8.1-1.18.amzn1 will be an update
---> Package lua.x86_64 0:5.1.4-4.1.8.amzn1 will be updated
---> Package lua.x86_64 0:5.1.4-4.1.9.amzn1 will be an update
---> Package openldap.x86_64 0:2.4.23-32.21.amzn1 will be updated
---> Package openldap.x86_64 0:2.4.23-34.23.amzn1 will be an update
---> Package pam.x86_64 0:1.1.1-13.20.amzn1 will be updated
---> Package pam.x86_64 0:1.1.8-9.31.amzn1 will be an update
--> Processing Dependency: libpwquality >= 0.9.9 for package: pam-1.1.8-9.31.amzn1.x86_64
---> Package pcre.x86_64 0:8.21-7.5.amzn1 will be updated
---> Package pcre.x86_64 0:8.21-7.7.amzn1 will be an update
---> Package readline.x86_64 0:6.0-4.12.amzn1 will be updated
---> Package readline.x86_64 0:6.2-9.14.amzn1 will be an update
---> Package rsyslog.x86_64 0:5.8.10-7.24.amzn1 will be updated
---> Package rsyslog.x86_64 0:5.8.10-9.26.amzn1 will be an update
---> Package sudo.x86_64 0:1.8.6p3-7.16.amzn1 will be updated
---> Package sudo.x86_64 0:1.8.6p3-19.19.amzn1 will be an update
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.8.amzn1 will be updated
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1 will be an update
---> Package unzip.x86_64 0:6.0-1.7.amzn1 will be updated
---> Package unzip.x86_64 0:6.0-2.9.amzn1 will be an update
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package keyutils-libs.x86_64 0:1.4-4.10.amzn1 will be updated
---> Package keyutils-libs.x86_64 0:1.5.8-3.12.amzn1 will be an update
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
---> Package libpwquality.x86_64 0:1.2.3-4.8.amzn1 will be installed
---> Package libverto.x86_64 0:0.2.5-4.9.amzn1 will be installed
---> Package p11-kit.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3)(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
--> Processing Dependency: libtasn1.so.3()(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
---> Package p11-kit-trust.x86_64 0:0.18.5-2.3.amzn1 will be installed
---> Package util-linux.x86_64 0:2.23.2-16.22.amzn1 will be obsoleting
--> Processing Dependency: libblkid = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libuuid = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount = 2.23.2-16.22.amzn1 for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libblkid.so.1(BLKID_2.21)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.21)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.23)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.19)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.22)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libblkid.so.1(BLKID_2.20)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1(MOUNT_2.20)(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
--> Processing Dependency: libmount.so.1()(64bit) for package: util-linux-2.23.2-16.22.amzn1.x86_64
---> Package util-linux-ng.x86_64 0:2.17.2-13.16.amzn1 will be obsoleted
--> Running transaction check
---> Package libblkid.x86_64 0:2.17.2-13.16.amzn1 will be updated
---> Package libblkid.x86_64 0:2.23.2-16.22.amzn1 will be an update
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
---> Package libmount.x86_64 0:2.23.2-16.22.amzn1 will be installed
---> Package libtasn1.x86_64 0:2.3-6.6.amzn1 will be installed
---> Package libuuid.x86_64 0:2.17.2-13.16.amzn1 will be updated
---> Package libuuid.x86_64 0:2.23.2-16.22.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Processing Conflict: util-linux-2.23.2-16.22.amzn1.x86_64 conflicts sysvinit < 2.87-5
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package upstart.x86_64 0:0.6.5-12.10.amzn1 will be updated
---> Package upstart.x86_64 0:0.6.5-13.3.13.amzn1 will be an update
--> Processing Conflict: util-linux-2.23.2-16.22.amzn1.x86_64 conflicts sysvinit < 2.87-5
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package sysvinit.x86_64 0:2.87-4.dsf.10.amzn1 will be updated
---> Package sysvinit.x86_64 0:2.87-5.dsf.14.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package              Arch     Version                                  Repository      Size
=======================================================================================================================================
Installing:
 coreutils            x86_64   8.21-13.31.amzn1                         amzn-main       5.6 M
     replacing  coreutils-libs.x86_64 8.4-19.15.amzn1
 kernel               x86_64   3.14.48-33.39.amzn1                      amzn-updates    16 M
 util-linux           x86_64   2.23.2-16.22.amzn1                       amzn-main       2.8 M
     replacing  util-linux-ng.x86_64 2.17.2-13.16.amzn1
Updating:
 ca-certificates      noarch   2014.1.98-65.0.13.amzn1                  amzn-main       1.2 M
 cyrus-sasl           x86_64   2.1.23-13.16.amzn1                       amzn-main       85 k
 cyrus-sasl-lib       x86_64   2.1.23-13.16.amzn1                       amzn-main       151 k
 cyrus-sasl-plain     x86_64   2.1.23-13.16.amzn1                       amzn-main       32 k
 dracut               noarch   004-336.24.amzn1                         amzn-main       122 k
 e2fsprogs            x86_64   1.42.12-4.35.amzn1                       amzn-updates    1.1 M
 e2fsprogs-libs       x86_64   1.42.12-4.35.amzn1                       amzn-updates    182 k
 elfutils-libelf      x86_64   0.158-3.16.amzn1                         amzn-main       316 k
 file                 x86_64   5.22-2.29.amzn1                          amzn-main       64 k
 file-libs            x86_64   5.22-2.29.amzn1                          amzn-main       520 k
 gnupg2               x86_64   2.0.28-1.30.amzn1                        amzn-updates    2.6 M
 gpgme                x86_64   1.4.3-5.15.amzn1                         amzn-updates    234 k
 krb5-libs            x86_64   1.12.2-14.43.amzn1                       amzn-updates    964 k
 krb5-workstation     x86_64   1.12.2-14.43.amzn1                       amzn-updates    828 k
 libX11               x86_64   1.6.0-2.2.12.amzn1                       amzn-main       748 k
 libX11-common        x86_64   1.6.0-2.2.12.amzn1                       amzn-main       230 k
 libXext              x86_64   1.3.2-2.1.10.amzn1                       amzn-main       39 k
 libXi                x86_64   1.7.2-2.2.9.amzn1                        amzn-main       40 k
 libXrender           x86_64   0.9.8-2.1.9.amzn1                        amzn-main       26 k
 libXtst              x86_64   1.2.2-2.1.9.amzn1                        amzn-main       20 k
 libcap-ng            x86_64   0.7.3-5.13.amzn1                         amzn-updates    24 k
 libcom_err           x86_64   1.42.12-4.35.amzn1                       amzn-updates    45 k
 libgcrypt            x86_64   1.5.3-12.18.amzn1                        amzn-updates    289 k
 libjpeg-turbo        x86_64   1.2.90-5.10.amzn1                        amzn-updates    143 k
 libss                x86_64   1.42.12-4.35.amzn1                       amzn-updates    50 k
 libxcb               x86_64   1.8.1-1.18.amzn1                         amzn-main       143 k
 lua                  x86_64   5.1.4-4.1.9.amzn1                        amzn-main       236 k
 openldap             x86_64   2.4.23-34.23.amzn1                       amzn-main       387 k
 pam                  x86_64   1.1.8-9.31.amzn1                         amzn-main       803 k
 pcre                 x86_64   8.21-7.7.amzn1                           amzn-updates    254 k
 readline             x86_64   6.2-9.14.amzn1                           amzn-main       214 k
 rsyslog              x86_64   5.8.10-9.26.amzn1                        amzn-main       774 k
 sudo                 x86_64   1.8.6p3-19.19.amzn1                      amzn-updates    916 k
 sysvinit             x86_64   2.87-5.dsf.14.amzn1                      amzn-main       64 k
 tcpdump              x86_64   14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1  amzn-updates    372 k
 unzip                x86_64   6.0-2.9.amzn1                            amzn-updates    196 k
 upstart              x86_64   0.6.5-13.3.13.amzn1                      amzn-main       225 k
 wget                 x86_64   1.16.1-3.18.amzn1                        amzn-main       729 k
Installing for dependencies:
 libmount             x86_64   2.23.2-16.22.amzn1                       amzn-main       173 k
 libpsl               x86_64   0.6.2-1.2.amzn1                          amzn-main       52 k
 libpwquality         x86_64   1.2.3-4.8.amzn1                          amzn-main       89 k
 libtasn1             x86_64   2.3-6.6.amzn1                            amzn-main       246 k
 libverto             x86_64   0.2.5-4.9.amzn1                          amzn-updates    16 k
 p11-kit              x86_64   0.18.5-2.3.amzn1                         amzn-main       123 k
 p11-kit-trust        x86_64   0.18.5-2.3.amzn1                         amzn-main       79 k
Updating for dependencies:
 gdisk                x86_64   0.8.10-1.5.amzn1                         amzn-main       302 k
 keyutils-libs        x86_64   1.5.8-3.12.amzn1                         amzn-main       25 k
 libblkid             x86_64   2.23.2-16.22.amzn1                       amzn-main       168 k
 libicu               x86_64   50.1.2-11.12.amzn1                       amzn-main       9.6 M
 libuuid              x86_64   2.23.2-16.22.amzn1                       amzn-main       71 k

Transaction Summary
=======================================================================================================================================
Install  3 Packages (+7 Dependent packages)
Upgrade  38 Packages (+5 Dependent packages)

Total download size: 50 M
Is this ok [y/d/N]:
```
Some packages are pulled in by dependency resolution, but on the whole the set of packages identified beforehand is what gets listed.
Updating only packages whose vulnerability fixes are rated medium
The --sec-severity option lets you specify the security risk level.
```
# yum update --sec-severity=medium
Loaded plugins: priorities, update-motd, upgrade-helper
33 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.7.amzn1 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.0.13.amzn1 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
--> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.0.13.amzn1.noarch
---> Package cyrus-sasl.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-lib.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.10.amzn1 will be updated
---> Package cyrus-sasl-plain.x86_64 0:2.1.23-13.16.amzn1 will be an update
---> Package dracut.noarch 0:004-303.18.amzn1 will be updated
---> Package dracut.noarch 0:004-336.24.amzn1 will be an update
---> Package e2fsprogs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package e2fsprogs-libs.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package e2fsprogs-libs.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package elfutils-libelf.x86_64 0:0.152-1.12.amzn1 will be updated
---> Package elfutils-libelf.x86_64 0:0.158-3.16.amzn1 will be an update
---> Package file.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package file-libs.x86_64 0:5.11-4.12.amzn1 will be updated
---> Package file-libs.x86_64 0:5.22-2.29.amzn1 will be an update
---> Package gnupg2.x86_64 0:2.0.19-8.21.amzn1 will be updated
---> Package gnupg2.x86_64 0:2.0.28-1.30.amzn1 will be an update
---> Package kernel.x86_64 0:3.14.48-33.39.amzn1 will be installed
---> Package krb5-libs.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-libs.x86_64 0:1.12.2-14.43.amzn1 will be an update
--> Processing Dependency: keyutils-libs >= 1.5.8 for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_1.5)(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
--> Processing Dependency: libverto.so.1()(64bit) for package: krb5-libs-1.12.2-14.43.amzn1.x86_64
---> Package krb5-workstation.x86_64 0:1.10.3-10.26.amzn1 will be updated
---> Package krb5-workstation.x86_64 0:1.12.2-14.43.amzn1 will be an update
---> Package libX11.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libX11-common.x86_64 0:1.5.0-4.10.amzn1 will be updated
---> Package libX11-common.x86_64 0:1.6.0-2.2.12.amzn1 will be an update
---> Package libXext.x86_64 0:1.3.1-2.8.amzn1 will be updated
---> Package libXext.x86_64 0:1.3.2-2.1.10.amzn1 will be an update
---> Package libXi.x86_64 0:1.6.1-3.7.amzn1 will be updated
---> Package libXi.x86_64 0:1.7.2-2.2.9.amzn1 will be an update
---> Package libXrender.x86_64 0:0.9.7-2.7.amzn1 will be updated
---> Package libXrender.x86_64 0:0.9.8-2.1.9.amzn1 will be an update
---> Package libXtst.x86_64 0:1.2.1-2.7.amzn1 will be updated
---> Package libXtst.x86_64 0:1.2.2-2.1.9.amzn1 will be an update
---> Package libcap-ng.x86_64 0:0.6.4-3.8.amzn1 will be updated
---> Package libcap-ng.x86_64 0:0.7.3-5.13.amzn1 will be an update
---> Package libcom_err.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libcom_err.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libgcrypt.x86_64 0:1.4.5-9.12.amzn1 will be updated
---> Package libgcrypt.x86_64 0:1.5.3-12.18.amzn1 will be an update
---> Package libjpeg-turbo.x86_64 0:1.2.1-1.2.amzn1 will be updated
---> Package libjpeg-turbo.x86_64 0:1.2.90-5.10.amzn1 will be an update
---> Package libss.x86_64 0:1.42.3-3.17.amzn1 will be updated
---> Package libss.x86_64 0:1.42.12-4.35.amzn1 will be an update
---> Package libxcb.x86_64 0:1.8.1-1.14.amzn1 will be updated
---> Package libxcb.x86_64 0:1.8.1-1.18.amzn1 will be an update
---> Package lua.x86_64 0:5.1.4-4.1.8.amzn1 will be updated
---> Package lua.x86_64 0:5.1.4-4.1.9.amzn1 will be an update
---> Package openldap.x86_64 0:2.4.23-32.21.amzn1 will be updated
---> Package openldap.x86_64 0:2.4.23-34.23.amzn1 will be an update
---> Package pam.x86_64 0:1.1.1-13.20.amzn1 will be updated
---> Package pam.x86_64 0:1.1.8-9.31.amzn1 will be an update
--> Processing Dependency: libpwquality >= 0.9.9 for package: pam-1.1.8-9.31.amzn1.x86_64
---> Package rsyslog.x86_64 0:5.8.10-7.24.amzn1 will be updated
---> Package rsyslog.x86_64 0:5.8.10-9.26.amzn1 will be an update
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.8.amzn1 will be updated
---> Package tcpdump.x86_64 14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1 will be an update
---> Package unzip.x86_64 0:6.0-1.7.amzn1 will be updated
---> Package unzip.x86_64 0:6.0-2.9.amzn1 will be an update
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package keyutils-libs.x86_64 0:1.4-4.10.amzn1 will be updated
---> Package keyutils-libs.x86_64 0:1.5.8-3.12.amzn1 will be an update
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
---> Package libpwquality.x86_64 0:1.2.3-4.8.amzn1 will be installed
---> Package libverto.x86_64 0:0.2.5-4.9.amzn1 will be installed
---> Package p11-kit.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3)(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
--> Processing Dependency: libtasn1.so.3()(64bit) for package: p11-kit-0.18.5-2.3.amzn1.x86_64
---> Package p11-kit-trust.x86_64 0:0.18.5-2.3.amzn1 will be installed
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
---> Package libtasn1.x86_64 0:2.3-6.6.amzn1 will be installed
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package              Arch     Version                                  Repository      Size
=======================================================================================================================================
Installing:
 kernel               x86_64   3.14.48-33.39.amzn1                      amzn-updates    16 M
Updating:
 ca-certificates      noarch   2014.1.98-65.0.13.amzn1                  amzn-main       1.2 M
 cyrus-sasl           x86_64   2.1.23-13.16.amzn1                       amzn-main       85 k
 cyrus-sasl-lib       x86_64   2.1.23-13.16.amzn1                       amzn-main       151 k
 cyrus-sasl-plain     x86_64   2.1.23-13.16.amzn1                       amzn-main       32 k
 dracut               noarch   004-336.24.amzn1                         amzn-main       122 k
 e2fsprogs            x86_64   1.42.12-4.35.amzn1                       amzn-updates    1.1 M
 e2fsprogs-libs       x86_64   1.42.12-4.35.amzn1                       amzn-updates    182 k
 elfutils-libelf      x86_64   0.158-3.16.amzn1                         amzn-main       316 k
 file                 x86_64   5.22-2.29.amzn1                          amzn-main       64 k
 file-libs            x86_64   5.22-2.29.amzn1                          amzn-main       520 k
 gnupg2               x86_64   2.0.28-1.30.amzn1                        amzn-updates    2.6 M
 krb5-libs            x86_64   1.12.2-14.43.amzn1                       amzn-updates    964 k
 krb5-workstation     x86_64   1.12.2-14.43.amzn1                       amzn-updates    828 k
 libX11               x86_64   1.6.0-2.2.12.amzn1                       amzn-main       748 k
 libX11-common        x86_64   1.6.0-2.2.12.amzn1                       amzn-main       230 k
 libXext              x86_64   1.3.2-2.1.10.amzn1                       amzn-main       39 k
 libXi                x86_64   1.7.2-2.2.9.amzn1                        amzn-main       40 k
 libXrender           x86_64   0.9.8-2.1.9.amzn1                        amzn-main       26 k
 libXtst              x86_64   1.2.2-2.1.9.amzn1                        amzn-main       20 k
 libcap-ng            x86_64   0.7.3-5.13.amzn1                         amzn-updates    24 k
 libcom_err           x86_64   1.42.12-4.35.amzn1                       amzn-updates    45 k
 libgcrypt            x86_64   1.5.3-12.18.amzn1                        amzn-updates    289 k
 libjpeg-turbo        x86_64   1.2.90-5.10.amzn1                        amzn-updates    143 k
 libss                x86_64   1.42.12-4.35.amzn1                       amzn-updates    50 k
 libxcb               x86_64   1.8.1-1.18.amzn1                         amzn-main       143 k
 lua                  x86_64   5.1.4-4.1.9.amzn1                        amzn-main       236 k
 openldap             x86_64   2.4.23-34.23.amzn1                       amzn-main       387 k
 pam                  x86_64   1.1.8-9.31.amzn1                         amzn-main       803 k
 rsyslog              x86_64   5.8.10-9.26.amzn1                        amzn-main       774 k
 tcpdump              x86_64   14:4.0.0-3.20090921gitdf3cb4.2.10.amzn1  amzn-updates    372 k
 unzip                x86_64   6.0-2.9.amzn1                            amzn-updates    196 k
 wget                 x86_64   1.16.1-3.18.amzn1                        amzn-main       729 k
Installing for dependencies:
 libpsl               x86_64   0.6.2-1.2.amzn1                          amzn-main       52 k
 libpwquality         x86_64   1.2.3-4.8.amzn1                          amzn-main       89 k
 libtasn1             x86_64   2.3-6.6.amzn1                            amzn-main       246 k
 libverto             x86_64   0.2.5-4.9.amzn1                          amzn-updates    16 k
 p11-kit              x86_64   0.18.5-2.3.amzn1                         amzn-main       123 k
 p11-kit-trust        x86_64   0.18.5-2.3.amzn1                         amzn-main       79 k
Updating for dependencies:
 gdisk                x86_64   0.8.10-1.5.amzn1                         amzn-main       302 k
 keyutils-libs        x86_64   1.5.8-3.12.amzn1                         amzn-main       25 k
 libicu               x86_64   50.1.2-11.12.amzn1                       amzn-main       9.6 M

Transaction Summary
=======================================================================================================================================
Install  1 Package (+6 Dependent packages)
Upgrade  32 Packages (+3 Dependent packages)

Total download size: 39 M
Is this ok [y/d/N]:
```
Updating packages by CVE number
The --cves option lets you specify a CVE number.

```
# yum updateinfo all
(omitted)
===============================================================================
  Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget
===============================================================================
  Update ID : ALAS-2014-442
    Release :
       Type : security
     Status : final
     Issued : 2014-11-05 12:19
    Updated : 2014-11-05 14:40
       CVEs : CVE-2014-4877
Description : Package updates are available for Amazon Linux AMI that fix the
            : following vulnerabilities: CVE-2014-4877:
            : 1139181:
            : CVE-2014-4877 wget: FTP symlink arbitrary
            : filesystem access Absolute path traversal
            : vulnerability in GNU Wget before 1.16, when
            : recursion is enabled, allows remote FTP servers to
            : write to arbitrary files, and consequently execute
            : arbitrary code, via a LIST response that
            : references the same filename within two entries,
            : one of which indicates that the filename is for a
            : symlink.
   Severity : medium
  Installed : false

# yum update --cves=CVE-2014-4877
Loaded plugins: priorities, update-motd, upgrade-helper
1 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package              Arch     Version                                  Repository      Size
=======================================================================================================================================
Updating:
 wget                 x86_64   1.16.1-3.18.amzn1                        amzn-main       729 k
Installing for dependencies:
 libpsl               x86_64   0.6.2-1.2.amzn1                          amzn-main       52 k
Updating for dependencies:
 gdisk                x86_64   0.8.10-1.5.amzn1                         amzn-main       302 k
 libicu               x86_64   50.1.2-11.12.amzn1                       amzn-main       9.6 M

Transaction Summary
=======================================================================================================================================
Install     ( 1 Dependent package)
Upgrade  1 Package (+2 Dependent packages)

Total download size: 11 M
Is this ok [y/d/N]:
```
Package update by ALAS number
The --advisory option takes an ALAS number.
# yum updateinfo all
(omitted)
===============================================================================
  Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget
===============================================================================
  Update ID : ALAS-2014-442
    Release : 
       Type : security
     Status : final
     Issued : 2014-11-05 12:19
    Updated : 2014-11-05 14:40
       CVEs : CVE-2014-4877
Description : Package updates are available for Amazon Linux AMI that fix the
            : following vulnerabilities:
            : CVE-2014-4877:
            :         1139181:
            :         CVE-2014-4877 wget: FTP symlink arbitrary
            :         filesystem access Absolute path traversal
            :         vulnerability in GNU Wget before 1.16, when
            :         recursion is enabled, allows remote FTP servers to
            :         write to arbitrary files, and consequently execute
            :         arbitrary code, via a LIST response that
            :         references the same filename within two entries,
            :         one of which indicates that the filename is for a
            :         symlink.
   Severity : medium
  Installed : false

# yum update --advisory=ALAS-2014-442
Loaded plugins: priorities, update-motd, upgrade-helper
1 package(s) needed (+0 related) for security, out of 204 available
Resolving Dependencies
--> Running transaction check
---> Package wget.x86_64 0:1.14-8.11.amzn1 will be updated
---> Package wget.x86_64 0:1.16.1-3.18.amzn1 will be an update
--> Processing Dependency: libpsl.so.0()(64bit) for package: wget-1.16.1-3.18.amzn1.x86_64
--> Running transaction check
---> Package libpsl.x86_64 0:0.6.2-1.2.amzn1 will be installed
--> Processing Dependency: libicuuc.so.50()(64bit) for package: libpsl-0.6.2-1.2.amzn1.x86_64
--> Running transaction check
---> Package libicu.x86_64 0:4.2.1-9.9.amzn1 will be updated
--> Processing Dependency: libicuio.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: gdisk-0.8.7-1.3.amzn1.x86_64
---> Package libicu.x86_64 0:50.1.2-11.12.amzn1 will be an update
--> Running transaction check
---> Package gdisk.x86_64 0:0.8.7-1.3.amzn1 will be updated
---> Package gdisk.x86_64 0:0.8.10-1.5.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================
 Package                Arch               Version                          Repository              Size
=======================================================================================================================================
Updating:
 wget                   x86_64             1.16.1-3.18.amzn1                amzn-main               729 k
Installing for dependencies:
 libpsl                 x86_64             0.6.2-1.2.amzn1                  amzn-main                52 k
Updating for dependencies:
 gdisk                  x86_64             0.8.10-1.5.amzn1                 amzn-main               302 k
 libicu                 x86_64             50.1.2-11.12.amzn1               amzn-main               9.6 M

Transaction Summary
=======================================================================================================================================
Install     ( 1 Dependent package)
Upgrade  1 Package (+2 Dependent packages)

Total download size: 11 M
Is this ok [y/d/N]:
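As an added example that is not part of the original post, the following POSIX shell script selects the advisories of at least a given severity from `yum updateinfo list security` output and builds the matching `yum update --advisory=...` command for them, which is how the two options above can be combined in a scripted patch run. The update list embedded in it is constructed for the example, and the severity names and their ranking are an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample of what
# `yum updateinfo list security` prints on Amazon Linux; on a real host this
# would be replaced by the live command output.
SAMPLE_UPDATEINFO='ALAS-2014-442 medium/Sec.    wget-1.16.1-3.18.amzn1.x86_64
ALAS-2014-450 important/Sec. openssl-1.0.1j-1.80.amzn1.x86_64
ALAS-2014-451 low/Sec.       libxml2-2.9.1-5.24.amzn1.x86_64
ALAS-2014-452 critical/Sec.  bash-4.1.2-15.19.amzn1.x86_64'

# Rank a severity word (assumed set of names) so "at least X" can be compared.
severity_rank() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        critical)        echo 4 ;;
        important)       echo 3 ;;
        medium|moderate) echo 2 ;;
        low)             echo 1 ;;
        *)               echo 0 ;;
    esac
}

# advisories_at_least MIN_SEVERITY: reads updateinfo lines on stdin and prints
# one advisory ID per line whose severity is >= MIN_SEVERITY.
advisories_at_least() {
    min=$(severity_rank "$1")
    while read -r adv sev _pkg; do
        [ -z "$adv" ] && continue
        sev=${sev%%/*}                      # "medium/Sec." -> "medium"
        [ "$(severity_rank "$sev")" -ge "$min" ] && echo "$adv"
    done
}

# build_update_cmd UPDATEINFO_TEXT MIN_SEVERITY: prints the yum command that
# applies only the selected advisories (comma-separated, as --advisory expects).
build_update_cmd() {
    ids=$(printf '%s\n' "$1" | advisories_at_least "$2" | paste -sd, -)
    [ -n "$ids" ] && echo "yum update --advisory=$ids"
}

# Stand-alone run: show the command for everything rated important or higher.
build_update_cmd "$SAMPLE_UPDATEINFO" important
```

Running the printed command interactively still shows the dependency resolution and the `Is this ok` prompt seen above, so the dependent packages pulled in can be reviewed before confirming.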
Summary
What do you think? It is important enough to repeat: using this plugin does not end the struggle with vulnerability response. Operating a system still requires an organized process for handling vulnerabilities. What the plugin does give you is a reliable way to apply the update for a specific CVE, and by restricting updates to security patches alone it lowers the risk of system faults caused by feature changes you did not need.
References
- Is it possible to limit yum so that it lists or installs only security updates?
- 7.2. Using yum-plugin-security