Note:
- This tutorial is available in an Oracle-provided free lab environment.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Use DNF to Maintain Security on Oracle Linux
Introduction
The following tutorial provides practical examples of using the Dandified YUM (DNF) package manager on Oracle Linux to apply maintenance and security updates. This tutorial is targeted at users of Oracle Linux 8 or later.
DNF downloads packages from enabled repositories for install and update actions. It performs automatic dependency resolution for packages and installs all packages needed to fulfill dependency requirements. DNF also includes integrated options for managing security and errata updates available for packages installed in Oracle Linux.
A security patch is an update that changes source code to fix a specific vulnerability. These security patches usually apply to particular software components.
A bug fix is the elimination of known software errors.
CVE is short for Common Vulnerabilities and Exposures. It is a list of publicly disclosed computer security flaws. A CVE refers to a security flaw to which a CVE Numbering Authority (CNA) has assigned a CVE ID number. Security advisories usually refer to at least one CVE ID, with a priority ranging from negligible through low, medium, high to critical.
Enterprise Linux denotes these specific updates as:
- ELSA: Enterprise Linux Security Advisory patches
- ELBA: Enterprise Linux Bug Fix Advisory patches
- ELEA: Enterprise Linux Enhancement Advisory patches
Objectives
In this lab, you’ll learn:
- The meaning of CVEs, ELSAs, and Bug Fixes
- To use DNF for installing security updates
- That package updates are cumulative and have dependencies
- To clean up old packages
What Do You Need?
- An Oracle Linux system.
Setup Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Some of the dnf commands in this lab require the use of sudo to avoid the following message: Error: This command has to be run with superuser privileges (under the root user on most systems).
- Open a terminal and connect via SSH to the ol-node01 instance if not already connected.
    ssh oracle@<ip_address_of_instance>
- Confirm hostname and version of Oracle Linux.
    hostnamectl
List All Available Security Packages for the System
- List a summary of the types and totals of available errata.
    dnf updateinfo summary
- List all the errata that are available for the system.
    dnf updateinfo list
  The example output shows the enabled repositories followed by each update. The available errata are sorted in order of their IDs and identify their types.
  - Severity/Sec: Priority/Security patch
  - bugfix: Bug fix
  - enhancement: Feature enhancement
- List detailed information on each of the available errata.
    dnf updateinfo info
  Example output of errata showing the dependencies, if any.
Filter the List of Security Updates
- You can limit the output to specific types by including various arguments after the list keyword.
  - To list all security updates installed on the host, specify the arguments security --installed.
      dnf updateinfo list security --installed
  - To list all available security updates not installed on the host, specify the arguments updates security.
      dnf updateinfo list updates security
  - To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs, specify cves as an argument.
      dnf updateinfo list cves
  - To list the bugfixes, specify bugfix as an argument.
      dnf updateinfo list bugfix
  - To list the available security upgrades, specify sec as an argument.
      dnf updateinfo list sec
  - To list the security patches according to severity level, specify --sec-severity= as an argument and append the severity.
      dnf updateinfo list --sec-severity=Important
    These are the available severity levels:
    - Critical
    - Important
    - Moderate
    - Low
  - To list the security errata for a specific CVE, specify the keyword --cve followed by a CVE ID as an argument.
      dnf updateinfo list --cve CVE-2023-1998
  - To list the information for a specific Advisory, specify the keyword --advisory followed by an Advisory ID as an argument.
      dnf updateinfo list --advisory ELSA-2023-3723
      dnf updateinfo list --advisory ELBA-2023-3732
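The following is an added example, not part of the Oracle tutorial: a POSIX shell helper that condenses dnf updateinfo list output into one line per advisory, most severe first, so the Critical and Important advisories can be picked out for patching. It assumes the three-column layout (advisory ID, type or severity, package); the sample input, advisory IDs and package names are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarise `dnf updateinfo list` output per advisory.

# Constructed sample in the assumed three-column layout (ID, type, package).
# Advisory IDs and package names are placeholders, not real errata.
SAMPLE_ERRATA='Last metadata expiration check: 0:12:41 ago on Mon 02 Oct 2023.
ELBA-0000-0003 bugfix         examplelib-1.2-4.el8.x86_64
ELSA-0000-0001 Important/Sec. examplekernel-4.18-2.el8.x86_64
ELSA-0000-0001 Important/Sec. examplekernel-core-4.18-2.el8.x86_64
ELSA-0000-0002 Moderate/Sec.  exampletool-3.0-1.el8.x86_64
ELSA-0000-0004 Critical/Sec.  examplessl-1.1-9.el8.x86_64
ELEA-0000-0005 enhancement    exampledata-2023c-1.el8.noarch'

# errata_summary: reads `dnf updateinfo list` output on stdin and prints
# "severity-or-type advisory package_count", most severe first.
errata_summary() {
  awk '
    BEGIN { r["Critical"]=0; r["Important"]=1; r["Moderate"]=2; r["Low"]=3
            r["bugfix"]=5;   r["enhancement"]=6 }
    # Skip repository and metadata header lines; keep advisory rows only.
    $1 !~ /^EL[SBE]A-[0-9]+-[0-9]+$/ || NF < 3 { next }
    {
      kind = $2
      sub(/\/Sec\.?$/, "", kind)   # "Important/Sec." -> "Important"
      count[$1]++                  # one row per affected package
      type[$1] = kind
    }
    END {
      for (a in count) {
        # Unrecognised severities sort after Low but before bug fixes.
        rank = (type[a] in r) ? r[type[a]] : 4
        printf "%d %s %s %d\n", rank, type[a], a, count[a]
      }
    }
  ' | sort -k1,1n -k3,3 | cut -d" " -f2-
}

# urgent_advisories: advisory IDs rated Critical or Important, one per line.
urgent_advisories() {
  errata_summary | awk '$1 == "Critical" || $1 == "Important" { print $2 }'
}

# Demo on the constructed sample. On a live host, use instead:
#   dnf updateinfo list | errata_summary
printf '%s\n' "$SAMPLE_ERRATA" | errata_summary
```

Each ID printed by urgent_advisories can be reviewed with dnf updateinfo info --advisory and applied with sudo dnf update --advisory, both shown later in this tutorial.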
Detailed Information of Security Updates
- The dnf updateinfo info command lists detailed information for a specific errata. You can limit the output to particular types by including various arguments after the info keyword.
  - To list detailed information for a specific Advisory, specify --advisory followed by an Advisory ID as an argument.
      dnf updateinfo info --advisory ELSA-2023-3723
      dnf updateinfo info --advisory ELBA-2023-3732
  - To list the detailed information for a specific CVE, specify --cve followed by a CVE ID as an argument.
      dnf updateinfo info --cve CVE-2023-1998
Update Packages
- The dnf update command updates packages to the latest version. You can limit the output to a specific errata by including various arguments after the update keyword. You can implement the updates by responding y at the prompt.
  - To update packages for a specific CVE or erratum, specify the keyword and argument --cve CVE ID.
      sudo dnf update --cve CVE-2023-1998
    The output from the update and upgrade commands shows four sections:
    - Installing
    - Upgrading
    - Installing dependencies
    - Installing weak dependencies
  - To update packages for a specific Advisory, specify the keyword --advisory followed by an Advisory ID as an argument.
      sudo dnf update --advisory ELSA-2023-3723
  - Update all packages to the latest versions for which security-related errata are available, even if those packages include bug fixes or new features but not security errata.
      sudo dnf --security update --assumeno
    The --assumeno option automatically answers no for all questions. This aborts the operation, allowing the testing of further dnf --security options.
  - Update all packages to the latest versions that contain security errata while ignoring any newer packages that don't have security errata.
      sudo dnf --security upgrade-minimal --assumeno
  - Update all kernel packages to the latest versions that contain security errata.
      sudo dnf --security upgrade-minimal 'kernel*' -y
    The -y option automatically answers yes for all questions and, therefore, automatically applies the requested security packages. The quotes keep the shell from expanding kernel* against file names in the current directory before dnf sees it.
  - Update a system to use the latest packages that are available.
      sudo dnf upgrade
    Two dnf commands are available to update all packages: dnf update and dnf upgrade. Both commands install all available updates, but dnf update automatically runs dnf upgrade, so dnf upgrade is preferred.
Cleanup
DNF stores and persists packages it downloads on disk as part of an install action. Occasional cleanup is essential to reduce the amount of used disk storage.
Running the dnf clean command removes the cache and files. You can limit the cleanup to a specific area by including various arguments after the clean keyword.
- To remove all cache files generated from the repository metadata, specify the keyword dbcache.
    sudo dnf clean dbcache
- To empty the cache directory for the enabled repositories of all cached packages, specify the keyword packages.
    sudo dnf clean packages
- To clear all cached files from all enabled repositories, specify the keyword all.
    sudo dnf clean all
F87900-01
October 2023
Copyright © 2023, Oracle and/or its affiliates.