CentOS 7.3 and Nessus report

Support for security such as Firewalls and securing linux
steve.harder
Posts: 9
Joined: 2020/10/07 13:14:30

CentOS 7.3 and Nessus report

Post by steve.harder » 2020/10/07 13:30:58

Hi all,
I'm a newbie in Linux and received a task at my workplace to check the security report made by Nessus on our CentOS 7.3.
The aim of the company is to avoid a CentOS upgrade to a higher version, as it will involve a lot of application testing and an upgrade of the Vertica DB, for example.

The report shows as critical - CentOS 7 : kernel (CESA-2020:0374) - which leads to https://lists.centos.org/pipermail/cent ... 35645.html

From this URL I'm unable to download the packages manually, nor can I find them on the internet, for example "kernel-3.10.0-1062.12.1.el7.centos.plus.src.rpm".

We would like to try not to use yum update, as it will update CentOS all the way to 7.8.
I don't know if the kernel the Nessus report asks us to install can be installed on 7.3, or whether CentOS must be updated as well for "kernel-3.10.0-1062.12.1.el7" to be installed.

Thanks in advance for any help and directions,

Steve

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 7.3 and Nessus report

Post by TrevorH » 2020/10/07 14:27:38

No, really, just update. It'll be easier and safer in the long run.

CentOS 7.3 is from 2016, so it is already 4 years out of date and has numerous high severity updates that are already fixed in later versions. The current security errata you are looking at is just one of very many. If you look at the Red Hat errata page here and select Security Advisories, you can see there are 62 entries there since Nov 2016 that are marked as Critical updates and 400 more that are Important. So that's going on for 500 security problems that you have now. Are you going to track down each one of those and put it on manually?

Also please bear in mind that CentOS/RHEL is an enterprise distro and does not do gratuitous version upgrades and strives to maintain backwards compatibility. The entire idea of it is that it's easy for you to run yum update and not break things.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

steve.harder
Posts: 9
Joined: 2020/10/07 13:14:30

Re: CentOS 7.3 and Nessus report

Post by steve.harder » 2020/10/07 15:07:20

TrevorH wrote (2020/10/07 14:27:38):
No, really, just update. It'll be easier and safer in the long run.

CentOS 7.3 is from 2016, so it is already 4 years out of date and has numerous high severity updates that are already fixed in later versions. The current security errata you are looking at is just one of very many. If you look at the Red Hat errata page here and select Security Advisories, you can see there are 62 entries there since Nov 2016 that are marked as Critical updates and 400 more that are Important. So that's going on for 500 security problems that you have now. Are you going to track down each one of those and put it on manually?

Also please bear in mind that CentOS/RHEL is an enterprise distro and does not do gratuitous version upgrades and strives to maintain backwards compatibility. The entire idea of it is that it's easy for you to run yum update and not break things.
Hi TrevorH,

Thank you for your reply.
If I do yum update, it will automatically update the OS to the latest.
Can I instruct yum to update to a specific OS version, for example to stop at 7.6?

See the report below from Nessus. We are trying to "fix" only the critical ones first (two of them), and then I'll continue with the 17 important ones in the Nessus report. When trying to install the kernel rpm 1062.x.x, I get an error with linux-firmware dependencies.
This is hard to follow.

How can I know which CentOS version the kernel below is suited for?

Remote package installed : kernel-3.10.0-957.21.3.el7
Should be : kernel-3.10.0-1062.12.1.el7

Remote package installed : kernel-devel-3.10.0-957.21.3.el7
Should be : kernel-devel-3.10.0-1062.12.1.el7

Remote package installed : kernel-headers-3.10.0-957.21.3.el7
Should be : kernel-headers-3.10.0-1062.12.1.el7

Remote package installed : kernel-tools-3.10.0-957.21.3.el7
Should be : kernel-tools-3.10.0-1062.12.1.el7

Remote package installed : kernel-tools-libs-3.10.0-957.21.3.el7
Should be : kernel-tools-libs-3.10.0-1062.12.1.el7

Remote package installed : python-perf-3.10.0-957.21.3.el7.centos.plus
Should be : python-perf-3.10.0-1062.12.1.el7

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 7.3 and Nessus report

Post by TrevorH » 2020/10/07 16:15:46

Can I instruct yum to update to a specific OS version, for example to stop at 7.6?
Only the current version is supported, 7.8 this week, likely to be 7.9 very soon since RHEL 7.9 came out last week. Sticking to a particular point release and still getting security updates is one of the features that Red Hat like to keep for RHEL and their EUS subscription option.
we are trying to "fix" only the critical ones first (two of them), and then I'll continue with the 17 important ones
I don't think you should rely on Nessus for this since it appears to be missing the other 440 security updates that are listed on the errata page. It's also recommending that you update to packages that also have their own security problems so as soon as you do that, will it change its story and start recommending the next set of updates? Kernels starting 3.10.0-1062 are all part of 7.7 so are already prehistoric. 7.8 uses 3.10.0-1127 kernels and 7.9 will use 3.10.0-1160.

There are caveats to running CentOS and among those are the fact that you cannot use yum --security (since CentOS does not supply the necessary yum metadata to allow that to work) and that you stay current across all packages since there is no way to tell what are security updates and what are not. For that reason you should treat ALL CentOS updates as potential security updates and apply them ASAP.

Looking at the kernel package in particular, since that's the one you are looking at upgrading now. Using rpm -q --changelog kernel-3.10.0-1160.el7.x86_64 | less I checked to see on what line number the first mention of -1062 occurred, and it was on line 3409, so then I ran rpm -q --changelog kernel-3.10.0-1160.el7.x86_64 | head -3409 | grep -c CVE and got 175. So that is 175 mentions of "CVE" in the kernel that you are attempting to upgrade to that are fixed in the latest one.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
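The changelog check TrevorH describes above (cut the newer kernel's changelog at the first mention of the older build, then count CVE references), written up as one reusable function. This is an added example, not code from the thread or from CentOS; the changelog text it runs against is constructed sample data with placeholder CVE ids, and the rpm command in the comment is the one TrevorH quotes, assumed to be run on a host that has that kernel package installed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce TrevorH's check
#   rpm -q --changelog kernel-<new>.x86_64 | head -<line of first old build> | grep -c CVE
# as one function that takes the older build string as an argument.
# The changelog below is CONSTRUCTED sample text in rpm changelog format with
# placeholder CVE ids; on a real host pipe in the output of
#   rpm -q --changelog kernel-3.10.0-1160.el7.x86_64
# (the package TrevorH quotes; assumed to be installed on that host).

cves_fixed_since() {
    # $1: older build string, e.g. 3.10.0-1062; stdin: changelog text.
    # Prints how many changelog lines mention a CVE id before the first
    # line that references the older build, i.e. the CVE fixes a host
    # stuck on that build does not have. Exit status 1 if the older build
    # never appears (then the count covers the whole changelog).
    awk -v old="$1" '
        index($0, old) { found = 1; exit }
        /CVE-[0-9]+-[0-9]+/ { n++ }
        END { print n + 0; exit (found ? 0 : 1) }
    '
}

# Constructed sample: newest entries first, as rpm prints them.
SAMPLE_CHANGELOG='* Tue Sep 29 2020 Builder <builder@example.invalid> [3.10.0-1160.el7]
- [net] bounds check in socket option handler [1000001] {CVE-0000-0001}
- [fs] fix NFS mount option parsing [1000002]
* Mon Mar 30 2020 Builder <builder@example.invalid> [3.10.0-1127.el7]
- [kernel] fix use-after-free in ptrace [1000003] {CVE-0000-0002}
- [mm] fix page refcount leak [1000004] {CVE-0000-0003}
* Wed Feb 05 2020 Builder <builder@example.invalid> [3.10.0-1062.12.1.el7]
- [x86] fix speculative execution mitigation [1000005] {CVE-0000-0004}
'

# CVE fixes between the first 1062 entry and the top of the sample: prints 3.
printf '%s' "$SAMPLE_CHANGELOG" | cves_fixed_since 3.10.0-1062
```

The count is a lower bound on what an old kernel is missing, since one changelog line can reference several CVE ids and some fixes are not tagged at all.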

steve.harder
Posts: 9
Joined: 2020/10/07 13:14:30

Re: CentOS 7.3 and Nessus report

Post by steve.harder » 2020/10/07 18:11:28

TrevorH wrote (2020/10/07 16:15:46):
Can I instruct yum to update to a specific OS version, for example to stop at 7.6?
Only the current version is supported, 7.8 this week, likely to be 7.9 very soon since RHEL 7.9 came out last week. Sticking to a particular point release and still getting security updates is one of the features that Red Hat like to keep for RHEL and their EUS subscription option.
we are trying to "fix" only the critical ones first (two of them), and then I'll continue with the 17 important ones
I don't think you should rely on Nessus for this since it appears to be missing the other 440 security updates that are listed on the errata page. It's also recommending that you update to packages that also have their own security problems so as soon as you do that, will it change its story and start recommending the next set of updates? Kernels starting 3.10.0-1062 are all part of 7.7 so are already prehistoric. 7.8 uses 3.10.0-1127 kernels and 7.9 will use 3.10.0-1160.

There are caveats to running CentOS and among those are the fact that you cannot use yum --security (since CentOS does not supply the necessary yum metadata to allow that to work) and that you stay current across all packages since there is no way to tell what are security updates and what are not. For that reason you should treat ALL CentOS updates as potential security updates and apply them ASAP.

Looking at the kernel package in particular, since that's the one you are looking at upgrading now. Using rpm -q --changelog kernel-3.10.0-1160.el7.x86_64 | less I checked to see on what line number the first mention of -1062 occurred, and it was on line 3409, so then I ran rpm -q --changelog kernel-3.10.0-1160.el7.x86_64 | head -3409 | grep -c CVE and got 175. So that is 175 mentions of "CVE" in the kernel that you are attempting to upgrade to that are fixed in the latest one.

Thank you so much for the feedback and insight.
I appreciate it, TrevorH.
