How to Configure Automatic Security Updates on RHEL 7

Keeping a RHEL 7 server patched against known vulnerabilities is one of the most impactful things you can do to improve its security posture. While manual patching is reliable, it requires discipline and can be delayed during busy operational periods. Automating security updates ensures that critical CVE patches are applied promptly without requiring manual intervention every time Red Hat publishes a security advisory. On RHEL 7, the yum-cron package provides a built-in mechanism to schedule automatic updates, with fine-grained control over which update types to apply and how to handle notifications. This tutorial covers installing and configuring yum-cron for automatic security-only updates on RHEL 7.

Prerequisites

  • RHEL 7 system with root or sudo access
  • Active Red Hat subscription or configured yum repository
  • A working mail system (optional, but recommended for email notifications)
  • Basic understanding of the yum package manager and systemd services

Step 1: Install yum-cron

The yum-cron package is available in the RHEL 7 base repositories. Install it with:

sudo yum install yum-cron -y

After installation, several key files will be present on the system:

  • /etc/yum/yum-cron.conf — Main configuration for daily runs
  • /etc/yum/yum-cron-hourly.conf — Configuration for hourly runs
  • /etc/cron.daily/0yum-daily.cron — Daily cron script
  • /etc/cron.hourly/0yum-hourly.cron — Hourly cron script

For most production servers the daily job is the only one you need to configure; the hourly configuration ships with download_updates = no and apply_updates = no, so it does nothing until you change it.

Step 2: Configure /etc/yum/yum-cron.conf for Security Updates

Open the main configuration file:

sudo vi /etc/yum/yum-cron.conf

The default file is well-commented. Here are the key directives to configure:

Set the update type to security only

The update_cmd directive controls which packages are considered for updates. Its default value, default, updates every package with a newer version available. For security-only patching, change it to security:

[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical = yum --sec-severity=Critical update-minimal
update_cmd = security

The security value restricts the transaction to packages referenced by a Red Hat Security Advisory (RHSA), so bug-fix and enhancement errata are left alone. This selection depends on the updateinfo metadata that Red Hat's repositories publish: a mirror or third-party repository that does not ship updateinfo exposes no advisories, and yum --security will then report nothing to do even when vulnerable packages are installed (yum updateinfo summary shows whether any advisories are visible at all). minimal-security goes one step further: update-minimal installs the lowest package version that resolves the advisory rather than the newest one available, which keeps the version jump small. It still replaces whole packages; it does not patch individual binaries.

Enable automatic application of updates

By default, yum-cron only downloads updates but does not apply them (apply_updates = no). Change this to yes to enable automatic installation:

[commands]
update_messages = yes
download_updates = yes
apply_updates = yes

Important: Before enabling apply_updates = yes on a production system, consider the implications. yum-cron installs packages but never restarts anything: an updated service keeps running its old code until it is restarted, and a new kernel, glibc or systemd only takes effect after a reboot (the needs-restarting tool from yum-utils lists the processes still using replaced files). Updates can also, rarely, break compatibility. Weigh this against your change management policy; some organizations keep download_updates = yes with apply_updates = no so packages are staged automatically and applied after a brief review window.

Configure email notifications

Configure who receives the report. yum-cron either writes it to standard output (emit_via = stdio) or sends it itself over SMTP (emit_via = email); the key is emit_via, and the [email] section is only consulted for the latter:

[emitters]
system_name = webserver01.example.com
emit_via = email

[email]
email_from = root@localhost
email_to = [email protected]
email_host = localhost

email_host names the SMTP server yum-cron connects to, so localhost only works if an MTA is actually listening there. If the host has no working mail setup, keep emit_via = stdio: the report then goes to the cron job's standard output, which anacron (the driver of /etc/cron.daily on RHEL 7) hands to the local MTA for root. Without an MTA that output is simply discarded; nothing is written to syslog either way, so the only permanent record of what was applied is /var/log/yum.log.

A complete recommended configuration

[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 360

[emitters]
system_name = None
emit_via = stdio

[email]
email_from = root@localhost
email_to = root
email_host = localhost

[groups]
group_list = None
group_package_types = mandatory, default

[base]
debuglevel = -2
mdpolicy = group:main

random_sleep = 360 (minutes) makes yum-cron sleep for a random interval of up to 6 hours before it starts, so a fleet of servers does not hit the package mirror simultaneously. This comes on top of the delays already built into the daily schedule: on RHEL 7, /etc/cron.daily is driven by anacron, which runs it once a day inside START_HOURS_RANGE (03:00 to 22:00 by default) after its own RANDOM_DELAY of up to 45 minutes. Updates therefore land at an unpredictable point during the working day, which is fine for stateless web servers but is the reason many teams prefer a fixed window (Step 5) for anything stateful.
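Editing the file by hand does not scale to a fleet, and a sed one-liner that matches update_cmd anywhere in the file will also rewrite the commented example lines. The script below is an added example (not part of the original tutorial) that sets the keys recommended above section by section, touching only uncommented lines, and then audits the result. It assumes the stock RHEL 7 INI layout of /etc/yum/yum-cron.conf; the file path is an argument so you can try it on a copy first, and the function names are this example's own.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: apply the recommended
# yum-cron settings idempotently and audit the result.  Assumes the stock
# RHEL 7 INI layout of /etc/yum/yum-cron.conf; the path is an argument so
# the script can be tried on a copy first.  Function names are this
# example's own.

# set_ini_key FILE SECTION KEY VALUE
# Replaces the first uncommented "KEY = ..." inside [SECTION], drops any
# later duplicate of it in that section, and appends the key (creating the
# section if needed) when it is absent.  Commented example lines such as
# "# security = yum --security upgrade" are left alone.  The file is
# rewritten through cat so its mode, owner and SELinux label survive.
set_ini_key() {
  local file=$1 section=$2 key=$3 value=$4 tmp rc
  tmp=$(mktemp) || return 1
  awk -v sec="$section" -v key="$key" -v val="$value" '
    /^\[.*\]$/ {
      # leaving the target section without having seen the key: add it
      if (in_sec && !done) { print key " = " val; done = 1 }
      in_sec = ($0 == "[" sec "]")
    }
    in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; done = 1; next }
    in_sec &&  done && $0 ~ ("^[ \t]*" key "[ \t]*=") { next }
    { print }
    END {
      if (!done) {
        if (!in_sec) print "[" sec "]"
        print key " = " val
      }
    }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# get_ini_key FILE SECTION KEY: prints the effective value (the last
# occurrence wins, as in Python's ConfigParser), or nothing if unset.
get_ini_key() {
  awk -v sec="$2" -v key="$3" '
    /^\[.*\]$/ { in_sec = ($0 == "[" sec "]"); next }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
    END { print val }' "$1"
}

# harden_yum_cron FILE: the security-only, auto-apply configuration.
harden_yum_cron() {
  local f=$1
  set_ini_key "$f" commands update_cmd security &&
  set_ini_key "$f" commands update_messages yes &&
  set_ini_key "$f" commands download_updates yes &&
  set_ini_key "$f" commands apply_updates yes &&
  set_ini_key "$f" commands random_sleep 360 &&
  set_ini_key "$f" emitters emit_via stdio &&
  set_ini_key "$f" email email_to root
}

# verify_yum_cron FILE: prints each key that deviates from the hardened
# values and returns 1 if any does, so it doubles as a compliance check.
verify_yum_cron() {
  local f=$1 status=0 spec rest section key want got
  for spec in commands:update_cmd:security commands:download_updates:yes \
              commands:apply_updates:yes emitters:emit_via:stdio; do
    section=${spec%%:*}; rest=${spec#*:}; key=${rest%%:*}; want=${rest#*:}
    got=$(get_ini_key "$f" "$section" "$key")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH [$section] $key = '$got' (expected '$want')"
      status=1
    fi
  done
  return "$status"
}

# Stand-alone use:  sudo bash yum-cron-harden.sh /etc/yum/yum-cron.conf
if [ -n "${1:-}" ]; then
  cp -p -- "$1" "$1.bak" && harden_yum_cron "$1" && verify_yum_cron "$1"
fi
```

The rewrite goes through cat rather than mv so the file keeps its inode, mode, owner and SELinux label (a temp file moved in from /tmp would otherwise carry a tmp context into /etc/yum). verify_yum_cron prints each mismatch and returns non-zero, which makes it usable on its own as a compliance check against hosts that were supposedly configured already.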

Step 3: Enable and Start the yum-cron Service

Enable and start the yum-cron service. On RHEL 7 this unit is not a daemon: it is a oneshot whose ExecStart merely creates /var/lock/subsys/yum-cron (and whose ExecStop removes it). Both cron scripts test for that file and exit without doing anything when it is absent, so the service is effectively the on/off switch for the cron jobs. The jobs themselves are launched by crond, which must therefore also be enabled and running:

sudo systemctl enable yum-cron
sudo systemctl start yum-cron

Verify the unit is active:

sudo systemctl status yum-cron

Expected output:

● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2026-05-17 10:00:00 UTC; 10s ago
  Process: 4567 ExecStart=/bin/touch /var/lock/subsys/yum-cron (code=exited, status=0/SUCCESS)
 Main PID: 4567 (code=exited, status=0/SUCCESS)

active (exited) is the correct state here: RemainAfterExit=yes keeps the unit active after touch has finished, and there is no long-running yum-cron process to look for. If /var/lock/subsys/yum-cron is missing after this step, the daily job will silently do nothing.

Step 4: Test Security Update Detection Manually

Before relying on the automated system, test that your configuration correctly identifies available security updates. Use yum with the --security flag to check without installing anything:

sudo yum --security check-update

This lists every installed package for which a security advisory is available. The exit code is what scripts should key on: 0 means nothing is pending, 100 means security updates are available, and 1 means yum itself failed (unreachable repository, yum lock held by another process, and so on). A wrapper that treats any non-zero status as "updates pending" will misreport outages.

To simulate what yum-cron will do (download only, no install):

sudo yum --security update --downloadonly

To perform a dry run and see what would be updated:

sudo yum --security update --assumeno

To run the daily job by hand exactly as cron would (it exits silently, doing nothing, if the yum-cron service has not been started and /var/lock/subsys/yum-cron is therefore missing; to bypass that check, run /usr/sbin/yum-cron directly, optionally passing a configuration file as its argument):

sudo /etc/cron.daily/0yum-daily.cron

Check the output in /var/log/yum.log after the run:

sudo tail -50 /var/log/yum.log
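The exit codes above are what a monitoring check should key on. The script below is an added example, not from the original tutorial, that turns yum --security check-update into a Nagios-style probe: it lists the affected packages, exits 2 while anything is pending and 3 when yum itself fails, so a repository outage is never mistaken for a clean host. The YUM variable and the function names are this example's own; YUM defaults to the real binary and exists only so the logic can be exercised against a stand-in command.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: a monitoring-style
# probe for pending security updates.  Exit status follows the Nagios
# convention (0 OK, 2 CRITICAL, 3 UNKNOWN) and keys on yum's own exit
# code rather than on whether any output appeared.  YUM defaults to the
# real binary; it is a variable only so the logic can be tested against
# a stand-in command.
YUM=${YUM:-/usr/bin/yum}

# pending_security_updates: prints "name.arch version repo" for each
# package covered by a security advisory and returns yum's status
# (0 nothing pending, 100 updates pending, anything else an error).
pending_security_updates() {
  local out='' rc=0
  out=$("$YUM" -q --security check-update 2>/dev/null) || rc=$?
  # check-update emits a leading blank line and, without -q, header
  # text; keep only three-field lines whose first field is name.arch.
  printf '%s\n' "$out" | awk 'NF == 3 && $1 ~ /\.[a-z0-9_]+$/ { print }'
  return "$rc"
}

# check_security_updates: one-line summary on stdout, Nagios exit status.
check_security_updates() {
  local list='' rc=0 count=0 names=''
  list=$(pending_security_updates) || rc=$?
  case $rc in
    0)
      echo "OK - no pending security updates"
      return 0 ;;
    100)
      count=$(printf '%s\n' "$list" | grep -c .) || count=0
      names=$(printf '%s\n' "$list" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }')
      echo "CRITICAL - $count pending security update(s): $names"
      return 2 ;;
    *)
      # 1 is yum's generic failure: repository unreachable, lock held, ...
      echo "UNKNOWN - yum --security check-update exited with status $rc"
      return 3 ;;
  esac
}

# Stand-alone use:  bash check-security-updates.sh --run
if [ "${1:-}" = "--run" ]; then
  check_security_updates
  exit $?
fi
```

Run it from your monitoring agent a few hours after the yum-cron window; a host that stays CRITICAL for more than a day tells you that automatic patching has stopped working (expired subscription, missing lock file, broken repository) before anyone notices by hand.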

Step 5: Schedule Additional Patching with Cron (Optional)

While yum-cron handles daily runs, you may want more control over the exact schedule — for example, applying updates during a specific maintenance window. You can create a custom cron job that runs the yum security update command directly:

sudo crontab -e

Add a line to run security updates every Tuesday at 2:00 AM:

# Apply security updates every Tuesday at 02:00
0 2 * * 2 /usr/bin/yum --security update -y >> /var/log/yum-auto-security.log 2>&1

Running both mechanisms at once will not corrupt anything, because yum serialises on its own lock, but it defeats the purpose of a maintenance window: yum-cron will apply the same errata at whatever time its random delay picks. If the window is meant to control when updates land, either set apply_updates = no in /etc/yum/yum-cron.conf so the daily job only pre-downloads packages, or stop the yum-cron service altogether, and let this cron entry do the applying.
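Calling yum straight from the crontab, as above, leaves three gaps: nothing stops two runs from overlapping, the log carries no timestamps, and nobody learns that the freshly installed kernel or glibc is not actually in use until the next reboot. The wrapper below is an added example (not part of the original tutorial) that closes them with flock, a timestamped log and the needs-restarting tool from the yum-utils package, whose -r option exits 1 when a reboot is required. The function names, the lock file path and the YUM / NEEDS_RESTARTING variables are this example's own; the variables default to the real binaries and exist only so the control flow can be exercised against stand-ins.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: wrapper for the
# maintenance-window cron entry.  Serialises runs with flock, keeps a
# timestamped log and reports whether a reboot is pending afterwards.
# Assumes yum-utils is installed (for needs-restarting).  YUM and
# NEEDS_RESTARTING default to the real binaries; they are variables only
# so the control flow can be tested against stand-in commands.
YUM=${YUM:-/usr/bin/yum}
NEEDS_RESTARTING=${NEEDS_RESTARTING:-/usr/bin/needs-restarting}
LOCK=${LOCK:-/var/lock/yum-auto-security.lock}   # example path
LOG=${LOG:-/var/log/yum-auto-security.log}

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG"; }

# apply_security_updates: security-only update with its output captured
# in the log; returns 0 on success or yum's own exit status.
apply_security_updates() {
  local rc=0
  "$YUM" -y --security update >> "$LOG" 2>&1 || rc=$?
  log "yum --security update exited with status $rc"
  return "$rc"
}

# reboot_required: true (0) when needs-restarting -r exits 1, i.e. the
# running kernel or a core library such as glibc has been replaced.
reboot_required() {
  if "$NEEDS_RESTARTING" -r >> "$LOG" 2>&1; then return 1; else return 0; fi
}

# run_window: what the cron entry calls.  The subshell holds fd 9 on the
# lock file for its whole lifetime; flock -n makes an overlapping run
# bail out (75 = EX_TEMPFAIL) instead of queueing behind the first one.
# Returns 0 (done), 3 (done, reboot pending) or yum's failure status.
run_window() {
  (
    flock -n 9 || { log "another run holds $LOCK; skipping"; exit 75; }
    log "starting security update run"
    apply_security_updates || exit $?
    if reboot_required; then log "REBOOT REQUIRED"; exit 3; fi
    log "no reboot required"
    exit 0
  ) 9>"$LOCK"
}

# Stand-alone use:  /usr/local/sbin/yum-security-window --run
if [ "${1:-}" = "--run" ]; then
  run_window
  exit $?
fi
```

Install it as, for example, /usr/local/sbin/yum-security-window and point the crontab entry at it with the --run argument instead of calling yum directly. Exit status 3 marks a run that completed but left the host waiting for a reboot, which is the state worth alerting on; 75 means the window overlapped with another run, which usually indicates that yum-cron is still applying updates on its own.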

Step 6: Check SELinux Context for yum-cron Logs

With SELinux enforcing, yum launched from cron runs in the same confined domain as an interactive yum (rpm_t, with rpm_script_t for package scriptlets), transitioning there from the cron job domain, and the stock targeted policy already allows everything a normal update needs. Confirm that nothing was denied by checking the audit log after a run:

sudo ausearch -m AVC -ts recent | grep yum

If denials appear, use audit2why to diagnose:

sudo ausearch -m AVC -ts recent | audit2why

Custom policy modules are normally unnecessary: the shipped rpm_t and rpm_script_t rules already cover yum-cron's writes to the RPM database, /var/cache/yum and /var/log/yum.log. A denial usually points at a locally mislabelled file or directory (restorecon -Rv on the path in question fixes that) rather than at a gap in the policy.

Step 7: Monitor Update History

Review what updates have been applied automatically using yum history:

# List recent yum transactions
sudo yum history list

# View details of a specific transaction by ID (42 is a placeholder; take a real ID from the list)
sudo yum history info 42

# Show all packages updated in a specific transaction
sudo yum history packages-info 42

Also review the yum log directly. A new kernel appears as Installed: rather than Updated:, because yum keeps several kernels installed side by side, so match both:

sudo grep -E "Updated|Installed" /var/log/yum.log | tail -30

Automatic security updates via yum-cron strike an excellent balance between operational simplicity and security discipline on RHEL 7. By limiting update_cmd to security, you avoid unexpected behavior changes from non-security upgrades while ensuring your system remains protected against known vulnerabilities. Combined with regular manual review of yum history and security advisory notifications from Red Hat, this gives you a robust, low-overhead patching strategy suitable for production environments.