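First, today's task: a Red Hat 8.4 host on which Nessus reported more than a hundred vulnerabilities, the vast majority of them high severity. Let's see how many can be fixed today.
Analysis shows that most of them only require updating a package version, so although there are many, they are not very hard to fix. The OS is Red Hat, but no official subscription has been purchased yet, so online updates are not possible. The update source therefore has to be sorted out first.
Disable the default Red Hat subscription and switch to a CentOS repository as the update source.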
sudo vi /etc/yum.repos.d/centos-vault.repo
[BaseOS]
name=Redhat84 - 163 - Base
baseurl=https://mirrors.163.com/centos/8-stream/BaseOS/x86_64/os/
#baseurl=https://mirrors.163.com/centos/8.4.2105/BaseOS/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.2.2004&arch=x86_64&repo=BaseOS&infra=$infra
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[AppStream]
name=Redhat84 - 163 - AppStream
baseurl=https://mirrors.163.com/centos/8-stream/AppStream/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=AppStream&infra=$infra
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[PowerTools]
name=Redhat84 - 163 - PowerTools
baseurl=https://mirrors.163.com/centos/8-stream/PowerTools/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=PowerTools&infra=$infra
enabled=0
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
#additional packages that may be useful
[extras]
name=Redhat84 - 163 - Extras
baseurl=https://mirrors.163.com/centos/8-stream/extras/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=extras
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
#additional packages that extend functionality of existing packages
[centosplus]
name=Redhat84 - 163 - Plus
baseurl=https://mirrors.163.com/centos/8-stream/centosplus/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=centosplus
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
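Test that the update works. Note that gpgcheck=0 turns signature verification off, so packages from the mirror are installed without their GPG signatures being checked; with verification turned on, the update may fail.
This vulnerability mainly requires updating six packages, listed below: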
Remote package installed : python3-rpm-4.14.3-13.el8
Should be : python3-rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-4.14.3-13.el8
Should be : rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-build-libs-4.14.3-13.el8
Should be : rpm-build-libs-4.14.3-14.el8_4.2
Remote package installed : rpm-libs-4.14.3-13.el8
Should be : rpm-libs-4.14.3-14.el8_4.2
Remote package installed : rpm-plugin-selinux-4.14.3-13.el8
Should be : rpm-plugin-selinux-4.14.3-14.el8_4.2
Remote package installed : rpm-plugin-systemd-inhibit-4.14.3-13.el8
Should be : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.2
We can use the update command:
sudo yum update python3-rpm-4.14.3
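This updates all six packages at once.
The update output lists the following as Upgraded (the 4.14.3-23.el8 builds from the CentOS Stream repository are newer than the 4.14.3-14.el8_4.2 builds Nessus asks for):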
python3-rpm-4.14.3-23.el8.x86_64 rpm-4.14.3-23.el8.x86_64 rpm-build-libs-4.14.3-23.el8.x86_64 rpm-libs-4.14.3-23.el8.x86_64
rpm-plugin-selinux-4.14.3-23.el8.x86_64 rpm-plugin-systemd-inhibit-4.14.3-23.el8.x86_64
When fixing this vulnerability, pay attention to how the update is invoked, otherwise it may not succeed.
sudo yum update vim-filesystem-8.0.1763
sudo yum update vim-minimal.x86_64
This vulnerability involves more work; the packages to update are summarized below:
sudo yum update conmon
sudo yum update cockpit-podman
sudo yum update buildah
sudo yum update slirp4netns
sudo yum update podman
sudo yum update libslirp
sudo yum update fuse-overlayfs
Special note: for kernel vulnerabilities, the fix only takes effect after a reboot following the update.
Installed package kernel-4.18.0-383.el8 is greater than kernel-4.18.0-305.28.1.el8_4.
However, according to uname -r, the current running kernel level is 4.18.0-305.el8.
This system requires a reboot to begin using the patched kernel level.
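To confirm that the rpm update and the kernel finding above are really resolved, the check below (an added example, not part of the original post) compares installed builds against the "Should be" builds in the Nessus output and compares the running kernel against the fixed kernel. The function names are hypothetical, and the version comparison is a simplified form of RPM's segment ordering that ignores epochs and the `~`/`^` modifiers.

```python
import re

# Excerpt of the Nessus output and yum "Upgraded" list quoted on this page.
NESSUS = """\
Remote package installed : python3-rpm-4.14.3-13.el8
Should be : python3-rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-4.14.3-13.el8
Should be : rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-plugin-selinux-4.14.3-13.el8
Should be : rpm-plugin-selinux-4.14.3-14.el8_4.2
"""
UPGRADED = ("python3-rpm-4.14.3-23.el8.x86_64 rpm-4.14.3-23.el8.x86_64 "
            "rpm-plugin-selinux-4.14.3-23.el8.x86_64")

def split_nvr(pkg):
    """Split name-version-release[.arch] into (name, version, release)."""
    pkg = re.sub(r"\.(x86_64|i686|aarch64|noarch)$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (no epoch, '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def nvr_cmp(a, b):
    (_, va, ra), (_, vb, rb) = split_nvr(a), split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unfixed(nessus_text, installed):
    """Names whose installed build is missing or older than Nessus's 'Should be'."""
    have = {split_nvr(p)[0]: p for p in installed.split()}
    needed = re.findall(r"^Should be\s*:\s*(\S+)", nessus_text, re.M)
    return [split_nvr(n)[0] for n in needed
            if split_nvr(n)[0] not in have or nvr_cmp(have[split_nvr(n)[0]], n) < 0]

def reboot_needed(uname_r, fixed_kernel):
    """True when the running kernel is older than the fixed build."""
    return nvr_cmp("kernel-" + uname_r, fixed_kernel) < 0

if __name__ == "__main__":
    before = " ".join(re.findall(r"^Remote package installed\s*:\s*(\S+)", NESSUS, re.M))
    print("unfixed before update:", unfixed(NESSUS, before))
    print("unfixed after update: ", unfixed(NESSUS, UPGRADED))
    print("reboot needed:", reboot_needed("4.18.0-305.el8", "kernel-4.18.0-305.28.1.el8_4"))
```

On a live host the installed list can be taken from `rpm -qa` and the running kernel from `uname -r`.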