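First, today's task: a Red Hat 8.4 host on which Nessus reported more than a hundred vulnerabilities, the vast majority of them high severity. Let's see how many can be fixed today.
Analysis of the findings shows that most of them are resolved by updating a package version, so although there are many, they are not very hard to fix. The OS is Red Hat, but no official subscription has been purchased yet, so it cannot update online. The update source therefore has to be sorted out first.
Disable the default Red Hat subscription and use a CentOS repository as the update source instead.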
- sudo vi /etc/yum.repos.d/centos-vault.repo
-
- [BaseOS]
- name=Redhat84 - 163 - Base
- baseurl=https://mirrors.163.com/centos/8-stream/BaseOS/x86_64/os/
- #baseurl=https://mirrors.163.com/centos/8.4.2105/BaseOS/x86_64/os/
- #mirrorlist=http://mirrorlist.centos.org/?release=8.2.2004&arch=x86_64&repo=BaseOS&infra=$infra
- enabled=1
- gpgcheck=0
- gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
- [AppStream]
- name=Redhat84 - 163 - AppStream
- baseurl=https://mirrors.163.com/centos/8-stream/AppStream/x86_64/os/
- #mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=AppStream&infra=$infra
- enabled=1
- gpgcheck=0
- gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
- [PowerTools]
- name=Redhat84 - 163 - PowerTools
- baseurl=https://mirrors.163.com/centos/8-stream/PowerTools/x86_64/os/
- #mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=PowerTools&infra=$infra
- enabled=0
- gpgcheck=0
- gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
- #additional packages that may be useful
- [extras]
- name=Redhat84 - 163 - Extras
- baseurl=https://mirrors.163.com/centos/8-stream/extras/x86_64/os/
- #mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=extras
- enabled=1
- gpgcheck=0
- gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
- #additional packages that extend functionality of existing packages
- [centosplus]
- name=Redhat84 - 163 - Plus
- baseurl=https://mirrors.163.com/centos/8-stream/centosplus/x86_64/os/
- #mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=centosplus
- gpgcheck=1
- enabled=0
- gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
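Test whether updates now work. Note that gpgcheck=0 turns off package signature verification, so packages from the mirror are installed without their signatures being checked; with verification enabled, the update may fail.
This vulnerability mainly requires updating six packages, listed below: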
Remote package installed : python3-rpm-4.14.3-13.el8
Should be : python3-rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-4.14.3-13.el8
Should be : rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-build-libs-4.14.3-13.el8
Should be : rpm-build-libs-4.14.3-14.el8_4.2
Remote package installed : rpm-libs-4.14.3-13.el8
Should be : rpm-libs-4.14.3-14.el8_4.2
Remote package installed : rpm-plugin-selinux-4.14.3-13.el8
Should be : rpm-plugin-selinux-4.14.3-14.el8_4.2
Remote package installed : rpm-plugin-systemd-inhibit-4.14.3-13.el8
Should be : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.2
We can use the following update command:
- sudo yum update python3-rpm-4.14.3
-
This updates all six packages in one go.
According to the update output, the following were Upgraded in total:
python3-rpm-4.14.3-23.el8.x86_64 rpm-4.14.3-23.el8.x86_64 rpm-build-libs-4.14.3-23.el8.x86_64 rpm-libs-4.14.3-23.el8.x86_64
rpm-plugin-selinux-4.14.3-23.el8.x86_64 rpm-plugin-systemd-inhibit-4.14.3-23.el8.x86_64
When fixing this vulnerability, pay attention to how the update is invoked, otherwise it may not succeed.
- sudo yum update vim-filesystem-8.0.1763
- sudo yum update vim-minimal.x86_64
-
This vulnerability involves more work; the packages to update are summarized below:
- sudo yum update conmon
- sudo yum update cockpit-podman
- sudo yum update buildah
- sudo yum update slirp4netns
- sudo yum update podman
- sudo yum update libslirp
- sudo yum update fuse-overlayfs
-
Important: for kernel vulnerability fixes, the update only takes effect after a reboot.
Installed package kernel-4.18.0-383.el8 is greater than kernel-4.18.0-305.28.1.el8_4.
However, according to uname -r, the current running kernel level is 4.18.0-305.el8.
This system requires a reboot to begin using the patched kernel level.
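To confirm that an update really clears the scanner's "Should be" levels (the rpm packages above landed on -23.el8 rather than -14.el8_4.2, and the running kernel still lags the installed one), the following added example, not part of the original post, compares package levels with rpm's segment-wise ordering. It assumes epoch 0 and no `~`/`^` modifiers; the function names are hypothetical and the sample input is built from the values quoted on this page.

```python
import re

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.
    Simplification (assumption): '~' and '^' modifiers are not handled."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_nvr(pkg):
    """'rpm-libs-4.14.3-23.el8.x86_64' -> ('rpm-libs', '4.14.3', '23.el8')."""
    pkg = re.sub(r"\.(x86_64|noarch|i686|aarch64)$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def is_fixed(installed, required):
    """True when `installed` is at or above the scanner's 'Should be' level (epoch ignored)."""
    (n1, v1, r1), (n2, v2, r2) = split_nvr(installed), split_nvr(required)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

def unresolved(scan_text, installed_now):
    """'Should be' entries in the scanner output that the installed set does not satisfy."""
    have = {split_nvr(p)[0]: p for p in installed_now}
    need = re.findall(r"Should be\s*:\s*(\S+)", scan_text)
    return [r for r in need
            if split_nvr(r)[0] not in have or not is_fixed(have[split_nvr(r)[0]], r)]

# Sample input taken from the values quoted on this page (subset).
SCAN = """Remote package installed : python3-rpm-4.14.3-13.el8
Should be : python3-rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-4.14.3-13.el8
Should be : rpm-4.14.3-14.el8_4.2
Remote package installed : rpm-libs-4.14.3-13.el8
Should be : rpm-libs-4.14.3-14.el8_4.2"""
UPGRADED = ["python3-rpm-4.14.3-23.el8.x86_64", "rpm-4.14.3-23.el8.x86_64",
            "rpm-libs-4.14.3-23.el8.x86_64"]

if __name__ == "__main__":
    print("still vulnerable:", unresolved(SCAN, UPGRADED))
    fixed = "kernel-4.18.0-305.28.1.el8_4"
    print("installed kernel ok:", is_fixed("kernel-4.18.0-383.el8", fixed))
    print("running kernel ok:  ", is_fixed("kernel-4.18.0-305.el8", fixed))  # uname -r value
```

On a live host, feed `unresolved` the output of `rpm -qa` and compare `uname -r` separately, since an installed fixed kernel does not count until the host boots into it.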