Auto-Update CentOS Packages with Yum-Cron | NOC.org

Why Automatic Updates Matter

Unpatched servers are the leading cause of security breaches. When a vulnerability is publicly disclosed, attackers begin scanning for and exploiting vulnerable systems within hours. Manual patching — even on a disciplined weekly schedule — leaves a window of exposure that automatic updates can close. For production servers that run CentOS or RHEL, yum-cron (CentOS 7) and dnf-automatic (CentOS 8+/RHEL 8+) provide reliable, configurable automatic update mechanisms.

This is a fundamental step in any Linux security checklist. Automatic updates can be configured to apply only security patches, notify administrators before applying, or download updates without installing them — giving you control over the balance between security and stability.

Installing Yum-Cron on CentOS 7

Yum-cron is available in the CentOS 7 base repository:

sudo yum install yum-cron -y

After installation, two systemd services are available:

  • yum-cron — runs daily, configured via /etc/yum/yum-cron.conf
  • yum-cron-hourly — runs hourly, configured via /etc/yum/yum-cron-hourly.conf

For security updates, the daily service is typically sufficient. Enable and start it:

sudo systemctl enable yum-cron
sudo systemctl start yum-cron

Configuring /etc/yum/yum-cron.conf

The main configuration file controls what updates are applied and how notifications are handled. Here is a detailed breakdown of each section:

[commands] Section

[commands]
# What kind of updates to apply:
#   default                = yum upgrade
#   security               = yum --security upgrade
#   security-severity:Critical = only critical security updates
#   minimal                = yum --bugfix update-minimal
#   minimal-security       = yum --security update-minimal
#   minimal-security-severity:Critical = critical security minimal
update_cmd = security

# Whether to download updates
download_updates = yes

# Whether to apply (install) downloaded updates
apply_updates = yes

# Maximum random delay (in minutes) before running
random_sleep = 360

The update_cmd setting is the most important configuration choice:

  • default: Applies all available updates (feature updates, bug fixes, and security patches). Most aggressive option — may change application behavior.
  • security: Applies only updates classified as security fixes. Recommended for production servers where stability is critical.
  • security-severity:Critical: Applies only critical security updates. The most conservative option, but may miss important security fixes rated "Important" or "Moderate."
  • minimal-security: Applies the minimum package versions needed to resolve security issues, avoiding unnecessary feature updates within the security update. Best balance of security and stability.

[emitters] Section

[emitters]
# Name used for this system in messages; None means use the hostname
system_name = None

# How to send messages: stdio or email
emit_via = email

# Width, in characters, of the emitted messages
output_width = 80

[email] Section

[email]
email_from = root@localhost
email_to = admin@example.com
email_host = localhost

For email notifications to work, you need a functioning mail transfer agent (MTA) on the server — typically Postfix or sendmail. If your server does not send email directly, configure email_host to point to your mail relay.

Complete Recommended Configuration

For a production server that should automatically apply security updates and notify the administrator:

[commands]
update_cmd = security
download_updates = yes
apply_updates = yes
random_sleep = 360

[emitters]
system_name = webserver01
emit_via = email
output_width = 80

[email]
email_from = yum-cron@webserver01.example.com
email_to = admin@example.com
email_host = localhost

[groups]
group_list = None
group_package_types = mandatory, default

[base]
debuglevel = -2
mdpolicy = group:main

Download-Only Mode

If you want to review updates before they are installed, configure yum-cron to download but not apply updates:

[commands]
update_cmd = security
download_updates = yes
apply_updates = no

Updates are downloaded to the yum cache, and you receive an email notification listing the available updates. You can then log in and install them manually:

# See what's cached and ready to install
sudo yum --security check-update

# Apply the cached updates
sudo yum --security update -y

This approach gives you visibility and control while ensuring updates are pre-downloaded and ready for rapid deployment.

Checking Yum-Cron Logs

Yum-cron logs its activity to the standard yum log file:

# View recent yum-cron activity
sudo tail -100 /var/log/yum.log

# Check if yum-cron ran today
sudo journalctl -u yum-cron --since today

# Check the cron execution log
sudo grep yum /var/log/cron

If yum-cron is not running as expected, check that the service is enabled and that the cron job is in place. On CentOS 7 yum-cron is driven by cron, not by a systemd timer: the systemd unit only creates a lock file, and the daily cron script exits immediately if that lock file is missing:

sudo systemctl status yum-cron
ls -l /etc/cron.daily/0yum-daily.cron /var/lock/subsys/yum-cron
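Reading the log by eye does not tell you whether the packages you care about were actually patched, or whether a kernel was installed that the host is not yet running. The following POSIX shell helpers are an added example, not code from the NOC.org article: they parse the "Mon DD HH:MM:SS Updated: NEVRA" lines yum writes to /var/log/yum.log and answer those two questions. The function names are my own, and the log lines embedded in make_sample_log are constructed for the demonstration; on a real host pass /var/log/yum.log instead.

```shell
#!/bin/sh
# Added example, not part of the NOC.org article: summarise what yum-cron
# actually installed by parsing /var/log/yum.log, whose entries look like
# "Mar 10 03:41:22 Updated: openssl-1:1.0.2k-19.el7.x86_64". The log
# lines embedded below are constructed for the demonstration.

# yum_log_updates FILE [DAY]: print "NAME EVR" for every Updated:/Installed:
# entry, limited to DAY (e.g. "Mar 10") when given.
yum_log_updates() {
    awk -v day="$2" '
        (day == "" || index($0, day " ") == 1) && ($4 == "Updated:" || $4 == "Installed:") {
            pkg = $5
            sub(/\.[^.]+$/, "", pkg)               # drop the .arch suffix
            n = split(pkg, p, "-")                 # name parts, version, release
            name = p[1]
            for (i = 2; i <= n - 2; i++) name = name "-" p[i]
            print name, p[n-1] "-" p[n]
        }' "$1"
}

# count_updates FILE [DAY]: number of packages updated or installed.
count_updates() {
    yum_log_updates "$1" "$2" | wc -l | tr -d ' '
}

# package_updated FILE NAME: succeed if NAME was updated/installed at any point.
package_updated() {
    yum_log_updates "$1" | awk -v n="$2" '$1 == n { found = 1 } END { exit !found }'
}

# reboot_needed FILE: succeed if a kernel was installed; the running kernel
# stays unpatched until the host reboots, which yum-cron does not do.
reboot_needed() {
    package_updated "$1" kernel
}

# make_sample_log: write constructed yum.log lines to a temp file, print its path.
make_sample_log() {
    f=${TMPDIR:-/tmp}/yum-log-sample.$$
    cat > "$f" <<'EOF'
Mar 09 03:12:40 Updated: bash-4.2.46-34.el7.x86_64
Mar 10 03:41:22 Updated: openssl-libs-1:1.0.2k-19.el7.x86_64
Mar 10 03:41:23 Updated: openssl-1:1.0.2k-19.el7.x86_64
Mar 10 03:41:25 Installed: kernel-3.10.0-1160.el7.x86_64
Mar 10 03:41:26 Erased: old-package-1.0-1.el7.noarch
EOF
    echo "$f"
}

# Usage: on a real host replace the sample with /var/log/yum.log.
log=$(make_sample_log)
echo "packages updated on Mar 10: $(count_updates "$log" "Mar 10")"
yum_log_updates "$log" "Mar 10"
reboot_needed "$log" && echo "kernel installed: reboot required to run the patched kernel"
rm -f "$log"
```

The Erased: line is deliberately ignored, since removals are not patches; the kernel check is worth wiring into monitoring, because a host that has "applied" a kernel security update but never rebooted is still running the vulnerable kernel.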

Excluding Packages from Updates

Some packages should not be updated automatically — particularly the kernel, database servers, or application runtimes where updates could cause downtime or compatibility issues:

# /etc/yum.conf — add to [main] section
exclude=kernel* mysql* php*

Alternatively, add exclusions to the yum-cron configuration itself in the [base] section:

[base]
exclude = kernel* mysql-server*

Excluded packages still appear in notification emails as available updates, reminding you to apply them manually during scheduled maintenance windows.
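The update_cmd choices described in the [commands] section and the exclude patterns above are the two settings that decide what a server silently misses. As an added example, not code from the NOC.org article or the yum-cron project, the POSIX shell script below reads a yum-cron.conf-style file, reports the yum invocation the update_cmd value maps to (the mapping the [commands] comments give; yum's --sec-severity option is what the severity variants use), and flags inconsistent or risky combinations, including an exclude list that keeps the kernel unpatched. The helper names (conf_get, audit_conf, update_cmd_to_yum) are my own and the sample configuration is constructed; point it at /etc/yum/yum-cron.conf on a real host.

```shell
#!/bin/sh
# Added example, not part of the NOC.org article: audit a yum-cron.conf-style
# file. Reports the yum command the [commands] update_cmd setting maps to
# (mapping from the conf file's own comments) and flags inconsistent or
# risky combinations, including [base] exclude patterns that leave
# packages unpatched. The sample configuration below is constructed.

# conf_get FILE SECTION KEY: print KEY's value from SECTION (empty if absent).
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
                      in_sec = (line == sec); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# update_cmd_to_yum VALUE: the yum invocation yum-cron runs for update_cmd=VALUE.
update_cmd_to_yum() {
    case "$1" in
        default)                     echo "yum upgrade" ;;
        security)                    echo "yum --security upgrade" ;;
        security-severity:*)         echo "yum --sec-severity=${1#security-severity:} upgrade" ;;
        minimal)                     echo "yum --bugfix update-minimal" ;;
        minimal-security)            echo "yum --security update-minimal" ;;
        minimal-security-severity:*) echo "yum --sec-severity=${1#minimal-security-severity:} update-minimal" ;;
        *)                           echo "unknown"; return 1 ;;
    esac
}

# audit_conf FILE: print findings; return 0 when the file is consistent, 1 otherwise.
audit_conf() {
    conf=$1; rc=0
    cmd=$(conf_get "$conf" commands update_cmd)
    dl=$(conf_get "$conf" commands download_updates)
    apply=$(conf_get "$conf" commands apply_updates)
    excl=$(conf_get "$conf" base exclude)

    yumcmd=$(update_cmd_to_yum "${cmd:-default}") || { echo "BAD: unknown update_cmd '$cmd'"; rc=1; }
    echo "would run: $yumcmd"
    if [ "$apply" = yes ] && [ "$dl" != yes ]; then
        echo "BAD: apply_updates = yes requires download_updates = yes"; rc=1
    fi
    if [ "$cmd" = default ] && [ "$apply" = yes ]; then
        echo "WARN: update_cmd = default installs feature updates unattended"
    fi
    [ "$apply" = yes ] || echo "NOTE: download-only mode; updates must be installed by hand"
    if [ -n "$excl" ]; then
        echo "NOTE: excluded from automatic updates: $excl"
        set -f                                   # no globbing: keep patterns literal
        for pat in $excl; do
            case "$pat" in
                kernel*) echo "WARN: kernel excluded; kernel security fixes need a manual update and reboot" ;;
            esac
        done
        set +f
    fi
    return "$rc"
}

# make_sample: write a constructed yum-cron.conf to a temp file and print its path.
make_sample() {
    f=${TMPDIR:-/tmp}/yum-cron-sample.$$.conf
    cat > "$f" <<'EOF'
[commands]
update_cmd = security
download_updates = yes
apply_updates = yes
random_sleep = 360

[base]
debuglevel = -2
exclude = kernel* mysql-server*
EOF
    echo "$f"
}

# Usage: audit the constructed sample; on a real host pass /etc/yum/yum-cron.conf.
sample=$(make_sample)
audit_conf "$sample"
rm -f "$sample"
```

Running it in a configuration-management check or a nightly cron job turns the exclude list from a forgotten line in a config file into a visible reminder of exactly which packages are waiting for the next maintenance window.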

Comparison: dnf-automatic for CentOS 8+ / RHEL 8+

CentOS 8, CentOS Stream, RHEL 8, and newer distributions use dnf instead of yum, and the automatic update tool is dnf-automatic:

# Install dnf-automatic
sudo dnf install dnf-automatic -y

# Configuration file
sudo vi /etc/dnf/automatic.conf

The configuration is similar but uses a different structure:

# /etc/dnf/automatic.conf
[commands]
upgrade_type = security
download_updates = yes
apply_updates = yes

[emitters]
system_name = webserver01
emit_via = email

[email]
email_from = dnf-automatic@webserver01.example.com
email_to = admin@example.com
email_host = localhost

[command_email]
email_from = dnf-automatic@webserver01.example.com
email_to = admin@example.com

Enable the timer (dnf-automatic uses systemd timers rather than cron):

# Enable exactly one of the following timers.

# For download and install
sudo systemctl enable --now dnf-automatic-install.timer

# For download only (with notification)
sudo systemctl enable --now dnf-automatic-download.timer

# For notification only (nothing downloaded or installed)
sudo systemctl enable --now dnf-automatic-notifyonly.timer

# Verify the timer is active
sudo systemctl list-timers | grep dnf

Key Differences Between yum-cron and dnf-automatic

Feature             yum-cron (CentOS 7)        dnf-automatic (CentOS 8+)
Scheduling          cron                       systemd timers
Config file         /etc/yum/yum-cron.conf     /etc/dnf/automatic.conf
Security-only mode  update_cmd = security      upgrade_type = security
Modular content     Not supported              Supported
Performance         Standard                   Faster (dnf improvements)

Testing Your Configuration

Before relying on automatic updates in production, verify the configuration:

# Dry run — see what would be updated
sudo yum --security check-update

# Run yum-cron manually to test
sudo /usr/sbin/yum-cron /etc/yum/yum-cron.conf

# For dnf-automatic:
sudo dnf-automatic /etc/dnf/automatic.conf

# Verify email delivery
echo "Test email from $(hostname)" | mail -s "Yum-cron test" admin@example.com

Keep Your Servers Patched and Protected

Automatic security updates are a foundational layer of server protection, ensuring vulnerabilities are patched before attackers can exploit them. Combine automatic patching with the other controls in your Linux security checklist (firewalls, SSH hardening, and intrusion detection) for comprehensive protection. For application-layer security and DDoS mitigation, explore NOC.org's infrastructure protection plans.