Yum plugins: Available plugins and built-in security support

Enhancing yum

Determine available plugins and built-in security support

To enhance the support in our auditing tool Lynis, we wanted to know whether yum supports security-related functions through a plugin or as built-in functionality.

Yum

Yum, or Yellowdog Updater Modified, is a software management tool for Linux-based systems. It is usually used on systems running SuSE or Red Hat based distributions (like RHEL, Fedora or CentOS). Plugins extend the functionality of yum.

One plugin may select the fastest software mirror, so you don’t have to benchmark them manually. Another great plugin helps with security and shows which security-related updates are available. Nowadays this functionality is built in, as the demand for it is huge.

In our case we want to audit the yum tool set and determine whether we have the plugin available or are dealing with the built-in functions. Let’s start with the plugins.

Yum plugins

We can query the repository for packages which put files in the /usr/lib/yum-plugins directory. We have two options for that, using yum provides, or the repoquery utility.

    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: ftp.tudelft.nl
     * extras: archive.cs.uu.nl
     * updates: archive.cs.uu.nl
    PackageKit-yum-plugin-0.8.9-11.el7.centos.x86_64 : Tell PackageKit to check for updates when yum exits
    Repo        : base
    Matched from:
    Filename    : /usr/lib/yum-plugins/refresh-packagekit.py
    Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyo
    Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyc

    kabi-yum-plugins-1.0-2.el7.centos.noarch : The CentOS Linux kernel ABI yum plugin
    Repo        : base
    Matched from:
    Filename    : /usr/lib/yum-plugins/kabi.py
    Filename    : /usr/lib/yum-plugins/kabi.pyo
    Filename    : /usr/lib/yum-plugins/kabi.pyc

    subscription-manager-1.10.14-7.el7.centos.x86_64 : Tools and libraries for subscription and repository management
    Repo        : base
    Matched from:
    Filename    : /usr/lib/yum-plugins/subscription-manager.pyc
    Filename    : /usr/lib/yum-plugins/subscription-manager.pyo
    Filename    : /usr/lib/yum-plugins/subscription-manager.py
    Filename    : /usr/lib/yum-plugins/product-id.pyc
    Filename    : /usr/lib/yum-plugins/product-id.py
    Filename    : /usr/lib/yum-plugins/product-id.pyo

Besides the interesting file paths, this doesn’t give many more pointers at this moment. Let’s try repoquery:

    kabi-yum-plugins-0:1.0-2.el7.centos.noarch
    PackageKit-yum-plugin-0:0.8.9-11.el7.centos.x86_64
    subscription-manager-0:1.10.14-7.el7.centos.x86_64
    subscription-manager-0:1.10.14-8.el7.centos.x86_64
    subscription-manager-0:1.10.14-9.el7.centos.x86_64
    yum-langpacks-0:0.4.2-3.el7.noarch
    yum-plugin-aliases-0:1.1.31-24.el7.noarch
    yum-plugin-aliases-0:1.1.31-25.el7_0.noarch
    yum-plugin-auto-update-debug-info-0:1.1.31-24.el7.noarch
    yum-plugin-auto-update-debug-info-0:1.1.31-25.el7_0.noarch
    yum-plugin-changelog-0:1.1.31-24.el7.noarch
    yum-plugin-changelog-0:1.1.31-25.el7_0.noarch
    yum-plugin-fastestmirror-0:1.1.31-24.el7.noarch
    yum-plugin-fastestmirror-0:1.1.31-25.el7_0.noarch
    yum-plugin-filter-data-0:1.1.31-24.el7.noarch
    yum-plugin-filter-data-0:1.1.31-25.el7_0.noarch
    yum-plugin-fs-snapshot-0:1.1.31-24.el7.noarch
    yum-plugin-fs-snapshot-0:1.1.31-25.el7_0.noarch
    <snip>

Built-in support

Since the security plugin does not show up in any of these listings, we use the discovered file path. Searching in this directory shows the existing yum plugins:

    /usr/lib/yum-plugins/
    /usr/lib/yum-plugins/fastestmirror.py
    /usr/lib/yum-plugins/fastestmirror.pyc
    /usr/lib/yum-plugins/fastestmirror.pyo

It is clear only fastestmirror is available. Let’s analyze the yum binary.

No hit, so we have to look inside the Python script:

    #!/usr/bin/python
    import sys
    try:
        import yum
    except ImportError:
        print >> sys.stderr, """
    There was a problem importing one of the Python modules required to run yum. The error leading to this problem was:

       %s

    Please install a package which provides this module, or verify that the module is installed correctly.

    It's possible that the above module doesn't match the current version of Python, which is: %s

    If you cannot solve this problem yourself, please go to the yum faq at:
      http://yum.baseurl.org/wiki/Faq

    """ % (sys.exc_value, sys.version)
        sys.exit(1)

    sys.path.insert(0, '/usr/share/yum-cli')
    try:
        import yummain
        yummain.user_main(sys.argv[1:], exit_code=True)
    except KeyboardInterrupt, e:
        print >> sys.stderr, "\n\nExiting on user cancel."
        sys.exit(1)

By catting the file we can see it adds the /usr/share/yum-cli directory to the Python module search path. Grepping through this directory quickly shows one pointer on how to detect if we have security support built in.

    /usr/share/yum-cli/cli.py:            self.base.updateinfo_filters['security'] = opts.security
    /usr/share/yum-cli/cli.py:        group.add_option("--security", action="store_true",
    /usr/share/yum-cli/cli.py:                help=("Include security relevant packages, in updates"))
    /usr/share/yum-cli/cli.py:                help=("Include security relevant packages matching the severity, in updates"))
    Binary file /usr/share/yum-cli/cli.pyc matches
    /usr/share/yum-cli/yumcommands.py:                   'list-security'      : 'list',
    /usr/share/yum-cli/yumcommands.py:                   'info-security'      : 'info',
    /usr/share/yum-cli/yumcommands.py:        return "[info|list|...] [security|...] [installed|available|all] [pkgs|id]"
    /usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
    /usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
    /usr/share/yum-cli/yumcommands.py:            if notice['type'] == 'security':
    /usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
    /usr/share/yum-cli/yumcommands.py:                'security' : 'Security',
    /usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
    /usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) == 1:
    /usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) != 1:
    /usr/share/yum-cli/yumcommands.py:                    args = (maxsize, sev_counts[sn],sn or '?', outT['security'])
    /usr/share/yum-cli/yumcommands.py:                 "sec" : "security",
    Binary file /usr/share/yum-cli/yumcommands.pyc matches

Great, this provides at least some guidance. For now we use the line with group.add_option to determine that support is built into the yum toolset itself. This enables checking for yum plugins and built-in support.
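
The two checks described above, as an added shell example (not code from Lynis or from the original article): it lists the plugins found in /usr/lib/yum-plugins and greps cli.py for the group.add_option("--security" line. The function names, the optional root-prefix argument, the plugin file name security.py and the fixture tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Lynis' own code. The optional first argument is a
# hypothetical root prefix so the checks can run against a test tree.

# List installed yum plugins (one name per line) from the plugin directory.
yum_list_plugins() {
    dir="${1:-}/usr/lib/yum-plugins"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.py; do
        [ -f "$f" ] && basename "$f" .py
    done
    return 0
}

# Print "plugin", "builtin" or "none" depending on where security support
# is found. Assumption: the plugin, when installed, is named "security".
yum_security_support() {
    root="${1:-}"
    if yum_list_plugins "$root" | grep -qx 'security'; then
        echo "plugin"
    elif grep -qs 'add_option("--security"' "$root/usr/share/yum-cli/cli.py"; then
        echo "builtin"
    else
        echo "none"
    fi
}

# Build a constructed fixture tree: $1 = directory, $2 = "plugin" or "builtin".
make_fixture() {
    mkdir -p "$1/usr/lib/yum-plugins" "$1/usr/share/yum-cli"
    : > "$1/usr/lib/yum-plugins/fastestmirror.py"
    if [ "$2" = "plugin" ]; then
        : > "$1/usr/lib/yum-plugins/security.py"
        echo '# no security option here' > "$1/usr/share/yum-cli/cli.py"
    else
        echo '        group.add_option("--security", action="store_true",' \
            > "$1/usr/share/yum-cli/cli.py"
    fi
}

tmp=$(mktemp -d)
make_fixture "$tmp/with-plugin" plugin
make_fixture "$tmp/with-builtin" builtin
echo "with-plugin:  $(yum_security_support "$tmp/with-plugin")"
echo "with-builtin: $(yum_security_support "$tmp/with-builtin")"
rm -rf "$tmp"
```

Called without an argument, yum_security_support inspects the live system paths named in the article.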
