Yum plugins: Available plugins and built-in security support

Enhancing yum

Determine available plugins and built-in security support

To enhance the support in our auditing tool Lynis, we wanted to know whether yum provides security-related functions through a plugin or as built-in functionality.


Yum, or Yellowdog Updater Modified, is a software management tool for Linux-based systems. It is usually used on systems running SuSE or Red Hat based distributions (like RHEL, Fedora or CentOS). Plugins extend the functionality of yum.

One plugin may select the fastest software mirror, so you don’t have to benchmark them manually. Another great plugin helps with security and shows which security-related updates are available. Nowadays this functionality is built in, as demand for it is huge.

In our case we want to audit the yum tool set and determine whether the plugin is available or whether we are dealing with the built-in functions. Let’s start with the plugins.

Yum plugins

We can query the repository for packages which put files in the /usr/lib/yum-plugins directory. We have two options for that: yum provides or the repoquery utility.

yum provides "/usr/lib/yum-plugins/*"
 Loaded plugins: fastestmirror
 Loading mirror speeds from cached hostfile
 * base: ftp.tudelft.nl
 * extras: archive.cs.uu.nl
 * updates: archive.cs.uu.nl
 PackageKit-yum-plugin-0.8.9-11.el7.centos.x86_64 : Tell PackageKit to check for updates when yum exits
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.py
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyo
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyc
 kabi-yum-plugins-1.0-2.el7.centos.noarch : The CentOS Linux kernel ABI yum plugin
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/kabi.py
 Filename    : /usr/lib/yum-plugins/kabi.pyo
 Filename    : /usr/lib/yum-plugins/kabi.pyc
 subscription-manager-1.10.14-7.el7.centos.x86_64 : Tools and libraries for subscription and repository management
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/subscription-manager.pyc
 Filename    : /usr/lib/yum-plugins/subscription-manager.pyo
 Filename    : /usr/lib/yum-plugins/subscription-manager.py
 Filename    : /usr/lib/yum-plugins/product-id.pyc
 Filename    : /usr/lib/yum-plugins/product-id.py
 Filename    : /usr/lib/yum-plugins/product-id.pyo

Besides the interesting file paths, it doesn’t give many more pointers at this moment. Let’s try repoquery:

[root@localhost Lynis]# repoquery -f "/usr/lib/yum-plugins/*" | sort | uniq

Built-in support

Since the security plugin does not show up in any of these listings, we use the discovered file path. Searching in this directory shows the existing yum plugins:

[root@localhost Lynis]# find /usr/lib/yum-plugins/

It is clear only fastestmirror is available. Let’s analyze the yum binary.

[root@localhost Lynis]# file /usr/bin/yum
 /usr/bin/yum: Python script, ASCII text executable
[root@localhost Lynis]# grep -i security /usr/bin/yum

No hit, so we have to look inside the Python script:

[root@localhost Lynis]# cat /usr/bin/yum
import sys
try:
    import yum
except ImportError:
    print >> sys.stderr, """\
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   %s

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
%s

If you cannot solve this problem yourself, please go to
the yum faq at:

""" % (sys.exc_value, sys.version)

sys.path.insert(0, '/usr/share/yum-cli')
try:
    import yummain
    yummain.user_main(sys.argv[1:], exit_code=True)
except KeyboardInterrupt, e:
    print >> sys.stderr, "\n\nExiting on user cancel."

By catting the file we can see it adds the /usr/share/yum-cli directory to the Python module search path and imports yummain from there. Grepping through this directory quickly shows one pointer on how to detect if we have security support built-in.

[root@localhost Lynis]# grep -r security /usr/share/yum-cli
 /usr/share/yum-cli/cli.py:            self.base.updateinfo_filters['security'] = opts.security
 /usr/share/yum-cli/cli.py:        group.add_option("--security", action="store_true",
 /usr/share/yum-cli/cli.py:                help=_("Include security relevant packages, in updates"))
 /usr/share/yum-cli/cli.py:                help=_("Include security relevant packages matching the severity, in updates"))
 Binary file /usr/share/yum-cli/cli.pyc matches
 /usr/share/yum-cli/yumcommands.py:                   'list-security'      : 'list',
 /usr/share/yum-cli/yumcommands.py:                   'info-security'      : 'info',
 /usr/share/yum-cli/yumcommands.py:        return "[info|list|...] [security|...] [installed|available|all] [pkgs|id]"
 /usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
 /usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
 /usr/share/yum-cli/yumcommands.py:            if notice['type'] == 'security':
 /usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
 /usr/share/yum-cli/yumcommands.py:                'security' : 'Security',
 /usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
 /usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) == 1:
 /usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) != 1:
 /usr/share/yum-cli/yumcommands.py:                    args = (maxsize, sev_counts[sn],sn or '?', outT['security'])
 /usr/share/yum-cli/yumcommands.py:                 "sec" : "security",
 Binary file /usr/share/yum-cli/yumcommands.pyc matches

Great, this provides at least some guidance. For now we use the line with group.add_option to determine that support is built into the yum toolset itself. This enables checking for yum plugins and built-in support.
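
The two checks this post arrives at (a plugin file in the plugin directory, or the add_option line in cli.py) can be combined into one detection routine. This is an added example, not code from Lynis or from the original post; the function names and the security.py plugin filename are assumptions, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Lynis code). Function names and the security.py
# plugin filename are assumptions; default paths are the ones on the page.

detect_yum_security() {
    plugin_dir="${1:-/usr/lib/yum-plugins}"
    cli_dir="${2:-/usr/share/yum-cli}"

    # Plugin variant: assumed to be installed as security.py.
    if [ -f "$plugin_dir/security.py" ]; then
        echo "plugin"
        return 0
    fi

    # Built-in variant: cli.py itself registers the --security option.
    # Matching the add_option call (fixed string, source file only) avoids
    # false hits on comments, help text or the compiled cli.pyc.
    if grep -qsF 'add_option("--security"' "$cli_dir/cli.py"; then
        echo "builtin"
        return 0
    fi

    echo "none"
    return 1
}

# Constructed sample trees (not real yum files), one per outcome.
make_sample() {
    root="$1"
    mkdir -p "$root/plugin" "$root/empty" "$root/builtin" "$root/none"
    : > "$root/plugin/security.py"
    printf '%s\n' 'group.add_option("--security", action="store_true",' \
        > "$root/builtin/cli.py"
    # Mentions security without registering the option: must not match.
    printf '%s\n' '# security notices are handled elsewhere' \
        > "$root/none/cli.py"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "plugin dir populated : $(detect_yum_security "$tmp/plugin" "$tmp/none")"
echo "option in cli.py     : $(detect_yum_security "$tmp/empty" "$tmp/builtin")"
echo "neither present      : $(detect_yum_security "$tmp/empty" "$tmp/none" || true)"
rm -rf "$tmp"
```

Called without arguments on a real system, detect_yum_security inspects the paths shown in this post and returns a non-zero status when neither form of security support is found.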

This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.