Yum plugins: Available plugins and built-in security support

Enhancing yum

Determine available plugins and built-in security support

To enhance the support in our auditing tool Lynis, we wanted to know if yum supports security related functions by using a plugin or having it as built-in functionality.

Yum

Yum, or Yellowdog Updater Modified, is a software management tool for Linux based systems. It is usually found on systems running SuSE or a Red Hat based distribution (like RHEL, Fedora or CentOS). Plugins extend yum with additional functionality.

One plugin may select the fastest software mirror, so you don’t have to benchmark them manually. Another great plugin helps with security and shows what security related updates are available. Nowadays, this functionality is built-in, as the demand for this functionality is huge.

In our case we want to audit the yum tool set and determine whether the plugin is available or whether we are dealing with the built-in functions. Let’s start with the plugins.

Yum plugins

We can query the repository for packages which put files in the /usr/lib/yum-plugins directory. We have two options for that: yum provides or the repoquery utility.

# yum provides "/usr/lib/yum-plugins/*"
 Loaded plugins: fastestmirror
 Loading mirror speeds from cached hostfile
 * base: ftp.tudelft.nl
 * extras: archive.cs.uu.nl
 * updates: archive.cs.uu.nl
 PackageKit-yum-plugin-0.8.9-11.el7.centos.x86_64 : Tell PackageKit to check for updates when yum exits
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.py
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyo
 Filename    : /usr/lib/yum-plugins/refresh-packagekit.pyc
kabi-yum-plugins-1.0-2.el7.centos.noarch : The CentOS Linux kernel ABI yum plugin
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/kabi.py
 Filename    : /usr/lib/yum-plugins/kabi.pyo
 Filename    : /usr/lib/yum-plugins/kabi.pyc
subscription-manager-1.10.14-7.el7.centos.x86_64 : Tools and libraries for subscription and repository management
 Repo        : base
 Matched from:
 Filename    : /usr/lib/yum-plugins/subscription-manager.pyc
 Filename    : /usr/lib/yum-plugins/subscription-manager.pyo
 Filename    : /usr/lib/yum-plugins/subscription-manager.py
 Filename    : /usr/lib/yum-plugins/product-id.pyc
 Filename    : /usr/lib/yum-plugins/product-id.py
 Filename    : /usr/lib/yum-plugins/product-id.pyo

Besides the interesting file paths, it doesn’t give many more pointers at this moment. Let’s try repoquery:

# repoquery -f "/usr/lib/yum-plugins/*" | sort | uniq
kabi-yum-plugins-0:1.0-2.el7.centos.noarch
PackageKit-yum-plugin-0:0.8.9-11.el7.centos.x86_64
subscription-manager-0:1.10.14-7.el7.centos.x86_64
subscription-manager-0:1.10.14-8.el7.centos.x86_64
subscription-manager-0:1.10.14-9.el7.centos.x86_64
yum-langpacks-0:0.4.2-3.el7.noarch
yum-plugin-aliases-0:1.1.31-24.el7.noarch
yum-plugin-aliases-0:1.1.31-25.el7_0.noarch
yum-plugin-auto-update-debug-info-0:1.1.31-24.el7.noarch
yum-plugin-auto-update-debug-info-0:1.1.31-25.el7_0.noarch
yum-plugin-changelog-0:1.1.31-24.el7.noarch
yum-plugin-changelog-0:1.1.31-25.el7_0.noarch
yum-plugin-fastestmirror-0:1.1.31-24.el7.noarch
yum-plugin-fastestmirror-0:1.1.31-25.el7_0.noarch
yum-plugin-filter-data-0:1.1.31-24.el7.noarch
yum-plugin-filter-data-0:1.1.31-25.el7_0.noarch
yum-plugin-fs-snapshot-0:1.1.31-24.el7.noarch
yum-plugin-fs-snapshot-0:1.1.31-25.el7_0.noarch

Built-in support

Since the security plugin does not show up in any of these listings, we use the discovered file path. Searching in this directory shows the existing yum plugins:

# find /usr/lib/yum-plugins/
/usr/lib/yum-plugins/
/usr/lib/yum-plugins/fastestmirror.py
/usr/lib/yum-plugins/fastestmirror.pyc
/usr/lib/yum-plugins/fastestmirror.pyo

It is clear only fastestmirror is available. Let’s analyze the yum binary.

# file /usr/bin/yum
/usr/bin/yum: Python script, ASCII text executable
# grep -i security /usr/bin/yum

No hit, so we have to look inside the Python script:

# cat /usr/bin/yum
#!/usr/bin/python
import sys
try:
    import yum
except ImportError:
    print >> sys.stderr, """\
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   %s

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
%s

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

""" % (sys.exc_value, sys.version)
    sys.exit(1)

sys.path.insert(0, '/usr/share/yum-cli')
try:
    import yummain
    yummain.user_main(sys.argv[1:], exit_code=True)
except KeyboardInterrupt, e:
    print >> sys.stderr, "\n\nExiting on user cancel."
    sys.exit(1)

By catting the file we can see it adds the /usr/share/yum-cli directory to the Python module search path. Grepping through this directory quickly gives a pointer on how to detect whether security support is built in.

# grep -r security /usr/share/yum-cli
/usr/share/yum-cli/cli.py:            self.base.updateinfo_filters['security'] = opts.security
/usr/share/yum-cli/cli.py:        group.add_option("--security", action="store_true",
/usr/share/yum-cli/cli.py:                help=_("Include security relevant packages, in updates"))
/usr/share/yum-cli/cli.py:                help=_("Include security relevant packages matching the severity, in updates"))
Binary file /usr/share/yum-cli/cli.pyc matches
/usr/share/yum-cli/yumcommands.py:                   'list-security'      : 'list',
/usr/share/yum-cli/yumcommands.py:                   'info-security'      : 'info',
/usr/share/yum-cli/yumcommands.py:        return "[info|list|...] [security|...] [installed|available|all] [pkgs|id]"
/usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
/usr/share/yum-cli/yumcommands.py:            if tn == 'security' and notice['severity']:
/usr/share/yum-cli/yumcommands.py:            if notice['type'] == 'security':
/usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
/usr/share/yum-cli/yumcommands.py:                'security' : 'Security',
/usr/share/yum-cli/yumcommands.py:        for T in ('newpackage', 'security', 'bugfix', 'enhancement'):
/usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) == 1:
/usr/share/yum-cli/yumcommands.py:            if T == 'security' and len(sev_counts) != 1:
/usr/share/yum-cli/yumcommands.py:                    args = (maxsize, sev_counts[sn],sn or '?', outT['security'])
/usr/share/yum-cli/yumcommands.py:                 "sec" : "security",
Binary file /usr/share/yum-cli/yumcommands.pyc matches

Great, this provides at least some guidance. For now we use the line with group.add_option to determine that support is built into the yum toolset itself. This enables checking for yum plugins and built-in support.
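The two checks from this article combined into one shell function, as an added example (not code from the article or from Lynis). The directories are the ones shown above; the plugin file name security.py and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Lynis code): report how yum provides security-update support.
# Prints "plugin", "builtin" or "none". Both directory arguments are optional and
# default to the paths seen in the article.

yum_security_support() {
    plugin_dir="${1:-/usr/lib/yum-plugins}"
    cli_dir="${2:-/usr/share/yum-cli}"

    # Assumption: the security plugin installs as security.py in the plugin directory.
    if [ -f "${plugin_dir}/security.py" ]; then
        echo "plugin"
    # Built-in: cli.py itself registers the --security option (fixed-string match,
    # comment lines skipped so a commented-out option does not count).
    elif [ -f "${cli_dir}/cli.py" ] &&
         grep -v '^[[:space:]]*#' "${cli_dir}/cli.py" |
         grep -qF 'add_option("--security"'; then
        echo "builtin"
    else
        echo "none"
    fi
}

# Constructed sample tree so the check can be exercised without yum installed.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "${root}/plugins" "${root}/cli"
    touch "${root}/plugins/fastestmirror.py"
    cat > "${root}/cli/cli.py" <<'EOF'
        group.add_option("--security", action="store_true",
                help=_("Include security relevant packages, in updates"))
EOF
    echo "${root}"
}

root=$(make_sample_tree)
echo "sample tree: $(yum_security_support "${root}/plugins" "${root}/cli")"
echo "this host:   $(yum_security_support)"
rm -rf "${root}"
```

Checking for the plugin first means a system that carries both is reported as "plugin"; swap the two branches if the built-in option should take precedence in the audit result.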

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
