{"id":14358,"date":"2025-12-17T15:14:31","date_gmt":"2025-12-17T09:44:31","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=14358"},"modified":"2025-12-24T16:13:14","modified_gmt":"2025-12-24T10:43:14","slug":"how-to-monitor-secure-yum-on-linux","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/how-to-monitor-secure-yum-on-linux","title":{"rendered":"How to Monitor &#038; Secure YUM on Linux Server"},"content":{"rendered":"\n<p>To monitor and secure YUM on a Linux server, lock down repositories with GPG and TLS, enable repo and metadata verification, restrict sudo access to YUM\/DNF, log and audit all package actions, automate security updates with notifications, and verify integrity and roll back safely using yum\/dnf history, version locking, and file integrity tools.<\/p>\n\n\n\n<p>Managing patches is one of the highest-impact security tasks on RHEL, CentOS, AlmaLinux, and Rocky Linux. In this guide, you\u2019ll learn how to monitor and secure YUM on Linux server environments (and DNF, which replaces YUM on newer releases) using practical, production-tested steps that reduce supply chain risk and keep systems compliant.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"what-yum-dnf-is-and-why-securing-it-matters\"><strong>What YUM\/DNF Is and Why Securing It Matters<\/strong><\/h2>\n\n\n\n<p>YUM (Yellowdog Updater, Modified) is the classic package manager on RHEL-based distributions. On RHEL 8+ and recent CentOS Stream, AlmaLinux, and Rocky Linux, YUM is a compatibility wrapper for DNF. Both manage repositories, metadata, dependencies, and updates\u2014making them critical to your patch and security posture.<\/p>\n\n\n\n<p>Compromised repositories, unsigned packages, accidental downgrades, or untracked updates can create outages and security gaps. 
The goal: only trust signed sources, keep tamper-proof logs, automate security advisories, and limit who can change packages.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"quick-hardening-checklist-do-this-first\"><strong>Quick Hardening Checklist (Do This First)<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Turn on GPG checks for packages and metadata: <code>gpgcheck=1<\/code>, <code>repo_gpgcheck=1<\/code>.<\/li>\n\n\n\n<li>Use HTTPS for repos and verify certificates: <code>sslverify=1<\/code>, pin CA where possible.<\/li>\n\n\n\n<li>Disable unknown\/unused repos; set repo priorities to avoid collisions.<\/li>\n\n\n\n<li>Automate security-only updates and alerts with <code>dnf-automatic<\/code> or <code>yum-cron<\/code>.<\/li>\n\n\n\n<li>Audit YUM\/DNF and repo config changes with <code>auditd<\/code>; centralize logs.<\/li>\n\n\n\n<li>Restrict sudo to specific YUM\/DNF commands; require change tickets for repo edits.<\/li>\n\n\n\n<li>Lock critical versions and protect kernels; plan rollbacks with <code>yum\/dnf history<\/code>.<\/li>\n\n\n\n<li>Verify system integrity regularly with <code>rpm -Va<\/code> and file integrity tools.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"secure-and-trust-only-verified-repositories\"><strong>Secure and Trust Only Verified Repositories<\/strong><\/h2>\n\n\n\n<p>Start by enforcing signature and TLS verification globally, then harden each repository definition in <code>\/etc\/yum.conf<\/code> and <code>\/etc\/yum.repos.d\/*.repo<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/yum.conf or \/etc\/dnf\/dnf.conf (DNF)\ngpgcheck=1\nclean_requirements_on_remove=1\nmetadata_expire=6h\n# Protect kernels from being removed; keep last 3 installed\ninstallonly_limit=3\ninstallonlypkgs=kernel kernel-core kernel-modules<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Example: 
\/etc\/yum.repos.d\/baseos.repo\n&#91;baseos]\nname=BaseOS\nbaseurl=https:\/\/mirror.stream.example\/os\/$releasever\/BaseOS\/$basearch\/os\/\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=file:\/\/\/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-redhat-release\nsslverify=1\n# For private repos, pin a trusted CA or client cert\n# sslcacert=\/etc\/pki\/ca-trust\/source\/anchors\/org-ca.crt\n# sslclientcert=\/etc\/pki\/tls\/certs\/repo-client.crt\n# sslclientkey=\/etc\/pki\/tls\/private\/repo-client.key\npriority=1<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"import-and-verify-gpg-keys\"><strong>Import and Verify GPG Keys<\/strong><\/h3>\n\n\n\n<p>Always import GPG keys from the vendor\u2019s official source (prefer a file path or pinned URL) and verify fingerprints against vendor documentation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Import key (RPM-based)\nrpm --import \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-redhat-release\n\n# Show installed keys and verify fingerprints\nrpm -qa 'gpg-pubkey*'\nrpm -qi gpg-pubkey<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"enforce-tls-and-disable-weak-unknown-repos\"><strong>Enforce TLS and Disable Weak\/Unknown Repos<\/strong><\/h3>\n\n\n\n<p>Ensure all repos use HTTPS and verify certificates. 
Disable anything you don\u2019t explicitly trust or need, and prefer vendor-provided metalinks when available.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># List all repos and their status\nyum repolist all\ndnf repolist all\n\n# Disable a repo you don't use\nyum-config-manager --disable some-repo\ndnf config-manager --set-disabled some-repo\n\n# Set explicit priorities (lower is higher priority)\n# In .repo files: priority=1..99 (DNF supports \"priority\" natively)\n# On CentOS\/RHEL 7, install yum-plugin-priorities:\nyum install -y yum-plugin-priorities<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"monitor-yum-dnf-activity-and-build-an-audit-trail\"><strong>Monitor YUM\/DNF Activity and Build an Audit Trail<\/strong><\/h2>\n\n\n\n<p>Track who updated what and when. Centralize logs to detect unauthorized changes and prove compliance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"where-to-find-logs\"><strong>Where to Find Logs<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>YUM (CentOS\/RHEL 7): <code>\/var\/log\/yum.log<\/code><\/li>\n\n\n\n<li>DNF (RHEL 8+\/Alma\/Rocky): <code>\/var\/log\/dnf.log<\/code> and <code>journalctl -u dnf*<\/code><\/li>\n\n\n\n<li>Transaction history: <code>yum history<\/code> or <code>dnf history<\/code><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># View recent transactions\nyum history | head\ndnf history | head\n\n# Inspect a specific transaction ID\nyum history info 25\ndnf history info 25\n\n# Follow logs in real-time\ntail -f \/var\/log\/yum.log\ntail -f \/var\/log\/dnf.log\njournalctl -fu dnf-automatic.timer<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"add-auditd-watches-for-yum-dnf-and-repo-changes\"><strong>Add auditd Watches for YUM\/DNF and Repo Changes<\/strong><\/h3>\n\n\n\n<p>Use auditd to log executions and file modifications related to package management and repositories.<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code># Temporary rules (until next reboot)\nauditctl -w \/usr\/bin\/yum -p x -k pkg-mgr\nauditctl -w \/usr\/bin\/dnf -p x -k pkg-mgr\nauditctl -w \/etc\/yum.repos.d -p wa -k repo-change\nauditctl -w \/etc\/yum.conf -p wa -k repo-change\nauditctl -w \/etc\/dnf\/dnf.conf -p wa -k repo-change\n\n# Review audit events\nausearch -k pkg-mgr\n# aureport reads raw audit records on stdin, so pass --raw\nausearch -k repo-change --raw | aureport -f -i<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"email-or-chat-alerts-on-changes\"><strong>Email or Chat Alerts on Changes<\/strong><\/h3>\n\n\n\n<p>Automate notifications for updates and advisories. Use built-in tools or a simple log-watching script integrated with your alerting system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Install and configure automatic updates (choose one)\n\n# RHEL 8+\/DNF:\ndnf install -y dnf-automatic\nsed -i 's\/^apply_updates = .*\/apply_updates = no\/' \/etc\/dnf\/automatic.conf\nsed -i 's\/^emit_via = .*\/emit_via = email\/' \/etc\/dnf\/automatic.conf\nsystemctl enable --now dnf-automatic.timer\n\n# RHEL\/CentOS 7\/YUM:\nyum install -y yum-cron\nsed -i 's\/update_cmd = default\/update_cmd = security\/' \/etc\/yum\/yum-cron.conf\nsed -i 's\/^apply_updates = .*\/apply_updates = no\/' \/etc\/yum\/yum-cron.conf\nsystemctl enable --now yum-cron<\/code><\/pre>\n\n\n\n<p>Set <code>apply_updates = no<\/code> if you want a human-in-the-loop approval workflow, or <code>yes<\/code> for fully automatic security patching during a maintenance window.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"apply-security-only-updates-and-track-cves\"><strong>Apply Security-Only Updates and Track CVEs<\/strong><\/h2>\n\n\n\n<p>Security advisories help you prioritize risk. 
Use updateinfo metadata to list and apply only packages with <a href=\"https:\/\/www.youstable.com\/blog\/fix-safaris-cannot-establish-a-secure-connection\/\">security fixes<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Show available security advisories\ndnf updateinfo list security all\nyum updateinfo list security all   # Requires yum-plugin-security on EL7\n\n# Apply only security fixes (minimal changes)\ndnf upgrade --security --advisory=&lt;ADVISORY&gt;\ndnf upgrade --security --sec-severity=Critical,Important\nyum --security update-minimal       # EL7 with yum-plugin-security<\/code><\/pre>\n\n\n\n<p>Before approval, review changelogs and CVE mappings:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rpm -q --changelog openssl | head -n 40\ndnf updateinfo info --advisory RHSA-2025:1234\nyum updateinfo info --advisory RHSA-2025:1234<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"control-privileges-and-changes\"><strong>Control Privileges and Changes<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"restrict-sudo-to-safe-commands\"><strong>Restrict Sudo to Safe Commands<\/strong><\/h3>\n\n\n\n<p>Limit who can update packages and block repo edits except for administrators. 
Use sudoers with command aliasing and logging.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/sudoers.d\/yum-dnf\nCmnd_Alias PKG_SAFE = \/usr\/bin\/yum update, \/usr\/bin\/yum check-update, \/usr\/bin\/dnf upgrade, \/usr\/bin\/dnf check-update\nCmnd_Alias PKG_READONLY = \/usr\/bin\/yum list *, \/usr\/bin\/dnf list *\n\n%ops-patchers ALL=(root) NOPASSWD: PKG_SAFE, PKG_READONLY\n# Do NOT include editors or config tools like yum-config-manager for non-admins<\/code><\/pre>\n\n\n\n<p>Combine with session recording and MFA on privileged accounts to strengthen accountability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"version-locking-and-kernel-protection\"><strong>Version Locking and Kernel Protection<\/strong><\/h3>\n\n\n\n<p>Pin critical packages to prevent unexpected upgrades and control kernel lifecycle.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Version lock a package (DNF)\n# Quote the pattern so the shell does not expand the glob\ndnf install -y 'dnf-command(versionlock)'\ndnf versionlock add 'nginx-1.24.*'\n\n# EL7: yum-plugin-versionlock\nyum install -y yum-plugin-versionlock\nyum versionlock add 'nginx-1.24.*'\n\n# Kernel protection (already recommended in dnf.conf\/yum.conf)\n# installonly_limit=3 retains last 3 kernels for safe rollback<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"verify-integrity-and-plan-rollbacks\"><strong>Verify Integrity and Plan Rollbacks<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"verify-package-and-file-integrity\"><strong>Verify Package and File Integrity<\/strong><\/h3>\n\n\n\n<p>Validate that installed files match the digests, sizes, permissions, and ownership recorded in the RPM database. 
Investigate any missing files, changed permissions, or altered digests.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Verify all installed packages against RPM database\nrpm -Va | less\n\n# Look for broken dependencies or unsatisfied requirements\ndnf repoquery --unsatisfied\ndnf repoquery --duplicates\nyum check<\/code><\/pre>\n\n\n\n<p>For system-wide integrity, deploy AIDE or a similar file integrity monitoring tool and alert on critical path changes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"use-history-and-snapshots-for-safe-rollback\"><strong>Use History and Snapshots for Safe Rollback<\/strong><\/h3>\n\n\n\n<p>Every change should be reversible. Use YUM\/DNF history to undo a transaction, and leverage LVM or VM snapshots before large patch sets.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Rollback a specific transaction\ndnf history undo 25\nyum history undo 25\n\n# See what will change before applying\ndnf history info 25\nyum history info 25<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"common-pitfalls-to-avoid\"><strong>Common Pitfalls to Avoid<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disabling <code>gpgcheck<\/code> to \u201cfix\u201d errors instead of fixing keys or repo config.<\/li>\n\n\n\n<li>Using HTTP mirrors without TLS or certificate verification.<\/li>\n\n\n\n<li>Leaving old or experimental repos enabled across environments.<\/li>\n\n\n\n<li>Letting anyone with sudo run arbitrary YUM\/DNF or edit repo files.<\/li>\n\n\n\n<li>Applying all updates blindly during business hours without rollback plans.<\/li>\n\n\n\n<li>Ignoring advisory metadata; not prioritizing Critical\/Important CVEs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"secure-defaults-reusable-config-snippets\"><strong>Secure Defaults: Reusable Config Snippets<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/dnf\/automatic.conf (RHEL 
8+\/DNF)\n&#91;commands]\nupgrade_type = security\nrandom_sleep = 0\ndownload_updates = yes\napply_updates = no\n\n&#91;emitters]\nemit_via = email\n\n&#91;email]\nemail_from = root@server.example\nemail_to = ops@company.example\nemail_host = localhost<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># \/etc\/yum\/yum-cron.conf (EL7 example)\nupdate_cmd = security\nupdate_messages = yes\ndownload_updates = yes\napply_updates = no\nemit_via = email\nemail_from = root@server.example\nemail_to = ops@company.example<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"real-world-workflow-for-production-servers\"><strong>Real-World Workflow for Production Servers<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dev\/test: Apply all updates weekly; validate app compatibility.<\/li>\n\n\n\n<li>Staging: Apply security-only updates; run smoke and performance tests.<\/li>\n\n\n\n<li>Production: Approve Critical\/Important advisories first; schedule windows and snapshot; apply with <code>dnf --security<\/code>; verify services; monitor.<\/li>\n\n\n\n<li>Rollback: Use <code>dnf\/yum history undo<\/code> or boot previous kernel if required.<\/li>\n\n\n\n<li>Audit: Export history, advisories, and change tickets to your SIEM.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"how-youstable-helps\"><strong>How YouStable Helps<\/strong><\/h2>\n\n\n\n<p>At YouStable, our managed Linux servers ship with hardened YUM\/DNF defaults, signed and prioritized repositories, dnf-automatic or yum-cron tuned for your risk profile, centralized logging, and audit-ready change controls. 
If you need hands-off patching with SLAs and rollback assurance, our team can implement and monitor this stack for you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"faqs-monitor-and-secure-yum-on-linux-server\"><strong>FAQs: Monitor and Secure YUM on Linux Server<\/strong><\/h2>\n\n\n\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"is-yum-different-from-dnf-and-which-commands-should-i-use\">Is YUM different from DNF, and which commands should I use?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>On RHEL 8+ and modern forks, YUM is a wrapper around DNF. Prefer DNF commands (<code>dnf upgrade<\/code>, <code>dnf updateinfo<\/code>) for better performance and features. On RHEL\/CentOS 7, use YUM commands and the relevant plugins (e.g., <code>yum-plugin-security<\/code>).<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"how-do-i-ensure-packages-come-from-trusted-sources\">How do I ensure packages come from trusted sources?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Enable <code>gpgcheck=1<\/code> and <code>repo_gpgcheck=1<\/code>, import official GPG keys, require HTTPS with <code>sslverify=1<\/code>, and disable unknown repos. Set priorities to favor vendor repos and verify key fingerprints against vendor documentation.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"can-i-apply-only-security-updates-automatically\">Can I apply only security updates automatically?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Yes. Use <code>dnf-automatic<\/code> (RHEL 8+) or <code>yum-cron<\/code> (EL7) and configure security-only updates. 
You can choose to download only, notify, or auto-apply during maintenance windows.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"how-do-i-track-who-ran-yum-dnf-and-what-changed\">How do I track who ran YUM\/DNF and what changed?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Enable auditd watches on <code>\/usr\/bin\/yum<\/code>, <code>\/usr\/bin\/dnf<\/code>, and repo config directories. Use <code>ausearch<\/code> to correlate with user sessions. Also review <code>\/var\/log\/yum.log<\/code>, <code>\/var\/log\/dnf.log<\/code>, and <code>yum\/dnf history<\/code> for transaction details.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"whats-the-safest-way-to-roll-back-a-bad-update\">What\u2019s the safest way to roll back a bad update?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Use <code>dnf history undo &lt;ID><\/code> or <code>yum history undo &lt;ID><\/code>. For kernel issues, boot the previous kernel (kept via <code>installonly_limit<\/code>). For major changes, snapshot the system (LVM\/VM) before patching for instant recovery.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\n","protected":false},"excerpt":{"rendered":"<p>To monitor and secure YUM on a Linux server, lock down repositories with GPG and TLS, enable repo and metadata [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":14507,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[2193,2141],"class_list":["post-14358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase","tag-how-to-monitor-secure-yum-on-linux","tag-linux-server"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Monitor-Secure-YUM-on-Linux-Server.jpg","author_info":{"display_name":"Prahlad 
Prajapati","author_link":"https:\/\/www.youstable.com\/blog\/author\/prahladblog"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=14358"}],"version-history":[{"count":2,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14358\/revisions"}],"predecessor-version":[{"id":14585,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/14358\/revisions\/14585"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/14507"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=14358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=14358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=14358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}