How to Setup Automatic Security Updates on CentOS 7

Security updates, as most of you'd agree, are very important. On Linux, it's always advisable to keep the installed packages up to date, especially when it comes to security. In general, users should apply security updates to their Linux systems within 30 days of being released.

In this tutorial, we will discuss how you can configure a CentOS 7 server for automatic security updates. This will make sure the system automatically downloads packages and applies all security updates without any manual intervention.

What we will discuss:

  1. How to Install yum-cron on CentOS 7
  2. How to configure yum-cron for automatic security updates
  3. How to exclude specific packages from automatic updates
  4. How to check yum-cron logs


  • CentOS 7 server
  • Root privileges

Step 1 - Install yum-cron on CentOS 7

Yum-cron is a command-line tool to manage system and package updates on CentOS systems.

The utility is available in the CentOS 7 repository. You can install it using the command below.

yum -y install yum-cron

After the installation is complete, start the yum-cron service, and then make sure it starts automatically at system boot from now on. All this can be done using the following commands:

systemctl start yum-cron
systemctl enable yum-cron

Install yum-cron on CentOS 7

That's it. Yum-cron is now properly installed on your CentOS 7 server.

Step 2 - Configure Yum-Cron for automatic updates

After installing the yum-cron package, we need to configure it for automatic updates. By default, yum-cron provides three kinds of updates: default update using yum upgrade command, minimal update, and security update.

Note that in this tutorial, we will configure yum-cron for security updates (related to both system and packages). So let's begin.

As a first step, go to the 'yum' configuration directory and edit the 'yum-cron.conf' file using the Vim editor.

cd /etc/yum/
vim yum-cron.conf

Note: Of course, you can use any other editor of your choice. And for those who want to learn Vim, check out our comprehensive tutorial here.

In the file, head to the line beginning with the string 'update_cmd', and define the kind of update you want to use. For example, in this tutorial, we are focusing only on security updates, so change the value from 'default' to 'security'.

update_cmd = security

Similarly, head to the line beginning with the 'update_messages' string, and make sure its value is 'yes'.

update_messages = yes

Then do the same for 'download_updates' and 'apply_updates' lines.

download_updates = yes
apply_updates = yes

So whenever there's a security update available, the system will now automatically download the required packages and then apply all the updates.

Configure Yum-Cron for automatic updates

Next up is message notification configuration. Basically, Yum-cron provides two ways: either you can have notifications displayed on STDIO, or have them sent to an email address. For this tutorial, we will be going with the second option, which is email.

So change the value of 'emit_via' to 'email' as shown below.

emit_via = email

There are a handful of other related changes that you have to do, including specifying from and to email addresses and email host. Here're the values that we've set:

email_from = [email protected]
email_to = [email protected]
email_host = hakase-labs

email configuration

That's it. Now save the file and exit the editor.

The final step is to restart the yum-cron service, which you can do using the following command:

systemctl restart yum-cron

At this stage, any security updates on the system will be automatically downloaded and applied using yum-cron on daily basis.

Step 3 - Configure exclude packages

Sometimes, for whatever reason, we don't want to apply automatic updates on some packages, including kernel. In this step, we will discuss the configuration that'll let you disable updates for select packages.

So the first step here is to edit the configuration file yum-cron.conf, which resides in the yum configuration directory.

cd /etc/yum/
vim yum-cron.conf

Towards the bottom of the file, you will see the '[base]' section. Add the a new line under this section containing names of packages you want to exclude. For example, something similar to the following:

exclude = mysql* kernel*

Now just save the changes and exit.

Configure exclude packages

Yeah, you guessed it right, now you'll have to restart the yum-cron service.

systemctl restart yum-cron

So in our case, all packages with names beginning with 'mysql' or 'kernel' will be disabled for automatic updates.

Step 4 - Check yum-cron logs

Yum-cron uses a cronjob for automatic security updates, and all logs for this cron is available under the '/var/log' directory.

So you need to head to the '/var/log' directory to access the 'cron' log file.

cd /var/log/
cat cron | grep yum-daily

And in case you want to see the packages that have been updated, you can check the yum.log file.

cat yum.log | grep Updated


Share this page:

Suggested articles

8 Comment(s)

Add comment


By: Nagarajan

yum security will not work in centos 7. The yum repos for Centos 7 does not provide the metadata required for yum security update. It won't install all the security packages.


By: Jackie M

grep yum-daily /var/log/cron


grep Update /vat/log/yum.log


using cat is redundant and just using grep is easier to cut and paste as well

By: Tom

These instructions are for a real RHEL server. For CentOS they do not apply as Nagarajan points out in previous comment.

By: Bilal

The crons under cron.daily/ cron.hourly/ cron.monthly/ cron.weekly/ using /etc/yum/yum-cron-hourly.conf. Any additional changes after installed yum-cron will not effect crons behavior. So we need to run below command i guess.

[[email protected] ~]#  yes | cp -f /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf

By: Steve Alder

It is aways a better option to configure a service prior to starting it the first time.  Particularly when you are configuring a service that have the ability/intent to change/update packages.

Also you can simplify the process of enabling and starting it by using this syntax. 'systemctl enable --now yum-cron'

By: no reply

All of you nay-sayers out there are incompetent and are undereducated (if educated at all). Security updates ARE supported in CentOS. Any system administrator can rebuild a repository and add the associated tags and metadata entries necessary for CentOS to process security-only updates.

However, as this article doesn’t discuss this pre-requisite activity it is a bit lacking.

By: Nigel

As others have pointed out, this doen't work on CentOS 7:

"No package yum-cron available.


Error: Nothing to do"

By: till

I don't see any other comment that claims that there is no yum-cron package. The package is there on any normal CentOS 7 system, see:


Resolving Dependencies

--> Running transaction check

---> Package yum-cron.noarch 0:3.4.3-168.el7.centos will be installed

--> Finished Dependency Resolution


Dependencies Resolved



 Package                                     Arch                                      Version                                                 Repository                               Size



 yum-cron                                    noarch                                    3.4.3-168.el7.centos                                    base                                     66 k


Transaction Summary


Install  1 Package

Total download size: 66 k

Installed size: 51 k