How to setup Automatic Security Updates on CentOS

Learn how to set up your CentOS to automatically receive the security updates by using Yum-Cron job.

In this tutorial, I will be discussing when you should or shouldn’t apply automatic security updates on CentOS. Once complete I’ll guide you on how to set up automatic security updates and exclude certain packages.

If you’ve already decided that you would like to set up automatic updates, you can scroll down to the installing and configuring automatic updates on CentOS section.

When to apply Automatic Security Updates?

For some, such as the general computer user, automatic security updates are a great feature. They allow you to stay on top of Cybersecurity threats. However, for others, such as System Administrators, they can be the bane of existence.

Personally, I choose to opt-in to Automatic Security updates for personal use and opt-out in my Server Administration life.

Below is a list of some of the benefits and downsides to Automatic Security Updates.

Benefits – Automatic Security Updates

  • Cybersecurity is a growing concern and automatic security updates keep you on top of real-world threats.
  • Increased user experience, you no longer need to worry about manually checking for updates.

Downside – Automatic Security Updates

  • Security updates can cause issues with network packages.
  • You don’t always know what’s being installed.
  • Uses internet bandwidth you may not have.

Installing and configuring Automatic Security Updates using Yum-Cron on CentOS

In order to setup Automatic Security Updates, we will need to install and configure Yum-Cron. Yum-Cron is a Yum module that allows you to configure an automated task(Cron jobs) specifically for the Yum package manager.

To install yum-cron type the below command into the terminal:

sudo yum install yum-cron

Once Yum-cron is installed, the below message will be displayed.

Yum-Cron installation confirmation
Yum-Cron installation confirmation.

You will now be able to configure Yum-Cron using your chosen text editor, throughout this tutorial I’ll be using Nano. Type the below command to open the Yum-Cron configuration file with Nano.

sudo nano /etc/yum/yum-cron.conf

You will be welcomed with the following file. If you’re new to Linux, this may be a bit daunting, but don’t worry, I will guide you through what to change.

yum-cron. configuration file.
yum-cron configuration file.

Change the value of the ‘update_cmd’ property from ‘default’ to ‘security’, as per below example.

update_cmd = security

If you don’t want to be warned about an update before it takes place, you’ll also need to change the value of the below line from ‘yes’ to ‘no’.

update_messages = yes

Now you’ll need to make sure that Yum-Cron is configured to download updates, make sure the value of the below line is ‘yes’.

download_updates = yes

Lastly, you will need to make sure that Yum-Cron is configured to install the updates, make sure the value of the below line is ‘yes’.

apply_updates = yes

Now use {Ctrl+X} to exit out of the Yum-Cron configuration file. You will be asked whether you would like to save, tap ‘y’, followed by the ‘enter’ key to overwrite the default configuration file.

Exclude packages from Automatically Updating

In this section of the tutorial, I am going to guide you on how to exclude certain software packages from Automatically downloading security updates.

If you want to exclude a particular package you will first need to know the full name of that package. If however, you would like to exclude a group of packages, such as any package with PHP in the title you can use the ‘*’(Wildcard) symbol.

If you don’t know the full name of the package you want to exclude, run the following command to list all currently installed packages and look for the particular package/s that you would like to exclude.

yum list installed

If there are multiple packages to exclude, I would recommend snapping 2 terminal sessions side by side for reference, as per below screenshot.

Snapping windows.
Snapping windows.

Run the below command to open the yum configuration file.

sudo nano /etc/yum.conf

You will be welcomed with the below configuration file. Move the text cursor to the bottom of this section of code.

Yum configuration file.
Yum configuration file.

Add the following line to the configuration file.


Type the packages separated by spaces as the value to the ‘exclude=’ property using the below example as a guide. If you want to exclude multiple related packages, you may be able to do them in batch by using the wildcard ‘*’ symbol. In the below example I am excluding all packages that have ‘libre’ anywhere in the title along with brasero.x86_64.

exclude=*libre* brasero.x86_64

Press {Ctrl + x} and save the configuration file.

Now you’re ready to start the yum-cron service. To do this, type the below command.

service yum-cron start

If successful the below message will be returned.

Starting the yum-cron service.
Starting the yum-cron service.

Now Yum-Cron is configured to perform weekly checks for Security Updates and will download/ install them automatically.

Philip Davies
Hello, I'm Philip Davies, I'm a Service Desk Analyst and System Administrator trying to break into the Linux Administration world. My operating system of choice is Ubuntu, but I regularly find myself experimenting with other Linux Distributions in my spare time. needless to say, I enjoy the flexibility of writing for FOSS Linux.


Please enter your comment!
Please enter your name here