【Linux】Redhat 8使用非官方源修复漏洞及关键案例分享

先看下今天的任务，一台redhat 8.4，nessus扫出一百多个漏洞，且绝大多数都是高危漏洞，今天看看能修复多少。

通过对这些漏洞分析，大部分为需要更新package version，所以虽然多，但是还是不是很难。因为OS是redhat，但是因为还没有购买官方的订阅，所以无法在线更新。所以要先解决更新源的问题。

一、解决redhat更新源

关闭redhat默认订阅，并修改为centos源作为更新源。

sudo vi /etc/yum.repos.d/centos-vault.repo

[BaseOS]
name=Redhat84 - 163 - Base
baseurl=https://mirrors.163.com/centos/8-stream/BaseOS/x86_64/os/
#baseurl=https://mirrors.163.com/centos/8.4.2105/BaseOS/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.2.2004&arch=x86_64&repo=BaseOS&infra=$infra
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[AppStream]
name=Redhat84 - 163 - AppStream
baseurl=https://mirrors.163.com/centos/8-stream/AppStream/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=AppStream&infra=$infra
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[PowerTools]
name=Redhat84 - 163 - PowerTools
baseurl=https://mirrors.163.com/centos/8-stream/PowerTools/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=PowerTools&infra=$infra
enabled=0
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

#additional packages that may be useful
[extras]
name=Redhat84 - 163 - Extras
baseurl=https://mirrors.163.com/centos/8-stream/extras/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=extras
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

#additional packages that extend functionality of existing packages
[centosplus]
name=Redhat84 - 163 - Plus
baseurl=https://mirrors.163.com/centos/8-stream/centosplus/x86_64/os/
#mirrorlist=http://mirrorlist.centos.org/?release=8.4.2105&arch=x86_64&repo=centosplus
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

测试更新是否成功，注意gpgcheck=1代表关闭校验，如果校验开启，可能会更新失败。

二、复杂漏洞修复案例

1，RHEL 8 : rpm (RHSA-2022:0254)漏洞修复

改漏洞主要需要更新六个package，List如下：

Remote package installed : python3-rpm-4.14.3-13.el8

Should be : python3-rpm-4.14.3-14.el8_4.2

Remote package installed : rpm-4.14.3-13.el8

Should be : rpm-4.14.3-14.el8_4.2

Remote package installed : rpm-build-libs-4.14.3-13.el8

Should be : rpm-build-libs-4.14.3-14.el8_4.2

Remote package installed : rpm-libs-4.14.3-13.el8

Should be : rpm-libs-4.14.3-14.el8_4.2

Remote package installed : rpm-plugin-selinux-4.14.3-13.el8

Should be : rpm-plugin-selinux-4.14.3-14.el8_4.2

Remote package installed : rpm-plugin-systemd-inhibit-4.14.3-13.el8

Should be : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.2

我们可以使用更新指令：

sudo yum update python3-rpm-4.14.3

同时完成六个package的更新。

从更新结果来看，总计Upgraded:

python3-rpm-4.14.3-23.el8.x86_64 rpm-4.14.3-23.el8.x86_64 rpm-build-libs-4.14.3-23.el8.x86_64 rpm-libs-4.14.3-23.el8.x86_64

rpm-plugin-selinux-4.14.3-23.el8.x86_64 rpm-plugin-systemd-inhibit-4.14.3-23.el8.x86_64

2，RHEL 8 : vim (RHSA-2022:0894)

这个漏洞修复时，需要注意update的方法，否则可能无法成功。

sudo yum update vim-filesystem-8.0.1763
sudo yum update vim-minimal.x86_64

3，RHEL 8 : container-tools:3.0 (RHSA-2021:2370)

这个漏洞需要处理的内容较多，更新包汇总如下：

sudo yum update conmon
sudo yum update cockpit-podman
sudo yum update buildah
sudo yum update slirp4netns
sudo yum update podman
sudo yum update libslirp
sudo yum update fuse-overlayfs

特别注意：kernel漏洞修复，注意update后需要重启才会生效。

Installed package kernel-4.18.0-383. el8 is greater than kernel-4.18.0-305.28.1.el8_4.

However, according to uname -r, the current running kernel level is 4.18.0-305.el8.

This system requires a reboot to begin using the patched kernel level.