CentOS 8.5系统更新与安全补丁管理最佳实践

# 检查可用更新
yum check-update

# 执行系统更新
yum update -y

# 查看更新历史

yum install -y yum-cron && systemctl enable yum-cron

# CentOS/RHEL回滚
yum history
yum history undo ID

# Ubuntu/Debian回滚
cat /var/log/apt/history.log

# 内核回滚
grub2-set-default '旧内核名称'
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

# 除更新外，内核参数也能提升安全性
cat >> /etc/sysctl.d/99-security.conf << 'EOF'
# 防止IP欺骗
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 禁用IP转发
net.ipv4.ip_forward = 0

# 禁用心跳检测
net.ipv4.tcp_timestamps = 0

# 限制内核日志访问
kernel.dmesg_restrict = 1

# 限制ptrace
kernel.yama.ptrace_scope = 1

# 启用地址空间布局随机化
kernel.randomize_va_space = 2

# TCP SYN Cookie防护
net.ipv4.tcp_syncookies = 1

# 忽略ICMP重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# 忽略ICMP Echo广播
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 禁用source route
net.ipv4.conf.all.accept_source_route = 0
EOF
sysctl --system

#!/bin/bash
# /usr/local/bin/update-check.sh
# 自动检查并报告更新状态

echo "===== 系统更新检查 ====="
echo "检查时间: $(date)"

echo ""
echo "--- 安全更新 ---"
yum updateinfo list security 2>/dev/null | head -20
# 或 Ubuntu: apt list --upgradable 2>/dev/null | grep security

echo ""
echo "--- 内核版本 ---"
uname -r

echo ""
echo "--- 系统运行时间 ---"
uptime

echo ""
echo "--- 需要重启？---"
if [ -f /var/run/reboot-required ]; then
    echo "需要重启以完成更新！"
    cat /var/run/reboot-required
else
    echo "无需重启"
fi