Tune the metadata expiry, or rather turn it off and use cron to keep it updated out of band.
yum makecache fast
Fetch regular quick updates to make good use of the cache. yum-cron can also be asked to play well?
lesson from apt/apk/pkg
Mind you, this has no data in CentOS and will simply report "everything is fine", no matter whether you have outstanding security patches. It will also not tell you if any of your packages has an open vulnerability for which there is no patch.
plugin for check_mk to alert works.
They'll be happy once you've patched, but you'll likely need to do more.
- kernel: reboot to update your kernel, or the hole stays in place.
- glibc: need to restart all affected services
- ssl: need to restart all affected services
- systemd: normally a systemctl daemon-reload is enough, but there have been bugs with poisonous results to be aware of.
- applications:
(LSOF magic)
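One way to find the "affected services" after a glibc or ssl update, as an added example that is not part of the original notes: it reads /proc directly instead of calling lsof and lists every process that still maps a shared library whose file has been replaced on disk. The function name stale_lib_procs is hypothetical; the script assumes Linux /proc, systemd cgroup naming, and library paths without spaces.

```sh
#!/bin/sh
# Added example, not from the original notes. Assumes Linux /proc and systemd
# cgroup naming; stale_lib_procs is a hypothetical helper name.
#
# Prints "PID COMM UNIT LIBRARY" for every process that still maps a shared
# library whose file was replaced on disk (marked "(deleted)" in maps).
# UNIT is "-" when no systemd unit can be derived from the cgroup file.
# Usage (as root, to see all processes): stale_lib_procs | sort -k3
stale_lib_procs() {
    proc_root="${1:-/proc}"            # overridable so the logic can be tested
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue     # no match, or process already gone
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        comm="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        # Last path component of the systemd cgroup, e.g. sshd.service
        unit="$(awk -F: '$2 == "name=systemd" || $2 == "" {
                    n = split($3, p, "/"); print p[n]; exit
                }' "$pid_dir/cgroup" 2>/dev/null || true)"
        [ -n "$unit" ] || unit="-"
        # maps fields: address perms offset dev inode path [(deleted)]
        # Report each deleted *.so / *.so.N path once per process.
        awk -v pid="$pid" -v comm="$comm" -v unit="$unit" '
            $NF == "(deleted)" && $6 ~ /\.so(\.[0-9A-Za-z.]+)?$/ && !seen[$6]++ {
                print pid, comm, unit, $6
            }' "$maps" 2>/dev/null || true
    done
}
```

Deleted mappings that are not libraries (shared memory, temp files) are skipped on purpose, so an empty result means no running process holds a replaced .so file.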
Will only fetch the minimal version needed to satisfy an update, not the most recent version possible. Can be useful, but comes with a small risk that patch results are not 100% identical: if different systems have different software installed, certain dependency packages get patched at different times.
http://confluence.wartungsfenster.de/pages/viewpage.action?pageId=19988497
go here, still missing
- kernel
- openssl
- clustered software
defer reboots so you don't end up with random reboots of everything :)
automatic snapshots when software is installed. needs sed scripting to make sure only the core filesystems (i.e. /, /usr, /var) are snapshotted.
A plugin that safely commits /etc changes to git if you install packages - or nightly.
[root@cobbler yum]# ls -l
total 16
drwxr-xr-x 3 root root 95 Oct 27 2015 history
drwxr-xr-x 3 root root 19 Oct 27 2015 repos
drwxr-xr-x 2 root root 80 Apr 13 15:32 rpmdb-indexes
-rw-r--r-- 1 root root 1690 Feb 17 2016 transaction-all.2016-02-17.00:06.24
-rw-r--r-- 1 root root 740 Feb 17 2016 transaction-done.2016-02-17.00:06.24
-rw-r--r-- 1 root root 36 Oct 27 2015 uuid
drwxr-xr-x 34 root root 4096 Nov 4 2015 yumdb
-> use file age / file groups check to monitor for any unfinished transaction older than a day.