It happens to us that we upgrade, for instance, nginx, and the new RPM is installed but the daemon is not restarted, so the old, vulnerable version keeps running.
This is easy to achieve with Yum's post-transaction-actions plugin. With this we can even have services restarted when their dependencies require it. For instance, changes in OpenSSL should restart httpd and nginx, and changes in OpenJDK should restart logstash, elasticsearch and tomcat.
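One way to generate the plugin's action file for the dependency-driven restarts described above (an added example, not code from the original page). The package globs, the use of systemd's `systemctl try-restart`, and the file name `restart-services.action` are assumptions; the entries are validated because each rendered command runs as root after the transaction.

```bash
#!/bin/bash
# Added example: render an action file for yum's post-transaction-actions plugin.
# Plugin line format: action_key:transaction_state:command
# Assumptions (not from the page): the package globs, systemd's systemctl,
# and the file name used in the install step at the bottom.

# Constructed dependency map: "<package glob>=<services to restart>"
DEP_MAP='nginx=nginx
httpd=httpd
openssl*=httpd nginx
java-*-openjdk*=logstash elasticsearch tomcat'

# Reads map lines on stdin, writes action lines on stdout.
# Runs in a subshell and exits non-zero on a malformed entry, so a bad map
# never becomes a root-executed command.
render_post_actions() (
    set -f   # no filename expansion while splitting the service list
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in *=*) ;; *) echo "missing '=': $line" >&2; exit 1 ;; esac
        glob=${line%%=*}
        services=${line#*=}
        # ':' separates the fields of an action line, so the key cannot contain it
        case "$glob" in ''|*:*|*' '*) echo "bad package glob: $line" >&2; exit 1 ;; esac
        n=0
        for svc in $services; do
            # allow only plain unit names, nothing a shell would interpret
            case "$svc" in *[!A-Za-z0-9_.@-]*) echo "bad service name: $svc" >&2; exit 1 ;; esac
            n=$((n + 1))
        done
        [ "$n" -gt 0 ] || { echo "no services: $line" >&2; exit 1; }
        # try-restart restarts only units that are currently running
        printf '%s:update:systemctl try-restart %s\n' "$glob" "$services"
    done
)

# Print the rendered file for review.
printf '%s\n' "$DEP_MAP" | render_post_actions

# Install step (as root), after: yum install yum-plugin-post-transaction-actions
#   printf '%s\n' "$DEP_MAP" | render_post_actions \
#       > /etc/yum/post-actions/restart-services.action
```

After the next update, comparing each service's start time with the package's install time confirms that the restart actually happened.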