Friday, March 13, 2009

Patch Reporting Tool for Solaris

Problem: Our recent security assessment found that no patch monitoring or patch notification system was in place. The Security Team is pressuring us to come up with a solution. The solution must include the following: (1) patch notification, (2) patch monitoring, and, if possible, (3) patch deployment. Sun's xVM Ops Center would be perfect for this, so I asked what the budget restrictions were. Our manager said it would be best to fit this just below $0.*

Analysis: We already have a Sun support contract, which is good because it gives us access to patches from sunsolve.sun.com. The Linux support contract was not renewed, which is bad, because it denies us access to the up2date repositories. We'll concentrate on the Sun side for now. Let's look at our current software implementations and see if there's anything available that can help us.

We already run Webmin, but there don't appear to be any patch monitoring or notification modules available. Checking Google doesn't help; I just find patches for Webmin. We also have Altiris, but it's bulky and has a very steep learning curve. As a last step, we'll try Daddy Google.

The first page that comes up is from Sun. Under the section "Intelligent Patch Management," we see some reference to scripting.
Three options for patches:
1. Individual download from SunSolve - login required
2. Automatic system updates - Activate the "Patch Update Manager" feature in Solaris 10 with a valid Solaris Subscription
3. Life Cycle Management - Sun xVM Ops Center has an intelligent patch management tool for Solaris and Linux.

Sun Update Tools
Knowledge-based software update services for Solaris and Linux
Free Scripted Patch Tools

Auxiliary Files

Great! It says there are three options. Option 1 is a decent way to download patches, but it doesn't really help me know which patches I need. Option 2 isn't viable for our servers, as we don't want to automatically update our production [Oracle] servers, but it may be a good solution for our workstations. Option 3 is ideal because it also updates Linux, but it's not affordable within our budget.

Looking on... "Enterprise" usually implies $$$, so we're not going to look at that. We register our inventory, so I'll spend a little time looking at that. The GUI is Java-based, which seems slow and buggy. I can run individual reports, but I can't find a way to automate this or have it tell me which patches I actually need.

"Free Scripted Patch Tools" sounds like the perfect place for me. The link sends me to a page that only demonstrates how to use wget to download patches, not how to find out which patches I need. Oddly, it tells you how to use blastwave's wget, but if you have Solaris 10, you already have wget in /usr/sfw/bin.

Patchdiag.xref lists the patches that exist, but I still need a tool that will cross-reference it with my running systems and tell me which patches each one is missing. Since patchdiag.xref is the cross-reference file for patchdiag, let's see if Sun's Patchdiag tool is still available. Patchdiag is still available and still free, but its report is ugly. Despite its flaws, this looks like the place to start.

Testing: To automate our process, we need to check that patchdiag.xref is publicly available and reachable from our systems. Using what we learned about wget, we download the patchdiag.xref file with it.

We also want to keep a cached copy of patchdiag.xref. I created an /opt/SUNWpatchdiag directory with subdirectories bin/, doc/, man/ and etc/, the last of which holds the patchdiag.xref. We install the Patchdiag files into these directories.

A quick run of 'patchdiag -h' to look at the options shows that -x lets us point patchdiag at a different copy of the patchdiag.xref file, and -l gives a more detailed (long) listing; between them they give me the level of detail I want. We want the -x option so that we can download the latest patchdiag.xref from SunSolve and use it directly. We can also report on a remote host, but then we have to supply a file containing that host's "showrev -p" output. We'll avoid this option for now, but keep it in mind for later. The drawback is that you can't get the long output in that mode.

Conclusion: Using this and what I know of awk, I can hack together a simple script that reformats the output to csv, text, or html. Now that I have this script, I can put it into cron and have it mail me the server reports periodically so I know whether they are up to date. The next step is to add it to Webmin so that the Security Team can run a report on the fly. Webmin uses Perl, and I suddenly realize that I should have written the script in Perl to begin with! I have a new project.
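As an added illustration of the cross-reference the post describes (not the author's script), here is a small sh/awk report that compares a cached patchdiag.xref with a host's "showrev -p" output and emits the missing or down-rev Recommended/Security patches as CSV, ready for cron and mail. The pipe-separated xref layout (id|rev|date|R|S|O|B|os|archs|pkgs|synopsis) and the patch ids in the sample data are assumptions; fetching the xref with wget is left to the caller.

```shell
#!/bin/sh
# Added example: cross-reference patchdiag.xref with "showrev -p" output and report
# Recommended/Security patches that are missing or down-rev, as CSV.
# ASSUMED xref layout, pipe-separated: id|rev|date|R|S|O|B|os|archs|pkgs|synopsis
# (check the header comments of your own copy before relying on it).

# patch_report XREF SHOWREV_OUTPUT OS_RELEASE  -> CSV: patch,installed,latest,flags,synopsis
patch_report() {
    awk -F'|' -v showrev="$2" -v os="$3" '
    BEGIN {
        # installed revision per base patch id, from "Patch: 100001-03 Obsoletes: ..." lines
        while ((getline line < showrev) > 0) {
            split(line, f, " ")
            if (f[1] == "Patch:" && split(f[2], p, "-") == 2) {
                if (!(p[1] in inst) || p[2] + 0 > inst[p[1]] + 0) inst[p[1]] = p[2]
            }
        }
        close(showrev)
        print "patch,installed,latest,flags,synopsis"
    }
    /^#/ || NF < 11 { next }            # header comments / malformed rows
    $8 != os || $6 == "O" { next }      # other OS release, or obsoleted (superseded) patch
    {
        have = ($1 in inst) ? inst[$1] : "none"
        if (have != "none" && have + 0 >= $2 + 0) next          # already at latest rev
        flags = ($4 == "R" ? "R" : "") ($5 == "S" ? "S" : "")
        if (flags == "") next                                   # optional patch: not reported
        syn = $11; gsub(/,/, ";", syn)                          # keep one CSV field per column
        printf "%s,%s,%s,%s,%s\n", $1, have, $2, flags, syn
    }' "$1"
}

# Constructed sample data (fake patch ids) so the report can be exercised offline.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/patchdiag.xref" <<'EOF'
# constructed excerpt, not a real patchdiag.xref
100001|05|Jan/05/09|R|S| | |10|sparc;|SUNWcsu;|SunOS 5.10: kernel patch (constructed)
100002|02|Feb/01/09|R| | | |10|sparc;|SUNWcsl;|SunOS 5.10: libc patch (constructed)
100003|03|Feb/10/09| |S| | |10|sparc;|SUNWsshdu;|SunOS 5.10: sshd patch (constructed)
100004|01|Mar/01/09| | | | |10|sparc;|SUNWxwplt;|SunOS 5.10: optional patch (constructed)
100005|04|Mar/01/09|R|S|O| |10|sparc;|SUNWcsu;|SunOS 5.10: obsoleted, superseded (constructed)
100006|02|Mar/01/09|R|S| | |9|sparc;|SUNWcsu;|SunOS 5.9: other release (constructed)
EOF
    cat > "$d/showrev.txt" <<'EOF'
Patch: 100001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
EOF
    printf '%s\n' "$d"
}
```

On a real host, run `patch_report /opt/SUNWpatchdiag/etc/patchdiag.xref <(showrev -p) 10` (or save showrev -p to a file first) and pipe the CSV to mailx from cron.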

*Story of my life.
