**Linux Patch Script**

In an effort to help fill the gap we currently have with monthly patch reporting on Linux, a script has been written to automate the process of patch reporting on a monthly basis. The main script utilizes pexpect and key exchanges between the realops dev server and customer servers.

Patch Reporting Script (patch.py)

• Pulls together patch reports per customer based on files populated with all the customers linux hostnames and/or IP's. This script can be set to run at whatever interval is best for your customer. A 4-6 week cycle is the preferred frequency.

Mailing Script (mail.py)

Yes, the first question you may be asking is why two scripts. Well, I couldn't fit it all into one cleanly.

• Sends emails to the selected customer mailing list based on the name of the report generated. Example: duality-int.txt being the name of the report. The mail script trims the .txt off and adds @opsource.net and sends the email with attached report.

Adding/Updating Customers

In order to implement new customers for monthly patching, follow these steps:

• ssh to ashopspatch01.ood.ops ip 10.182.70.25 ILO address 10.182.100.80
• login with your AD account.
• Once logged in, become the realops user. (sudo su - realops)
• cd customers (/home/realops/customers)
• Create a file using your customer name: 'etology' for instance. (touch %name%)
• populate that file with the ip's of your customers servers (each IP on a new line)
• save and quit
• Edit the realops crontab - ***NOTE - Everything is organized first by Team, then alphabetically
• crontab -e
• Find the appropriate section for your customer and add the following entry, replacing your customer name, using the same name of the filename you created for their their hosts IP's.

00 3 10 * * /home/realops/customers/patch.py -r /home/realops/customers/tricipher /home/realops/customers/tricipher-int.txt >> /dev/null 2>&1

• Please make sure only 4 jobs run at any given time, and each group of 4 jobs are staggered by 15 minutes from one another. Also, ensure that your end time does not pass the start time of the jobs at the bottom of the crontab shown below:

1. Space for cleanup and mail scripts
   00 5 10 * * /home/realops/customers/cleanup.sh >> /dev/null 2>&1
   30 5 10 * * /home/realops/customers/mail.py >> /dev/null 2>&1

Please contact Scott Stokes with any questions.

Configuration to be done on customer servers to pull the patch List:

1) Verify if realops user account is available on the server

id realops
Example Output :
root@ashopspatch01 ~# id realops
uid=512(realops) gid=512(realops) groups=512(realops)

2) If realops user account is not available , Create the account on the server.

sudo /usr/sbin/useradd realops

3) Switch to realops user:

su - realops

4) create a directory .ssh

mkdir .ssh

5) Change the permissoion to .ssh to 700.

chmod 700 .ssh/

6) Change the directory to .ssh

cd .ssh/

7) Create authorized_keys file as below and add the key given below note that the key should be single line.

vi authorized_keys

8) Change the permissoion to authorized_keys to 600.

chmod 600 authorized_keys

9) Search for "Cmnd_Alias", if it is not added then Add the following lines in sudoers file.

10) Add the below line under ## Allow root to run any commands anywhere in sudoers.

visudo or vi /etc/sudoers

11) Please verify if we are able to generate the patch list without any errors. if so please fix the errors before enabling for patch script.

a) RHEL4 : up2date -l
b) RHEL5 : yum check-update