Linux Patch Management
**Linux Patch Script**
In an effort to help fill the gap we currently have with monthly patch reporting on Linux, a script has been written to automate the process of patch reporting on a monthly basis. The main script utilizes pexpect and key exchanges between the realops dev server and customer servers.

Patch Reporting Script (patch.py)
- Pulls together patch reports per customer based on files populated with all the customer's Linux hostnames and/or IPs. This script can be set to run at whatever interval is best for your customer. A 4-6 week cycle is the preferred frequency.
- Usage: patch.py -r custname logname
- Note: the report itself is really just a dump of the output from up2date or yum for each host.
Mailing Script (mail.py)
Yes, the first question you may be asking is why two scripts. Well, I couldn't fit it all into one cleanly.
- Sends emails to the selected customer mailing list based on the name of the report generated. Example: duality-int.txt being the name of the report. The mail script trims the .txt off, adds @opsource.net, and sends the email with the report attached.
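The two scripts above are not reproduced on this page, so the following is an added example (not the realops patch.py or mail.py) that shows the pieces they are described as doing: reading a customer host file, collecting `yum check-update` output per host into one report, naming the report `custname.txt`, and deriving the mailing-list address from that name. The function names, the `run(host)` callable standing in for the pexpect/ssh step, and the host file and yum output are assumptions and constructed sample data, not anything from the page.

```python
"""Reporting helpers modelled on the page's description of patch.py and mail.py.

Added example, not the realops scripts. Assumed (not on the page): the function
names, that reports are written as <custname>.txt, and that remote command
output is supplied by a caller-provided `run(host)` callable instead of pexpect.
The host file and yum output below are constructed sample data.
"""
import os
import re
from typing import Callable, Dict, List

# Constructed customer host file: one IP or hostname per line.
SAMPLE_HOST_FILE = """10.0.0.11
# database node
10.0.0.12

web01.example.internal
"""

# Constructed output in the shape `yum check-update` prints on RHEL5:
# header lines, a blank line, then "name.arch  version  repo" rows.
SAMPLE_YUM_OUTPUT = """Loaded plugins: fastestmirror

openssl.x86_64        0.9.8e-22.el5_8.4        rhel-x86_64-server-5
kernel.x86_64         2.6.18-308.11.1.el5      rhel-x86_64-server-5
bash.x86_64           3.2-32.el5_9.1           rhel-x86_64-server-5
"""

YUM_ROW = re.compile(r"^(\S+)\.(\w+)\s+(\S+)\s+(\S+)$")


def parse_host_file(text: str) -> List[str]:
    """Return the hosts listed in a customer file, ignoring blanks and comments."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line)
    return hosts


def parse_yum_check_update(output: str) -> List[Dict[str, str]]:
    """Turn `yum check-update` rows into dicts; header and blank lines are skipped.

    `up2date -l` (RHEL4) prints a different layout and is not parsed here; its
    raw output still lands in the report, it just is not counted.
    """
    rows = []
    for line in output.splitlines():
        m = YUM_ROW.match(line.strip())
        if m:
            rows.append({"name": m.group(1), "arch": m.group(2),
                         "version": m.group(3), "repo": m.group(4)})
    return rows


def build_report(custname: str, hosts: List[str], run: Callable[[str], str]) -> str:
    """Collect per-host check-update output into one report, with a pending count."""
    sections = [f"Patch report for customer: {custname}"]
    for host in hosts:
        out = run(host)
        pending = parse_yum_check_update(out)
        sections.append(f"\n== {host}: {len(pending)} pending update(s) ==")
        sections.append(out.rstrip("\n"))
    return "\n".join(sections) + "\n"


def write_report(outdir: str, custname: str, text: str) -> str:
    """Write <custname>.txt into outdir and return its path (mail.py keys on the name)."""
    os.makedirs(outdir, exist_ok=True)
    path = os.path.join(outdir, f"{custname}.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def recipient_for_report(filename: str, domain: str = "opsource.net") -> str:
    """The mail.py rule from the page: strip '.txt' and append '@opsource.net'."""
    base = os.path.basename(filename)
    if not base.endswith(".txt"):
        raise ValueError(f"not a report file: {filename}")
    return f"{base[:-4]}@{domain}"


if __name__ == "__main__":
    hosts = parse_host_file(SAMPLE_HOST_FILE)
    # Offline stand-in for the ssh/pexpect step: every host returns the sample.
    report = build_report("duality-int", hosts, lambda host: SAMPLE_YUM_OUTPUT)
    print(report)
    print("would mail to:", recipient_for_report("duality-int.txt"))
```

The pending-update count is the one thing the page's raw dump does not give a reader at a glance; the row parser only understands the yum layout, so RHEL4 hosts appear in the report with a count of 0 until an up2date parser is added.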
Adding/Updating Customers
In order to implement new customers for monthly patching, follow these steps:
- ssh to ashopspatch01.ood.ops (IP 10.182.70.25, iLO address 10.182.100.80)
- login with your AD account.
- Once logged in, become the realops user. (sudo su - realops)
- cd customers (/home/realops/customers)
- Create a file using your customer name, 'etology' for instance. (touch %name%)
- Populate that file with the IPs of your customer's servers (each IP on a new line)
- save and quit
- Edit the realops crontab - ***NOTE - Everything is organized first by Team, then alphabetically
- crontab -e
- Find the appropriate section for your customer and add the following entry, replacing your customer name with the same name as the file you created for their hosts' IPs.
- Please make sure only 4 jobs run at any given time, and that each group of 4 jobs is staggered by 15 minutes from the next. Also, ensure that your end time does not pass the start time of the jobs at the bottom of the crontab, shown below:
- Space for cleanup and mail scripts
00 5 10 * * /home/realops/customers/cleanup.sh >> /dev/null 2>&1
30 5 10 * * /home/realops/customers/mail.py >> /dev/null 2>&1
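The three scheduling rules above (at most 4 jobs per slot, slots 15 minutes apart, nothing still running when cleanup.sh starts) are easy to get wrong by hand in a long crontab. The following is an added example, not part of the realops tooling, that checks a crontab listing against them. It assumes (not stated on the page) that customer jobs are the lines that invoke patch.py, that the script lives at /home/realops/customers/patch.py, and that each job runs for JOB_MINUTES; the crontab text is constructed and deliberately contains a 5-job slot and a late job so the checker has something to report.

```python
"""Crontab stagger check for the realops patch schedule.

Added example, not the page's tooling. Assumed, not on the page: customer jobs
are the entries that run patch.py, its path, and a per-job runtime JOB_MINUTES
used for the "end time must not pass cleanup" rule.
"""
import re
from collections import defaultdict
from typing import Dict, List

JOB_MINUTES = 15    # assumed runtime of one patch.py job
MAX_PARALLEL = 4    # page rule: at most 4 jobs in one slot
STAGGER = 15        # page rule: slots 15 minutes apart

# Constructed crontab: two correct slots of 4, then a 5-job slot at 03:15 and a
# 04:50 job that would still be running when cleanup.sh starts at 05:00.
SAMPLE_CRONTAB = """# Team A
00 3 10 * * /home/realops/customers/patch.py -r acme acme.log
00 3 10 * * /home/realops/customers/patch.py -r bravo bravo.log
00 3 10 * * /home/realops/customers/patch.py -r cobalt cobalt.log
00 3 10 * * /home/realops/customers/patch.py -r duality-int duality-int.log
15 3 10 * * /home/realops/customers/patch.py -r etology etology.log
15 3 10 * * /home/realops/customers/patch.py -r foxtrot foxtrot.log
15 3 10 * * /home/realops/customers/patch.py -r golf golf.log
15 3 10 * * /home/realops/customers/patch.py -r hotel hotel.log
15 3 10 * * /home/realops/customers/patch.py -r india india.log
50 4 10 * * /home/realops/customers/patch.py -r juliet juliet.log
# Space for cleanup and mail scripts
00 5 10 * * /home/realops/customers/cleanup.sh >> /dev/null 2>&1
30 5 10 * * /home/realops/customers/mail.py >> /dev/null 2>&1
"""

CRON = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def cron_minute(minute: str, hour: str, dom: str) -> int:
    """Absolute minute within the month for a fixed-time entry (no wildcards)."""
    if not (minute.isdigit() and hour.isdigit() and dom.isdigit()):
        raise ValueError("patch jobs must use a fixed minute, hour and day-of-month")
    return (int(dom) - 1) * 1440 + int(hour) * 60 + int(minute)


def fmt(t: int) -> str:
    """Render an absolute minute as 'day D HH:MM' for readable findings."""
    return f"day {t // 1440 + 1} {t % 1440 // 60:02d}:{t % 60:02d}"


def check_schedule(crontab: str) -> List[str]:
    """Return rule violations for the crontab text; an empty list means it is OK."""
    slots: Dict[int, List[str]] = defaultdict(list)
    cleanup_at = None
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON.match(line)
        if not m:
            continue
        minute, hour, dom, _mon, _dow, cmd = m.groups()
        if "cleanup.sh" in cmd:
            cleanup_at = cron_minute(minute, hour, dom)
        elif "patch.py" in cmd:
            slots[cron_minute(minute, hour, dom)].append(cmd)

    problems = []
    starts = sorted(slots)
    for t in starts:
        if len(slots[t]) > MAX_PARALLEL:
            problems.append(f"{len(slots[t])} jobs start at {fmt(t)} (max {MAX_PARALLEL})")
    for prev, nxt in zip(starts, starts[1:]):
        if nxt - prev < STAGGER:
            problems.append(f"slots at {fmt(prev)} and {fmt(nxt)} are only {nxt - prev} min apart")
    if cleanup_at is None:
        problems.append("no cleanup.sh entry found")
    else:
        for t in starts:
            if t + JOB_MINUTES > cleanup_at:
                problems.append(f"slot at {fmt(t)} may still be running at cleanup ({fmt(cleanup_at)})")
    return problems


if __name__ == "__main__":
    for p in check_schedule(SAMPLE_CRONTAB) or ["schedule OK"]:
        print(p)
```

Run it against the output of `crontab -l` before saving an edit; the wildcard rejection in cron_minute is intentional, since a customer job without a fixed day-of-month cannot be placed relative to the cleanup run.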
Configuration to be done on customer servers to pull the patch List:
1) Verify if the realops user account is available on the server:
id realops
Example output:
root@ashopspatch01 ~# id realops
uid=512(realops) gid=512(realops) groups=512(realops)
2) If the realops user account is not available, create the account on the server:
sudo /usr/sbin/useradd realops
3) Switch to the realops user:
su - realops
4) Create a .ssh directory:
mkdir .ssh
5) Change the permissions on .ssh to 700:
chmod 700 .ssh/
6) Change into the .ssh directory:
cd .ssh/
7) Create the authorized_keys file as below and add the key given below. Note that the key must be on a single line.
vi authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt0G1tLIgYixYybSvxTy367GhkWHtE9NVJcF2/G+gm69veUfOOsIR6S6/7B6UldQOZvJbMtRGvlq5eGGkwG6+TNxagvQTJbUTBpWIhzk4nEqFJsWd6uWnl/y5ilpflkTuMr36YXfEoJTxnRtS+c7BmkJwjhhHnRzz6RbJicKJqrIZJn43E4wAQ1HWYJd5F6CZ5yESPwmAKuFswkwmqD/HsW0U1MBGIaaWDvIa24ClbpqEezV1WDDBlw6sUsnJLGksFpI3SOhZ11ZJVtBGWe16BnCKQdhxl8MzRzqOrLxWZr+IMIWdZypWJVmhF4WUh+MaRhdF85rJUND+hs+DFcbHzw== root@ashopspatch01.ood.ops
8) Change the permissions on authorized_keys to 600:
chmod 600 authorized_keys
9) Search for "Cmnd_Alias"; if it is not present, add the following line to the sudoers file:
Cmnd_Alias DONTDO = /bin/su, /usr/bin/su, /bin/sh, /bin/ash, /bin/bsh, /bin/bash, /bin/csh, /bin/ksh, /bin/tcsh, /usr/bin/rsh, /bin/zsh, /usr/kerberos/bin/rsh, /usr/bin/passwd, /bin/login, /usr/bin/login
10) Add the line below under "## Allow root to run any commands anywhere" in sudoers (edit with visudo, or vi /etc/sudoers):
realops ALL=(ALL) NOPASSWD: ALL, !DONTDO
11) Verify that the patch list can be generated without any errors; if there are errors, fix them before enabling the server for the patch script.
a) RHEL4: up2date -l
b) RHEL5: yum check-update
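Steps 4 through 10 are the part of the onboarding most often done slightly wrong (a key wrapped onto two lines, .ssh left at 755, the sudoers rule mistyped), and the failure only shows up as a silent ssh refusal on patch night. The following is an added example, not part of the realops tooling, of a preflight check for those steps: it confirms the .ssh and authorized_keys modes from steps 5 and 8, that authorized_keys holds exactly one key whose base64 blob really decodes to the type named in its prefix (step 7), and that the DONTDO alias and the realops rule from steps 9 and 10 are present. The function names are assumptions; the key line is a constructed, structurally valid ssh-rsa blob with dummy numbers, not a real key, and the sudoers fragment is constructed in the shape the steps produce. One caveat from the sudoers manual rather than from this page: it documents that `!` exclusions such as `!DONTDO` are not a reliable restriction, so treat the rule as a guard against accidents rather than as a security boundary; the check below confirms the configuration matches the page, nothing more.

```python
"""Preflight checks for the customer-server setup in steps 4-10.

Added example, not part of the realops tooling. Assumed, not on the page: the
function names, and that the checks run as a user able to read the files. The
key blob is constructed (ssh-rsa wire format with dummy e and n, not a usable
key) and the sudoers fragment is constructed sample text.
"""
import base64
import os
import stat
import struct
import tempfile
from typing import List, Tuple

SUDO_RULE = "realops ALL=(ALL) NOPASSWD: ALL, !DONTDO"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fake_rsa_key_line() -> str:
    """Constructed authorized_keys line: valid layout, dummy e and n."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\xab" * 32))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@ashopspatch01.ood.ops"


def parse_authorized_keys(text: str) -> Tuple[str, str]:
    """Require exactly one key line and check the blob matches its type prefix.

    A key pasted wrapped onto two lines (the step 7 warning) fails the line
    count; a truncated or space-split blob fails the base64 decode.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one key line, found {len(lines)}")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("key line must be '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    return ktype, " ".join(parts[2:])


def check_ssh_perms(home: str) -> List[str]:
    """Steps 5 and 8: .ssh must be 0700 and authorized_keys 0600."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    targets = ((ssh_dir, 0o700), (os.path.join(ssh_dir, "authorized_keys"), 0o600))
    for path, want in targets:
        if not os.path.exists(path):
            problems.append(f"missing {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != want:
            problems.append(f"{path} is {mode:04o}, expected {want:04o}")
    return problems


def check_sudoers(text: str) -> List[str]:
    """Steps 9 and 10: DONTDO alias defined and the realops rule present."""
    lines = [" ".join(l.split()) for l in text.splitlines()]
    problems = []
    if not any(l.startswith("Cmnd_Alias DONTDO") for l in lines):
        problems.append("Cmnd_Alias DONTDO is not defined")
    if SUDO_RULE not in lines:
        problems.append(f"missing rule: {SUDO_RULE}")
    return problems


def demo_home(dir_mode: int = 0o700, file_mode: int = 0o600) -> List[str]:
    """Build a throwaway home with the given modes and return the findings."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as fh:
        fh.write(fake_rsa_key_line() + "\n")
    os.chmod(ssh_dir, dir_mode)
    os.chmod(ak, file_mode)
    return check_ssh_perms(home)


# Constructed sudoers fragment in the shape steps 9 and 10 produce.
SAMPLE_SUDOERS = """Cmnd_Alias DONTDO = /bin/su, /usr/bin/su, /bin/sh, /bin/bash, /usr/bin/passwd, /bin/login
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
realops ALL=(ALL) NOPASSWD: ALL, !DONTDO
"""

if __name__ == "__main__":
    print("good home:", demo_home() or "OK")
    print("bad home:", demo_home(0o755, 0o644))
    print("key:", parse_authorized_keys(fake_rsa_key_line()))
    print("sudoers:", check_sudoers(SAMPLE_SUDOERS) or "OK")
```

On the real server, point check_ssh_perms at /home/realops and feed /etc/sudoers to check_sudoers; for syntax, `visudo -c -f /etc/sudoers` remains the authoritative check, this script only confirms the two lines the runbook asks for are there.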