Bugtraq archives for 1st quarter (Jan-Mar) 1999: Keeping Solaris up-to-date

Keeping Solaris up-to-date

John Riddoch (jrSCMS.RGU.AC.UK)
Mon, 11 Jan 1999 09:46:02 +0000

To carry on the thread of keeping Solaris patched, I wrote a script to
automatically update a system's patches overnight via cron.

The script uses perl and runs under 5.0004, although it should work under most
new versions (it certainly doesn't use any weird perl calls).

The script (and associated patches) should reside in an NFS-mounted directory
so that they can be updated centrally (that was the reason for writing the
script in the first place).  I chose /var/spool/pkg, but it is easily changed
in the script.  Under that directory, OS versions and architecture specific
versions can be placed.  It uses uname -m for the architecture (eg, sun4m)
since some patches are specific to the sun4u platform (and presumably some are
specific to other architectures, although I haven't noticed them).  If you
don't care about that, simply change to uname -p (sparc/i386) or symlink the
directories.

The script has no output unless an error occurs, so you don't get the entire
patchadd output from 50 machines every time you add a patch.

If you have any comments/modifications, mail them to me and I'll post a
summary to the list.

Ok, here's the script:

#!/usr/local/bin/perl
use strict;

# Script to automatically update patches on solaris machines
# Designed to be run automatically through cron every night
# and only report when there is a problem.

# Copyright (c) 1998 John Riddoch (jrscms.rgu.ac.uk)
# Feel free to redistribute/modify with attribution

# Set location for logging
my $PATCHLOG = "/var/log/patchupdate";

# select OS version and architecture for patches:
my $OS = `uname -s`;
chomp $OS;
my $OSVER = `uname -r`;
chomp $OSVER;
my $ARCH = `uname -m`;
chomp $ARCH;

my $patchdir  = "/var/spool/pkg/" . $OS . "-" . $OSVER . "/" . $ARCH;
my $patchlist = $patchdir . "/patch_list";

# Get a list of currently installed patches:
# Sort these so that the newest patch rev. will be last.
my %installed;
open ( SHOWREV, "/usr/bin/showrev -p|/usr/bin/sort|" )
    || die "Can't read patch list\n";

while ( <SHOWREV> ) {
    # showrev -p lines begin "Patch: <id>-<rev> ...", so field 1 is the patch
    my $patch = ( split / / )[1];
    my ( $patchid, $rev ) = split ( "-", $patch );
    $installed{$patchid} = $rev;
}

close (SHOWREV);

# Now go through list of patches we want installed

open (PATCHLIST, $patchlist) || die "Cannot open list of required patches";

while ( my $patch = <PATCHLIST> ) {
    chomp $patch;
    next unless $patch =~ /\S/;    # skip blank lines in patch_list
    my ( $patchid, $rev ) = split ( "-", $patch );
    # Install when the patch is missing or an older revision is installed;
    # system() returns non-zero if patchadd fails.
    if ( !defined $installed{$patchid} || $installed{$patchid} < $rev ) {
        system ( "/usr/sbin/patchadd -M $patchdir $patch >> $PATCHLOG" )
            && print "Installation of patch $patch failed!\n";
    }
}

close (PATCHLIST);
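As an added example (not part of John Riddoch's post or his script), here is a dry-run version of the same comparison that can be exercised offline before letting cron hand anything to patchadd. It goes a little beyond the script above: it keeps the highest installed revision per patch id by numeric comparison rather than relying on sort order, it skips a required patch when some installed patch already obsoletes it, and it reports malformed patch_list entries instead of passing them to patchadd. The showrev lines and the patch_list entries below are constructed sample data; the field layout (`Patch: id-rev Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...`) is assumed from Solaris `showrev -p` output.

```perl
#!/usr/bin/perl
# Dry-run patch comparison (added example, not the original script).
use strict;
use warnings;

# Parse showrev -p output.  Returns two hashrefs: the highest installed
# revision for each patch id, and the set of patch ids that some installed
# patch declares in its Obsoletes: field.
sub parse_showrev {
    my ($text) = @_;
    my (%installed, %obsoleted);
    for my $line (split /\n/, $text) {
        next unless $line =~ /^Patch:\s+(\d+)-(\d+)\s+Obsoletes:\s*(.*?)\s+Requires:/;
        my ($id, $rev, $obs) = ($1, $2, $3);
        # Compare numerically so that rev 10 is newer than rev 9 regardless
        # of the order the lines arrive in.
        $installed{$id} = $rev + 0
            if !defined $installed{$id} || $installed{$id} < $rev;
        for my $o (split /\s*,\s*/, $obs) {
            $obsoleted{$1} = 1 if $o =~ /^(\d+)-\d+$/;
        }
    }
    return (\%installed, \%obsoleted);
}

# Decide which entries of a patch_list still need installing.  An entry is
# skipped when an equal or newer revision is installed, or when an installed
# patch obsoletes it.  Entries that are not "<id>-<rev>" are returned
# separately so they never reach patchadd.
sub patches_needed {
    my ($required, $installed, $obsoleted) = @_;
    my (@needed, @bad);
    for my $entry (@$required) {
        next if $entry =~ /^\s*(#|$)/;          # comments and blank lines
        my ($id, $rev) = $entry =~ /^\s*(\d+)-(\d+)\s*$/;
        unless (defined $id) {
            push @bad, $entry;
            next;
        }
        next if $obsoleted->{$id};
        next if defined $installed->{$id} && $installed->{$id} >= $rev;
        push @needed, "$id-$rev";               # keep the rev as written (leading zero)
    }
    return (\@needed, \@bad);
}

# Constructed sample showrev -p output: 105181 installed at two revisions,
# 106541-02 obsoleting two other patches.
my $sample_showrev = <<'END';
Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 106541-02 Obsoletes: 106832-03, 106976-01 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105181-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
END

# Constructed patch_list: one newer rev, one obsoleted patch, one already
# satisfied, a comment, and a malformed entry.
my @sample_list = ("105181-10", "106832-03", "106541-01", "# comment", "107000-1a");

my ($inst, $obs) = parse_showrev($sample_showrev);
my ($needed, $bad) = patches_needed(\@sample_list, $inst, $obs);
print "would run: /usr/sbin/patchadd -M <patchdir> $_\n" for @$needed;
print "malformed entry in patch_list: '$_'\n" for @$bad;
```

With the sample data this prints one `would run` line for 105181-10 and one malformed-entry report for `107000-1a`; 106832-03 is dropped because 106541-02 obsoletes it and 106541-01 because revision 02 is already installed. In a live version of the cron script the same `patches_needed` output would be fed to patchadd, and a `-d "$patchdir/$patch"` check before the `system` call is the obvious extra guard so that a patch listed in patch_list but missing from the NFS directory is reported rather than attempted.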

--
John Riddoch    Email: jrscms.rgu.ac.uk        Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
Any sufficiently advanced technology is indistinguishable from a rigged demo.