monitoring patch status?
list Dan McDonald
I got hit up with the task of using xymon to monitor whether our windows servers are patched. I saw a plugin on deadcat that requires licensed software from shavlik.com, (and being over 4 years old, I have no idea if it works with bbwin, or if shavlik's api was still the same) but wondered if there were any other solutions out there. Minimum functionality is a list of applied patches that would show up on the client data link.
For our linux boxes, I could probably just rpm -qa --last | head and check the date that an RPM was last installed - if it's more than a month, there is probably a problem... But I don't know enough about windows to come up with a simple solution for those boxes.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
list Asif Iqbal
I would love to use it for solaris as well. What has anyone done on that venue? I can see pca as a good tool for that.
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
list Graeme A Shea
The way I get around it is to use WSUS and not Xymon. I monitor WSUS periodically and print up a report. I can think of several ways of getting Xymon (rather BBWin) doing this but they all involve some scripting. It's not much use just checking for the last patch installed because it does not mean that the previous ones have been installed.
The easiest way I can see to get it into Xymon is to check the folders in the windows directory. The patches will leave a folder with the uninstall information there. If the folder is there it means the install of the patch at least nearly completed, it's likely but not 100% certain that install completed.
You could script access to the WSUS database and pull up a report automatically or trigger Xymon on the contents.
That last two is to check for the existence of the registry keys that means it is installed or even better the date and size of the files themselves. This can be scripted and the info passed to Xymon (BBWin).
With all these methods you need to have a list of the updates you want to check for. This can be a long list and they all have to be there or else a change to the installed windows components (e.g. add/remove DHCP) could remove or require a previous update. WSUS does this for you automatically but I haven't looked at how to give a status report to Xymon.
Hope this helps
Graeme
list T.J. Yang
From: "Asif Iqbal" <user-6f4b51ac2a40@xymon.invalid> Sent: Friday, November 14, 2008 6:24 PM To: <user-ae9b8668bcde@xymon.invalid> Subject: Re: [hobbit] monitoring patch status?
I would love to use it for solaris as well. What has anyone done on that venue? I can see pca as a good tool for that.
Thanks for pca pointer, this is definitely a very-nice-to-have xymon module. I am checking it out by implementing it on my test xymon environment.
pca - analyze, download and install patches for Sun Solaris
"pca --xymon" is what I am looking to implement. It won't download and install patches, just alert on the missing patches on the xymon server under the pca column.
tj
list Martin Flemming
Yep, some days ago I've "found" pca too, and a xymon-module for it will be great ! .. maybe for redhat-clones there will be yum to use, has got somebody work for it ? :-)
cheers,
martin
list Alexander Bech
Hi,
I have configured alerts in hobbit-alerts.cfg:
HOST=%.*
MAIL user-88549a31d887@xymon.invalid DURATION>3 DURATION<10 REPEAT=1
This works fine.
Hobbit sent me 7 mails after 3 minutes each minute and after that no more.
But I can't see anything in the "Stop after" column in the info-page.
Any help?
Alex
list T.J. Yang
For my understanding, there is no patch concept for Linux OS. Solaris and HP-UX are two Unix OS that I need to deal with have OS patches. Windows has patch also but is there an open source pca script doing patch report ? tj
list Rich Smrcina
T.J. Yang wrote:
For my understanding, there is no patch concept for Linux OS. Solaris and HP-UX are two Unix OS that I need to deal with have OS patches. Windows has patch also but is there an open source pca script doing patch report ? tj
The enterprise or server versions of major distros (like SLES) have regular patch distribution and notification processes. If specific people in an installation sign up for notification of patches, they are sent emails that patches are available. Patch servers can also be set up that can download these patches so that the internal servers can have the patches available without having to all fetch them from the distributor (Novell in this case). I'm going to guess that RedHat Satellite does something similar.
--
Rich Smrcina
VM Assist, Inc.
Phone: XXX-XXX-XXXX
Ans Service: XXX-XXX-XXXX
http://www.linkedin.com/in/richsmrcina
Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
list Martin Flemming
Ok, my fault ... it's only an update not a patch-mechanism ..
martin
Regards
Martin Flemming
DESY / IT office : Building 2b / 008a
Notkestr. 85 phone : XXX - XXXX - XXXX
22603 Hamburg mail : user-f286aaa49a76@xymon.invalid
list Tracy di Marco White
On Sat, Nov 15, 2008 at 5:59 AM, Martin Flemming <user-f286aaa49a76@xymon.invalid> wrote:
Yep, somedays ago i've "found" pca too, and a xymon-module for it will be great ! .. maybe for redhat-clones there will be yum to use, has got somebody work for it ? :-)
I had one of our students write a package auditing script for RHEL
5.1, something to match the NetBSD pkgsrc security auditing script we
use on all our NetBSD machines. The RHEL version requires 'yum
install yum-security' and consists of:
yum-audit - checks security status of yum installed packages on RHEL 5.1
and greater
yum-get-audit-script - to be set up as a root cron job to pull the security
statuses from yum
yum-cve.ignore - an example CVE ignore file to tell the script with CVE's
to mark as green
- its location is specified in the yum-audit script
If others are interested, I'll see about making them available.
-Tracy
list Vernon Everett
Hi Guys
I have used this small report to assist us (Solaris mob) and the Wintel guys to determine kernel update/revision level, which we use as an indication of patch level.
I have created a directory, /usr/lib/hobbit/custom where I put this sort of script.
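#!/bin/ksh
# Report the OS version string shown on each host's Hobbit "info" page.
export BBHOME=/usr/lib/hobbit
DATADIR=/usr/lib/hobbit/custom/data
typeset -L20 HOST    # left-justify host names in a 20-character column
mkdir -p "$DATADIR"
# Stop if the scratch directory is unusable, so nothing is fetched into
# (or later deleted from) some other directory.
cd "$DATADIR" || exit 1
# Host names come from bb-hosts plus any files it includes.
# $INCLUDES is left unquoted on purpose: it may hold several file names.
INCLUDES=$(grep '^include' /etc/hobbit/bb-hosts | awk '{ print $2 }')
cat /etc/hobbit/bb-hosts $INCLUDES | egrep -h -v '^#|^page|^$|^subpage|^group|^include' | awk '{ print $2 }' \
| while read -r HOSTNAME
do
    # Fetch each host's info page in the background, one file per host.
    wget -O "$HOSTNAME" -o /dev/null "http://hobbit/hobbit-cgi/bb-hostsvc.sh?HOST=$HOSTNAME&SERVICE=info" &
done
# ksh runs the loop above in the current shell, so this waits for the fetches.
wait
for HOSTNAME in "$DATADIR"/*
do
    # Take the "OS:" row of the info page and strip the HTML tags around it.
    OSVER=$(grep OS: "$HOSTNAME" | sed 's/OS://g' | sed -e :a -e 's/<[^>]*>//g;/</N;//ba')
    HOST=$(basename "$HOSTNAME")
    echo "$HOST $OSVER"
done
rm -f "$DATADIR"/*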
It works for us, but your mileage may vary.
Cheers
V
list T.J. Yang
From: "Tracy Di Marco White" <user-4d3c8321d54f@xymon.invalid> Sent: Sunday, November 16, 2008 1:17 AM To: <user-ae9b8668bcde@xymon.invalid> Subject: Re: [hobbit] monitoring patch status?
On Sat, Nov 15, 2008 at 5:59 AM, Martin Flemming <user-f286aaa49a76@xymon.invalid> wrote:
Yep, somedays ago i've "found" pca too, and a xymon-module for it will be great ! .. maybe for redhat-clones there will be yum to use, has got somebody work for it ? :-)
I had one of our students write a package auditing script for RHEL 5.1, something to match the NetBSD pkgsrc security auditing script we use on all our NetBSD machines.
The RHEL version requires 'yum
install yum-security' and consists of:
yum-audit - checks security status of yum installed packages on RHEL 5.1
and greater
I have RH machines ranging from RH9 to RHEL4.
My interest is to learn how to implement counterpart of Solaris pca that compare with a central patch/package database file(s) on web server. Audit is the main interest here.
This way xymon-pca module can report missed patches/pkgs on one single column.
yum-get-audit-script - to be set up as a root cron job to pull the
security
statuses from yum
yum-cve.ignore - an example CVE ignore file to tell the script with CVE's
to mark as green
- its location is specified in the yum-audit script
If others are interested, I'll see about making them available.
-Tracy
I am interested about the *.src.rpm to see/learn how you did it.
tj
list Buchan Milne
On Sunday 16 November 2008 09:17:02 Tracy Di Marco White wrote:
On Sat, Nov 15, 2008 at 5:59 AM, Martin Flemming <user-f286aaa49a76@xymon.invalid> wrote:Yep, somedays ago i've "found" pca too, and a xymon-module for it will be great !
The first thing here in my mind is to agree on the test name. Why? Well, you probably want to have the same alerting (or not), no-prop, etc. For example, we have a script for RHEL < 5, for up2date, but the test name is 'updates', not up2date, and we have --nopropyellow=updates . If we had any Debian boxes (using the "apt" test), then I would have to duplicate a lot of this ...
.. maybe for redhat-clones there will be yum to use, has got somebody work for it ? :-)I had one of our students write a package auditing script for RHEL 5.1, something to match the NetBSD pkgsrc security auditing script we use on all our NetBSD machines. The RHEL version requires 'yum install yum-security' and consists of:
You mean it requires the "yum-security" package (which we install during kickstart with the package list, not after-the-fact with yum ...).
yum-audit - checks security status of yum installed packages on RHEL 5.1
and greater
yum-get-audit-script - to be set up as a root cron job to pull the security
statuses from yum
yum-cve.ignore - an example CVE ignore file to tell the script with CVE's
to mark as green
- its location is specified in the yum-audit script
Well, I have a sudo rule (in LDAP) allowing the hobbit to run up2date -l, and the hobbit extension script I have runs up2date -l once every 6 hours, writing the output to a file, and if the file is not older than 6 hours, will evaluate it and send the results to Hobbit. Since we haven't put RHEL5 servers in production yet (that will happen very soon), I haven't updated my own check to use 'yum --security' yet ... (RHN complains if your servers check rhn more frequently than once every 6 hours).
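The Linux check Dan McDonald sketches at the top of the thread (how long ago was the last RPM installed), reported under the shared "updates" test name Buchan Milne argues for, as an added example that is not code from any poster or from the Xymon project. It reads install times as epoch seconds from an rpm query format instead of parsing the dates printed by rpm -qa --last. The host name www1, the 30/60-day thresholds and the sample package list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Input on stdin: one "<install-epoch> <name-version-release>" line per
# package, as printed by:
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n'

# patch_age_status NOW WARN_DAYS CRIT_DAYS
# Prints "<color> <age-in-days> <most recently installed package>".
patch_age_status() {
    awk -v now="$1" -v warn="$2" -v crit="$3" '
        BEGIN { newest = 0 }
        $1 ~ /^[0-9]+$/ && $1 + 0 > newest { newest = $1 + 0; pkg = $2 }
        END {
            # An empty or unparsable list must never look healthy.
            if (newest == 0) { print "red -1 none"; exit }
            age = int((now - newest) / 86400)
            color = "green"
            if (age >= warn) color = "yellow"
            if (age >= crit) color = "red"
            print color, age, pkg
        }'
}

# updates_status_msg HOST NOW WARN_DAYS CRIT_DAYS
# Builds the Xymon status message for the "updates" column: a summary
# line, then the five most recent installs for the status page.
updates_status_msg() {
    list=$(cat)
    result=$(printf '%s\n' "$list" | patch_age_status "$2" "$3" "$4")
    read -r color age pkg <<EOF
$result
EOF
    printf 'status %s.updates %s last package installed %s days ago: %s\n' \
        "$1" "$color" "$age" "$pkg"
    printf '%s\n' "$list" | sort -rn | head -n 5
}

# Constructed sample data (epochs and package names are made up).
SAMPLE_NOW=1226966400
SAMPLE_LIST='1218326400 glibc-2.5-24
1223078400 kernel-2.6.18-92.1.13.el5
1220000000 openssl-0.9.8b-10.el5'

# On a real client: feed the rpm query above and "$(date +%s)" instead of
# the sample, and send the result with: $BB $BBDISP "$msg"
msg=$(printf '%s\n' "$SAMPLE_LIST" | updates_status_msg www1 "$SAMPLE_NOW" 30 60)
printf '%s\n' "$msg"
```

As Graeme Shea's reply notes for Windows, the age of the last install does not show that every earlier update is present, so this is a staleness signal rather than a patch audit.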
list Michael Nemeth
I've two hp scripts that may be of use, work on hpux 11.0: ckswstate, a one line that checks if all software has been configured: /usr/sbin/swlist -l fileset -a state, and cksupers, that will take a list and return if the patches are active, not present, superseded. So if you can get a list of patches from hp I believe this will work for your purpose. If interested I'll post but it will take a few days as it's on my classed side.
list Alexander Bech
Alexander Bech wrote:
Hi,
i have configured alerts in hobbit-alerts.cfg:
HOST=%.*
MAIL user-88549a31d887@xymon.invalid DURATION>3 DURATION<10 REPEAT=1
This works fine.
Hobbit sent me 7 mails after 3 minutes each minute and after that no more.
But i can't see anything in the "Stop after" column in the info-page.
I have found the bug (?) in loadalerts.c in the line 1081 (-less than/+greater than): - if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration < maxdur)) ... + if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration > maxdur)) ... This works: info Alex
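Review bot: the condition at loadalerts.c line 1081 reads only recip->criteria->maxduration, so flipping < to > changes which recipient-level value ends up in maxdur but still ignores any duration limit that is not set on the recipient itself. Check whether a DURATION given on the rule (the HOST line in the configuration quoted above) also has to feed the "Stop after" value, and state in the patch description how maxdur is initialised, because the elided body (...) and the starting value decide whether > selects the intended bound. The middle term treats a maxduration of zero as "not set", which deserves a short comment next to the test.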
list Anna Jonna Armannsdottir
On Mon, 2008-11-17 at 23:36 +0100, Alexander Bech wrote:
I have found the bug (?) in loadalerts.c in the line 1081 (-less than/+greater than): - if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration < maxdur)) ... + if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration > maxdur)) ...
Brilliant! This has been bugging me for a while. Please post a patch ASAP. :)
--
Kindest Regards,
Anna Jonna Ármannsdóttir, Unix System Administration, Computing Services, University of Iceland.
%& A: Because people read from top to bottom.
%& Q: Why is top posting bad?
list Alexander Bech
Anna Jonna Armannsdottir wrote:
On mán, 2008-11-17 at 23:36 +0100, Alexander Bech wrote:I have found the bug (?) in loadalerts.c in the line 1081 (-less than/+greater than): - if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration < maxdur)) ... + if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration > maxdur)) ...Brilliant! This has been bugging me for a while. Please post a patch ASAP. :)
//here's the patch (attached) Alex
Attachments (1)
list Henrik Størner
On Mon, Nov 17, 2008 at 11:36:07PM +0100, Alexander Bech wrote:
Alexander Bech schrieb:Hi, i have configured alerts in hobbit-alerts.cfg: HOST=%.* MAIL user-88549a31d887@xymon.invalid DURATION>3 DURATION<10 REPEAT=1 This works fine. Hobbit sent me 7 mails after 3 minutes each minute and after that no more. But i can't see anything in the "Stop after" column in the info-page.I have found the bug (?) in loadalerts.c in the line 1081 (-less than/+greater than): - if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration < maxdur)) ... + if (recip->criteria && recip->criteria->maxduration && (recip->criteria->maxduration > maxdur)) ...
I'm afraid that was not the correct solution. This fails if you have
DURATION settings on the HOST entry as well as the MAIL entry. The
correct solution is quite different - patch attached, this is also
going into the 4.2.2 version.
Regards,
Henrik
Attachments (1)