patchdiag is a Perl program available from Sun. It takes the output of the showrev -p command, which lists all installed patches on a Solaris 2.3+ system, and compares it against a cross-reference file of all extant patches. Its output tells you which patches your system has installed and which of those are out of date, as well as which Recommended, Security, and Year 2000 patches are not installed at all.
In itself it's pretty good, but the individual administrator has to go to the trouble of running it every so often, and of downloading the cross-reference file, which changes as new patches appear. Getting the cross-reference file also requires a password for the Sun web site it resides on, which many people don't have. Then there's the issue of finding out what all of those patches actually do. Enter the IMSS patchdiag system.
The IMSS patchdiag system
The IMSS patchdiag system involves several components. A small data collection script is run via cron on all client machines; it runs uname, showrev -p, and pkginfo, then mails the output to an alias at caltech.edu. Mail to this alias is filed away in a directory (via procmail). Every morning at 7:00, another program downloads the current cross-reference file and runs patchdiag against it for every data file that has been collected. The output from pkginfo is used to drop patches for which none of the associated packages are installed on the machine, so a machine is not told to install patches for software it does not have. The patchdiag output is used to construct a web page for each machine, with links to the README files of the patches as well as a checkbox system for downloading one or more of the patches from Sun. A summary page is also constructed, saying whether each machine is "OK" (needs no patches) or needs patches (either updates to installed patches or totally new ones in one of the mentioned categories), and containing links to the machine-specific pages. These web pages are accessible only within the Caltech subnet (131.215.xxx.xxx) and are password-protected.
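To make the comparison concrete, here is an added example (written for this page, not Sun's patchdiag or the IMSS report generator) that does the core of what the two paragraphs above describe: parse `showrev -p` output, compare installed revisions against a cross-reference of latest revisions, drop patches whose packages are absent according to `pkginfo`, honour the Obsoletes field, and reduce the result to the "OK" / "needs patches" verdict shown on the summary page. The `showrev -p` and `pkginfo` samples are constructed, and the cross-reference format used here (base|latest_rev|flags|packages) is a simplification invented for the example; it is not the layout of Sun's real patchdiag.xref file.

```python
"""Minimal patchdiag-style comparison (added example; not Sun's patchdiag)."""
import re

# One `showrev -p` line looks like (Solaris 2.x):
#   Patch: 106541-21 Obsoletes: 106976-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
SHOWREV_RE = re.compile(
    r"^Patch:\s+(\d{6})-(\d{2})\s+Obsoletes:\s*(.*?)\s*Requires:.*?"
    r"Incompatibles:.*?Packages:\s*(.*)$"
)

# Constructed sample input: two installed patches, three installed packages.
SHOWREV_SAMPLE = """\
Patch: 105181-23 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 106541-21 Obsoletes: 106976-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
"""
PKGINFO_SAMPLE = "SUNWcsu\nSUNWcsr\nSUNWesu\n"

# Constructed, simplified cross-reference: base|latest_rev|flags|packages
# flags: R = Recommended, S = Security, Y = Year 2000 (empty = none of these).
# This is NOT the layout of Sun's real patchdiag.xref file.
XREF_SAMPLE = """\
105181|25|RS|SUNWcsu,SUNWcsr
106541|21|RS|SUNWcsu,SUNWcsr
106976|02|S|SUNWcsu
108528|03|R|SUNWcsu
107018|01|S|SUNWscpu
108652|01||SUNWesu
"""


def _split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_showrev(text):
    """Map patch base id -> (installed revision, set of obsoleted base ids).

    If several revisions of one patch appear, the highest one wins, since
    that is what decides whether an update is needed."""
    installed = {}
    for line in text.splitlines():
        m = SHOWREV_RE.match(line.strip())
        if not m:
            continue  # showrev -p also prints lines that are not patches
        base, rev, obsoletes, _pkgs = m.groups()
        obs = {p.split("-")[0] for p in _split_list(obsoletes)}
        if base not in installed or int(rev) > int(installed[base][0]):
            installed[base] = (rev, obs)
    return installed


def parse_xref(text):
    """Parse the simplified cross-reference: base -> (latest rev, flags, packages)."""
    xref = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        base, rev, flags, pkgs = line.strip().split("|")
        xref[base] = (rev, set(flags), set(_split_list(pkgs)))
    return xref


def patchdiag(showrev_out, pkginfo_out, xref_text):
    """Classify every cross-reference patch for one machine and compute its status."""
    installed = parse_showrev(showrev_out)
    packages = set(pkginfo_out.split())
    xref = parse_xref(xref_text)
    # A patch named in any installed patch's Obsoletes field is already covered.
    obsoleted = set().union(*(obs for _rev, obs in installed.values()))
    report = {"current": [], "outdated": [], "missing": [],
              "obsoleted": [], "not_applicable": []}
    for base, (latest, flags, pkgs) in sorted(xref.items()):
        pid = f"{base}-{latest}"
        if base in installed:
            have = installed[base][0]
            if int(have) >= int(latest):
                report["current"].append(pid)
            else:
                report["outdated"].append(f"{base}-{have} -> {pid}")
            continue
        if base in obsoleted:
            report["obsoleted"].append(pid)
            continue
        if not (pkgs & packages):
            # None of the packages the patch applies to is installed: filtered
            # out, exactly as the pkginfo data is used for on the report pages.
            report["not_applicable"].append(pid)
            continue
        if flags & {"R", "S", "Y"}:
            report["missing"].append(pid)
        # Uninstalled patches in no tracked category are not reported.
    report["status"] = ("OK" if not report["outdated"] and not report["missing"]
                        else "needs patches")
    return report


if __name__ == "__main__":
    for key, value in patchdiag(SHOWREV_SAMPLE, PKGINFO_SAMPLE, XREF_SAMPLE).items():
        print(f"{key:15s} {value}")
```

With the sample data the machine comes out as "needs patches": 105181 is installed at revision 23 but 25 exists, and Recommended patch 108528-03 is missing; 106976 is not flagged because the installed 106541-21 obsoletes it, and 107018 is dropped because SUNWscpu is not installed.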
Becoming part of the patchdiag system
To include a machine (Solaris 2.3 or more recent) in the patchdiag system, first put the following shell script into a file on your local machine:
-- file begins here -- don't include this line --
#! /bin/sh
# script for collecting patchdiag information and sending it to
# central point for processing
# Erich Schneider (erich@caltech.edu) 3 Mar 2000
#
# usage: pdcollect ORGANIZATION    (for example: pdcollect IMSS)
# The argument tells same-named hosts in different DNS domains apart.
if [ $# -ne 1 ]; then
    echo "usage: $0 organization-string" 1>&2
    exit 1
fi
{
echo "Subject: showrev info for patchdiag"
echo
echo "`uname -n`:$1"
uname -r
uname -p
echo "-- Patches --"
showrev -p
echo "-- Packages --"
# pkginfo prints "category pkginst name ..."; field 2 is the package instance.
# (Solaris awk takes the program as its first argument; it has no -e option.)
pkginfo | awk '{ print $2 }'
} | /bin/mail patchdiag-handler@caltech.edu
-- file ends here -- don't include this line --
(It is available on the IMSS cluster as /ccovol/admin/scripts/pdcollect.) Next, do chmod a+x to make it executable. Finally, use crontab -e to create an entry that runs the script every day (the central report generator runs at 7:00 in the morning, so an hour or so before then would be a good time). When you run the script, you should give it one argument: a character string that uniquely identifies your organization on campus (for example, IMSS, CACR, CDS, Phys, etc.). The purpose of this argument is to distinguish your machine from any other machine in patchdiag that has the same name returned by uname -n (this can happen if the machines are in different DNS domains). As such, using the DNS domain the machine is in as the argument will work perfectly.
The next day, an entry for the machine will show up on the following web page:
http://www.its.caltech.edu/its/security/patchdiag/
This page is password protected; please contact IMSS Information Security (security@caltech.edu) for the username and password. Don't give this password out, as the information it protects might be useful to hackers!
(Note: it is also possible to force an immediate update of the patchdiag report pages by sending mail to patchdiag-handler@its.caltech.edu with the subject line "force update" and a body consisting of one line per machine of the form "machine name:organization string". The report pages for those machines will be generated immediately and the main report page updated.)
Your machine will initially appear in the "Other" category. Send email to IMSS Information Security with a list of your machines, and a new category can be created for them. Follow the links for each machine to get to the specific information page. On that page, a link on a patch description goes to the README file for the patch. Each uninstalled patch also has a checkbox next to it. One can check the boxes of the patches one wants, then click on the "Get checked patches" button to download a tar file containing them. Or, one can click the "Get all needed patches" button to download a tar file containing all of the patches you need (that is, the ones with checkboxes next to them).
Make sure to check the summary page often to see if your machines' patch status changes.
The individual machine information pages also have a button to "Show security vulnerabilities". This button passes a list of your installed patches to the vulncalc program at securityfocus.com. That program will give you a list of known security vulnerabilities that are not covered by the installed patches. Please note:
- Some of the vulnerabilities are not covered by any patches whatsoever. The information links for them will lead you to advice on what to do about them, however.
- Some of the vulnerabilities will list patches that you can't install, because you don't have the underlying packages installed. (The patchdiag output page should not even list those patches.) In such cases you don't need to worry, as the vulnerability is not present if the unpatched package is not installed.
