Hi All,

In this article, we're going to take a look at cataloging the state of a Linux system, both before and after a patching run.

This is important for both verification and auditing purposes, since it gives us a permanent record of what the Linux system looked like at those points in time.

In fact, it would be a good idea to keep these reports in an archive so that they can be reviewed when required.

There are some neat Linux commands used in the following script to achieve this:

- yum history summary
- yum history list
- package-cleanup --problems
- package-cleanup --orphans
- package-cleanup --dupes
- package-cleanup --leaves

Use the 'man package-cleanup' command to get more information on these.

The 'package-cleanup' command comes as part of the 'yum-utils' package, and we can easily verify this by using the 'yum provides' command:

[root@server-to-be-patched network-scripts]# yum provides /usr/bin/package-cleanup
Loaded plugins: security, ulninfo, versionlock
yum-utils-1.1.30-30.0.1.el6.noarch : Utilities based around the yum package manager
Repo        : local_ol6_latest
Matched from:
Filename    : /usr/bin/package-cleanup
   
yum-utils-1.1.30-30.0.1.el6.noarch : Utilities based around the yum package manager
Repo        : installed
Matched from:
Other       : Provides-match: /usr/bin/package-cleanup

The following script (saved as catalog-linux-system.sh, which the wrapper scripts further down call) can be used to produce a catalog of the Linux system:

#!/bin/bash

#
# This script performs a cataloging of a Linux system - its packages etc.
#  The idea is to run this both before and after a patching run so the full
#  state of a Linux system - and the changes made to it - are fully documented.
#
# Author: A. Nakon.
# Date  : Jan 2018
#

printf "\n"
printf "\n%s\n" '========================================'

printf "Date     : %s\n" "$(/bin/date)"
printf "Hostname : %s\n" "$(/bin/hostname)"
printf "Uname -a : %s\n" "$(/bin/uname -a)"

printf "\n%s\n\n" '========================================'

#########

COMMANDINFO='/usr/bin/yum repolist'
printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'
$COMMANDINFO


#########

COMMANDINFO='/usr/bin/yum history summary'
printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'
$COMMANDINFO

#########

COMMANDINFO="/usr/bin/yum history list"
printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'

$COMMANDINFO


#########

COMMANDINFO="/usr/bin/package-cleanup --problems"
printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'

$COMMANDINFO


#########

COMMANDINFO="/usr/bin/package-cleanup --orphans"
# Run the command once and keep its output, so the listing and the count agree.
# Only package lines are counted: blank lines and yum's "Loaded plugins:" banner
# (if it appears in the output) are dropped before counting.
OUTPUT=$($COMMANDINFO)
ORPHANCOUNT=$(printf "%s\n" "${OUTPUT}" | /bin/awk 'NF > 0 && !/^Loaded plugins/' | /usr/bin/wc -l)

printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'

printf "%s\n" "${OUTPUT}"

printf "\n%s\n\n" "Number of Orphan Packages (Package + Version not found in available Repos) : ${ORPHANCOUNT}"


#########

COMMANDINFO="/usr/bin/package-cleanup --dupes"
# Same approach as above: run once, count only the package lines
OUTPUT=$($COMMANDINFO)
DUPESCOUNT=$(printf "%s\n" "${OUTPUT}" | /bin/awk 'NF > 0 && !/^Loaded plugins/' | /usr/bin/wc -l)

printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'

printf "%s\n" "${OUTPUT}"

printf "\n%s\n\n" "Number of Duplicate Packages found : ${DUPESCOUNT}"


#########

COMMANDINFO="/usr/bin/package-cleanup --leaves"
# Same approach as above: run once, count only the package lines
OUTPUT=$($COMMANDINFO)
LEAVESCOUNT=$(printf "%s\n" "${OUTPUT}" | /bin/awk 'NF > 0 && !/^Loaded plugins/' | /usr/bin/wc -l)

printf "\n%s\n" '-----------------------------------------'
printf "%s\n" "${COMMANDINFO}"
printf "%s\n\n" '-----------------------------------------'

printf "%s\n" "${OUTPUT}"

printf "\n%s\n\n" "Number of leaf Packages (Packages with no dependent packages) found : ${LEAVESCOUNT}"

In addition to the above, we'll need two 'wrapper' scripts that call the catalog script before and after the patching process.
These 'wrappers' make it easy to tell whether a catalog report was taken before or after a patching run.

To make the different reports easier to read and identify, I've used the 'figlet' utility (http://www.figlet.org/) to create large banners.

First, the before script:

#!/bin/bash

GREEN="\e[92m"
RED="\e[31m"
STOP="\e[0m"

# Create a banner
printf "${RED}"
/usr/bin/figlet -w 180 "=============="
/usr/bin/figlet -w 180 "Before-Patch"
/usr/bin/figlet -w 180 "$(/bin/hostname)"
/usr/bin/figlet -w 180 "=============="
printf "${STOP}"

# Now run the catalog script
/rxr/depot/root/patching/catalog-linux-system.sh

And now for the after script:

#!/bin/bash

GREEN="\e[92m"
RED="\e[31m"
STOP="\e[0m"

# Create a banner
printf "${GREEN}"
/usr/bin/figlet -w 180 "=============="
/usr/bin/figlet -w 180 "After-Patch"
/usr/bin/figlet -w 180 "$(/bin/hostname)"
/usr/bin/figlet -w 180 "=============="
printf "${STOP}"

# Now run the catalog script
/rxr/depot/root/patching/catalog-linux-system.sh

So with these scripts now ready, they should be executed before and after every patch cycle.
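The before and after reports are most useful when they are compared. The following is an added example and not part of the original post: a small bash function that takes a package inventory captured with each run (assumed here to be one installed package per line in NAME-VERSION-RELEASE.ARCH form, as produced by an rpm -qa query) and reports which packages the patch run updated, added or removed. The sample inventories at the bottom are constructed, not real system data.

```shell
#!/bin/bash
# Added example (not from the original post): compare a "Before-Patch" and an
# "After-Patch" package inventory and report what the patch run actually changed.
# Assumes each inventory holds one installed package per line in NVRA form,
# e.g. captured next to the catalog report with (assumed command):
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' > before.txt

# Strip the trailing "-VERSION-RELEASE.ARCH" to leave just the package name
pkg_name() { sed 's/-[^-]*-[^-]*$//'; }

# package_delta BEFORE_FILE AFTER_FILE
# Prints one line per changed package: "updated <name>", "added <name>" or
# "removed <name>". A package that gains a second installed version (typically
# the kernel) shows up as "added", since nothing was replaced.
package_delta() {
    local tmp
    tmp=$(mktemp -d) || return 1
    sort -u "$1" > "$tmp/before"
    sort -u "$2" > "$tmp/after"
    # NVRAs that vanished / appeared, reduced to package names
    comm -23 "$tmp/before" "$tmp/after" | pkg_name | sort -u > "$tmp/gone"
    comm -13 "$tmp/before" "$tmp/after" | pkg_name | sort -u > "$tmp/new"
    comm -12 "$tmp/gone" "$tmp/new" | sed 's/^/updated /'   # name on both sides
    comm -13 "$tmp/gone" "$tmp/new" | sed 's/^/added /'     # only appeared
    comm -23 "$tmp/gone" "$tmp/new" | sed 's/^/removed /'   # only vanished
    rm -rf "$tmp"
}

# Write constructed sample inventories (not real system data) into directory $1
write_samples() {
    cat > "$1/before.txt" <<'EOF'
bash-4.1.2-48.el6.x86_64
kernel-2.6.32-696.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
telnet-0.17-48.el6.x86_64
yum-utils-1.1.30-30.0.1.el6.noarch
EOF
    cat > "$1/after.txt" <<'EOF'
bash-4.1.2-48.el6.x86_64
kernel-2.6.32-696.el6.x86_64
kernel-2.6.32-754.el6.x86_64
openssl-1.0.1e-58.el6.x86_64
yum-utils-1.1.30-30.0.1.el6.noarch
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
package_delta "$SAMPLE_DIR/before.txt" "$SAMPLE_DIR/after.txt"
rm -rf "$SAMPLE_DIR"
```

Run on the two constructed inventories it reports "updated openssl", "added kernel" and "removed telnet", which is the kind of summary worth filing with the after-patch catalog.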

We've now reached the point where all our preparations are complete and we can actually execute a patch run! Patching Linux using the 'security-minimal' directive will be the next topic in the series.