flrtvc – Generate FLRTVC report, download and install security and HIPER fixes.

Synopsis

Applies known security and HIPER (High Impact PERvasive) fixes to your system based on its inventory, ensuring the systems are at supported and secure levels.

It downloads and runs the Fix Level Recommendation Tool Vulnerability Checker script to generate a report. It parses this report, downloads the required fixes, extracts the files and checks their versions against the installed software levels. It also checks for file locking that would prevent fix installation. It rejects fixes that do not meet these requirements and installs the remaining ones.
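The report parsing step described above, as an added illustration (this is not the module's own code): the pipe-separated FLRTVC report, whose header is taken from the return-value sample further down this page, is split into one entry per fileset, then filtered the way the apar and filesets parameters describe to obtain the list of download URLs. The sample report is constructed (its first data line is the page's own sample entry, the second a made-up HIPER entry on example.invalid); treating filesets as a regular expression and skipping entries that already show an installed eFix are assumptions, not behaviour the page confirms.

```python
import re

# Report header exactly as it appears in the page's return-value sample
HEADER = ("Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|"
          "APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|"
          " Last Update|Fixed In")

# Constructed sample report: the first data line is the page's own sample entry,
# the second is a made-up HIPER entry in the same format (example.invalid URLs),
# the third stands in for a stray script message that is not a report row.
SAMPLE_REPORT = [
    HEADER,
    "bos.net.tcp.client_core|7.2.3.15|sec||NOT FIXED - There is a vulnerability in "
    "FreeBSD that affects AIX.|7.2.3.0-7.2.3.15| IJ09625 / CVE-2018-6922|"
    "http://aix.software.ibm.com/aix/efixes/security/freebsd_advisory.asc|"
    "ftp://aix.software.ibm.com/aix/efixes/security/freebsd_fix.tar|"
    "CVE-2018-6922:7.5|NO|11/08/2018|7200-03-03",
    "devices.fcp.disk.rte|7.2.3.15|hiper||NOT FIXED - constructed HIPER sample entry.|"
    "7.2.3.0-7.2.3.15| IJ00000|http://example.invalid/hiper_advisory.asc|"
    "ftp://example.invalid/hiper_fix.tar|N/A|YES|01/01/2019|7200-03-03",
    "script message without enough columns",
]


def parse_report(lines):
    """Split the pipe-separated FLRTVC report into one dict per fileset entry.

    The first non-empty line is the header; lines whose column count does not
    match it (for example trailing script messages) are skipped.
    """
    rows = [line for line in lines if line.strip()]
    header = [col.strip() for col in rows[0].split("|")]
    entries = []
    for line in rows[1:]:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(header):
            continue
        entries.append(dict(zip(header, fields)))
    return entries


def select_fixes(entries, apar=None, filesets=None):
    """Return the download URLs of the entries selected by apar/filesets.

    apar: None or "all" keeps both sec and hiper entries, otherwise only that type.
    filesets: assumed to be a regular expression searched against the fileset name.
    Entries that already report an installed eFix are skipped (assumption).
    """
    wanted = {"sec", "hiper"} if apar in (None, "all") else {apar}
    pattern = re.compile(filesets) if filesets else None
    urls = []
    for entry in entries:
        if entry["Type"] not in wanted:
            continue
        if pattern and not pattern.search(entry["Fileset"]):
            continue
        if entry["EFix Installed"]:
            continue
        url = entry["Download URL"]
        if url and url not in urls:
            urls.append(url)  # keep report order, drop duplicate archives
    return urls


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"{len(parsed)} report entries parsed")
    for u in select_fixes(parsed, apar="sec"):
        print("sec fix to download:", u)
```

The URL list returned by select_fixes corresponds to the 1.parse stage of the return values; several report rows often point at the same tar archive, which is why duplicates are collapsed.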

In case of inter-locking file(s) you might want to run the task again.

You will get the list of installed and rejected fixes in the result metadata.

Requirements

The below requirements are needed on the host that executes this module.

  • AIX >= 7.1 TL3

  • Python >= 3.6

  • Privileged user with authorizations: aix.fs.manage.change, aix.system.install

  • PATH environment variable set to "/usr/bin:/usr/sbin/:/opt/freeware/bin"

Parameters

apar (optional, str, None)

Type of APAR to check against.

sec stands for Security vulnerabilities.

hiper stands for Corrections to High Impact PERvasive threats.

all has the same behavior as None, i.e. both sec and hiper vulnerabilities are checked.

filesets (optional, str, None)

Filter filesets for a specific phrase. Only fixes that apply to filesets matching the specified phrase will be checked and updated.

csv (optional, str, None)

Path to an APAR CSV file containing the description of the sec and hiper fixes.

This file is usually transferred from the Fix Central server; you can avoid this rather big transfer by specifying the path to an already transferred file.

path (optional, str, /var/adm/ansible)

Specifies the directory to save the FLRTVC report.

All temporary files such as installed filesets, fixes listings and downloaded fix files are stored in the working subdirectory named 'path/work'.

save_report (optional, bool, False)

Specifies to save the FLRTVC report in the file 'path/flrtvc.txt'.

verbose (optional, bool, False)

Generate full FLRTVC reporting (verbose mode).

It runs the FLRTVC script a second time to save the full report into a file, so this option impacts execution performance.

force (optional, bool, False)

Specifies to remove the currently installed ifixes before running the FLRTVC script.

clean (optional, bool, False)

Cleanup the working directory 'path/work' with all temporary and downloaded files at the end of execution.

check_only (optional, bool, False)

Specifies to only check if fixes are already applied on the targets.

No download or installation operations will be performed.

download_only (optional, bool, False)

Specifies to perform check and download operation only.

No installation will be performed.

extend_fs (optional, bool, True)

Specifies to increase filesystem size of the working directory when extra space is needed.

When set, a filesystem may have been increased even though the task returns changed=False.

protocol (optional, str, None)

Optional setting which specifies the preferred protocol to use for downloading files.

When set, downloads will be attempted using the specified protocol.

flrtvczip (optional, str, https://esupport.ibm.com/customercare/sas/f/flrt3/FLRTVC-latest.zip)

Specifies an alternative location (local repository) hosting the flrtvc.zip file.

When set, download of FLRTVC-Latest.zip will be attempted from this URL.

localpatchserver (optional, str, False)

Specifies the local server IP address/hostname containing the ifix patches.

When set, the server part of the URLs from flrtvc.ksh will be replaced with localpatchserver to point to the local server.

localpatchpath (optional, str, False)

Specifies the local server path containing the ifix patches.

When set, the sub paths from flrtvc.ksh containing patches will be replaced with localpatchpath to point to the local path.

Notes

  • Refer to the FLRTVC page for detail on the script. https://esupport.ibm.com/customercare/flrt/sas?page=../jsp/flrtvc.jsp

  • The FLRTVC ksh script is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file. It is downloaded from https://esupport.ibm.com/customercare/sas/f/flrt3/FLRTVC-latest.zip.

  • The script requires ksh93 to use.

  • v0.8.1 is the current version of the script; depending on changes to it, this module might need to be updated.

  • When the FLRTVC ksh script cannot execute the emgr command, it tries with sudo, so you can try installing sudo on the managed system.

  • When using a local patch server, localpatchserver and localpatchpath must both be set so that a complete URL to the patches can be built. For example, the local URL 192.168.1.100/ifix becomes localpatchserver 192.168.1.100 and localpatchpath ifix in the module.
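The URL rewriting described in the last note, as an added illustration (not the module's or the FLRTVC script's own code). It assumes that a report URL has the form scheme://host/dir/.../file, that the file name is kept while the host becomes localpatchserver and the directory part becomes localpatchpath, and that protocol, when given, selects the scheme; the sample URL is the ntp_fix12.tar entry from the page's return-value sample and the local server values are the ones from the note.

```python
from urllib.parse import urlsplit, urlunsplit


def rewrite_url(url, localpatchserver, localpatchpath, protocol=None):
    """Point one fix URL at the local patch server.

    Assumption: only the file name of the original path is kept; the host and
    the directory part are replaced by localpatchserver and localpatchpath.
    """
    parts = urlsplit(url)
    scheme = protocol or parts.scheme
    filename = parts.path.rsplit("/", 1)[-1]
    new_path = "/" + localpatchpath.strip("/") + "/" + filename
    return urlunsplit((scheme, localpatchserver, new_path, "", ""))


def localize_urls(urls, localpatchserver, localpatchpath, protocol=None):
    """Rewrite a whole list of URLs, enforcing the rule from the notes that
    both localpatchserver and localpatchpath must be set together."""
    if bool(localpatchserver) != bool(localpatchpath):
        raise ValueError("localpatchserver and localpatchpath must both be set")
    if not localpatchserver:
        return list(urls)  # no local server configured, keep the original URLs
    return [rewrite_url(u, localpatchserver, localpatchpath, protocol) for u in urls]


if __name__ == "__main__":
    # Constructed input: the ntp_fix12.tar URL from the page's meta sample
    sample = ["ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix12.tar"]
    for u in localize_urls(sample, "192.168.1.100", "ifix", protocol="https"):
        print(u)
```

Serving fixes from a local repository is also where the protocol parameter matters most: using https towards the local server keeps the download path encrypted even when the original report URLs were ftp.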

Examples

- name: Download patches for security vulnerabilities
  flrtvc:
    apar: sec
    path: /usr/sys/inst.images
    download_only: true

- name: Install both sec and hiper patches for all filesets starting with devices.fcp
  flrtvc:
    filesets: devices.fcp.*
    path: /usr/sys/inst
    save_report: true
    verbose: true
    force: false
    clean: false

- name: Install patches from local patch server
  flrtvc:
    apar: sec
    protocol: https
    localpatchserver: 192.168.1.1
    localpatchpath: ifix
    flrtvczip: https://192.168.1.1/ifix/flrtvc.zip
    csv: https://192.168.1.1/ifix/apar.csv

Return Values

msg (always, str, FLRTVC completed successfully)

The execution message.

meta (always, dict, sample below)

{'meta': {'0.report': ['Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required| Last Update|Fixed In',
                       'bos.net.tcp.client_core|7.2.3.15|sec||NOT FIXED - There is a vulnerability in FreeBSD that affects AIX.|7.2.3.0-7.2.3.15| IJ09625 / CVE-2018-6922|http://aix.software.ibm.com/aix/efixes/security/freebsd_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/freebsd_fix.tar|CVE-2018-6922:7.5|NO|11/08/2018|7200-03-03',
                       '...'],
          '1.parse': ['ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix12.tar',
                      'ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar',
                      '...'],
          '2.discover': ['ntp_fix12/IJ17059m9b.190719.epkg.Z',
                         'ntp_fix12/IJ17060m9a.190628.epkg.Z',
                         '...',
                         'tcpdump_fix4/IJ12978s9a.190215.epkg.Z',
                         'tcpdump_fix4/IJ12978sBa.190215.epkg.Z',
                         '...'],
          '3.download': ['/usr/sys/inst.images/tardir/ntp_fix12/IJ17059m9b.190719.epkg.Z',
                         '/usr/sys/inst.images/tardir/ntp_fix12/IJ17060m9a.190628.epkg.Z',
                         '...',
                         '/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978s9a.190215.epkg.Z',
                         '/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978sBa.190215.epkg.Z',
                         '...'],
          '4.1.reject': ['102p_fix: prerequisite openssl.base levels do not satisfy condition string: 1.0.2.1600 =< 1.0.2.1500 =< 1.0.2.1600',
                         '...',
                         'IJ12983m2a: locked by previous efix to install',
                         '...',
                         'IJ17059m9b: prerequisite missing: ntp.rte',
                         '...'],
          '4.2.check': ['/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z',
                        '...'],
          '5.install': ['/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z',
                        '...'],
          'messages': ['a previous efix to install will lock a file of IJ20785s3a preventing its installation, install it manually or run the task again.',
                       '...']}}

Detailed information on the module execution.

messages (always, list, see sample of meta)

Details on errors and warnings.

0.report (if the FLRTVC script succeeds, list, see sample of meta)

Output of the FLRTVC script: the report, and details on the flrtvc error if any.

1.parse (if the FLRTVC report parsing succeeds, list, see sample of meta)

List of URLs to download and details on parsing error if any.

2.discover (if the URL downloads and epkgs listing succeed, list, see sample of meta)

List of epkgs found in URLs.

URLs can point to eFix files, tar archives, or directories that need parsing.

3.download (if download operation succeeds, list, see sample of meta)

List of downloaded epkgs.

4.1.reject (if check succeeds, list, see sample of meta)

List of epkgs rejected, either because the installed levels do not match the levels the ifix requires, or because a file is or will be locked by another ifix installation.

Refer to messages or to the log file for the detailed reason.
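The level check behind the first kind of 4.1.reject message, as an added illustration (not the module's own code). The reject sample on this page reads "prerequisite openssl.base levels do not satisfy condition string: 1.0.2.1600 =< 1.0.2.1500 =< 1.0.2.1600", which is read here as "minimum =< installed =< maximum" with the installed VRMF level in the middle (an assumption). The prerequisite tuples and the installed-level table are constructed; on a real system the installed levels would come from lslpp output. The example also shows why levels must be compared numerically per component rather than as strings.

```python
def parse_vrmf(level):
    """'1.0.2.1600' -> (1, 0, 2, 1600).

    Comparing tuples of ints gives the right order; comparing the strings
    would put '1.0.2.900' above '1.0.2.1600'.
    """
    return tuple(int(part) for part in level.split("."))


def level_in_range(installed, minimum, maximum):
    """True when minimum =< installed =< maximum, component-wise."""
    return parse_vrmf(minimum) <= parse_vrmf(installed) <= parse_vrmf(maximum)


def check_prerequisites(prereqs, installed_levels):
    """Evaluate an ifix's prerequisites against the installed filesets.

    prereqs: list of (fileset, minimum_level, maximum_level) tuples (constructed
             here; in practice they come from the epkg's prerequisite section).
    installed_levels: dict fileset -> installed VRMF level (constructed; in
             practice built from lslpp output).
    Returns the list of reject reasons, empty when the ifix can be installed.
    """
    reasons = []
    for fileset, minimum, maximum in prereqs:
        installed = installed_levels.get(fileset)
        if installed is None:
            reasons.append(f"prerequisite missing: {fileset}")
        elif not level_in_range(installed, minimum, maximum):
            reasons.append(
                f"prerequisite {fileset} levels do not satisfy condition string: "
                f"{minimum} =< {installed} =< {maximum}"
            )
    return reasons


if __name__ == "__main__":
    # Constructed sample mirroring the two reject reasons shown on this page
    prereqs = [
        ("openssl.base", "1.0.2.1600", "1.0.2.1600"),
        ("ntp.rte", "7.2.3.0", "7.2.3.15"),
    ]
    installed = {"openssl.base": "1.0.2.1500"}  # ntp.rte deliberately absent
    for reason in check_prerequisites(prereqs, installed):
        print("reject:", reason)
```

An ifix is only installed when this list is empty; a non-empty list is what ends up under 4.1.reject, prefixed with the epkg name as in the sample.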

4.2.check (if check succeeds, list, see sample of meta)

List of epkgs matching the prerequisites that the module attempts to install.

5.install (if install succeeds, list, see sample of meta)

List of epkgs actually installed on the system.

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by the community.

Authors

  • AIX Development Team (@pbfinley1911)