nim_flrtvc – Use NIM to generate FLRTVC report, download and install security and HIPER fixes.

Synopsis

Use the NIM master to apply known security and HIPER (High Impact PERvasive) fixes on target systems based on their inventory, ensuring the systems are at supported and secure levels.

It downloads and uses the Fix Level Recommendation Tool Vulnerability Checker script to generate a report. It parses this report, downloads the required fixes, extracts the files and checks their versions against installed software levels. It also checks for file locking that would prevent fix installation. It rejects fixes that do not match these requirements and installs the remaining ones.

In case of inter-locking file(s) you might want to run the task again.

You will get the list of installed and rejected fixes in the result metadata.

Requirements

The below requirements are needed on the host that executes this module.

  • AIX >= 7.1 TL3

  • Python >= 3.6

  • Privileged user with authorizations: aix.fs.manage.change, aix.system.install, aix.system.nim.config.server

Parameters

targets (True, list, None)

Specifies the NIM clients to perform the action on.

foo* specifies all the NIM clients whose name starts with foo.

foo[2:4] specifies the NIM clients among foo2, foo3 and foo4.

* or ALL specifies all the NIM clients.

apar (optional, str, None)

Type of APAR to check or download.

sec stands for Security vulnerabilities.

hiper stands for Corrections to High Impact PERvasive threats.

all has the same behavior as None, hence both sec and hiper vulnerabilities are checked.

filesets (optional, str, None)

Filter filesets for a specific phrase. Only fixes that apply to filesets matching the specified phrase will be checked and therefore updated.

csv (optional, str, None)

Path to an APAR CSV file containing the description of the sec and hiper fixes.

This file is usually transferred from the Fix Central server; you can avoid this rather big transfer by specifying the path to an already transferred file.

path (optional, str, /var/adm/ansible)

Specifies the directory to save the FLRTVC report.

All temporary files such as installed filesets, fixes listings and downloaded fixes files are stored in the working subdirectory named ‘path/work’.

save_report (optional, bool, False)

Specifies to save the FLRTVC report in file ‘path/flrtvc_<nim_client_name>.txt’.

verbose (optional, bool, False)

Generate full FLRTVC reporting (verbose mode).

It runs the FLRTVC script a second time to save the full report into a file, so this option impacts execution performance.

force (optional, bool, False)

Specifies to remove currently installed ifixes before running the FLRTVC script.

clean (optional, bool, False)

Cleanup working directory ‘path/work’ with all temporary and downloaded files at the end of execution.

check_only (optional, bool, False)

Specifies to only check if fixes are already applied on the targets.

No download or installation operations will be performed.

download_only (optional, bool, False)

Specifies to perform check and download operation only.

No installation will be performed.

extend_fs (optional, bool, True)

Specifies to increase filesystem size of the working directory when extra space is needed.

When set, a filesystem may have been increased even though the task returns changed=False.

Examples

- name: Download patches for security vulnerabilities
  nim_flrtvc:
    targets: nimclient01
    apar: sec
    path: /usr/sys/inst.images
    download_only: true

- name: Install both sec and hiper patches for all filesets starting with devices.fcp
  nim_flrtvc:
    targets: nimclient02
    filesets: devices.fcp.*
    path: /usr/sys/inst
    save_report: true
    verbose: true
    force: false
    clean: false

Return Values

msg (always, str, exit on download only)

Status information.

targets (always, list, [‘nimclient01’, ‘nimclient02’, ‘…’])

List of NIM clients actually targeted for the operation.

status (always, dict, )

Status for each target. It can be empty, SUCCESS or FAILURE.

If download_only=True, refer to meta[<target>][messages] and meta[<target>][4.1.reject] for error checking.

meta (always, dict, sample below)

  {'meta': {
      'messages': ['Exception removing /usr/bin/flrtvc.ksh, exception=Access is denied', '…'],
      'nimclient01': {
          '0.report': [
              'Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required| Last Update|Fixed In',
              'bos.net.tcp.client_core|7.2.3.15|sec||NOT FIXED - There is a vulnerability in FreeBSD that affects AIX.|7.2.3.0-7.2.3.15| IJ09625 / CVE-2018-6922|http://aix.software.ibm.com/aix/efixes/security/freebsd_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/freebsd_fix.tar|CVE-2018-6922:7.5|NO|11/08/2018|7200-03-03',
              '…'],
          '1.parse': [
              'ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix12.tar',
              'ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar',
              '…'],
          '2.discover': [
              'ntp_fix12/IJ17059m9b.190719.epkg.Z',
              'ntp_fix12/IJ17060m9a.190628.epkg.Z',
              '…',
              'tcpdump_fix4/IJ12978s9a.190215.epkg.Z',
              'tcpdump_fix4/IJ12978sBa.190215.epkg.Z',
              '…'],
          '3.download': [
              '/usr/sys/inst.images/tardir/ntp_fix12/IJ17059m9b.190719.epkg.Z',
              '/usr/sys/inst.images/tardir/ntp_fix12/IJ17060m9a.190628.epkg.Z',
              '…',
              '/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978s9a.190215.epkg.Z',
              '/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978sBa.190215.epkg.Z',
              '…'],
          '4.1.reject': [
              '102p_fix: prerequisite openssl.base levels do not satisfy condition string: 1.0.2.1600 =< 1.0.2.1500 =< 1.0.2.1600',
              '…',
              'IJ12983m2a: locked by previous efix to install',
              '…',
              'IJ17059m9b: prerequisite missing: ntp.rte',
              '…'],
          '4.2.check': [
              '/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z',
              '…'],
          '5.install': [
              '/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z',
              '…'],
          'messages': [
              'a previous efix to install will lock a file of IJ20785s3a preventing its installation, install it manually or run the task again.',
              '…']},
      'nimclient02': {'…': None}}}

Detailed information on the module execution.

messages (always, list, see sample of meta)

Details on errors/warnings not related to a specific machine.

<target> (when target is actually a NIM client or master, dict, )

Detailed information on the execution on the <target>.

messages (always, list, see sample of meta)

Details on errors/warnings for this target.

0.report (if the FLRTVC script succeeds, list, see sample of meta)

Output of the FLRTVC script, report or details on flrtvc error if any.

1.parse (if the FLRTVC report parsing succeeds, list, see sample of meta)

List of URLs to download and details on parsing error if any.

2.discover (if the URL downloads and epkgs listing succeed, list, see sample of meta)

List of epkgs found in URLs.

URLs can point to an eFix, a tar file, or a directory that needs parsing.

3.download (if download operation succeeds, list, see sample of meta)

List of downloaded epkgs.

4.1.reject (if check succeeds, list, see sample of meta)

List of rejected epkgs. An epkg is rejected either because installed levels do not match the ifix required levels or because a file is, or will be, locked by another ifix installation.

Refer to messages or to the log file for the detailed reason.

4.2.check (if check succeeds, list, see sample of meta)

List of epkgs that match the prerequisites and whose installation will be attempted.

5.install (if install succeeds, list, see sample of meta)

List of epkgs actually installed on the <target> system.
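An added example playbook, not part of the module documentation, that stages fixes with download_only and then inspects status, meta[<target>][messages] and meta[<target>][4.1.reject] as the return values above describe; the inventory group name nim_master and the client naming nimclient* are assumptions.

```yaml
# Added example (not from the module documentation). Assumed: the inventory
# group 'nim_master' holds the NIM master and the NIM clients are named nimclient*.
- name: Stage security and HIPER fixes on NIM clients and report what was rejected
  hosts: nim_master
  gather_facts: false
  tasks:
    - name: Check and download fixes only (no installation yet)
      nim_flrtvc:
        targets: nimclient*
        apar: all
        path: /usr/sys/inst.images
        save_report: true
        download_only: true
        extend_fs: true
      register: flrtvc

    - name: Show module-level messages not tied to a specific client
      debug:
        var: flrtvc.meta.messages
      when: flrtvc.meta.messages | default([]) | length > 0

    # status is empty, SUCCESS or FAILURE per target; anything but SUCCESS needs a look
    - name: Show per-target status that is not SUCCESS
      debug:
        msg: "{{ item.key }}: {{ item.value }}"
      loop: "{{ flrtvc.status | dict2items }}"
      when: item.value != 'SUCCESS'

    # 4.1.reject lists epkgs dropped for level mismatches or files locked by another ifix;
    # lock-related rejects are the case where re-running the task can help
    - name: List fixes rejected per target with the related messages
      debug:
        msg:
          target: "{{ item }}"
          rejected: "{{ (flrtvc.meta[item] | default({}))['4.1.reject'] | default([]) }}"
          messages: "{{ (flrtvc.meta[item] | default({}))['messages'] | default([]) }}"
      loop: "{{ flrtvc.targets }}"
      when: (flrtvc.meta[item] | default({}))['4.1.reject'] | default([]) | length > 0

    - name: Show how many epkgs passed the check and are staged for a later install run
      debug:
        msg: "{{ item }}: {{ (flrtvc.meta[item] | default({}))['4.2.check'] | default([]) | length }} epkg(s) ready"
      loop: "{{ flrtvc.targets }}"
```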

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by the community.

Authors

  • AIX Development Team (@pbfinley1911)