nim_flrtvc – Use NIM to generate FLRTVC report, download and install security and HIPER fixes.
Synopsis
Use the NIM master to apply known security and HIPER (High Impact PERvasive) fixes on target systems based on their inventory ensuring the systems are at supported and secure levels.
It downloads and uses the Fix Level Recommendation Tool Vulnerability Checker script to generate a report. It parses this report, downloads the required fixes, extracts the files and checks their versions against installed software levels. It also checks for file locking preventing fix installation. It rejects fixes that do not match these requirements and installs the remaining.
In case of inter-locking file(s) you might want run against the task.
You will get the list of installed and rejected fixes in the results meta data.
Requirements
The below requirements are needed on the host that executes this module.
AIX >= 7.1 TL3
Python >= 2.7
Privileged user with authorizations: aix.fs.manage.change,aix.system.install,aix.system.nim.config.server
Parameters
- targets (True, list, None)
Specifies the NIM clients to perform the action on.
foo*specifies all the NIM clients with name starting byfoo.
foo[2:4]specifies the NIM clients among foo2, foo3 and foo4.
*orALLspecifies all the NIM clients.- apar (optional, str, None)
Type of APAR to check or download.
secstands for Security vulnerabilities.
hiperstands for Corrections to High Impact PERvasive threats.
allhas the same behavior asNonehence bothsecandhipervulnerabilities.- filesets (optional, str, None)
Filter filesets for specific phrase. Only fixes that apply to filesets matching the specified phrase will be checked and so updated.
- csv (optional, str, None)
Path to a APAR CSV file containing the description of the
secandhiperfixes.This file is usually transferred from the Fix Central server; you can avoid this rather big transfer by specifying the path to an already transferred file.
- path (optional, str, /var/adm/ansible)
Specifies the directory to save the FLRTVC report.
All temporary files such as installed filesets, fixes listings and downloaded fixes files are stored in the working subdirectory named ‘path/work’.
- save_report (optional, bool, False)
Specifies to save the FLRTVC report in file ‘path/flrtvc_<nim_client_name>.txt’.
- verbose (optional, bool, False)
Generate full FLRTVC reporting (verbose mode).
It runs the FLRTVC script a second time to save the full report into file. So this option impacts the execution performance.
- force (optional, bool, False)
Specifies to remove currently installed ifix before running the FLRTVC script.
- clean (optional, bool, False)
Cleanup working directory ‘path/work’ with all temporary and downloaded files at the end of execution.
- check_only (optional, bool, False)
Specifies to only check if fixes are already applied on the targets.
No download or installation operations will be performed.
- download_only (optional, bool, False)
Specifies to perform check and download operation only.
No installation will be performed.
- extend_fs (optional, bool, True)
Specifies to increase filesystem size of the working directory when extra space is needed.
When set, a filesystem could have increased while the task returns changed=False.
Notes
Note
Refer to the FLRTVC page for detail on the sctipt https://esupport.ibm.com/customercare/flrt/sas?page=../jsp/flrtvc.jsp
The FLRTVC ksh script is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file. It is downloaded from https://esupport.ibm.com/customercare/sas/f/flrt3/FLRTVC-latest.zip.
The script requires ksh93 to use.
v0.8.1 is the current version of the script, depending on changes, this module might need to be updated.
Examples
- name: Download patches for security vulnerabilities
nim_flrtvc:
targets: nimclient01
apar: sec
path: /usr/sys/inst.images
download_only: yes
- name: Install both sec and hyper patches for all filesets starting with devices.fcp
nim_flrtvc:
targets: nimclient02
filesets: devices.fcp.*
path: /usr/sys/inst
save_report: yes
verbose: yes
force: no
clean: no
Return Values
- msg (always, str, exit on download only)
Status information.
- targets (always, list, [‘nimclient01’, ‘nimclient02’, ‘…’])
List of NIM clients actually targeted for the operation.
- status (always, dict, )
Status for each
target. It can be empty, SUCCESS or FAILURE.If download_only=True, refer to
meta[<target>][messages]andmeta[<target>][4.1.reject]for error checking.- meta (always, dict, {‘meta’: {‘messages’: [‘Exception removing /usr/bin/flrtvc.ksh, exception=Access is denied’, ‘…’], ‘nimclient01’: {‘0.report’: [‘Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required| Last Update|Fixed In’, ‘bos.net.tcp.client_core|7.2.3.15|sec||NOT FIXED - There is a vulnerability in FreeBSD that affects AIX.|7.2.3.0-7.2.3.15| IJ09625 / CVE-2018-6922|http://aix.software.ibm.com/aix/efixes/security/freebsd_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/freebsd_fix.tar|CVE-2018-6922:7.5|NO|11/08/2018|7200-03-03’, ‘…’], ‘1.parse’: [’ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix12.tar’, ‘ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar’, ‘…’], ‘2.discover’: [‘ntp_fix12/IJ17059m9b.190719.epkg.Z’, ‘ntp_fix12/IJ17060m9a.190628.epkg.Z’, ‘…’, ‘tcpdump_fix4/IJ12978s9a.190215.epkg.Z’, ‘tcpdump_fix4/IJ12978sBa.190215.epkg.Z’, ‘…’], ‘3.download’: [‘/usr/sys/inst.images/tardir/ntp_fix12/IJ17059m9b.190719.epkg.Z’, ‘/usr/sys/inst.images/tardir/ntp_fix12/IJ17060m9a.190628.epkg.Z’, ‘…’, ‘/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978s9a.190215.epkg.Z’, ‘/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978sBa.190215.epkg.Z’, ‘…’], ‘4.1.reject’: [‘102p_fix: prerequisite openssl.base levels do not satisfy condition string: 1.0.2.1600 =< 1.0.2.1500 =< 1.0.2.1600’, ‘…’, ‘IJ12983m2a: locked by previous efix to install’, ‘…’, ‘IJ17059m9b: prerequisite missing: ntp.rte’, ‘…’], ‘4.2.check’: [‘/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z’, ‘…’], ‘5.install’: [‘/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z’, ‘…’], ‘messages’: [‘a previous efix to install will lock a file of IJ20785s3a preventing its installation, install it manually or run the task again.’, ‘…’]}, ‘nimclient02’: {’…’: None}}})
Detailed information on the module execution.
- messages (always, list, see sample of meta)
Details on errors/warnings not related to a specific machine
- <target> (when target is actually a NIM client or master, dict, )
Detailed information on the execution on the <target>.
- messages (always, list, see sample of meta)
Details on errors/warnings
- 0.report (if the FLRTVC script succeeds, list, see sample of meta)
Output of the FLRTVC script, report or details on flrtvc error if any.
- 1.parse (if the FLRTVC report parsing succeeds, list, see sample of meta)
List of URLs to download and details on parsing error if any.
- 2.discover (if the URL downloads and epkgs listing succeed, list, see sample of meta)
List of epkgs found in URLs.
URLs can be eFix or tar files or directories needing parsing.
- 3.download (if download operation succeeds, list, see sample of meta)
List of downloaded epkgs.
- 4.1.reject (if check succeeds, list, see sample of meta)
List of epkgs rejected. Can be because installed levels do not match ifix required levels or because a file is or will be locked by an other ifix installation.
You should refer to messages or to log file for very detailed reason.
- 4.2.check (if check succeeds, list, see sample of meta)
List of epkgs matching the prerequisites and trying to install.
- 5.install (if install succeeds, list, see sample of meta)
List of epkgs actually installed on the <target> system.
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by community.