[NOTE: This article appears in the December 1997 issue of the USENIX Association's `;login:' magazine, and is reprinted here by permission. Additional reproduction is by permission only. Copyright (c) 1997, USENIX Association.]

ToolMan Meets PatchReport
by Daniel E. Singer

WARNING: This issue's ToolMan is highly platform specific and hardcore sysadmin. If you don't run and maintain Sun Solaris systems, you might wish to move on.

Boring Technical Stuff

OK, now that everyone else has gone away, we can get down to business. As you know, one of the very tedious aspects of maintaining computer systems is keeping them up to date via application of OS patches. This process breaks down into basically three phases: (1) identifying patches that are needed, (2) downloading patches, and (3) installing patches. You know how much fun this isn't. The process is tedious, time consuming, error-prone, and boring. But I'll show you a program that can accomplish all of this and more in one single, solitary command line.

Background

In our department, a medium-sized site, we have (among other systems) about 150 computers running SPARC and x86 Solaris (SunOS 5.5, 5.5.1, and 5.6). These all need occasional patch updates, either to fix some identifiable problems or because, well, it's just that time.

Sun makes these rueful patch update tasks more bearable in a few ways. (1) They supply a nice Web site from which most patches can be downloaded whether or not you have a support contract (though if you have the contract, you get a few extra bennies). (2) They also supply a handy program, patchdiag, which will analyze your system and tell you which patches could be applied. And (3) they supply some useful tools for applying and maintaining patches on your system, namely, `installpatch', `showrev', and, for Solaris 2.6, `patchadd'.

But there are some problems with going through this procedure. One is the use of the `patchdiag' program.
You must connect to the SunSolve site using your support ID and password, and download the latest copy of the `patchdiag.xref' patch database file and possibly a current copy of the `patchdiag' program. Then there are some deficiencies with the `patchdiag' output (see Listing 1).

Listing 1: Excerpt from the output of a run of `patchdiag'.

% patchdiag -x patchdiag.xref
================================================================================
System Name: turkey      SunOS Vers: 5.5.1      Arch: sparc
Cross Reference File Date: 30/Sep/97
PatchDiag Version: 1.0.1
================================================================================
Report Note:

Recommended patches are considered the most important and highly
recommended patches that avoid the most critical system, user, or
security related bugs which have been reported and fixed to date. A patch
not listed on the recommended list does not imply that it should not be
used if needed.

Some patches listed in this report may have certain platform specific or
application specific dependencies and thus may not be applicable to your
system. It is important to carefully review the README file of each patch
to fully determine the applicability of any patch with your system.
================================================================================
INSTALLED PATCHES
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103582  01        15      SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch
103630  01        09      SunOS 5.5.1: ip ifconfig arp udp icmp patch
103663  01        08      SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest pa
103690  03        05      SunOS 5.5.1: cron/crontab/at/atq/atrm patch
104433  03        04      SunOS 5.5.1: pam security patch
================================================================================
UNINSTALLED RECOMMENDED PATCHES
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103558  N/A       10      SunOS 5.5.1: admintool/launcher fixes plus various swmtool fixes
103594  N/A       10      SunOS 5.5.1: /usr/lib/sendmail fixes
103600  N/A       18      SunOS 5.5.1: nfs, tlimod and rpcmod patch
103612  N/A       33      SunOS 5.5.1: libc, libnsl, libucb, nis_cachemgr and rpc.nisd patch
103640  N/A       12      SunOS 5.5.1: kernel patch
103680  N/A       01      SunOS 5.5.1: nscd/nscd_nischeck rebuild for BIND 4.9.3
103686  N/A       02      SunOS 5.5.1: rpc.nisd_resolv patch
103696  N/A       02      SunOS 5.5.1: /sbin/su and /usr/bin/su patch
[ ... 29 lines deleted ... ]
103901  N/A       08      OpenWindows 3.5.1: Xview Patch
104338  N/A       02      OpenWindows 3.5.1: libXt patch
105251  N/A       01      OpenWindows 3.5.1: libXt Binary Compatibility Patch
================================================================================
UNINSTALLED SECURITY PATCHES
NOTE: This list includes the Security patches that are also Recommended
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103558  N/A       10      SunOS 5.5.1: admintool/launcher fixes plus various swmtool fixes
103594  N/A       10      SunOS 5.5.1: /usr/lib/sendmail fixes
103612  N/A       33      SunOS 5.5.1: libc, libnsl, libucb, nis_cachemgr and rpc.nisd patch
103640  N/A       12      SunOS 5.5.1: kernel patch
103680  N/A       01      SunOS 5.5.1: nscd/nscd_nischeck rebuild for BIND 4.9.3
103686  N/A       02      SunOS 5.5.1: rpc.nisd_resolv patch
103696  N/A       02      SunOS 5.5.1: /sbin/su and /usr/bin/su patch
[ ... 22 lines deleted ... ]
103901  N/A       08      OpenWindows 3.5.1: Xview Patch
104338  N/A       02      OpenWindows 3.5.1: libXt patch
105251  N/A       01      OpenWindows 3.5.1: libXt Binary Compatibility Patch
================================================================================

As you can see, the patches are listed in three sections: Installed, Recommended, and Security. This layout is not very clear in that there is overlap between the Recommended and Security sections that makes it difficult to decide which patches to install. You cannot easily see, for instance, which patches are both Recommended and Security without doing a lot of tedious cross-referencing. Additionally, if a patch is already installed and an update is available (Installed section), there is no indication as to whether such a patch is Recommended or Security or both. And even if these were not problems, you still have to go through the rigamarole of downloading the patches and running the installations.
If you need to do this for multiple OS releases for multiple hardware architectures, it becomes easy to let this slip down to a lower spot on your priority list. This is quite unfortunate in a scenario, for example, of Internet-connected computers needing security patches!

A Break in the Clouds

One of my co-workers, Joe Shamblin, is our OS and security guru and is generally the one burdened with the chore of keeping our systems up to date with the latest patches. He has brilliantly automated and simplified this odious task. Joe created, and regularly employs, a not-so-trivial Perl script called PatchReport, so named because in its initial incarnation its sole function was to produce a report a la patchdiag, but with two improvements: it automatically downloaded the xref file, and it provided a more usable, consolidated report. The table produced by PatchReport combines the information from all three sections of the patchdiag report, indicating in a single line for each patch if it is Recommended, Security, and/or if a prior version is already installed. This makes it much easier to scan the list and decide which patches are appropriate for your system.

But PatchReport has evolved into a full-fledged patch analyzer (the report), downloader, and installer. As noted earlier, it can accomplish all of this and leave a Solaris system completely up to date via a single command. Invoked with appropriate options specified, PatchReport will: connect to the SunSolve site, download the patchdiag.xref and CHECKSUMS files, analyze patches on your system and produce a report, download selected patches, check the MD5 checksums, and install the patches. You can even tell it to shut down and reboot the system when it's done! Listing 2 shows an example of a PatchReport run. By the way, if PatchReport finds that your system is completely up to date, well, you'll just have to find out for yourself what happens.
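The consolidation step described above, as an added example that is not PatchReport's own code: it reads the text that `patchdiag -x patchdiag.xref' prints (the layout of Listing 1), merges the Installed, Recommended, and Security sections by patch ID, and emits one line per patch that is missing or out of date. The input here is a constructed excerpt in that layout. One caveat the example makes visible rather than hides: a patch that appears only under INSTALLED PATCHES carries no Recommended/Security marking in patchdiag's own output, so it is shown as "unknown"; PatchReport gets that answer from the patchdiag.xref database, which this example does not read.

```python
"""Consolidate the three sections of a patchdiag report into one table.

Added example, not PatchReport's code.  Parses the layout of Listing 1 and
prints one line per patch with Security / Recommended status and the
installed revision, if any.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the patchdiag report layout (not a real run).
SAMPLE_REPORT = """\
================================================================================
System Name: turkey      SunOS Vers: 5.5.1      Arch: sparc
================================================================================
INSTALLED PATCHES
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103582  01        15      SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch
103594  10        10      SunOS 5.5.1: /usr/lib/sendmail fixes
103690  03        05      SunOS 5.5.1: cron/crontab/at/atq/atrm patch
104433  03        04      SunOS 5.5.1: pam security patch
================================================================================
UNINSTALLED RECOMMENDED PATCHES
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103558  N/A       10      SunOS 5.5.1: admintool/launcher fixes plus various swmtool fixes
103600  N/A       18      SunOS 5.5.1: nfs, tlimod and rpcmod patch
103696  N/A       02      SunOS 5.5.1: /sbin/su and /usr/bin/su patch
================================================================================
UNINSTALLED SECURITY PATCHES
NOTE: This list includes the Security patches that are also Recommended
Patch   Installed Latest  Synopsis
ID      Revision  Revision
--------------------------------------------------------------------------------
103558  N/A       10      SunOS 5.5.1: admintool/launcher fixes plus various swmtool fixes
103696  N/A       02      SunOS 5.5.1: /sbin/su and /usr/bin/su patch
================================================================================
"""

SECTIONS = {
    "INSTALLED PATCHES": "installed",
    "UNINSTALLED RECOMMENDED PATCHES": "recommended",
    "UNINSTALLED SECURITY PATCHES": "security",
}
# A data row: 6-digit patch ID, installed revision or N/A, latest revision, synopsis.
ROW = re.compile(r"^(\d{6})\s+(\d{2}|N/A)\s+(\d{2})\s+(.*)$")


@dataclass
class Patch:
    pid: str
    latest: str
    synopsis: str
    installed: Optional[str] = None      # revision on this system, if any
    recommended: Optional[bool] = None   # None = patchdiag did not say
    security: Optional[bool] = None


def parse_patchdiag(text: str) -> Dict[str, Patch]:
    """Walk the report once, merging rows from all three sections by patch ID."""
    patches: Dict[str, Patch] = {}
    section = None
    for line in text.splitlines():
        if line.strip() in SECTIONS:
            section = SECTIONS[line.strip()]
            continue
        m = ROW.match(line)
        if not m or section is None:
            continue
        pid, inst, latest, syn = m.groups()
        p = patches.setdefault(pid, Patch(pid, latest, syn.rstrip()))
        if section == "installed":
            p.installed = inst
        else:
            # A row in an UNINSTALLED section is an explicit statement; absence
            # from the other UNINSTALLED section then means "not that kind".
            setattr(p, section, True)
            other = "security" if section == "recommended" else "recommended"
            if getattr(p, other) is None:
                setattr(p, other, False)
    return patches


def needs_update(p: Patch) -> bool:
    """True when the patch is missing or an older revision is installed."""
    return p.installed is None or int(p.installed) < int(p.latest)


def render(patches: Dict[str, Patch]) -> List[str]:
    """One line per outstanding patch, in the spirit of PatchReport's table."""
    def mark(v: Optional[bool], word: str) -> str:
        return {True: word, False: "N/A", None: "unknown"}[v]
    out = []
    for p in sorted(patches.values(), key=lambda x: x.pid):
        if not needs_update(p):
            continue
        out.append("%s-%s %-11s %-11s %-3s %s" % (
            p.pid, p.latest, mark(p.security, "Security"),
            mark(p.recommended, "Recommended"), p.installed or "", p.synopsis))
    return out


if __name__ == "__main__":
    for row in render(parse_patchdiag(SAMPLE_REPORT)):
        print(row)
```

Patches already at the latest revision (103594 in the sample) drop out of the table, and 103582, 103690, and 104433 show up with their installed revision and an "unknown" marking, which is exactly the gap in patchdiag's report that the xref lookup closes.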
You can also use PatchReport in conjunction with Sun's JumpStart suite (used to install new systems). PatchReport can download appropriate patches to a directory. Then JumpStart can be configured to install these patches to the OS during the initial installation. Alternatively, JumpStart could be configured to call PatchReport directly.

PatchReport is written for Solaris and not extended to other operating systems because Sun has a very open and well-documented patch system that makes programs like patchdiag and PatchReport possible. Other vendors, please take note.

Closing Remarks

To paraphrase someone who was paraphrasing Dave Barry, systems administration consumes time like Dave Barry's dog gobbles taco chips. If your job involves installing, maintaining, and updating Solaris-based systems, here's a power tool that can save you hours at a pop. But you better hurry and pick up a copy before SprintNet goes down again! To paraphrase another sage, "you snooze, you looze."

Listing 2: Excerpt from the output of a run of PatchReport

# PatchReport -Ari
Please provide the account and password in the form "ID/passwd"
account/passwd? *******/*******
Analyzing needed patches on your machine, this might take a minute or two
depending on the options you chose, and/or your net connection.

Patch-ID   Security  Recommended  ID  Description
--------------------------------------------------------------------------------
103558-10  Security  Recommended      SunOS 5.5.1: admintool/launcher fixes plus various swmtool
103582-15  Security  Recommended  01  SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch
103594-10  Security  Recommended      SunOS 5.5.1: /usr/lib/sendmail fixes
103600-18  N/A       Recommended      SunOS 5.5.1: nfs, tlimod and rpcmod patch
103612-33  Security  Recommended      SunOS 5.5.1: libc, libnsl, libucb, nis_cachemgr and rpc.ni
103630-09  Security  Recommended  01  SunOS 5.5.1: ip ifconfig arp udp icmp patch
103663-08  Security  Recommended  01  SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & n...
103680-01  Security  Recommended      SunOS 5.5.1: nscd/nscd_nischeck rebuild for BIND 4.9.3
103686-02  Security  Recommended      SunOS 5.5.1: rpc.nisd_resolv patch
103690-05  Security  Recommended  03  SunOS 5.5.1: cron/crontab/at/atq/atrm patch
[ ... 21 lines deleted ... ]
103901-08  Security  Recommended      OpenWindows 3.5.1: Xview Patch
104338-02  Security  Recommended      OpenWindows 3.5.1: libXt patch
105251-01  Security  Recommended      OpenWindows 3.5.1: libXt Binary Compatibility Patch

**Retrieving Patches**

Patch-ID   Checksum status  Description
--------------------------------------------------------------------------------
103558-10  checksum match   SunOS 5.5.1: admintool/launcher fixes plus various swmtool
103582-15  checksum match   SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch
103594-10  checksum match   SunOS 5.5.1: /usr/lib/sendmail fixes
103600-18  checksum match   SunOS 5.5.1: nfs, tlimod and rpcmod patch
103612-33  checksum match   SunOS 5.5.1: libc, libnsl, libucb, nis_cachemgr and rpc.ni
103630-09  checksum match   SunOS 5.5.1: ip ifconfig arp udp icmp patch
103663-08  checksum match   SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & n...
103680-01  checksum match   SunOS 5.5.1: nscd/nscd_nischeck rebuild for BIND 4.9.3
103686-02  checksum match   SunOS 5.5.1: rpc.nisd_resolv patch
[ ... 22 lines deleted ... ]
103901-08  checksum match   OpenWindows 3.5.1: Xview Patch
104338-02  checksum match   OpenWindows 3.5.1: libXt patch
105251-01  checksum match   OpenWindows 3.5.1: libXt Binary Compatibility Patch

** Installing all patches without checking them first **
** can have negative consequences. I am assuming that  **
** you know this, and think that all of these patches  **
** are a good idea. Using the -F option will turn off  **
** this message.                                       **

Which patches do you want to install (all/none/list of patches) all

**Installing Patches (this can take a while)**

Patch-ID   Install status   Description
--------------------------------------------------------------------------------
103558-10  Patch installed  SunOS 5.5.1: admintool/launcher fixes plus various swmtool
103582-15  Patch installed  SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch
103594-10  Patch installed  SunOS 5.5.1: /usr/lib/sendmail fixes
103600-18  Patch installed  SunOS 5.5.1: nfs, tlimod and rpcmod patch
103612-33  Patch installed  SunOS 5.5.1: libc, libnsl, libucb, nis_cachemgr and rpc.ni
103630-09  Patch installed  SunOS 5.5.1: ip ifconfig arp udp icmp patch
103663-08  Patch installed  SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & n
103680-01  Patch installed  SunOS 5.5.1: nscd/nscd_nischeck rebuild for BIND 4.9.3
103686-02  Patch installed  SunOS 5.5.1: rpc.nisd_resolv patch
103690-05  Patch installed  SunOS 5.5.1: cron/crontab/at/atq/atrm patch
[ ... 21 lines deleted ... ]
103901-08  Patch installed  OpenWindows 3.5.1: Xview Patch
104338-02  Patch installed  OpenWindows 3.5.1: libXt patch
105251-01  Patch installed  OpenWindows 3.5.1: libXt Binary Compatibility Patch

Program:      PatchReport
Abstract:     analyze system, download and install patches
Platforms:    Solaris 2.x (SunOS 5.x)
Language:     Perl 5.002+, with modules: libnet, Data-Dumper, MD5, and IO
Author:       Joe Shamblin
Availability: Features are still being added, so check for updates!
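The "Checksum status" step of Listing 2, as an added example that is not PatchReport's own code: it compares each downloaded patch archive against the CHECKSUMS file and refuses to hand anything that fails to the installer. The CHECKSUMS layout assumed here ("<md5 hex>  <filename>", one entry per line) is an assumption for the example, not Sun's documented format, and the archives are constructed byte strings so that the example runs offline.

```python
"""Verify downloaded patch archives against a CHECKSUMS file before install.

Added example, not PatchReport's code.  The CHECKSUMS format used below is
assumed for the example; the archives are constructed stand-ins.
"""
import hashlib
from typing import Dict, List, Tuple


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed "downloaded" archives: arbitrary bytes stand in for the .tar.Z files.
ARCHIVES: Dict[str, bytes] = {
    "103558-10.tar.Z": b"pretend admintool patch archive",
    "103594-10.tar.Z": b"pretend sendmail patch archive",
    "103600-18.tar.Z": b"pretend nfs patch archive",
    "105251-01.tar.Z": b"pretend libXt compatibility patch archive",
}

# Constructed CHECKSUMS text: 103558 and 103594 are correct; 103600 is wrong
# (as if the archive were altered in transit or on a mirror); 103612 is listed
# but was never downloaded; 105251 was downloaded but has no entry at all.
CHECKSUMS_TEXT = "\n".join([
    "%s  103558-10.tar.Z" % md5hex(ARCHIVES["103558-10.tar.Z"]),
    "%s  103594-10.tar.Z" % md5hex(ARCHIVES["103594-10.tar.Z"]),
    "%s  103600-18.tar.Z" % ("0" * 32),
    "%s  103612-33.tar.Z" % ("f" * 32),
]) + "\n"


def parse_checksums(text: str) -> Dict[str, str]:
    """Map archive name -> expected MD5 (lower-case hex), skipping malformed lines."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[parts[1]] = parts[0].lower()
    return expected


def verify(archives: Dict[str, bytes], checksums: str) -> Dict[str, str]:
    """Status per downloaded archive: 'checksum match', 'MISMATCH' or 'no entry'."""
    expected = parse_checksums(checksums)
    status: Dict[str, str] = {}
    for name, data in archives.items():
        if name not in expected:
            status[name] = "no entry"          # nothing to compare against
        elif md5hex(data) == expected[name]:
            status[name] = "checksum match"
        else:
            status[name] = "MISMATCH"
    return status


def installable(archives: Dict[str, bytes], checksums: str) -> Tuple[List[str], List[str]]:
    """Split archives into those to pass to the installer and those to refuse.

    Fails closed: an archive with no CHECKSUMS entry is refused just like a
    mismatch, since an unverified file is no better than a corrupted one.
    """
    status = verify(archives, checksums)
    ok = sorted(n for n, s in status.items() if s == "checksum match")
    bad = sorted(n for n, s in status.items() if s != "checksum match")
    return ok, bad


if __name__ == "__main__":
    for name, s in sorted(verify(ARCHIVES, CHECKSUMS_TEXT).items()):
        print("%-18s %s" % (name, s))
    good, refused = installable(ARCHIVES, CHECKSUMS_TEXT)
    print("install:", good)
    print("refuse: ", refused)
```

Two things worth keeping in mind when relying on this check. It detects a corrupted or altered archive only if the CHECKSUMS file itself is trustworthy; when both come from the same unauthenticated download site, an attacker who can replace the archive can usually replace the checksum list too, so the check buys integrity, not authenticity. And MD5 is no longer collision-resistant, so a digest list is a weaker guarantee today than it was when this tool was written; a signed manifest from the vendor is the modern equivalent.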
Author info: Dan has been doing a mix of programming and systems administration for 13 years. He is currently a systems administrator in the Duke University Department of Computer Science in Durham, North Carolina, USA.