Showing which servers need to have critical errata applied

We recently moved into a very aggressive patch cycle where I must apply critical errata within 48 hours, fun.

My setup is Sat 6.7.5. I will have one content view, which will be published Monday morning with all the content that is synced daily to my Library. My goal is to scan the Library for all errata each morning to see if I synced any critical errata and then tie that errata number to the hostname that it needs to be applied on.

So far, I can come up with the following:

hammer> erratum list --errata-restrict-applicable yes --search important
------|----------------|----------|-----------------------------------------------|------------|-----------
ID    | ERRATA ID      | TYPE     | TITLE                                         | ISSUED     | UPDATED
------|----------------|----------|-----------------------------------------------|------------|-----------
18843 | RHSA-2020:5350 | security | Important: net-snmp security update           | 2020-12-07 | 2020-12-07
18815 | RHSA-2020:5257 | security | Important: firefox security update            | 2020-11-30 | 2020-11-30
18813 | RHSA-2020:5239 | security | Important: firefox security update            | 2020-11-30 | 2020-11-30
18798 | RHSA-2020:5129 | security | Important: net-snmp security update           | 2020-11-17 | 2020-11-17
18729 | RHSA-2020:4946 | security | Important: libX11 security update             | 2020-11-05 | 2020-11-05
18728 | RHSA-2020:4952 | security | Important: freetype security update           | 2020-11-05 | 2020-11-05
18725 | RHSA-2020:4908 | security | Important: libX11 security update             | 2020-11-04 | 2020-11-04
18724 | RHSA-2020:4907 | security | Important: freetype security update           | 2020-11-04 | 2020-11-04
18331 | RHSA-2020:4685 | security | Important: kernel security update             | 2020-11-04 | 2020-11-04
18287 | RHSA-2020:4276 | security | Important: kernel security update             | 2020-10-19 | 2020-10-20
18275 | RHSA-2020:4182 | security | Important: kernel security and bug fix update | 2020-10-06 | 2020-10-07
------|----------------|----------|-----------------------------------------------|------------|-----------

That seems to show me errata that has not been added to the CV yet and still remains in Library. I used to option for --errata-restrict-installable yes, but it seems to not show Library but rather what is in the CV, since it is missing the errata from 12/07, which would not be in the CV since it was published on 12/01.

hammer> erratum list --errata-restrict-installable yes --search important
------|----------------|----------|-----------------------------------------------|------------|-----------
ID    | ERRATA ID      | TYPE     | TITLE                                         | ISSUED     | UPDATED
------|----------------|----------|-----------------------------------------------|------------|-----------
18798 | RHSA-2020:5129 | security | Important: net-snmp security update           | 2020-11-17 | 2020-11-17
18729 | RHSA-2020:4946 | security | Important: libX11 security update             | 2020-11-05 | 2020-11-05
18728 | RHSA-2020:4952 | security | Important: freetype security update           | 2020-11-05 | 2020-11-05
18725 | RHSA-2020:4908 | security | Important: libX11 security update             | 2020-11-04 | 2020-11-04
18724 | RHSA-2020:4907 | security | Important: freetype security update           | 2020-11-04 | 2020-11-04
18331 | RHSA-2020:4685 | security | Important: kernel security update             | 2020-11-04 | 2020-11-04
18287 | RHSA-2020:4276 | security | Important: kernel security update             | 2020-10-19 | 2020-10-20
18275 | RHSA-2020:4182 | security | Important: kernel security and bug fix update | 2020-10-06 | 2020-10-07

So now that I have the errata IDs, I would like to then get information on them to see which hosts need that particular errata. For example, I want to see which hosts need ID 18843, so I'll run:

hammer> erratum info --id 18843
Title:            Important: net-snmp security update
Description:      The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

Security Fix(es):

* net-snmp: Improper Privilege Management in EXTEND MIB may lead to privileged commands execution (CVE-2020-15862)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
ID:               18843
Errata ID:        RHSA-2020:5350
Reboot Suggested: false
Updated:          2020-12-07
Issued:           2020-12-07
Solution:         For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258
Packages:         net-snmp-5.7.2-49.el7_9.1.x86_64, net-snmp-agent-libs-5.7.2-49.el7_9.1.i686, net-snmp-agent-libs-5.7.2-49.el7_9.1.x86_64, net-snmp-debuginfo-5.7.2-49.el7_9.1.i686, net-snmp-debuginfo-5.7.2-49.el7_9.1.x86_64, net-snmp-devel-5.7.2-49.el7_9.1.i686, net-snmp-devel-5.7.2-49.el7_9.1.x86_64, net-snmp-gui-5.7.2-49.el7_9.1.x86_64, net-snmp-libs-5.7.2-49.el7_9.1.i686, net-snmp-libs-5.7.2-49.el7_9.1.x86_64, net-snmp-perl-5.7.2-49.el7_9.1.x86_64, net-snmp-python-5.7.2-49.el7_9.1.x86_64, net-snmp-sysvinit-5.7.2-49.el7_9.1.x86_64, net-snmp-utils-5.7.2-49.el7_9.1.x86_64

Good information, but I need to see which hosts need that. From the GUI, that is easy: go to the errata number, click on it, then click the Content Hosts tab, and it will show you which hosts will need that errata.

So that would be my goal via Hammer/bash.

Find any critical errata that was just synced, then show me which hosts need that errata so it can be planned for with the server owner in a report that can ideally be emailed to me from the Satellite server.

I do have a ticket with support but I am not sure we are getting far.

Any community help would be very much appreciated.
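
An added example, not part of the original post: a shell sketch that parses the two `erratum list` tables shown above, keeps the errata that are applicable but not yet installable (synced to Library, not in the published CV), and lists the hosts for each. The function names are hypothetical, and it assumes the Katello host search key `applicable_errata` is available on this Satellite version and that the host name is the second column of `hammer --csv host list`.

```shell
#!/bin/sh
# Added example, not from the original post. Sample rows are trimmed from the
# hammer output quoted in the post (UPDATED column dropped).
SAMPLE_APPLICABLE='------|----------------|----------|-------------------------------------|-----------
ID    | ERRATA ID      | TYPE     | TITLE                               | ISSUED
------|----------------|----------|-------------------------------------|-----------
18843 | RHSA-2020:5350 | security | Important: net-snmp security update | 2020-12-07
18815 | RHSA-2020:5257 | security | Important: firefox security update  | 2020-11-30
18798 | RHSA-2020:5129 | security | Important: net-snmp security update | 2020-11-17'
SAMPLE_INSTALLABLE='ID    | ERRATA ID      | TYPE     | TITLE                               | ISSUED
18798 | RHSA-2020:5129 | security | Important: net-snmp security update | 2020-11-17'

# Read an "erratum list" table on stdin; print the ERRATA ID of every row whose
# title starts with one of the wanted severities (default: Critical or Important).
errata_ids() {
  awk -F'|' -v sev="${1:-Critical|Important}" '
    NF >= 4 {
      id = $2; title = $4
      gsub(/^[ \t]+|[ \t]+$/, "", id)
      gsub(/^[ \t]+|[ \t]+$/, "", title)
      if (id ~ /^RH[SBE]A-[0-9]+:[0-9]+$/ && title ~ ("^(" sev "):")) print id
    }' | sort -u
}

# $1 = applicable table, $2 = installable table. Prints errata that hosts need
# but that are only in Library so far (not in the published content view).
pending_in_library() {
  installable=$(printf '%s\n' "$2" | errata_ids)
  printf '%s\n' "$1" | errata_ids | grep -vxF -e "$installable" || true
}

# Host names that still need one erratum. Assumes the host search key
# "applicable_errata" and that the name is the second CSV column.
hosts_needing() {
  hammer --csv --no-headers host list --search "applicable_errata = $1" | cut -d, -f2
}

# One block per pending erratum, with the hosts indented beneath it.
build_report() {
  for id in $(pending_in_library "$1" "$2"); do
    printf '%s\n' "$id"
    hosts_needing "$id" | sed 's/^/  /'
  done
}
```

On the Satellite, call `build_report` with the output of the two `erratum list` commands from the post as its first and second arguments.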

Responses