ZeroDayPatch: Patch Automation Tool for PMS 7.1 SP2 - Protirus/patchautomation GitHub Wiki

{CWoC} ZeroDayPatch: Patch Automation Tool for PMS 7.1 SP2 https://www.symantec.com/connect/downloads/patch-automation-tool-pms-71-sp2

Update: Moved to version 10 of the toolkit. No features were added, but this build cuts the ties with Altiris.PatchManagementCore.Web.dll.

So the program will work fine without the DLL in the current directory. We are free at last :D.

Please note that this build targets 7.1 SP2 MP1.1, with or without roll-ups.

#################

Important Forewords: This tool will allow you to stage and distribute all bulletins that match the critical severity (or more if you use the /severity switch). Neither I nor Symantec advise doing this on test, validation or production systems unless the MetaData Import Task is configured to import only the bulletins that you want to distribute or test.

#################

It's been a very long while since I posted a download on Connect but tonight I've got something worth sharing.

This week I needed to work on implementing automated patching for one of my customers with Workflow, and this led me to consider writing something similar to the 6.2 [1] tool we had, but for 7.1.

And it turned out to be rather trivial, compared to the code we previously had to write.

This is because the Patch Workflow API contains everything needed to handle the staging of bulletins and creation of software update policies.

So, I'm attaching an executable file to this download. With versions before 10 you will also need to copy the Altiris.PatchManagementCore.Web.dll file into the same directory for the tool to work (version 10 no longer depends on it).

And here's a brief description of the tool command line options:

File name: Version dependent, but normally starting with ZeroDayPatch.

File path: Any, but for versions before 10 make sure you have the Altiris.PatchManagementCore.Web.dll alongside it (it can be found here on Connect for version 7.1).

Usage:

ZeroDayPatch (version 10) command line usage:

/vulnerable Use this command line switch to install and run a custom stored procedure that retrieves candidate bulletins. The procedure is installed under the name ZeroDayPatch_GetVulnerableMachines-0003.

/targetguid=<target_guid> Use this option to set the target guid used by newly created policies. This overrides the default target defined globally.

/config=<path> Reads the file at the provided path and parses each line for command line options. Here is a sample config file content: /severity=critical /custom-sp=CWoC_GetAllBulletins /vendor=google /dryrun /debug

/test Run the tool in test mode only. A maximum of 10 policies will be created in this mode.

/dryrun Run the tool in dry run mode. No changes will be made to the system, but the expected operations will be printed to the console.

/severity=<severity>|* Set the severity used to select the bulletins that the tool will handle. The * wildcard can be used to match all severities.

/patchall Use this command line if you want to manage bulletins from all vendors in the database. By default only Microsoft bulletins are handled.

/released-before=<date> Configure a date filter to include only bulletins released before the specified date. It defaults to the current date.

/released-after=<date> Configure a date filter to include only bulletins released after the specified date. It defaults to the current date minus 1 year.

/custom-sp=<sp_name> This option allows the user to specify a custom stored procedure to be called during the execution. The stored procedure should exist in the database (if it does not, the tool returns without reporting an error, so double-check the name) and must return the following columns, which are used and required:

* _resourceguid [Software bulletin guid]
* released [Software bulletin release date]
* bulletin [Bulletin name]
* severity [Bulletin severity]

You can also add a vendor column if you want to filter bulletins by vendor (see option /vendor).

/vendor=<vendor>|* Configure a vendor filter to return only the bulletins from a custom procedure that match the vendor string. This is needed because the vendor field doesn't exist in the default Patch procedures used by this tool.

If /vendor is specified with a custom-sp that doesn't contain the vendor field, the setting will be ignored (all bulletins will be returned).
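The following T-SQL is an added example of a procedure that satisfies the /custom-sp= column contract above and exposes the optional vendor column that /vendor= needs. It is not the CWoC_GetAllBulletins.sql sample attached to the original download. The source view dbo.vBulletin_Placeholder and the column types in the temporary table are assumptions: substitute whatever view exposes software bulletins (guid, name, release date, severity, vendor) in your CMDB.

```sql
-- Added example for the /custom-sp= contract; not the project's own CWoC_GetAllBulletins.sql.
-- ASSUMPTION: dbo.vBulletin_Placeholder stands in for the real bulletin view in your CMDB.
IF OBJECT_ID('dbo.CWoC_Example_Bulletins', 'P') IS NOT NULL
    DROP PROCEDURE dbo.CWoC_Example_Bulletins;
GO

CREATE PROCEDURE dbo.CWoC_Example_Bulletins
AS
BEGIN
    SET NOCOUNT ON;

    SELECT
        b.[Guid]     AS _resourceguid,   -- required: software bulletin guid
        b.[Released] AS released,        -- required: bulletin release date
        b.[Name]     AS bulletin,        -- required: bulletin name
        b.[Severity] AS severity,        -- required: bulletin severity
        b.[Vendor]   AS vendor           -- optional: makes /vendor= filtering effective
    FROM dbo.vBulletin_Placeholder AS b  -- ASSUMPTION: replace with your bulletin view
    WHERE b.[Severity] IN (N'Critical', N'Important')  -- narrow the candidate set here
    ORDER BY b.[Released] DESC;
END
GO

-- Pre-flight check before pointing the tool at the procedure. INSERT ... EXEC fails
-- unless the procedure returns exactly these columns, so a contract mismatch shows up
-- here instead of as an empty or wrongly filtered run. Column types are assumptions.
CREATE TABLE #contract (
    _resourceguid UNIQUEIDENTIFIER NOT NULL,
    released      DATETIME         NOT NULL,
    bulletin      NVARCHAR(255)    NOT NULL,
    severity      NVARCHAR(64)     NOT NULL,
    vendor        NVARCHAR(255)    NULL
);

INSERT INTO #contract (_resourceguid, released, bulletin, severity, vendor)
EXEC dbo.CWoC_Example_Bulletins;

-- Review what the tool would be handed per vendor and severity before a real run.
SELECT vendor, severity, COUNT(*) AS bulletins
FROM #contract
GROUP BY vendor, severity
ORDER BY vendor, severity;

DROP TABLE #contract;
```

Once the pre-flight query shows the expected vendors and counts, a first run with the procedure would look like ZeroDayPatch /custom-sp=CWoC_Example_Bulletins /vendor=microsoft /dryrun, keeping /dryrun until the printed operations match what you intend to stage and distribute.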

/debug Output extra information on the command line to allow debugging or reporting problems to Symantec Connect.

/duplicates Use this command if you want the tool to generate duplicate policies. This is useful if you want, for example, to migrate policies from a parent to a child SMP without disruption.

Note! Duplicated and new entries will be added to the exclusion table in the database for safety reasons.

/exclude-on-fail Use this command to add a bulletin to the excluded table if it fails 3 times during the staging or policy creation phases. Without this switch the failing bulletin is only skipped.

/retarget Use this command if you want to switch existing policies to use a new target. The target guid should be provided with /targetguid=...

/version Print out the current version of the tool.

/? Print this help message to the console (stdout).

This tool was coded to be as simple and straightforward as possible. Here are some key points on what it does and doesn't do:

* It creates a policy if no policy exists (so we don't create duplicates)
* It enables the policy by default
* It does not verify whether the targetGuid provided is a valid target

Now, please let me know if this helps and if you have some feature needs or comments, post them here or contact me directly!

[1] https://www-secure.symantec.com/connect/articles/readypatch-management-solution-automation-tools-patch-management-solution-62

###################################################################

Document version 2:

* Replaced the file with version 0.5.3 (ZeroDayPatch-0.5.3.zip)
* Added /vulnerable switch to the tool and documentation
* Implemented custom target guid during policy creation (missing from the API)

Document version 3:

* Added foreword section
* Attached file with version 0.5.4
* Removed the hardcoded target for new policies. This now uses the system default target (normally user configured)
* Added /? handler and help message for the console

Document version 4:

* Added command line switch /released-before
* Added command line switch /released-after
* Added command line switch /patchall
* Converted the command line switch description to be a copy of the /? output
* Attached file version 0.5.6b, which contains the Altiris.PatchManagementCore.Web.dll to allow the tool to run on 7.1 SP2 versions up to MP1

Document version 5:

* Added stored procedure schema versioning (and auto-update)
* Corrected stored procedure field to match the "Released" date
* Corrected a typo in the console messages
* Attached file version 0.5.7

Document version 6:

* Attached version 0.6.6 (from revision 770)
* Made previous versions visible (so you are not forced to get the latest only ;)

Document version 7:

* Attached version 0.6.7 release (from revision 777)
* Attached version 0.6.7 debug (from revision 777)
* Updated the command line message on this download to reflect changes
* Added feature /severity=*

Document version 7b:

* Attached version 0.7.0 release (from revision 8755b369fd0e)
* Attached custom-procedure sample CWoC_GetAllBulletins.sql
* Updated the command line message on this download to reflect changes
* Added feature /custom-sp=
* Added feature /vendor=|*
* Added feature /config=

Document version 8:

* Attached version 8
* Updated the command line message to reflect changes
* Added feature /duplicates
* Added automatic creation of the "patchautomation_excluded" table
* Changed naming scheme to be simpler
* Aligned doc and release versions

Document version 9:

* Attached version 9 for 7.1
* Updated the command line message to reflect changes
* Added feature /exclude-on-fail
* Added feature /retarget

Document version 10:

* Attached version 10 for 7.1
* Updated the command line message to reflect changes
