Security Updates - ghomem/legacy_puppet_infrastructure GitHub Wiki

Security updates: surface vs relevant

We have support in puppet_infrastructure to help with two kinds of security updates:

  • surface security updates -> we upgrade a fixed list of selected packages that are especially exposed when a security vulnerability appears, for example openssh-server
  • relevant security updates -> we upgrade packages with security issues above a certain priority (low, medium, high, ...)

Surface security updates

You can run the surface security updates by executing /opt/puppet-infrastructure/bin/apt-update-surface.sh as root; example output:

user@node01:~$ sudo /opt/puppet-infrastructure/bin/apt-update-surface.sh
package openssh-server 1:8.9p1-3ubuntu0.1 has no update available (or was already updated)
package openssh-client 1:8.9p1-3ubuntu0.1 has no update available (or was already updated)
package openssh-sftp-server 1:8.9p1-3ubuntu0.1 has no update available (or was already updated)
package openssl 3.0.2-0ubuntu1.10 has no update available (or was already updated)
package libssl1.1 not installed
package libudev1 249.11-0ubuntu3.9 has no update available (or was already updated)
package ca-certificates 20230311ubuntu0.22.04.1 has no update available (or was already updated)
package vim 2:8.2.3995-1ubuntu2.8 has no update available (or was already updated)
package vim-runtime 2:8.2.3995-1ubuntu2.8 has no update available (or was already updated)
package vim-common 2:8.2.3995-1ubuntu2.8 has no update available (or was already updated)
package coreutils 8.32-4.1ubuntu1 has no update available (or was already updated)
package gzip 1.10-4ubuntu4.1 has no update available (or was already updated)
package less 590-1ubuntu0.22.04.1 has no update available (or was already updated)
package multitail not installed
package util-linux 2.37.2-4ubuntu3 has no update available (or was already updated)
package openvpn not installed
package nginx-core 1.18.0-6ubuntu14.3 has no update available (or was already updated)
package nginx-extras not installed
package postfix not installed
package dovecot-core not installed

  • Alternatively, you can run it on a node from the puppet master via MCO by executing the following commands:

      MYCMD='/opt/puppet-infrastructure/bin/apt-update-surface.sh'
      sudo mco shell run "$MYCMD" -I "<node_name>"
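As an added example, not the project's apt-update-surface.sh, here is a small POSIX shell script that performs the same kind of pass: for each package in a fixed list it asks dpkg for the installed version and apt for the candidate version, prints a report line in the style of the output above, and upgrades only that one package when DO_UPGRADE=1 is set. The package list, the DO_UPGRADE and RUN_SURFACE_UPDATE variables and the wording of the "update available" line are assumptions of this example; it expects a Debian/Ubuntu host with dpkg-query, apt-cache and apt-get.

```shell
#!/bin/sh
# Added example (not the project's script): a minimal "surface" update pass
# over a fixed list of exposed packages, in the spirit of apt-update-surface.sh.
set -u

# Packages that face the network or carry TLS trust (assumed list, modelled on
# the wiki's sample output).
SURFACE_PACKAGES="openssh-server openssh-client openssh-sftp-server openssl
libssl1.1 ca-certificates nginx-core nginx-extras openvpn postfix dovecot-core"

# Prints the installed version of $1, or nothing if the package is absent
# (packages left in "config-files" state are treated as absent too).
installed_version() {
    dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null \
        | awk '$3 == "installed" { print $4 }'
}

# Prints the version apt would install for $1 ("(none)" if no source has it).
candidate_version() {
    apt-cache policy "$1" 2>/dev/null | awk '/^ *Candidate:/ { print $2 }'
}

# Pure decision logic, kept apart from the dpkg/apt calls so it can be tested
# without a package database:
# update_state INSTALLED CANDIDATE -> missing | current | upgradable
update_state() {
    inst=$1; cand=$2
    if [ -z "$inst" ]; then
        echo missing
    elif [ -z "$cand" ] || [ "$cand" = "(none)" ] || [ "$cand" = "$inst" ]; then
        echo current
    else
        echo upgradable
    fi
}

# report_line NAME INSTALLED CANDIDATE -> one line in the wiki's report style
report_line() {
    case $(update_state "$2" "$3") in
        missing)    echo "package $1 not installed" ;;
        current)    echo "package $1 $2 has no update available (or was already updated)" ;;
        upgradable) echo "package $1 $2 has update $3 available" ;;
    esac
}

# Upgrades only the named package, non-interactively, never installing new ones.
upgrade_package() {
    DEBIAN_FRONTEND=noninteractive apt-get install -y --only-upgrade "$1"
}

# Full pass: refresh the index, report every package, upgrade the upgradable
# ones only when DO_UPGRADE=1 (assumed opt-in switch).
surface_update() {
    apt-get update -qq || echo "warning: apt-get update failed, using cached index" >&2
    for pkg in $SURFACE_PACKAGES; do
        inst=$(installed_version "$pkg")
        cand=$(candidate_version "$pkg")
        state=$(update_state "$inst" "$cand")
        report_line "$pkg" "$inst" "$cand"
        if [ "$state" = upgradable ] && [ "${DO_UPGRADE:-0}" = 1 ]; then
            upgrade_package "$pkg"
        fi
    done
}

# Run the pass only when asked (assumed switch), so the functions can also be
# sourced and exercised on their own.
if [ "${RUN_SURFACE_UPDATE:-0}" = 1 ]; then
    surface_update
fi
```

Run it as root with RUN_SURFACE_UPDATE=1 for a report only, and add DO_UPGRADE=1 to actually apply the upgrades. Keeping the decision in update_state separate from the dpkg and apt calls means a change to the report or to the upgrade policy can be checked on any machine before it reaches a managed node.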

Relevant security updates

The script that implements this feature searches for updates to every package on the system and determines which of them address CVEs with High priority.

This feature is packaged in the filesystem_apt class and is included by default in node_base.

Although the check is executed automatically via cron, you can launch it manually (this takes a bit of time) with:

sudo /opt/puppet-infrastructure/bin/apt-check-updates.sh High

To see the packages that need to be updated:

cat /var/lib/apt-check-updates/list

To update the packages:

  • Use MCO from the puppet master by executing the following commands:

      MYCMD='/opt/puppet-infrastructure/bin/apt-update-relevant.sh'
      sudo mco shell run "$MYCMD" -I "<node_name>"

  • or ssh into each machine and execute:

      sudo /opt/puppet-infrastructure/bin/apt-update-relevant.sh
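The page does not describe how apt-check-updates.sh decides that an update is related to a High-priority CVE, so the following is an added example of one way to do it, not the project's own code: take the pending upgrades, read each package's changelog for CVE identifiers, look up each identifier's priority, and keep the packages with at least one CVE at or above the requested threshold. Everything data-related here is constructed and labelled as such: the pending list stands in for `apt list --upgradable`, the changelog snippets stand in for `apt-get changelog PKG`, the priority table stands in for a lookup in the Ubuntu CVE tracker, and the CVE identifiers are placeholders. The priority names follow the Ubuntu convention (negligible, low, medium, high, critical) and the RUN_RELEVANT_CHECK switch is an assumption.

```shell
#!/bin/sh
# Added example (not the project's apt-check-updates.sh): filter pending
# upgrades down to those referencing a CVE at or above a priority threshold.
set -u

# Rank of each priority name (Ubuntu convention); the threshold argument is
# accepted case-insensitively, so "High" from the wiki works. Unknown -> 0.
priority_rank() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        negligible) echo 1 ;;
        low)        echo 2 ;;
        medium)     echo 3 ;;
        high)       echo 4 ;;
        critical)   echo 5 ;;
        *)          echo 0 ;;
    esac
}

# Constructed priority table with placeholder CVE ids. On a real host this is
# where a lookup against the distribution's CVE tracker would go.
CVE_TABLE="CVE-0000-0001 high
CVE-0000-0002 low
CVE-0000-0003 medium"

# cve_priority CVE-ID -> priority name, or nothing if unknown
cve_priority() {
    printf '%s\n' "$CVE_TABLE" | awk -v id="$1" '$1 == id { print $2 }'
}

# relevant_cves CHANGELOG_TEXT THRESHOLD -> matching CVE ids, one per line
relevant_cves() {
    need=$(priority_rank "$2")
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u \
    | while read -r id; do
        rank=$(priority_rank "$(cve_priority "$id")")
        # unknown priorities (rank 0) never qualify, whatever the threshold
        if [ "$rank" -gt 0 ] && [ "$rank" -ge "$need" ]; then
            echo "$id"
        fi
    done
}

# Constructed stand-in for `apt list --upgradable` (package and version only).
PENDING="openssh-server 1:8.9p1-3ubuntu0.1
vim 2:8.2.3995-1ubuntu2.8
less 590-1ubuntu0.22.04.1"

# Constructed stand-in for `apt-get changelog PKG`, keyed by package name.
changelog_for() {
    case "$1" in
        openssh-server) printf '%s\n' "  * SECURITY UPDATE: placeholder entry" \
                                      "    - CVE-0000-0001" "    - CVE-0000-0002" ;;
        vim)            printf '%s\n' "  * SECURITY UPDATE: placeholder entry" \
                                      "    - CVE-0000-0003" ;;
        *)              printf '%s\n' "  * routine bug fixes, no CVE references" ;;
    esac
}

# relevant_updates THRESHOLD -> "package cve[,cve...]" per package that qualifies
relevant_updates() {
    printf '%s\n' "$PENDING" | while read -r pkg _ver; do
        cves=$(relevant_cves "$(changelog_for "$pkg")" "$1" | tr '\n' ',' | sed 's/,$//')
        if [ -n "$cves" ]; then
            echo "$pkg $cves"
        fi
    done
}

# Print the list when asked (assumed switch); the threshold defaults to High,
# matching the wiki's cron invocation.
if [ "${RUN_RELEVANT_CHECK:-0}" = 1 ]; then
    relevant_updates "${1:-High}"
fi
```

With the constructed data, `relevant_updates High` selects only openssh-server, `relevant_updates medium` adds vim, and `relevant_updates low` also lists the second openssh-server CVE; less never appears because its changelog references no CVE. The output is the kind of content a file such as /var/lib/apt-check-updates/list would hold, and the same per-package lines can be fed to an upgrade step that touches only those packages.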