Patch Management Solution


{CWoC} PatchAutomation - Automated patching with Full Test Life-cycle 

Jan 08, 2013 03:09 PM

[END OF "SUPPORT" NOTICE]

Hello everyone, after close to 5 years of maintaining various tools on Symantec Connect, this legacy is becoming more of a burden than anything else.

They are still a great set of tools and they all have their uses, but I am not going to maintain them anymore.

The source code for this tool may still change over time and can be found on GitHub: https://github.com/somewhatsomewhere?tab=repositories

[/END OF "SUPPORT" NOTICE]

Update: Just released version 10, which removes the ties to Altiris.PatchManagementCore.dll.

I have extended the ZeroDayPatch tool to meet a customer requirement to further automate patching operations.

With this tool we not only create policies automatically, we also follow a 3 step process:

  1. Stage the required bulletins and create a policy that targets a test group (Test phase)
  2. Check whether the policies in Test were created at least n days ago. If so, move the policies' target to a validation group (Validation phase)
  3. Check whether the policies in Validation were created at least m days ago. If so, move the policies' target to a production group (Production phase)
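The promotion logic behind these three steps, written out as an added example in Python. This is not the tool's own code (PatchAutomation is a .NET program) but a model of what it has to decide on each run: it applies the ">= n" calendar-day comparison described under /day2validation and /day2production in the command line help, so a policy created at 23:00 is already one day old at 00:05 the next morning; it accepts the phase target GUIDs with or without braces and in any case; and it swaps the policy name postfix using the English and French strings listed under the /fr switch. The three target GUIDs, the sample policy names and the assumption that the postfix is part of the policy name are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Placeholder GUIDs standing in for the three resource targets passed with
# /targetguid-test, /targetguid-validation and /targetguid-production.
# They are constructed for this example, not real Altiris targets.
TARGETS = {
    "test": "11111111-1111-1111-1111-111111111111",
    "validation": "22222222-2222-2222-2222-222222222222",
    "production": "33333333-3333-3333-3333-333333333333",
}
NEXT_PHASE = {"test": "validation", "validation": "production"}

# Policy name postfixes exactly as listed under the /fr switch.
POSTFIX = {
    "en": {"test": "Test Target", "validation": "Validation Target", "production": "Production Target"},
    "fr": {"test": "Cible de Test", "validation": "Cible de Validation", "production": "Cible de Production"},
}


def norm_guid(guid: str) -> str:
    """Compare GUIDs case-insensitively, with or without surrounding braces."""
    return guid.strip("{}").lower()


@dataclass
class Policy:
    name: str
    target_guid: str
    created: datetime


def phase_of(policy: Policy) -> str:
    """Derive the phase from the target the policy currently points at."""
    for phase, guid in TARGETS.items():
        if norm_guid(guid) == norm_guid(policy.target_guid):
            return phase
    raise ValueError(f"{policy.name}: target {policy.target_guid} is not one of the phase targets")


def age_in_days(created: datetime, now: datetime) -> int:
    """Whole calendar days between creation and now. This is the '>= n' rule
    from the help text: a policy created at 23:00 is already 1 day old at
    00:05 the next morning, however few minutes have actually elapsed."""
    return (now.date() - created.date()).days


def plan_retarget(policy: Policy, now: datetime, day2validation: int, day2production: int, lang: str = "en"):
    """Return (new_phase, new_target_guid, new_name) if the policy is due to
    move to the next phase, or None if it stays where it is."""
    phase = phase_of(policy)
    if phase == "production":
        return None                      # nothing comes after production
    threshold = day2validation if phase == "test" else day2production
    if age_in_days(policy.created, now) < threshold:
        return None
    nxt = NEXT_PHASE[phase]
    # Assumption: the phase postfix is part of the policy name and is swapped on re-targeting.
    new_name = policy.name.replace(POSTFIX[lang][phase], POSTFIX[lang][nxt])
    return nxt, TARGETS[nxt], new_name


def run(policies, now, day2validation, day2production, dryrun=True, lang="en"):
    """One pass over all policies, like one scheduled run of the tool. Returns
    the planned moves as (old name, old phase, new phase); with dryrun=False
    the Policy objects are updated in place, like a real run."""
    moves = []
    for p in policies:
        plan = plan_retarget(p, now, day2validation, day2production, lang)
        if plan is None:
            continue
        moves.append((p.name, phase_of(p), plan[0]))
        if not dryrun:
            p.target_guid, p.name = plan[1], plan[2]
    return moves


if __name__ == "__main__":
    # Constructed sample: a run at 2013-01-08 00:05 with /day2validation=1 /day2production=7
    now = datetime(2013, 1, 8, 0, 5)
    sample = [
        Policy("MS13-001 - Test Target", "{" + TARGETS["test"].upper() + "}", datetime(2013, 1, 7, 23, 0)),
        Policy("MS12-080 - Validation Target", TARGETS["validation"], datetime(2012, 12, 31, 9, 0)),
        Policy("MS12-077 - Production Target", TARGETS["production"], datetime(2012, 12, 1, 9, 0)),
    ]
    for move in run(sample, now, 1, 7):
        print(move)
```

The calendar-day comparison is the point to notice: with /day2validation=1 a policy created late in the evening is promoted by a run just after midnight, which is exactly the "few minutes" case the help text warns about. If that is not what you want, run the tool once a day at a fixed time, or use larger values.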

The conditions used to move policies from one phase to another are configurable, but here is a flow chart that explains the logic in detail:

Please remember to copy Altiris.PatchManagementCore.Web.dll to the directory where you unpacked PatchAutomation.exe. The tool is built against a specific version of that assembly, so use the build that matches your Patch Management version (see the version-specific downloads below); with a mismatched DLL the tool fails at start-up with "Could not load file or assembly 'Altiris.PatchManagementCore.Web, ...' The located assembly's manifest definition does not match the assembly reference."

And finally here is the command line documentation:

PatchAutomation (version 10) command line usage:

  /targetguid-test=<target_guid>
  /targetguid-validation=<target_guid>
  /targetguid-production=<target_guid>

    The 3 command line options above are mandatory and define the
    target used for each phase (Test, Validation, Production).

  /day2validation=<n>
  /day2production=<n>
    The 2 command line options above define the interval in days needed
    to move policies from one phase to the next. Days are matched using
    >= n, so if you set these to 1 (day) the policies created the day
    before will be re-targeted (so the interval could be as short as a
    few minutes if the tool runs at 2300 and again at 0005 the next day).

  /fr
    Switch the automatic policy names postfix from English to French like:
      * 'Test Target' <--> 'Cible de Test'
      * 'Validation Target' <--> 'Cible de Validation'
      * 'Production Target' <--> 'Cible de Production'

  /config=<file path>
    Reads the file at the provided path and parses each line as a
    command line option. Here is a sample config file:
      /severity=critical
      /custom-sp=CWoC_GetAllBulletins
      /vendor=google
      /dryrun
      /debug

  /test
    Run the automate in test mode only. At most 10 policies will be
    created in this mode.

  /dryrun
    Run the automate in dry run mode. No changes will be made to the
    system, but the expected operations will be printed to the console.

  /severity=<severity>|*
    Set the severity used to select the bulletins that will be handled
    by the automate. The * wildcard can be used to match all severities.

  /patchall
    Use this option if you want to manage bulletins from all vendors in
    the database. By default only Microsoft bulletins are handled.

  /released-before=<yyyy-MM-dd formatted date>
    Configure a date filter that includes bulletins released before the
    specified date. Defaults to the current date.

  /released-after=<yyyy-MM-dd formatted date>
    Configure a date filter that includes bulletins released after the
    specified date. Defaults to (current date - 1 year).

  /custom-sp=<sp_name>
    This option lets the user specify a custom stored procedure to be
    called during the execution. If the stored procedure does not exist
    in the database the automate returns without reporting an error, so
    check the name carefully. When present it must return the following
    columns, which are used and needed:
      * _resourceguid [Software bulletin guid]
      * released [Software bulletin release date]
      * bulletin [Bulletin name]
      * severity [Bulletin Severity]
    You can also add a vendor column if you want to filter bulletins by
    vendor (see option /vendor).

  /vendor=<vendor string>
    Configure a vendor filter so that only bulletins matching the vendor
    string returned by a custom procedure are handled. This is needed
    because the vendor field doesn't exist in the default Patch
    procedures used by this tool.

    If /vendor is specified with a custom-sp that doesn't return the
    vendor field, the setting is ignored (all bulletins will be
    returned).

  /debug
    Output extra information on the command line to allow debugging or
    reporting problems on Symantec Connect.

  /duplicates
    Use this option if you want the tool to generate duplicate policies.
    This is useful if you want, for example, to migrate policies from a
    parent to a child SMP without disruption.

    Note! Duplicated and new entries are added to the exclusion table
    in the database for safety reasons.

  /exclude-on-fail
    Use this option to add a bulletin to the exclusion table if it fails
    3 times during the staging or policy creation phases. If not used,
    the failing bulletin is only skipped.

  /version
    Print out the current version of the tool.

  /?
    Print this help message to the console (stdout).
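An added example of how the options above combine to select bulletins, written in Python and not taken from the tool itself: it parses `/name=value` tokens, expands `/config=<path>` one option per line, and applies the documented filters (severity with the `*` wildcard, the released-before/after window with its defaults, `/patchall` versus the Microsoft default, `/vendor` being ignored when the procedure returns no vendor column, the exclusion table unless `/duplicates` is set, and the 10-policy cap of `/test`) to a constructed result set shaped like the custom stored procedure contract. Everything marked as an assumption in the comments (the inclusive date window, that a missing `/severity` behaves like `*`, that `/vendor` overrides the Microsoft default, the sample rows and GUIDs) is the example's own, not documented behaviour of the tool.

```python
from datetime import date, timedelta

REQUIRED_COLUMNS = ("_resourceguid", "released", "bulletin", "severity")


def parse_options(argv, config_reader=None):
    """Turn '/name=value' and '/switch' tokens into a dict. '/config=<path>'
    is expanded where it appears: every non-empty line of the file is one
    option, so a later token on the command line overrides the file.
    config_reader(path) -> list of lines; defaults to reading the file."""
    if config_reader is None:
        def config_reader(path):
            with open(path, encoding="utf-8") as fh:
                return fh.read().splitlines()
    opts = {}
    for tok in argv:
        tok = tok.strip()
        if not tok.startswith("/"):
            continue
        key, _, value = tok[1:].partition("=")
        key = key.lower()
        if key == "config":
            opts.update(parse_options(config_reader(value), config_reader))
        else:
            opts[key] = value if value else True
    return opts


def select_bulletins(rows, opts, today, excluded=frozenset()):
    """Apply the documented filters to the rows a stored procedure returned.
    rows: dicts keyed by the SP contract columns (_resourceguid, released as a
    date, bulletin, severity, optional vendor). excluded: bulletin GUIDs from
    the exclusion table. Returns the rows the automate would stage, in order."""
    if rows:
        missing = [c for c in REQUIRED_COLUMNS if c not in rows[0]]
        if missing:
            raise ValueError(f"stored procedure result lacks column(s): {missing}")
    has_vendor = bool(rows) and "vendor" in rows[0]

    # Defaults as documented: before = today, after = today - 1 year
    # (365 days here, an approximation).
    before = date.fromisoformat(opts["released-before"]) if "released-before" in opts else today
    after = date.fromisoformat(opts["released-after"]) if "released-after" in opts else today - timedelta(days=365)
    severity = str(opts.get("severity", "*")).lower()  # assumption: no /severity behaves like '*'
    vendor = opts.get("vendor")
    patchall = bool(opts.get("patchall"))

    chosen = []
    for row in rows:
        if not (after <= row["released"] <= before):      # assumption: inclusive window
            continue
        if severity != "*" and row["severity"].lower() != severity:
            continue
        if has_vendor:                                     # /vendor is ignored without the column
            if vendor:
                if row["vendor"].lower() != str(vendor).lower():
                    continue
            elif not patchall and row["vendor"].lower() != "microsoft":
                continue                                   # assumption: /vendor overrides the Microsoft default
        if not opts.get("duplicates") and row["_resourceguid"].lower() in excluded:
            continue                                       # already handled; /duplicates re-creates it
        chosen.append(row)
    if opts.get("test"):
        chosen = chosen[:10]                               # /test caps the run at 10 policies
    return chosen


# Constructed sample result set, standing in for the stored procedure output.
TODAY = date(2013, 1, 8)
SAMPLE_ROWS = [
    {"_resourceguid": "a1", "released": date(2012, 12, 11), "bulletin": "MS12-001", "severity": "Critical", "vendor": "Microsoft"},
    {"_resourceguid": "a2", "released": date(2012, 12, 11), "bulletin": "MS12-002", "severity": "Important", "vendor": "Microsoft"},
    {"_resourceguid": "a3", "released": date(2013, 1, 3), "bulletin": "Chrome-151", "severity": "Critical", "vendor": "Google"},
    {"_resourceguid": "a4", "released": date(2011, 6, 14), "bulletin": "MS11-050", "severity": "Critical", "vendor": "Microsoft"},
    {"_resourceguid": "a5", "released": date(2012, 12, 12), "bulletin": "MS12-003", "severity": "Critical", "vendor": "Microsoft"},
]
EXCLUDED = frozenset({"a5"})  # MS12-003 already has a policy (exclusion table)


def staged_names(argv, config_lines=()):
    """Bulletin names the automate would stage for the given command line;
    config_lines stands in for the content of the /config file."""
    opts = parse_options(argv, config_reader=lambda _path: list(config_lines))
    return [r["bulletin"] for r in select_bulletins(SAMPLE_ROWS, opts, TODAY, EXCLUDED)]


if __name__ == "__main__":
    print(staged_names(["/severity=critical"]))                       # Microsoft only
    print(staged_names(["/severity=*", "/patchall"]))                 # all vendors
    print(staged_names(["/config=automate.cfg"], ["/severity=critical", "/vendor=google", "/dryrun"]))
```

Two practical checks fall out of this: run the stored procedure by hand and confirm it returns the columns above (a missing column is a hard error here, while the real tool silently returns nothing when the procedure is absent), and always do a `/dryrun` pass before the first scheduled run so the set of bulletins the filters select is visible before any policy is created.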

Document changes:

Version 1.1: Changed the attached file to PatchAutomation-0.6.3 (build from revision 747).

Version 1.2: Changed the image link to the full size version.

Version 1.3: Updated the command line help message, workflow and uploaded release 0.6.4 (built from revision 750).

Version 1.4: Added patch exclusion using a database table in build 0.6.6 (built from revision 770).

Version 1.5: Added /custom-sp feature to allow users to call-in their own stored procedure and better control the bulletins handled by the program (built from revision 777)

Version 1.6: Added /fr switch and /version and updated the documentation accordingly and uploaded release 0.6.9  (built from revision 787). Also moved the data from the original blog post to a proper download page which is better suited.

Version 1.7: Added /vendor and /config command line options. Uploaded custom stored procedure to provide the missing vendor field (needed with /vendor). Uploaded version 0.7.0 (built from revision 1499b791f1eb)

Version 1.8: Pulled a bug fix and some spelling corrections (58f95c9cd476 and ade2195063cc) from Brian Nelson and bumped the version to 0.7.1.

Version 1.9: Changed the numbering scheme, so we are now at version 8 and added a "/duplicates" switch. This allows you to generate duplicate policies if you need them, or brand new ones. Any policy created will then be added to the "patchautomation_excluded" table that we generate automatically now. This is useful if you want to transition existing policies to a new target, or as in my case, from hierarchy based to locally generated. Amended the command line /? print out to match those changes.

Version 2.0: Added Patch Automation version 10 (Built for 7.1 SP2 MP1.1) and documentation on the /exclude-on-fail switch.

Attachments (all uploaded Feb 25, 2020):

  cwoc_getallbulletins.sql_.txt (txt, 3 KB)
  PatchAutomation-0.7.1-release.zip (zip, 13 KB)
  PatchAutomation-v10-7.1-SP2-MP1.1.zip (zip, 17 KB)
  PatchAutomation-v8.zip (zip, 15 KB)


Comments

Nov 17, 2015 01:52 PM

After more research, it appears that the patchautomation-v10-7.5-sp1.exe ignores the first row returned by the stored procedure zerodaypatch_getvulnerablemachines-0003.    After altering the stored procedure to insert a dummy first row, a previously skipped bulletin was staged.

I can provide more information if you need it.

Mike

Oct 29, 2015 08:53 AM

Chrome-151 policy has been built.  I didn't change anything.   But its working, so I will leave it alone.  Thanks!


Oct 27, 2015 11:21 AM

Hello Mike,

I'm glad to see that almost 3 years after I wrote the tool it is still of use to people :D.

Looking at the data you have provided above I'd say the problem most likely lies in the stored procedure you use (ZeroDayPatch_GetVulnerableMachines-0003).

You should be able to run it and most likely it doesn't return the Google updates / bulletins.

Feel free to DM me or email me if you want to send me screenshots or SQL output.

Oct 27, 2015 11:06 AM

Ludovic -
Thanks for the wonderful utility!   This has saved me hours already, and I just implemented it last week.   

I do have something a little strange happening though.   So far, one patch will not process.  Chrome-151.   It isn't superseded, and it does apply to a large number of computers, and is not already installed.  Patches from vendors other than Microsoft are processing, and the utility does complete processing as seen by the 'see you soon' message in the logs.  Switches I am using are:

  /targetguid-test=46831A85-0E57-4DF2-BDE0-52C60E400E3E
  /targetguid-validation=5C59FA7C-418F-415A-8663-3C2815C1FCB1
  /targetguid-production=BB42A252-B6F4-4F99-BA17-91348391EB90
  /patchall
  /day2validation=2
  /day2production=7
  /severity=*
  /custom-sp=ZeroDayPatch_GetVulnerableMachines-0003

Can you point me in the right direction for troubleshooting? 

Thank you!

Mike

Feb 17, 2015 08:09 AM

Yes Mistral, you are correct.

They are in the publishing workflow now, so they should be available shortly (24~48 hours depending how busy Cherryl is).

But given 7.6 is not out yet I think waiting for the downloads for such a short time won't be a real issue ;).

Feb 17, 2015 06:49 AM

The last two links seem to be private:

We're sorry, but the author of this page has restricted access to it.

If you have questions about why you can't access this page, please contact us.

Feb 17, 2015 05:58 AM

Version 10 is out today for 7.1 and 7.5, whilst the 7.6 download is in the Connect publishing workflow now as well as a new utility: PatchExclusion (which helps handling the content of the exclusion table - also in the Connect publishing workflow):

Standard documentation and 7.1 builds:

7.5 Gold build (no longer supported)

7.5 SP1 builds:

7.6 Gold builds:

Patch Exclusion (7.1, 7.5 and 7.6 builds):

Enjoy, and let me know if you encounter any issue _and_ if all goes well (I'm not averse to good news ;)

Oct 24, 2013 07:53 AM

Fair enough.  I know I'm in a bit of a unique situation.  =]  In any case, I really appreciate your work on this tool.  It's proving to be quite helpful in our other Altiris environments where we handle things a bit more traditionally.


Thanks!

-Prep

Oct 23, 2013 04:32 PM

Hello Mr Preppie :D

Honestly I think it would be quite an undertaking and I'm not sure it would be worth it.

The #1 issue is that Patch is built around the Bulletin. So to filter out undesired updates from the bulletin would bring in a lot of complexity.

Also the automation process is quite flexible, and I think that if an update needs to be removed out of a policy this would be flagged and handled by the Patch Administrator.

Oct 22, 2013 02:49 PM

Questions about which updates are selected within each bulletin.  Right now every update is selected when a policy is created by the tool.  Any chance of only selecting the updates that are applicable?  Does that make sense?


Thanks!

Aug 31, 2013 01:18 AM

Message and file sent.

Note that I can't share the file directly here on Connect for legal reasons.

Aug 05, 2013 09:09 AM

Hello Sacheen,

I'm back from holidays, so I can send you references to the correct DLL version. I can't quite explain why it doesn't work, as other people have reported the issue and the same file (from my system) works.

Anyhow, please send me a personal message and I'll get you what you need.

:D.

Jul 30, 2013 05:49 AM

Hi Ludo,

I have just discovered this tool, but am having issues running it due to the version of the Altiris.PatchManagementCore.Web.dll. We have just updated to RU6.

PatchAutomate starting.
Caught exception Could not load file or assembly 'Altiris.PatchManagementCore.Web, Version=7.1.7580.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
InnerException=
StackTrace=   at Symantec.CWoC.PatchAutomate.RunAutomation()
   at Symantec.CWoC.PatchAutomate.Main(String[] args)

The version of the file I have is 7.1.7858.0

Thanks

Sacheen

Jul 10, 2013 04:18 PM

Solved my own problem (always a good thing, right?).  For the curious, the problem I was running into was I was expecting patchautomation.exe to offer something similar to zerodaypatch.exe, in that it would only pay attention to bulletins that my devices were vulnerable for.  It doesn't out of the box, but thanks to the /custom-sp switch, it can (and you don't even need to cook up your own custom sp).  All you need to do is run the zerodaypatch.exe from here https://www-secure.symantec.com/connect/downloads/patch-automation-tool-pms-71-sp2 with the /vulnerable switch.  That will install a custom stored procedure called "ZeroDayPatch_GetVulnerableMachines-0003".

Once you do that, you can then reference that stored procedure when using patchautomation.exe.

Jul 10, 2013 01:53 PM

So after playing with ZeroDayPatch.exe, I discovered this tool.  But I'm a little confused.  When I do a dryrun with zeroday, It says it's going to end up creating two or three policies.  But when I do a similar dryrun with patchautomation, says no policies will be created.  What am I missing?  Also, am I correct in presuming that the stored procedure attached to this article is the same as the one attached to the zerodaypatch.exe article?  Thanks in advance!

May 15, 2013 10:18 PM

This looks like a fantastic tool, and an answer to many end-user's requests :)

I think I have an issue though . . 

When trying to run it i get the following ..

Caught exception Could not load file or assembly 'Altiris.PatchManagementCore.Web, Version=7.1.7580.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

From what i can tell, it is having an issue with the version of the .DLL that i'm running on this server (Latest release)

Is there anything i can do to continue testing ?

How do i work around this in future when we update patch versions ?

Cheers all,

Mar 27, 2013 04:48 PM

Thanks to Brian Nelson we have a new version of Patch Automation that is cleaner (58f95c9cd476) and works as it should (ade2195063cc).

Thanks again Brian!!!

On a side note, I knew that git was a superior cvs to subversion, but experiencing it first hand was just amazing. A single pull from Brian clone and that was it :D.

It also demonstrates that having an open code repository helps improve the built software (and that many minds work better than just one) so this was kind of a great present for my 38th birthday (today).

Mar 26, 2013 07:06 AM

Hello Brian,

Sorry for the long delay coming back to you. My second daughter was born last month and I was off for a few weeks. It took me a while to get back in working order (I did a huge spring clean on my test lab and decided to change the way I work to be more efficient and closer to my customers where possible) but I should be able to work on this side project now.

Could you send me the patches via direct message? I'll be more than happy to merge them.

Mar 05, 2013 02:52 PM

Ludovic,

My assumption on the code was correct. I cloned your GIT repo and committed two changes to fix this problem as well as some typos. I hope you can merge the changes into your next release.

Brian


Mar 01, 2013 05:55 PM

Hmm... Now I've found a bad bug. It seems that whenever a policy is re-targeted, it is always targeted to the 'production' GUID, skipping the 'validation' GUID.

I *think* the problem is here:

https://code.google.com/p/ns-tooling-git/source/browse/PatchAutomation/PatchAutomation/PatchAutomation.cs#175

I'm pretty sure that statement needs to be made conditional of what 'stage' is happening to say what GUID to use. I only did a cursory glance at the code though, so I could be off base.

I wanted to try fixing/testing this myself, but after 4 hours of trying I couldn't figure out how to get the Altiris SDK bits into my Visual Studio to make the code compile.

Brian


Feb 28, 2013 10:18 AM

Ludovic,

Ah, yes. I was thinking it might be along those lines but had no idea how to get the proper GUID. The article you linked was very helpful! Now my patch policies are being targeted properly and everything seems good.

However, I have seen an intermittent crash in PatchAutomation:

Caught exception Unable to load the specified item (GUID:{...})
InnerException=System.Data.SqlClient.SqlException: Transaction (Process ID 76) was deadlocked on lock | communication buffer resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

The GUID listed has been different each time, and it does not seem to match a patch or target GUID. It's only happened three times so far out of about 20-25 total runs.

I haven't noticed any ill effects from the crash. Simply re-running the PatchAutomation job seems to work ok. I thought I'd post the info though in case it's helpful. If you want the full stack trace let me know and I'll PM it to you.

Cheers,

Brian

Feb 22, 2013 01:08 AM

Hello Brian,

The issue here is that when you use a filter with a policy it is turned into a target in the background, but there's an article I authored that should help you out here:

https://www-secure.symantec.com/connect/articles/how-create-report-return-resourcetarget-membership-user

Sorry there's no easy way to do this right now.

Regarding the released_after, that's clearly a typo. All command line options are hyphenated. I'll correct that a little later.


Feb 21, 2013 05:56 PM

Hello!

What do I use for the targetguid's? I've been trying to use the GUID of my patch group filters, but it doesn't seem to work. The program runs, and policies get created as expected, but they are targeted to nothing. I've tried putting the GUIDs both with and without {}'s and it seems to make no difference. Do they need quotes or anything?

Also, a slight bug, the documentation shows option "released_after" but the program actually seems to recognize option "released-after" (with a dash).

Thanks!

Brian

