
{CWoC} PatchAutomation - Automated patching with Full Test Life-cycle

Created: 08 Jan 2013 • Updated: 31 Aug 2013 | 16 comments
By Ludovic Ferre

Update: Just released version 8, which adds the /duplicates switch.

I have extended the ZeroDayPatch tool to meet a customer requirement to further automate patching operations.

With this tool we not only create policies automatically, but we also follow a 3-step process:

  1. Stage the required bulletins and create a policy that targets a test group (Test phase)
  2. Check whether policies in Test were created more than n days ago. If yes, move the policy's target to a validation group (Validation phase)
  3. Check whether policies in Validation were created more than m days ago. If yes, move the policy's target to a production group (Production phase)

The conditions used to move policies from one phase to another are configurable, but here is a flow chart that explains the logic in detail:
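The phase-promotion logic described above, as an added Python example that is not the tool's own C# code. It assumes each policy records when it entered its current phase, and the three target GUIDs are constructed placeholders standing in for the /targetguid-* values:

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical target GUIDs for the three phases, constructed for this example;
# in the real tool they come from /targetguid-test, -validation and -production.
TARGETS = {
    "test": "{11111111-1111-1111-1111-111111111111}",
    "validation": "{22222222-2222-2222-2222-222222222222}",
    "production": "{33333333-3333-3333-3333-333333333333}",
}
NEXT_PHASE = {"test": "validation", "validation": "production"}


@dataclass
class Policy:
    bulletin: str
    phase: str             # "test", "validation" or "production"
    phase_since: datetime  # when the policy entered its current phase (assumption)
    target_guid: str


def days_since(moment: datetime, now: datetime) -> int:
    """Calendar-day difference, as the help text describes for >= n matching:
    a policy created at 23:00 already counts as 1 day old at 00:05 next day."""
    return (now.date() - moment.date()).days


def promote(policy: Policy, now: datetime, day2validation: int,
            day2production: int, dryrun: bool = False) -> str:
    """Return the phase the policy should be in after this run, re-targeting
    it unless dryrun is set. The target GUID is chosen from the *next* phase,
    so a Test policy can never jump straight to Production."""
    if policy.phase not in NEXT_PHASE:      # production is the final phase
        return policy.phase
    threshold = day2validation if policy.phase == "test" else day2production
    if days_since(policy.phase_since, now) < threshold:
        return policy.phase                 # not old enough yet
    new_phase = NEXT_PHASE[policy.phase]
    if dryrun:
        print(f"[dryrun] {policy.bulletin}: {policy.phase} -> {new_phase} "
              f"target {TARGETS[new_phase]}")
        return new_phase
    policy.phase = new_phase
    policy.target_guid = TARGETS[new_phase]
    policy.phase_since = now
    return new_phase
```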

Please remember to copy the Altiris.PatchManagementCore.Web.dll to the directory where you have unpacked PatchAutomation.exe.

And finally here is the command line documentation:

PatchAutomate (version=8) command line usage:

  /targetguid-test=<target_guid>
  /targetguid-validation=<target_guid>
  /targetguid-production=<target_guid>

    The 3 command line options above are mandatory and used to define
    the target used with each phase (Test, Validation, Production).

  /day2validation=<n>
  /day2production=<n>
    The 2 command line options above define the interval in days necessary
    to move policies from one phase to the next. The days are matched using
    >= n, so if you set these to 1 (day) the policies created the day
    before will be re-targeted (so the interval could be as low as a
    few minutes if the tool runs at 2300 and again at 0005 the next day).

  /fr
    Switch the automatic policy names postfix from English to French like:
      * 'Test Target' <--> 'Cible de Test'
      * 'Validation Target' <--> 'Cible de Validation'
      * 'Production Target' <--> 'Cible de Production'

  /config=<file path>
    Reads the file at the provided path and parses each line for
    command line options. Here is a sample config file content:
      /severity=critical
      /custom-sp=CWoC_GetAllBulletins
      /vendor=google
      /dryrun
      /debug

  /test
    Run the automate in test mode only. A maximum of 10 policies will
    be created in this mode.

  /dryrun
    Run the automate in dry run mode. No changes will be made to the
    system, but the expected operations will be printed to the console.

  /severity=<severity>|*
    Set the severity used to select bulletins that will be handled by
    the automate. The * wildcard can be used to match all severities.

  /patchall
    Use this command line if you want to manage bulletins from all
    vendors in the database. By default we only handle Microsoft
    bulletins.

  /released-before=<yyyy-MM-dd formatted date>
    Configure a date filter that will include bulletins released before
    the specified date. It is set by default to the current date.

  /released-after=<yyyy-MM-dd formatted date>
    Configure a date filter that will include bulletins released after
    the specified date. It is set by default to (current date - 1 year).

  /custom-sp=<sp_name>
    This option allows the user to specify a custom stored procedure to
    be called during the execution. The stored procedure may be absent
    from the database (in that case the automate returns with no errors);
    when present it must contain the following columns, which are used and needed:
      * _resourceguid [Software bulletin guid]
      * released [Software bulletin release date]
      * bulletin [Bulletin name]
      * severity [Bulletin Severity]
    You can also add a vendor column if you want to filter bulletins by
    vendor (see option /vendor).

  /vendor=<vendor string>
    Configure a vendor filter to only return bulletins that match the
    vendor string from a custom procedure. This is because the vendor
    field doesn't exist in default Patch Procedures used by this tool.

    If /vendor is specified with a custom-sp that doesn't contain the
    vendor field the setting will be ignored (all bulletins will be
    returned).

  /debug
    Output extra information on the command line to allow debugging or
    reporting problems to Symantec Connect.

  /duplicates
    Use this command if you want the tool to generate duplicate
    policies. This is useful if you want, for example, to migrate
    policies from a parent to a child SMP without disruption.

     Note! Duplicated and new entries will be added to the exclusion
     table in the database for safety reasons.

  /version
    Print out the current version of the tool.

  /?
    Print this help message to the console (stdout).
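As an added example that is not part of the tool, the bulletin selection rules behind /severity, /vendor, /released-after, /released-before and /test applied in Python to constructed rows shaped like the custom stored procedure output described above. The inclusive date bounds, the case-insensitive matching and the row layout are assumptions:

```python
from datetime import date, timedelta


def row(guid, released, bulletin, severity, vendor=None):
    # Row shaped like the required stored-procedure columns; vendor is optional.
    r = {"_resourceguid": guid, "released": released,
         "bulletin": bulletin, "severity": severity}
    if vendor is not None:
        r["vendor"] = vendor
    return r


# Constructed sample rows; GUIDs and bulletin names are made up for this example.
SAMPLE_ROWS = [
    row("{0001}", date(2013, 1, 2), "MS13-001", "Critical", "Microsoft"),
    row("{0002}", date(2013, 1, 3), "MS13-002", "Important", "Microsoft"),
    row("{0003}", date(2012, 12, 20), "GOOG-2012-12", "Critical", "Google"),
    row("{0004}", date(2011, 12, 1), "MS11-099", "Critical", "Microsoft"),
    row("{0005}", date(2013, 2, 1), "MS13-010", "Critical", "Microsoft"),
]


def one_year_before(day):
    """Default /released-after value: current date minus one year."""
    try:
        return day.replace(year=day.year - 1)
    except ValueError:            # 29 Feb has no counterpart the year before
        return day - timedelta(days=365)


def select_bulletins(rows, today, severity="critical", vendor=None,
                     released_after=None, released_before=None, test=False):
    """Apply the /severity, /vendor, /released-after, /released-before and
    /test filters to stored-procedure rows and return the matching rows."""
    after = released_after or one_year_before(today)
    before = released_before or today
    selected = []
    for r in rows:
        if severity != "*" and r["severity"].lower() != severity.lower():
            continue
        # /vendor is only honoured when the procedure returns a vendor column;
        # otherwise it is ignored and all vendors pass, as the help text says.
        if vendor and "vendor" in r and r["vendor"].lower() != vendor.lower():
            continue
        if not (after <= r["released"] <= before):   # inclusive bounds (assumption)
            continue
        selected.append(r)
        if test and len(selected) == 10:   # /test caps the run at 10 policies
            break
    return selected
```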

Document changes:

Version 1.1: Changed the attached file to PatchAutomation-0.6.3 (build from revision 747).

Version 1.2: Changed the image link to the full size version.

Version 1.3: Updated the command line help message, workflow and uploaded release 0.6.4 (built from revision 750).

Version 1.4: Added patch exclusion using a database table in build 0.6.6 (built from revision 770).

Version 1.5: Added /custom-sp feature to allow users to call in their own stored procedure and better control the bulletins handled by the program (built from revision 777).

Version 1.6: Added /fr switch and /version and updated the documentation accordingly and uploaded release 0.6.9 (built from revision 787). Also moved the data from the original blog post to a proper download page which is better suited.

Version 1.7: Added /vendor and /config command line options. Uploaded custom stored procedure to provide the missing vendor field (needed with /vendor). Uploaded version 0.7.0 (built from revision 1499b791f1eb).

Version 1.8: Pulled a bug fix and some spelling corrections (58f95c9cd476 and ade2195063cc) from Brian Nelson and bumped the version to 0.7.1.

Version 1.9: Changed the numbering scheme, so we are now at version 8 and added a "/duplicates" switch. This allows you to generate duplicate policies if you need them, or brand new ones. Any policy created will then be added to the "patchautomation_excluded" table that we generate automatically now. This is useful if you want to transition existing policies to a new target, or as in my case, from hierarchy based to locally generated. Amended the command line /? print out to match those changes.

Comments (16)

Brian Nelson wrote:

Hello!

What do I use for the targetguid's? I've been trying to use the GUID of my patch group filters, but it doesn't seem to work. The program runs, and policies get created as expected, but they are targeted to nothing. I've tried putting the GUIDs both with and without {}'s and it seems to make no difference. Do they need quotes or anything?

Also, a slight bug, the documentation shows option "released_after" but the program actually seems to recognize option "released-after" (with a dash).

Thanks!

Brian

Ludovic Ferre wrote:

Hello Brian,

The issue here is that when you use a filter with a policy it is turned into a target in the background, but there's an article I authored that should help you out here:

https://www-secure.symantec.com/connect/articles/how-create-report-return-resourcetarget-membership-user

Sorry there's no easy way to do this right now.

Regarding the released_after, that's clearly a typo. All command line options are hyphenated. I'll correct that a little later.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

Brian Nelson wrote:

Ludovic,

Ah, yes. I was thinking it might be along those lines but had no idea how to get the proper GUID. The article you linked was very helpful! Now my patch policies are being targeted properly and everything seems good.

However, I have seen an intermittent crash in PatchAutomation:

Caught exception Unable to load the specified item (GUID:{...})
InnerException=System.Data.SqlClient.SqlException: Transaction (Process ID 76) was deadlocked on lock | communication buffer resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

The GUID listed has been different each time, and it does not seem to match a patch or target GUID. It's only happened three times so far out of about 20-25 total runs.

I haven't noticed any ill effects from the crash. Simply re-running the PatchAutomation job seems to work ok. I thought I'd post the info though in case it's helpful. If you want the full stack trace let me know and I'll PM it to you.

Cheers,

Brian

Brian Nelson wrote:

Hmm... Now I've found a bad bug. It seems that whenever a policy is re-targeted, it is always targeted to the 'production' GUID, skipping the 'validation' GUID.

I *think* the problem is here:

https://code.google.com/p/ns-tooling-git/source/browse/PatchAutomation/PatchAutomation/PatchAutomation.cs#175

I'm pretty sure that statement needs to be made conditional of what 'stage' is happening to say what GUID to use. I only did a cursory glance at the code though, so I could be off base.

I wanted to try fixing/testing this myself, but after 4 hours of trying I couldn't figure out how to get the Altiris SDK bits into my Visual Studio to make the code compile.

Brian

Brian Nelson wrote:

Ludovic,

My assumption on the code was correct. I cloned your GIT repo and committed two changes to fix this problem as well as some typos. I hope you can merge the changes into your next release.

Brian

Ludovic Ferre wrote:

Hello Brian,

Sorry for the long delay coming back to you. My second daughter was born last month and I was off for a few weeks. It took me a while to get back in working order (I did a huge spring clean on my test lab and decided to change the way I work to be more efficient and closer to my customers where possible) but I should be able to work on this side project now.

Could you send me the patches via direct message? I'll be more than happy to merge them.

Ludovic Ferre wrote:

Thanks to Brian Nelson we have a new version of Patch Automation that is cleaner (58f95c9cd476) and works as it should (ade2195063cc).

Thanks again Brian!!!

On a side note, I knew that git was a superior cvs to subversion, but experiencing it first hand was just amazing. A single pull from Brian's clone and that was it :D.

It also demonstrates that having an open code repository helps improve the built software (and that many minds work better than just one) so this was kind of a great present for my 38th birthday (today).

AussieConsult wrote:

This looks like a fantastic tool, and an answer to many end-user's requests :)

I think I have an issue though . . 

When trying to run it I get the following:

Caught exception Could not load file or assembly 'Altiris.PatchManagementCore.Web, Version=7.1.7580.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

From what I can tell, it is having an issue with the version of the .DLL that I'm running on this server (latest release).

Is there anything I can do to continue testing?

How do I work around this in future when we update patch versions?

Cheers all,

Preppietechie wrote:

So after playing with ZeroDayPatch.exe, I discovered this tool.  But I'm a little confused.  When I do a dryrun with zeroday, It says it's going to end up creating two or three policies.  But when I do a similar dryrun with patchautomation, says no policies will be created.  What am I missing?  Also, am I correct in presuming that the stored procedure attached to this article is the same as the one attached to the zerodaypatch.exe article?  Thanks in advance!

Preppietechie wrote:

Solved my own problem (always a good thing, right?).  For the curious, the problem I was running into was I was expecting patchautomation.exe to offer something similar to zerodaypatch.exe, in that it would only pay attention to bulletins that my devices were vulnerable for.  It doesn't out of the box, but thanks to the /custom-sp switch, it can (and you don't even need to cook up your own custom sp).  All you need to is run the zerodaypatch.exe from here https://www-secure.symantec.com/connect/downloads/patch-automation-tool-pms-71-sp2 with the /vulnerable switch.  That will install a custom stored procedure called "ZeroDayPatch_GetVulnerableMachines-0003".

Once you do that, you can then reference that stored procedure when using patchautomation.exe.

sganatra wrote:

Hi Ludo,

I have just discovered this tool, but am having issues running it due to the version of the Altiris.PatchManagementCore.Web.dll. We have just updated to RU6.

PatchAutomate starting.
Caught exception Could not load file or assembly 'Altiris.PatchManagementCore.Web, Version=7.1.7580.0, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
InnerException=
StackTrace=   at Symantec.CWoC.PatchAutomate.RunAutomation()
   at Symantec.CWoC.PatchAutomate.Main(String[] args)

The version of the file I have is 7.1.7858.0

Thanks

Sacheen

Ludovic Ferre wrote:

Hello Sacheen,

I'm back from holidays, so I can send you references to the correct DLL version. I can't quite explain why it doesn't work, as other people have reported the issue and the same file (from my system) works.

Anyhow, please send me a personal message and I'll get you what you need.

:D.

Ludovic Ferre wrote:

Message and file sent.

Note that I can't share the file directly here on Connect for legal reasons.

Preppietechie wrote:

Questions about which updates are selected within each bulletin.  Right now every update is selected when a policy is created by the tool.  Any chance of only selecting the updates that are applicable?  Does that make sense?

Thanks!

Ludovic Ferre wrote:

Hello Mr Preppie :D

Honestly I think it would be quite an undertaking and I'm not sure it would be worth it.

The #1 issue is that Patch is built around the Bulletin. So to filter out undesired updates from the bulletin would bring in a lot of complexity.

Also the automation process is quite flexible, and I think that if an update needs to be removed out of a policy this would be flagged and handled by the Patch Administrator.

Preppietechie wrote:

Fair enough.  I know I'm in a bit of a unique situation.  =]  In any case, I really appreciate your work on this tool.  It's proving to be quite helpful in our other Altiris environments where we handle things a bit more traditionally.

Thanks!

-Prep
