flrtvc – Generate FLRTVC report, download and install security and HIPER fixes.

Synopsis

Applies known security and HIPER (High Impact PERvasive) fixes on your system based on its inventory ensuring the systems are at supported and secure levels.

It downloads and uses the Fix Level Recommendation Tool Vulnerability Checker script to generate a report. It parses this report, downloads the required fixes, extracts the files and checks their versions against installed software levels. It also checks for file locking preventing fix installation. It rejects fixes that do not match these requirements and installs the remaining.

In case of inter-locking file(s) you might want run against the task.

You will get the list of installed and rejected fixes in the results meta data.

Requirements

The below requirements are needed on the host that executes this module.

  • AIX >= 7.1 TL3

  • Python >= 2.7

  • Privileged user with authorizations: aix.fs.manage.change,aix.system.install

Parameters

apar (optional, str, None)

Type of APAR to check against.

sec stands for Security vulnerabilities.

hiper stands for Corrections to High Impact PERvasive threats.

all has the same behavior as None hence both sec and hiper vulnerabilities.

filesets (optional, str, None)

Filter filesets for specific phrase. Only fixes that apply to filesets matching the specified phrase will be checked and so updated.

csv (optional, str, None)

Path to a APAR CSV file containing the description of the sec and hiper fixes.

This file is usually transferred from the Fix Central server; you can avoid this rather big transfer by specifying the path to an already transferred file.

path (optional, str, /var/adm/ansible)

Specifies the directory to save the FLRTVC report.

All temporary files such as installed filesets, fixes listings and downloaded fixes files are stored in the working subdirectory named ‘path/work’.

save_report (optional, bool, False)

Specifies to save the FLRTVC report in file ‘path/flrtvc.txt’.

verbose (optional, bool, False)

Generate full FLRTVC reporting (verbose mode).

It runs the FLRTVC script a second time to save the full report into file. So this option impacts the execution performance.

force (optional, bool, False)

Specifies to remove currently installed ifix before running the FLRTVC script.

clean (optional, bool, False)

Cleanup working directory ‘path/work’ with all temporary and downloaded files at the end of execution.

check_only (optional, bool, False)

Specifies to only check if fixes are already applied on the targets.

No download or installation operations will be performed.

download_only (optional, bool, False)

Specifies to perform check and download operation only.

No installation will be performed.

extend_fs (optional, bool, True)

Specifies to increase filesystem size of the working directory when extra space is needed.

When set, a filesystem could have increased while the task returns changed=False.

Notes

Note

Examples

- name: Download patches for security vulnerabilities
  flrtvc:
    apar: sec
    path: /usr/sys/inst.images
    download_only: yes

- name: Install both sec and hyper patches for all filesets starting with devices.fcp
  flrtvc:
    filesets: devices.fcp.*
    path: /usr/sys/inst
    save_report: yes
    verbose: yes
    force: no
    clean: no

Return Values

msg (always, str, FLRTVC completed successfully)

The execution message.

meta (always, dict, {‘meta’: {‘0.report’: [‘Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required| Last Update|Fixed In’, ‘bos.net.tcp.client_core|7.2.3.15|sec||NOT FIXED - There is a vulnerability in FreeBSD that affects AIX.|7.2.3.0-7.2.3.15| IJ09625 / CVE-2018-6922|http://aix.software.ibm.com/aix/efixes/security/freebsd_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/freebsd_fix.tar|CVE-2018-6922:7.5|NO|11/08/2018|7200-03-03’, ‘…’], ‘1.parse’: [‘ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix12.tar’, ‘ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar’, ‘…’], ‘2.discover’: [‘ntp_fix12/IJ17059m9b.190719.epkg.Z’, ‘ntp_fix12/IJ17060m9a.190628.epkg.Z’, ‘…’, ‘tcpdump_fix4/IJ12978s9a.190215.epkg.Z’, ‘tcpdump_fix4/IJ12978sBa.190215.epkg.Z’, ‘…’], ‘3.download’: [‘/usr/sys/inst.images/tardir/ntp_fix12/IJ17059m9b.190719.epkg.Z’, ‘/usr/sys/inst.images/tardir/ntp_fix12/IJ17060m9a.190628.epkg.Z’, ‘…’, ‘/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978s9a.190215.epkg.Z’, ‘/usr/sys/inst.images/tardir/tcpdump_fix4/IJ12978sBa.190215.epkg.Z’, ‘…’], ‘4.1.reject’: [‘102p_fix: prerequisite openssl.base levels do not satisfy condition string: 1.0.2.1600 =< 1.0.2.1500 =< 1.0.2.1600’, ‘…’, ‘IJ12983m2a: locked by previous efix to install’, ‘…’, ‘IJ17059m9b: prerequisite missing: ntp.rte’, ‘…’], ‘4.2.check’: [‘/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z’, ‘…’], ‘5.install’: [‘/usr/sys/inst.images/tardir/tcpdump_fix5/IJ20785s2a.191119.epkg.Z’, ‘…’], ‘messages’: [‘a previous efix to install will lock a file of IJ20785s3a preventing its installation, install it manually or run the task again.’, ‘…’]}})

Detailed information on the module execution.

messages (always, list, see sample of meta)

Details on errors/warnings

0.report (if the FLRTVC script succeeds, list, see sample of meta)

Output of the FLRTVC script, report and details on flrtvc error if any.

1.parse (if the FLRTVC report parsing succeeds, list, see sample of meta)

List of URLs to download and details on parsing error if any.

2.discover (if the URL downloads and epkgs listing succeed, list, see sample of meta)

List of epkgs found in URLs.

URLs can be eFix or tar files or directories needing parsing.

3.download (if download operation succeeds, list, see sample of meta)

List of downloaded epkgs.

4.1.reject (if check succeeds, list, see sample of meta)

List of epkgs rejected. Can be because installed levels do not match ifix required levels or because a file is or will be locked by an other ifix installation.

You should refer to messages or to log file for very detailed reason.

4.2.check (if check succeeds, list, see sample of meta)

List of epkgs matching the prerequisites and trying to install.

5.install (if install succeeds, list, see sample of meta)

List of epkgs actually installed on the system.

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by community.

Authors

  • AIX Development Team (@pbfinley1911)