IBM / ansible-power-aix

Developer contributions for Ansible Automation on Power
https://ibm.github.io/ansible-power-aix/
GNU General Public License v3.0

Subject: ibm.power_aix.flrtvc: module downloads the fixes, but does not install them on the system. #422

Closed Indfern closed 8 months ago

Indfern commented 8 months ago

Describe the bug
I'm using the ibm.power_aix.flrtvc module to identify and fix vulnerabilities in AIX.

My Goal:

1.) Generate vulnerability reports for the p10test host group. (Successful)
2.) Fix vulnerabilities wherever they exist in the p10test host group. (Facing issues)

Background Details.

apa alias details:
[root@txansible01 Aix]# alias apa
alias apa='ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook -i inventory'
[root@txansible01 Aix]#

Inventory details:
[p10test]
txulp10atest ansible_host=10.0.12.91
txulp10btest ansible_host=10.0.12.128

I inject values for variables at playbook run time.

Steps I'm carrying out.

1.) Generate the report for the servers. Here, I use "check_only: yes", so no download happens.

[root@txansible01 Aix]# cat flrtVC-chk.yml

Running the playbook.
[root@txansible01 Aix]# apa flrtVC-chk.yml -e host=p10test

PLAY [Provide applicable security and HIPER fixes report for p10test host(s) and/or group(s)] *
TASK [Provide FLRT VC Report] *****
ok: [txulp10atest]
ok: [txulp10btest]

PLAY RECAP ****
txulp10atest : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
txulp10btest : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[root@txansible01 Aix]#

2.) Then I checked the report.
txulp10atest:/var/adm/ansible# pwd
/var/adm/ansible
txulp10atest:/var/adm/ansible# ls -ltr
total 40
drwxr--r-- 3 root system  4096 Mar  8 11:05 work
-rw-r--r-- 1 root system 12918 Mar  8 11:06 flrtvc.txt
txulp10atest:/var/adm/ansible#

I can see there are a total of 19 vulnerabilities found.
txulp10atest:/var/adm/ansible# cat flrtvc.txt
////////////////////////////////////////////////////////////
// IBM FLRTVC (v0.8.8) Report
// Server: txulp10atest
// Date: Fri Mar 8 11:06:14 CST 2024
// Report by: root
// Vulnerable Filesets: 16
// Total Vulnerabilities: 19
// Total Fixes (not shown): 16
////////////////////////////////////////////////////////////

Out of the 19, 11 are related to SP/ML upgrades, but 8 seem to be OK to fix on the current OS version.


invscout.rte - 2.2.0.23 - Vulnerabilities (2)

(1) NOT FIXED - AIX is vulnerable to arbitrary command execution due to invscout

 Type:         sec
 Score:        8.4
 Versions:     2.2.0.0-2.2.0.23
 APARs/CVEs:   CVE-2023-28528
 Last Update:  04/12/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/invscout_advisory4.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/invscout_fix4.tar
 Fixed In:     See Bulletin

(2) NOT FIXED - AIX is vulnerable to arbitrary command execution due to invscout

 Type:         sec
 Score:        8.4
 Versions:     2.2.0.0-2.2.0.24
 APARs/CVEs:   CVE-2023-45168
 Last Update:  11/30/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/invscout_advisory5.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/invscout_fix5.tar
 Fixed In:     See Bulletin


ntp.rte - 7.4.2.8153 - Vulnerabilities (1)

(1) NOT FIXED - AIX is vulnerable to a denial of service due to NTP

 Type:         sec
 Score:        CVE-2023-26551:5.3 CVE-2023-26552:5.3 CVE-2023-26553:5.3 CVE-2023-26554:5.3
 Versions:     7.4.2.8100-7.4.2.8153
 APARs/CVEs:   CVE-2023-26551 / CVE-2023-26552 / CVE-2023-26553 / CVE-2023-26554
 Last Update:  10/05/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/ntp_advisory14.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar
 Fixed In:     See Bulletin

openssh.base.client - 8.1.102.2106 - Vulnerabilities (1)

(1) NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH

 Type:         sec
 Score:        CVE-2023-38408:8.1 CVE-2023-40371:6.2
 Versions:     8.1.102.0-8.1.102.2106
 APARs/CVEs:   38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371
 Last Update:  08/23/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
 Fixed In:     See Bulletin

openssh.base.server - 8.1.102.2106 - Vulnerabilities (1)

(1) NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH

 Type:         sec
 Score:        CVE-2023-38408:8.1 CVE-2023-40371:6.2
 Versions:     8.1.102.0-8.1.102.2106
 APARs/CVEs:   38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371
 Last Update:  08/23/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
 Fixed In:     See Bulletin

openssl.base - 1.1.2.2200 - Vulnerabilities (1)

(1) NOT FIXED - AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL

 Type:         sec
 Score:        CVE-2023-5363:5.9 CVE-2023-5678:3.7 CVE-2023-6129:5.9 CVE-2023-6237:3.1
 Versions:     1.1.2.0-1.1.2.2200
 APARs/CVEs:   CVE-2023-5363 / CVE-2023-5678 / CVE-2023-6129 / CVE-2023-6237
 Last Update:  01/26/2024
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/openssl_advisory40.asc
 Download:     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
 Fixed In:     See Bulletin

(2) NOT FIXED - AIX is vulnerable to sensitive information exposure due to Perl - CVE-2023-31484

 Type:         sec
 Score:        6.8
 Versions:     5.28.0.0-5.28.1.6
 APARs/CVEs:   CVE-2023-31484
 Last Update:  11/02/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/perl_advisory7.asc
 Download:     https://www.ibm.com/resources/mrs/assets?source=aixbp
 Fixed In:     See Bulletin

(3) NOT FIXED - AIX is vulnerable to sensitive information exposure due to Perl - CVE-2023-2331486

 Type:         sec
 Score:        6.8
 Versions:     5.28.0.0-5.28.1.7
 APARs/CVEs:   CVE-2023-31486
 Last Update:  11/02/2023
 Bulletin:     https://aix.software.ibm.com/aix/efixes/security/perl_advisory7.asc
 Download:     https://www.ibm.com/resources/mrs/assets?source=aixbp
 Fixed In:     See Bulletin

3.) Then I ran another playbook to fix the issues.

[root@txansible01 Aix]# cat flrtVC-patch.yml

Here I put "check_only: no" to install the fixes. Also, I did not specify the "filesets" key, since I need to install all the fixes, whatever is applicable.

Running the playbook.
apa flrtVC-patch.yml -e host=p10test

The summary shows a changed status for host txulp10atest, which suggests it is patched.

[root@txansible01 Aix]# apa flrtVC-patch.yml -e host=p10test
PLAY [Patch security and HIPER fixes of p10test host(s) and/or group(s)] **
TASK [Downloading & Patching security and HIPER fixes of p10test. Can take extensive amount of time depending on the number of fixes & the size] *
changed: [txulp10atest]
changed: [txulp10btest]

PLAY RECAP **
txulp10atest : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
txulp10btest : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[root@txansible01 Aix]#

I can see the flrtvc.txt file has an updated time stamp as well.
txulp10atest:/var/adm/ansible# ls -ltr
total 40
-rw-r--r-- 1 root system 12918 Mar  8 11:26 flrtvc.txt
drwxr--r-- 4 root system  4096 Mar  8 11:30 work
txulp10atest:/var/adm/ansible#

But the issue is that it still says nothing is fixed.

txulp10atest:/var/adm/ansible# ls -ltr
total 40
-rw-r--r-- 1 root system 12918 Mar  8 11:26 flrtvc.txt
drwxr--r-- 4 root system  4096 Mar  8 11:30 work
txulp10atest:/var/adm/ansible#
txulp10atest:/var/adm/ansible# cat flrtvc.txt|head -20
////////////////////////////////////////////////////////////
// IBM FLRTVC (v0.8.8) Report
// Server: txulp10atest
// Date: Fri Mar 8 11:26:53 CST 2024
// Report by: root
// Vulnerable Filesets: 16
// Total Vulnerabilities: 19
// Total Fixes (not shown): 16
////////////////////////////////////////////////////////////

Also, I can see it has downloaded some fixes to the system as well, inside the work folder. I believe these are the fixes applicable to the system.

txulp10atest:/var/adm/ansible# pwd
/var/adm/ansible
txulp10atest:/var/adm/ansible# ls -ltr
total 40
-rw-r--r-- 1 root system 12918 Mar  8 11:26 flrtvc.txt
drwxr--r-- 4 root system  4096 Mar  8 11:30 work
txulp10atest:/var/adm/ansible# ls -ltr work
total 827528
-rw-r--r-- 1 root system   9144320 Apr 12  2023 invscout_fix4.tar
-rw-r--r-- 1 root system   1090615 Apr 24  2023 IJ46542s1a.230424.AIX73TL01SP01.epkg.Z
-rw-r--r-- 1 root system   1091537 Apr 24  2023 IJ46541s5a.230424.AIX72TL05SP05.epkg.Z
-rw-r--r-- 1 root system   1091730 Apr 24  2023 IJ46487s3a.230424.AIX73TL00SP03.epkg.Z
-rw-r--r-- 1 root system   1091799 Apr 26  2023 IJ46487s2a.230425.AIX73TL00SP02.epkg.Z
-rw-r--r-- 1 root system   1091526 Apr 26  2023 IJ46487s1a.230425.AIX73TL00SP01.epkg.Z
-rw-r--r-- 1 root system   1091891 Apr 26  2023 IJ46576s4a.230426.AIX72TL05SP04.epkg.Z
-rw-r--r-- 1 root system   1093806 May  3  2023 IJ46541s6a.230503.AIX72TL05SP06.epkg.Z
-rw-r--r-- 1 root system   1092523 May  3  2023 IJ46542s2a.230503.AIX73TL01SP02.epkg.Z
-rw-r--r-- 1 root system    148746 Jun  1  2023 IJ46727s2a.230509.AIX73TL01SP02.epkg.Z
-rw-r--r-- 1 root system    146617 Jun  1  2023 IJ46694s6a.230509.VIOS3.1.4.20-21.epkg.Z
-rw-r--r-- 1 root system    146617 Jun  1  2023 IJ46694s6a.230509.AIX72TL05SP06.epkg.Z
-rw-r--r-- 1 root system  27258880 Aug 23  2023 openssh_fix15.tar
-rw-r--r-- 1 root system   8355840 Oct  5 11:02 ntp_fix14.tar
-rw-r--r-- 1 root system  32194560 Oct 12 09:02 libxml2_fix5.tar
-rw-r--r-- 1 root system   9144320 Nov 30 11:02 invscout_fix5.tar
-rw-r--r-- 1 root system   6010880 Dec 18 10:02 bind_fix25.tar
-rw-r--r-- 1 root system     71680 Dec 18 10:02 aixwindows_fix.tar
-rw-r--r-- 1 root system 192122880 Jan  9 15:02 kernel_fix6.tar
-rw-r--r-- 1 root system 125890560 Jan 25 15:02 openssl_fix40.tar
-rw-r--r-- 1 root system   4147200 Feb  2 14:02 printers_fix.tar
-rw-r--r-- 1 root system     15534 Mar  5 21:11 FLRTVC-latest.zip
drwxr-xr-x 10 root system      256 Mar  5 21:17 tardir
-rw-r--r-- 1 root system         0 Mar  8 11:25 emgr.txt
-rw-r--r-- 1 root system    116640 Mar  8 11:25 lslpp.txt
drwxr-xr-x 3 root system       256 Mar  8 11:30 flrtvc_lpp_source
txulp10atest:/var/adm/ansible#

To Reproduce
Steps to reproduce the behavior:

1.) Run the patching playbook.

Here I put "check_only: no" to install the fixes. Also, I did not specify the "filesets" key, since I need to install all the fixes, whatever is applicable.

Running the playbook.
apa flrtVC-patch.yml -e host=p10test

The summary shows a changed status for host txulp10atest, which suggests it is patched.

[root@txansible01 Aix]# apa flrtVC-patch.yml -e host=p10test
PLAY [Patch security and HIPER fixes of p10test host(s) and/or group(s)] **
TASK [Downloading & Patching security and HIPER fixes of p10test. Can take extensive amount of time depending on the number of fixes & the size] *
changed: [txulp10atest]
changed: [txulp10btest]

PLAY RECAP **
txulp10atest : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
txulp10btest : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[root@txansible01 Aix]#

2.) Observe the FLRT report. You can see the patches still have not been applied to the system. I can see the flrtvc.txt file has an updated time stamp as well.
txulp10atest:/var/adm/ansible# ls -ltr
total 40
-rw-r--r-- 1 root system 12918 Mar  8 11:26 flrtvc.txt
drwxr--r-- 4 root system  4096 Mar  8 11:30 work
txulp10atest:/var/adm/ansible#

But the issue is that the FLRT report still says nothing is fixed.
txulp10atest:/var/adm/ansible# ls -ltr
total 40
-rw-r--r-- 1 root system 12918 Mar  8 11:26 flrtvc.txt
drwxr--r-- 4 root system  4096 Mar  8 11:30 work
txulp10atest:/var/adm/ansible#
txulp10atest:/var/adm/ansible# cat flrtvc.txt|head -20
////////////////////////////////////////////////////////////
// IBM FLRTVC (v0.8.8) Report
// Server: txulp10atest
// Date: Fri Mar 8 11:26:53 CST 2024
// Report by: root
// Vulnerable Filesets: 16
// Total Vulnerabilities: 19
// Total Fixes (not shown): 16
////////////////////////////////////////////////////////////

Expected behavior
I expect the playbook to apply the fixes to the system and the FLRT report to say that all the vulnerabilities are fixed.


Indfern commented 8 months ago

My Questions.

1.) Why does the PB not apply the applicable fixes to the system? I do not want to fix issues file system by file system. I just need to fully patch my server in a single run of the PB, which should apply all the fixes to all the filesets.

2.) Am I using the wrong switches in the PB? Please let me know what switches to put for the server to get fully patched in a single go. I tried putting "filesets: all" in the flrtVC-patch.yml PB, but that failed too.

3.) Since downloading patches takes time and we have very tight "Change Request Time Windows" for production systems, can we download and keep the patches beforehand and do only the apply operation during the change window? If yes, what switches do I need to put in a new flirtdownload.yml PB? This PB should only download the applicable fixes for the system, but not install them.
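The three questions above map onto switches of the flrtvc module. What follows is an added example playbook, not the author's flrtVC-chk.yml or flrtVC-patch.yml (whose contents are not reproduced in this issue) and not code from the collection. It runs a report-only scan, a download-only prefetch that can be scheduled ahead of the change window, and an install run, and then compares the number of NOT FIXED entries in the refreshed report with the pre-patch count, so that a run that silently removed installed ifixes (the effect of force: yes that the author describes later in the thread) fails instead of looking like a successful "changed" run. It assumes the host extra variable passed as -e host=p10test and the /var/adm/ansible report directory seen in the issue's listings; the apar, save_report, download_only, verbose and clean parameters are taken from the module's documentation, not from this issue.

```yaml
# Added example playbook (not the author's flrtVC-chk.yml / flrtVC-patch.yml and
# not code from the collection). Three plays: report only, download only, install.
# Assumptions: the 'host' extra var is passed as "-e host=p10test" as in the issue,
# and /var/adm/ansible is the report/working directory seen in the listings.
- name: Phase 1 - FLRTVC report only (nothing downloaded, nothing removed)
  hosts: "{{ host | default('p10test') }}"
  gather_facts: false
  tasks:
    - name: Generate the FLRTVC report
      ibm.power_aix.flrtvc:
        apar: all              # security and HIPER fixes
        path: /var/adm/ansible # report is written to /var/adm/ansible/flrtvc.txt
        save_report: true
        check_only: true       # scan and report only: no download, no install
        force: false           # the default; true removes installed ifixes before the scan
        verbose: true

    - name: Read the pre-patch report
      ansible.builtin.slurp:
        src: /var/adm/ansible/flrtvc.txt
      register: report_before

    - name: Remember how many NOT FIXED entries the scan found
      ansible.builtin.set_fact:
        flrtvc_unfixed_before: "{{ report_before.content | b64decode | regex_findall('NOT FIXED') | length }}"

- name: Phase 2 - prefetch fixes ahead of the change window
  hosts: "{{ host | default('p10test') }}"
  gather_facts: false
  tasks:
    - name: Check and download applicable fixes, do not install
      ibm.power_aix.flrtvc:
        apar: all
        path: /var/adm/ansible
        download_only: true    # downloads are kept under /var/adm/ansible/work
        clean: false           # the default; true would delete the work directory afterwards

- name: Phase 3 - install during the change window
  hosts: "{{ host | default('p10test') }}"
  gather_facts: false
  tasks:
    - name: Install every applicable fix (no filesets filter)
      ibm.power_aix.flrtvc:
        apar: all
        path: /var/adm/ansible
        save_report: true
        check_only: false
        download_only: false
        force: false
      register: flrtvc_result

    - name: Show the module result
      ansible.builtin.debug:
        var: flrtvc_result

    - name: Read the refreshed report
      ansible.builtin.slurp:
        src: /var/adm/ansible/flrtvc.txt
      register: report_after

    - name: Count what is still NOT FIXED (SP/ML items stay until the level is upgraded)
      ansible.builtin.set_fact:
        flrtvc_unfixed_after: "{{ report_after.content | b64decode | regex_findall('NOT FIXED') | length }}"

    - name: Fail if the count grew, which is what a run that removed ifixes looks like
      ansible.builtin.assert:
        that:
          - flrtvc_unfixed_after | int <= flrtvc_unfixed_before | int
        fail_msg: "NOT FIXED went from {{ flrtvc_unfixed_before }} to {{ flrtvc_unfixed_after }}; check the force setting and review /var/adm/ansible/flrtvc.txt"
        success_msg: "NOT FIXED went from {{ flrtvc_unfixed_before }} to {{ flrtvc_unfixed_after }}"
```

Run it as apa <playbook>.yml -e host=p10test, the same way the issue's playbooks are run; the phases can also be split into separate files so that phase 2 runs outside the window. The assertion deliberately checks for a count that did not grow rather than for zero, because the author notes that 11 of the 19 findings need an SP/ML upgrade and will stay NOT FIXED after an ifix run. Whether the phase-3 run re-downloads fixes already present under path/work is not stated in this issue, so test that in a non-production LPAR before relying on it for the change window.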

sumitradawn commented 8 months ago

We will look into this.

sumitradawn commented 8 months ago

We are able to reproduce the issue, will update shortly.

Indfern commented 8 months ago

Hi Sumit, I think I found the issue. I was using the switches wrong in the module. I was using “force:yes” when I did the checking for the fixes, and it removed all the installed fixes before generating the report. Once I set “force:no”, it generated the report fine. For the update playbook, I put “force:no” and now it’s working fine it seems. This is FYI.

Thanks.

Indika Fernando, Systems Engineer Ext 7483

From: sumitradawn
Sent: Monday, March 11, 2024 7:34 AM
To: IBM/ansible-power-aix
Subject: Re: [IBM/ansible-power-aix] Subject: ibm.power_aix.flrtvc: module downloads the fixes, but does not install them on the system. (Issue #422)

We are able to reproduce the issue, will update shortly.


Indfern commented 8 months ago

Hi Sumit, now I use the switches below, and it works perfectly.

1. Checking PB

[root@txansible01 Aix]# cat flrtVC-chk.yml

...

[root@txansible01 Aix]#

2. Patching PB

[root@txansible01 Aix]# cat flrtVC-patch.yml

...

[root@txansible01 Aix]#

Thanks.

Indika Fernando, Systems Engineer Ext 7483


nitismis commented 8 months ago

Hi @Indfern, you don't have to explicitly set force: no; it is the default behavior. Anyway, can we close the issue? Thanks

Indfern commented 8 months ago

Hi Nitismis, thanks for the reply. Yes, I'm OK to close out the issue. Please change the issue category to "User Error" if you can, as I was using the switches wrong and it wasn't really a bug in the product. Thank you very much for your efforts on enhancing these modules, as they make our lives so much easier as sysadmins; I appreciate it very much. I am also waiting for the new feature to do the SP/ML upgrade on the alternate disk rather than on the actual rootvg disk.

Thanks

sumitradawn commented 8 months ago

Closing the issue.