Implement functinality to patch system based on recommended actions

[vpetersson]

We want to make it easy for users to patch their systems by having a simple one-liner to do this. Unfortunately, this can become somewhat troublesome when you have different configurations across the fleet.

As such, we want to extend the CLI for easier patching of packages.

We want to keep this as dynamic as possible. Hence, we could do something similar to wott-agent patch $ID, where $ID is the issue from the backend. This could either be CVE or a change.

Here's an example of how I envision a run to look like:

Example of patching a service.

$ sudo wott-agent patch 222

The patch will make the following changes to /etc/ssh/sshd_config

-#PasswordAuthentication yes
+PasswordAuthentication no

After the change, we will automatically restart the SSH daemon.

Do you want to apply the changes (Y/n)?
[...]

Example of upgrading packages/patching for CVE.

$ sudo wott-agent patch 223

The following packages will be upgraded as part of CVE-XYZ:

* colordiff
* libgdbm-compat4
* libgdbm5
* libperl5.26
* netbase
* perl
* perl-modules-5.26

Please note that upgrading packages may cause them the service(s) to restart.

Do you want to apply the changes (Y/n)?
[...]

Considerations:

• We need to make sure this works across distros
• We need to have a warning dialogue showing what happens before it is being applied
• After the patch, it needs to run the ping functionality to submit the new state

[vpetersson]

We want to demo this for an investor, so let's take some shortcuts to get the alpha version of this working. Here are some shortcuts:

• Instead of making an API call back to the back-end to lookup what an ID means, let's use names (e.g. wott-agent patch openssh-disable-password-auth).
• Let's limit the scope to the ssh recommended actions.
• Let's make sure to run a ping at the end of the run.
• Let's make sure to take a backup of the file prior to the change.

Outstanding tasks for MVP after #263:

• [x] Add comment on line before
• [x] Backup config file to /opt/wott/backup
• [x] Test and restart service using SIGHUP
• [x] Add warning message for when disabling password auth Warning: Before you disable password authentication, make sure that you have generated and installed your SSH keys on this server. Failure to do so will result in that you will be locked out. I have have my SSH key(s) installed: [y/N]

[vpetersson]

MVP is done Sprint 16. We've received great feedback on this. Now we need to revisit the original scope in Sprint 17.

[vpetersson]

We need to resume work on this. As next steps, I want to do the following:

• [ ] Port all CVE instructions to the agent (https://github.com/WoTTsecurity/api/issues/771).
  • [ ] AWS Linux
  • [ ] Ubuntu
• [ ] Hide 'Certificate expires...' when using patch.

Next sprint

• [ ] Display the actual diff as per the instructions in the initial ticket.
• [ ] Implement patch for 'Automatic security updates not enabled'
  • [ ] AWS Linux
  • [ ] Ubuntu

[rptrchv]

13 complexity points

[a-martynovich]

20