kfiresmith / patch_facts

Generate OS patch facts for Ansible
MIT License

Add 'needs-reboot' logic #1

Closed kfiresmith closed 3 years ago

kfiresmith commented 3 years ago

We should use OS tools to determine if a system needs to be rebooted for applied security patches to be active.

Red Hat 6+ variants have /usr/bin/needs-restarting as part of yum-utils. This can be run as a normal user and has the -r flag to simply return 0 if we don't need to restart and 1 if we do need to restart.

For Debian variants, the presence of /var/run/reboot-required is enough.

kfiresmith commented 3 years ago

Probably also worth looking into the needrestart package longer term.

kfiresmith commented 3 years ago

On RHEL/CentOS 6, needs-restarting is quite primitive in comparison to later versions. There is no -r switch, and the command always exits 0, so we'll have to do something with the output of the command instead.

Perhaps something hacky like:

restart="$(needs-restarting | wc -l)"

The output from the command will be a list of procs that need to be reloaded; we'll count them, and if the count is >0, we know we need to restart.
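As an added example (not code from the patch_facts project), here are the three checks from this thread as POSIX shell functions: the Debian flag file, `needs-restarting -r` on RHEL 7+, and the line-count fallback for RHEL 6. The argument conventions, the `unknown` value for an unexpected exit code, and the use of `grep -c .` instead of `wc -l` are my assumptions.

```shell
#!/bin/sh
# Added example, not code from patch_facts: derive a "needs reboot" fact
# from the OS signals discussed in the issue. Assumed conventions:
#   needs_reboot_debian FLAG_FILE    -> prints true/false
#   needs_reboot_rhel   NR_CMD MAJOR -> prints true/false/unknown
# Both always return 0; callers read the printed value.

# Debian/Ubuntu: the package manager drops a flag file when a reboot is due.
needs_reboot_debian() {
    flag="${1:-/var/run/reboot-required}"
    if [ -f "$flag" ]; then echo true; else echo false; fi
}

# RHEL/CentOS: needs-restarting from yum-utils.
#   7+: "needs-restarting -r" exits 0 (no reboot) or 1 (reboot needed).
#   6:  there is no -r and the command always exits 0, so count the
#       processes it lists; any non-empty output means we should reboot.
needs_reboot_rhel() {
    nr="${1:-/usr/bin/needs-restarting}"
    major="${2:-7}"
    if [ ! -x "$nr" ]; then
        echo false              # tool absent: nothing to base a reboot on
        return 0
    fi
    if [ "$major" -ge 7 ]; then
        rc=0
        "$nr" -r >/dev/null 2>&1 || rc=$?
        case "$rc" in
            0) echo false ;;
            1) echo true ;;
            *) echo unknown ;;  # tool failed: do not report a false negative
        esac
    else
        # grep -c . counts non-empty lines; "|| true" keeps set -e quiet on zero
        count=$("$nr" 2>/dev/null | grep -c . || true)
        if [ "$count" -gt 0 ]; then echo true; else echo false; fi
    fi
}

# Wrapper for a real host: Debian flag first, then the RHEL major version
# taken from /etc/redhat-release (defaults to 7 when it cannot be read).
needs_reboot() {
    if [ "$(needs_reboot_debian)" = true ]; then echo true; return 0; fi
    major=$(sed -n 's/.*release \([0-9]*\).*/\1/p' /etc/redhat-release 2>/dev/null || true)
    needs_reboot_rhel /usr/bin/needs-restarting "${major:-7}"
}
```

Calling `needs_reboot` on a host prints the value to feed into the fact file; the two lower-level functions take explicit paths so they can be exercised against stub commands.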

kfiresmith commented 3 years ago

Added this feature.