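#!/bin/sh
#
# Program:       HP-UX-SWA-global-audit
# Version:       1.5
# Description:   Unattended HP-UX SWA session
# Inspired by:   Doug O'Leary (ITRC HP-UX Forum)
# Modified by:   Dusan U. Baljevic (dusan.baljevic@ieee.org)
# Last Modified: 10 Feb 2012
#
# The idea is as follows (Doug O'Leary's suggestions in the ITRC Forum).
# I extended his basic idea and added many more options and features:
#
# 1. Have a text file (/swa/conf/swa-hosts.txt) as follows:
#
#    server1 11.11
#    server2 11.31
#    server3 11.23
#    ...
#
# 2. Set up a separate file system (in my case I named it /swa)
#    that will be used for all SWA reporting and downloads.
#
# 3. Set up HP-UX native Apache server to display SWA reports via Web.
#
# 4. Set up SSH key exchange between the centralized SWA server
#    and remote machines.
#
# 5. The script can be run with various options:
#
#    SCRIPT [-c] [-a PROXYDOM] [-f] [-g] [-u PROXYUSER] [-p PROXYPASS] \
#           [-s PROXYSERV] [-w PROXYPORT] [-d datestamp_of_catalog] \
#           [-n CATALOG_DIR] [-h] [-g]
#
#    -h             Print help file
#    -a PROXYDOM    Web proxy domain
#    -c             Get SWA catalog file only
#    -d MMMYYYY     Run SWA on already-downloaded datestamp-reference
#                   catalog (Dec2009)
#    -f             If SWA get catalog fails, try curl command
#    -g             Run SWA get (default is to run SWA report only)
#    -n CATALOG_DIR Run SWA on already-downloaded swa_catalog.xml in
#                   CATALOG_DIR
#    -p PROXYPASS   Web proxy password
#    -s PROXYSERV   Web proxy server (IP address or hostname)
#    -u PROXYUSER   Web proxy username
#    -w PROXYPORT   Web proxy port number
#
# Examples of usage:
#
# 1. To download the catalog only (by default, it will be saved
#    with MMMYYYY datestamp, in /swa/conf/swa_catalog-May2010.xml):
#
#    HP-UX-SWA-global-audit.sh -c
#
#    This is a very good candidate to run once a month and preserve
#    previous versions of catalog files that can be used to audit
#    the server when not the latest but some older patch bundles are
#    required.
#
#    This request came from a critical customer who never installs latest
#    versions of patches. Instead, they apply N-1 version, where N is
#    the current release...
#
# 2. Run SWA report for a group of servers as listed in
#    /swa/conf/swa-hosts.txt based on older (previously downloaded)
#    catalog file, for example /swa/conf/swa_catalog-Apr2010.xml
#
#    HP-UX-SWA-global-audit.sh -d Apr2010
#
# 3. Run SWA report for a group of servers as listed in
#    /swa/conf/swa-hosts.txt based on latest catalog file
#    (which will be downloaded in real-time):
#
#    HP-UX-SWA-global-audit.sh
#
# 4. Run SWA report for a group of servers as listed in
#    /swa/conf/swa-hosts.txt based on latest catalog file
#    (which will be downloaded in real-time), and then download
#    the patches into /swa/patches/HP-UX-11.XX/... directory
#    (example, /swa/patches/HP-UX-11.31/myhost-05May2010-swa-patches)
#
#    HP-UX-SWA-global-audit.sh -g
#
# 5. To view the SWA reports - point the Web browser to:
#
#    http://swa-server/SWA
#
#    The HTML files are actually saved in /opt/hpws/apache/htdocs/SWA
#    and it assumes that the centralized server runs Apache Web.
#
# Security notes:
#
#  - A password given with -p is visible in the process list ("ps") for
#    as long as the script runs, and again on the curl command line when
#    the -f fallback is used. PROXYDOM, PROXYUSER, PROXYPASS, PROXYSERV
#    and PROXYPORT are not reset by this script, so values exported in
#    the environment are used when the matching option is absent.
#  - The reports list the patches each host is missing and are written
#    world-readable below the Apache document root. Restrict access to
#    the /SWA location in the web server configuration.
#  - The script logs in as root on every listed host with a
#    non-interactive SSH key; that key and the hosts file need to be
#    writable and readable by root only.
#
# I tried to ensure there are no programming errors in the code.
# Do not blame me if something goes wrong.
#

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/swa/bin
export PATH

umask 022

SCRIPT="${0##*/}"

USAGE="USAGE: $SCRIPT [-c] [-a PROXYDOM] [-f] [-g] [-u PROXYUSER] [-p PROXYPASS] \\
       [-s PROXYSERV] [-w PROXYPORT] [-d datestamp_of_catalog] [-n CATALOG_DIR] [-h] [-g]

-h              Print help file
-a PROXYDOM     Web proxy domain
-c              Get SWA catalog file only
-d MMMYYYY      Run SWA based on already-downloaded datestamp-reference catalog
                (for example Dec2009)
-f              If SWA get catalog fails, try curl command
-g              Run SWA get (default is to run SWA report only)
-n CATALOG_DIR  Run SWA based on already-downloaded swa_catalog.xml in CATALOG_DIR
-p PROXYPASS    Web proxy password
-s PROXYSERV    Web proxy server (IP address or hostname)
-u PROXYUSER    Web proxy username
-w PROXYPORT    Web proxy port number
"

#######################################
# Check that an HP-UX release string is one this script supports.
# Arguments: $1 - release taken from the hosts file (e.g. 11.31)
# Outputs:   error text on stdout for an unsupported release
# Returns:   0 if supported, 1 otherwise. The caller decides whether to
#            skip the host: the earlier version called "continue" and
#            "next" from inside the function, but "next" is not a shell
#            command and "continue" inside a function does not portably
#            affect the caller's loop.
#######################################
checkos() {
  myos="$1"

  case "$myos" in
    11.11|11.23|11.31)
      return 0
      ;;
    *)
      echo "ERROR: Invalid OS \"$myos\""
      echo "INFO: Valid HP-UX releases are 11.11, 11.23, 11.31"
      return 1
      ;;
  esac
}

#######################################
# Check that a hosts-file entry is safe to place in the ssh:// URL and
# in the report, inventory and depot path names built from it.
# Arguments: $1 - host name or IPv4 address from the hosts file
# Returns:   0 if it contains only letters, digits, ".", "_" and "-"
#            and starts with neither "-" nor "."; 1 otherwise.
#######################################
valid_host() {
  case "$1" in
    ""|-*|.*|*[!A-Za-z0-9._-]*)
      return 1
      ;;
    *)
      return 0
      ;;
  esac
}

#######################################
# Fallback catalog download through curl (option -f).
# Globals:   SWA_CONF_DIR (read), PROXYDOM, PROXYUSER, PROXYPASS,
#            PROXYSERV, PROXYPORT (read, all optional)
# Arguments: $1 - URL of the gzip-compressed catalog
#            $2 - path of the uncompressed catalog to write
# Returns:   0 if the catalog was downloaded and unpacked, 1 otherwise.
#            A partial catalog is removed on failure, because later runs
#            treat any non-empty catalog file as usable.
#######################################
fetch_catalog_with_curl() {
  fc_url="$1"
  fc_dest="$2"
  # Kept under the SWA tree rather than /tmp, so the name is not in a
  # directory other users can write to.
  fc_tmp="${SWA_CONF_DIR}/tmp/swa_catalog.$$.xml.gz"

  # Build the proxy arguments as separate words. The earlier version
  # collected them in CURLOPTS (mistyped once as CURL_OPTS) and never
  # passed them to curl, so -a/-u/-p/-s/-w had no effect.
  # NOTE: the proxy password is on curl's command line for the duration
  # of the transfer; a root-only curl config file read with -K avoids that.
  set --
  if [ -n "${PROXYUSER:-}" ] && [ -n "${PROXYPASS:-}" ]
  then
    if [ -n "${PROXYDOM:-}" ]
    then
      set -- "$@" --proxy-user "${PROXYDOM}\\${PROXYUSER}:${PROXYPASS}"
    else
      set -- "$@" --proxy-user "${PROXYUSER}:${PROXYPASS}"
    fi
  else
    # Same as the earlier version when no credentials are supplied.
    set -- "$@" -U :
  fi

  if [ -n "${PROXYSERV:-}" ] && [ -n "${PROXYPORT:-}" ]
  then
    set -- "$@" --proxy "${PROXYSERV}:${PROXYPORT}"
  fi

  # Download first, unpack second: in "curl | gzip" the tested exit
  # status is gzip's, so a failed transfer could go unnoticed.
  # -f makes curl fail on an HTTP error page returned by a proxy.
  if curl -f "$@" -o "$fc_tmp" "$fc_url" 2>/dev/null &&
     gzip -d < "$fc_tmp" > "$fc_dest" &&
     [ -s "$fc_dest" ]
  then
    fc_rc=0
  else
    rm -f "$fc_dest"
    fc_rc=1
  fi

  rm -f "$fc_tmp"
  return $fc_rc
}

# The default method is to run "swa report" only.
#
SWAGET="NO"
SWAREFDATE=""
SWACAT="NO"
SWAFORCE="NO"
CATALOGDIR=""

DATESTAMP=$(date +"%d%b%Y")
DATESTAMP2=$(date +"%b%Y")

# Process command line arguments.
#
while getopts fghca:d:n:u:p:s:w: c
do
  case $c in
    a) PROXYDOM="$OPTARG" ;;
    c) SWACAT="YES" ;;
    d) SWAREFDATE="$OPTARG" ;;
    f) SWAFORCE="YES" ;;
    g) SWAGET="YES" ;;
    h) echo "$USAGE"; exit 0 ;;
    n) CATALOGDIR="$OPTARG" ;;
    p) PROXYPASS="$OPTARG" ;;
    s) PROXYSERV="$OPTARG" ;;
    u) PROXYUSER="$OPTARG" ;;
    w) PROXYPORT="$OPTARG" ;;
    \?) echo "$USAGE"; exit 1 ;;
  esac
done

shift $((OPTIND - 1))

MAILADM="root"

# Default SWA catalog.
# NOTE: plain FTP gives no integrity or origin protection for the
# catalog that every later report is based on.
SWADEF_CATALOG="ftp://ftp.itrc.hp.com/export/patches/swa_catalog.xml.gz"

# SWA reporting (typically via Web)
#
if [ -d "/opt/hpws22/apache/htdocs" ]
then
  SWA_REPORT_DIR="/opt/hpws22/apache/htdocs/SWA"
else
  SWA_REPORT_DIR="/opt/hpws/apache/htdocs/SWA"
fi

# Preferably a separate file system for SWA reports and patches.
# Under this directory, four subdirectories are needed:
# conf, patches, analysis, tmp
#
SWA_CONF_DIR="/swa"

if [ ! -d "$SWA_REPORT_DIR" ]
then
  echo "ERROR: Directory \"$SWA_REPORT_DIR\" does not exist"
  exit 1
fi

if [ ! -d "$SWA_CONF_DIR" ]
then
  echo "ERROR: Directory \"$SWA_CONF_DIR\" does not exist"
  exit 1
fi

# Create directories if missing. An existing directory is fine; a
# directory that cannot be created is reported instead of being hidden.
#
for subdir in conf patches analysis tmp
do
  if [ ! -d "${SWA_CONF_DIR}/${subdir}" ]
  then
    if ! mkdir "${SWA_CONF_DIR}/${subdir}"
    then
      echo "ERROR: Cannot create directory \"${SWA_CONF_DIR}/${subdir}\""
      exit 1
    fi
  fi
done

# Customised SWA preferences (not referenced elsewhere in this script)
#
SWAPREF="${SWA_CONF_DIR}/conf/.swa.conf"

# Option -c: download the catalog under a month-stamped name and stop.
#
if [ "$SWACAT" = "YES" ]
then
  SWA_CATALOG="${SWA_CONF_DIR}/conf/swa_catalog-${DATESTAMP2}.xml"

  if [ -s "$SWA_CATALOG" ]
  then
    echo "ERROR: SWA catalog \"$SWA_CATALOG\" already exists"
    echo "INFO: Remove it and retry the command again"
    exit 1
  fi

  if swa step catalog -x catalog_max_age=0 \
       -x "catalog_source=$SWADEF_CATALOG" \
       -x "catalog=$SWA_CATALOG" 2>/dev/null
  then
    echo "INFO: SWA catalog download into \"$SWA_CATALOG\" completed successfully"
    exit 0
  fi

  echo "WARN: SWA catalog download into \"$SWA_CATALOG\" completed unsuccessfully"

  # Try curl only when asked to with -f.
  if [ "$SWAFORCE" != "YES" ]
  then
    exit 1
  fi

  if fetch_catalog_with_curl "$SWADEF_CATALOG" "$SWA_CATALOG"
  then
    echo "INFO: SWA catalog download via CURL into \"$SWA_CATALOG\" completed successfully"
    exit 0
  else
    echo "WARN: SWA catalog download via CURL into \"$SWA_CATALOG\" completed unsuccessfully"
    exit 1
  fi
fi

# Select the catalog. The matching swa options are stored in the
# positional parameters (unused after getopts) so that they can be
# passed on as "$@"; a catalog path containing blanks then stays one word.
#
if [ -n "$SWAREFDATE" ]
then
  SWA_CATALOG="${SWA_CONF_DIR}/conf/swa_catalog-${SWAREFDATE}.xml"
  if [ -s "$SWA_CATALOG" ]
  then
    echo "INFO: Using previously downloaded SWA catalog \"$SWA_CATALOG\""
    set -- -x catalog_max_age=-1 -x "catalog=$SWA_CATALOG"
  else
    echo "ERROR: SWA catalog \"$SWA_CATALOG\" empty or does not exist"
    exit 1
  fi
elif [ -n "$CATALOGDIR" ]
then
  SWA_CATALOG="${CATALOGDIR}/swa_catalog.xml"
  if [ -s "$SWA_CATALOG" ]
  then
    echo "INFO: Using previously downloaded SWA catalog \"$SWA_CATALOG\""
    set -- -x catalog_max_age=-1 -x "catalog=$SWA_CATALOG"
  else
    echo "ERROR: SWA catalog \"$SWA_CATALOG\" empty or does not exist"
    exit 1
  fi
else
  SWA_CATALOG="${SWA_CONF_DIR}/conf/swa_catalog.xml"
  echo "INFO: Using SWA catalog \"$SWA_CATALOG\""
  set -- -x "catalog=$SWA_CATALOG" -x inventory_max_age=0
fi

# Hosts file for SWA analysis. The entries are:
# host1 11.11
# host2 11.23
# host3 11.31
#
SWA_HOSTS="${SWA_CONF_DIR}/conf/swa-hosts.txt"

if [ ! -s "$SWA_HOSTS" ]
then
  echo "ERROR: SWA hosts file \"$SWA_HOSTS\" empty or does not exist"
  exit 1
fi

# Directory for saving the reports
#
SWA_ANALYSIS_DIR="${SWA_CONF_DIR}/analysis"

grep -v '^#' "$SWA_HOSTS" | while read -r host os
do
  # Blank line in the hosts file.
  [ -n "$host" ] || continue

  if ! valid_host "$host"
  then
    echo "ERROR: Invalid host name \"$host\" in \"$SWA_HOSTS\""
    continue
  fi

  checkos "$os" || continue

  echo ""
  echo "INFO: Running SWA report for host \"$host\""

  # stdin comes from /dev/null: swa starts ssh, which may otherwise
  # read from the pipe that feeds this loop and consume the remaining
  # host entries.
  if swa report -s "ssh://root@${host}" "$@" \
       -x "analyzers=QPK CRIT PCW SEC" -r none \
       -x "user_dir=${SWA_ANALYSIS_DIR}" \
       -x "inventory_source=${SWA_ANALYSIS_DIR}/${host}-swa-inventory.xml" \
       -x "html_report=${SWA_REPORT_DIR}/${host}-${DATESTAMP}-report.html" \
       -x "analysis_file=${SWA_ANALYSIS_DIR}/${host}-swa-analysis.xml" \
       -x "ssh_options=-o batchmode=yes" </dev/null 2>/dev/null
  then
    echo "INFO: SWA report for host \"$host\" completed successfully"
    if [ -d "$SWA_REPORT_DIR" ]
    then
      # Readable by the web server; the reports show which patches each
      # host lacks, so limit who can reach this directory over HTTP.
      chmod 644 "$SWA_REPORT_DIR"/*.html "$SWA_REPORT_DIR"/*.htm 2>/dev/null
    fi
  else
    echo "WARN: SWA report for host \"$host\" completed unsuccessfully"
    echo "INFO: Check if SWA is installed on host \"$host\""
    echo "INFO: Check if SSH operational on host \"$host\""
  fi
done

if [ "$SWAGET" = "YES" ]
then
  grep -v '^#' "$SWA_HOSTS" | while read -r host os
  do
    [ -n "$host" ] || continue

    if ! valid_host "$host"
    then
      echo "ERROR: Invalid host name \"$host\" in \"$SWA_HOSTS\""
      continue
    fi

    checkos "$os" || continue

    # Where to save the SWA depots
    #
    SWA_DEPOT_DIR="${SWA_CONF_DIR}/patches/HP-UX-${os}/${host}-${DATESTAMP}-swa-patches"

    if [ -s "${SWA_ANALYSIS_DIR}/${host}-swa-analysis.xml" ]
    then
      # stdin from /dev/null so that swa cannot consume the host list.
      if swa get -t "$SWA_DEPOT_DIR" \
           -x "analysis_file=${SWA_ANALYSIS_DIR}/${host}-swa-analysis.xml" \
           -x allow_existing_depot=true \
           -x "swcache=${SWA_CONF_DIR}/tmp" </dev/null
      then
        echo "INFO: SWA get patches for host \"$host\" completed successfully"
      else
        echo "WARN: SWA get patches for host \"$host\" completed unsuccessfully"
      fi
    else
      echo "ERROR: \"${SWA_ANALYSIS_DIR}/${host}-swa-analysis.xml\" empty or does not exist"
    fi
  done
fi

exit 0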