SLES9: Apply Security Patches without New Kernel Patches Being Applied

Novell Cool Solutions: Tip
By Cameron Seader


Updated: 2 Oct 2006
 

Application

If you need to apply security updates in your environment without a new kernel being applied, the following should help you accomplish this goal.

Explanation

This script checks for available security updates, removes any kernel-related update from the list, and applies the rest. If there are no updates, it appends a line to /var/log/online_update.log stating that no updates are available.

Script

Updated Script - 02 Oct 2006

Copy the text below into a file, preferably named online_security_update.sh:

--snip--

#!/bin/bash
# This script will calculate all security updates available for any SLES9 system and will remove the kernel from the patches to apply.
# The script will then download and install the patches, due to the nature of the online_update commands used.
# If no patches are available it will kick out a log of it in /var/log/online_update.log
# Note: this is only for SECURITY Updates.

# Unpredictable temporary file name; abort if it cannot be created.
TMPPatches=`mktemp -t patches.XXXXXXXXXX` || exit 1

touch /var/log/online_update.log

echo "Executing Online Update to calculate patches available..."

# Keep only the selected (" S ") security patches, drop every kernel-related line,
# and join the patch names (second column) into a comma-separated list.
online_update -sd security | sed '/(Security)/ !d' | sed '/^ S / !d' | sed '/kernel/ d' | awk '{print $2}' | tr "\n" "," | sed '$s/.$//' >> "$TMPPatches"
update=`<"$TMPPatches"`
if [ "$update" != "" ]; then
    echo "Executing Online Update to patch your system..."
    # Log success only when online_update reports it
    # (assumes a non-zero exit status on failure).
    if online_update -S "$update"; then
        echo "Security Updates Successfully Applied."
        echo "`date` - Security Updates Successfully Applied." >> /var/log/online_update.log
    else
        echo "Security Updates Failed."
        echo "`date` - Security Updates Failed." >> /var/log/online_update.log
    fi
else
    echo "No Security Updates Available."
    echo "`date` -  No Security Updates Available." >> /var/log/online_update.log
fi

rm -f "$TMPPatches"

--snip--

Once you have created this shell script, save it in /usr/bin or a similar location with chmod 755 permissions on it. You are then ready to set it up to run as a cron job at your desired date and time.
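
The selection step of the script above, rewritten as functions that can be checked against sample input and that need no temporary file. This is an added example, not part of the original script: the function names are hypothetical, and the sample listing is constructed to match only what the script's sed filters expect (a leading " S ", the patch name in the second column, "(Security)" on the line).

```shell
#!/bin/bash
# Added example: the patch-selection step as testable functions.
# Assumption: listing lines have the shape the original sed filters match.

# Read an online_update listing on stdin and print a comma-separated patch
# list with every kernel-related line removed (same rules as the sed chain).
select_patches() {
    awk '/\(Security\)/ && /^ S / && !/kernel/ { print $2 }' | paste -sd, -
}

# Accept only non-empty lists made of letters, digits, dot, underscore, dash
# and comma, so nothing unexpected from the listing reaches the
# online_update command line.
valid_patch_list() {
    case "$1" in
        ''|*[!A-Za-z0-9._,-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample listing (not real online_update output).
sample_listing() {
    cat <<'EOF'
 S patch-0001 (Security) constructed openssl entry
 S patch-0002 (Security) constructed kernel entry
 S patch-0003 (Recommended) constructed yast entry
   patch-0004 (Security) constructed unselected entry
 S patch-0005 (Security) constructed zlib entry
EOF
}

# Dry run: show what would be handed to online_update -S.
demo() {
    list=$(sample_listing | select_patches)
    if valid_patch_list "$list"; then
        echo "would run: online_update -S $list"
    else
        echo "nothing to apply, or unexpected patch name"
    fi
}
demo
```

In the real script, `online_update -sd security | select_patches` would replace the sed pipeline and the temporary file.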

Enjoy!!

Reader Comments

  • I have updated my script for everyone. Thank You for the feedback. I have now included the mktemp in the script. Also please be particular about where this script will live. Enjoy! -Cameron
  • sounds pretty handy...any chance of something that will do the same with the new SLES 10 crackpot update scheme?
  • This script has some "nice" security holes: - any user can inject data by simply creating /tmp/patches.txt - any user can force files to be modified by symlinking them to /tmp/patches.txt Sorry, I can't recommend this script :-( If you want to have a secure script, use a mktemp-generated tempfile instead. --cboltz
  • very good, but a better location for this script and tempfile would be /root/bin to keep users away.
