Auto Baseline Creation

Just thinking out loud on something I’ve been looking at and I know it’s been covered a long time ago by @jgstew but there may be a shorter way to do it and I wanted to get thoughts on this…

A single Python or PowerShell script that starts by running an API GET call like this:

ids of bes fixlets whose ( month_and_year of source release date of it = (month_and_year of current date - 1*month) and display name of site of it contains "Patches for RHEL 7")

Or if you really want it in the true format:

https://yourserver.com:52311/api/query?relevance=names%20of%20bes%20fixlets%20whose%20(%20month_and_year%20of%20source%20release%20date%20of%20it%20=%20(month_and_year%20of%20current%20date%20-%201*month)%20and%20display%20name%20of%20site%20of%20it%20contains%20"Patches%20for%20RHEL%207")

It then parses those IDs into an XML file that you would use to POST into a new Baseline.

If you then ran that on the 1st of each month at midnight (as an example), then it would give you a Baseline for the previous month's patches.

Of course this can be tinkered with to do anything like patches that are critical or anything else you want but I’m sure you get the idea.

Thoughts?

Is it possible? Is it easy?

I tried it in PowerShell but I’m royally rubbish with that (and Python) so wanted to gather thoughts before I wasted any more time on learning one of them to do this.

Yes, definitely possible, and we’ve done that in a number of customer environments.

In addition to the Fixlet IDs, you’ll also need the url of site of it and the name of the default action, at minimum, to include those into the baseline component sources.

One method is to retrieve only those three fields, apply them into a Baseline (which will appear unsynchronized, since it has links to source Fixlets but no copied relevance or action scripts); POST that, and then call the ‘synchronize’ REST resource for the new baseline to sync it with relevance and actionscript; otherwise you’ll also need to copy those from the source fixlets into the new baseline yourself.

Ahhh so as part of the same script, at the end I would run the Sync Baseline to gather the content from them and that would essentially be it done?

I like this a lot!

Just as a follow up to this - to make it easier for anyone else wanting to do this…

I’m now using this:

https://yourserver.com:52311/api/query?relevance=(names%20of%20it,%20ids%20of%20it,%20source%20release%20date%20of%20it,%20url%20of%20site%20of%20it,%20content%20id%20of%20default%20action%20of%20it)%20of%20bes%20fixlets%20whose%20(month_and_year%20of%20source%20release%20date%20of%20it%20=%20(month_and_year%20of%20current%20date%20-%201*month)%20and%20display%20name%20of%20site%20of%20it%20contains%20"Patches%20for%20RHEL%207")

This equates to:

(names of it, ids of it, source release date of it, url of site of it, content id of default action of it) of bes fixlets whose (month_and_year of source release date of it = (month_and_year of current date - 1*month) and display name of site of it contains "Patches for RHEL 7")
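The flow described in this thread (query the five fields, build a baseline that carries only the source links, POST it, then call the sync resource), as an added Python example that is not code from any of the posters. It assumes the query reply uses `<Tuple>`/`<Answer>` elements, the BES baseline XML layout with `BaselineComponent` attributes `SourceSiteURL`, `SourceID` and `ActionName`, and that the sync call is a POST to the new baseline's resource URL with `/sync` appended; the query reply embedded below is a constructed sample, not real Fixlet data.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed stand-in for the /api/query reply to the tuple query in the post:
# (names of it, ids of it, source release date of it, url of site of it,
#  content id of default action of it). IDs, names and URLs are made up.
SAMPLE_QUERY_XML = """<BESAPI><Query Resource="example"><Result>
<Tuple><Answer type="string">Example openssl update (RHEL 7)</Answer><Answer type="integer">1002</Answer>
<Answer type="time">Tue, 09 Apr 2019 09:00:00 +0000</Answer>
<Answer type="string">http://example.invalid/bfgather/patchesforrhel7</Answer><Answer type="string">Action1</Answer></Tuple>
<Tuple><Answer type="string">Example kernel update (RHEL 7)</Answer><Answer type="integer">1001</Answer>
<Answer type="time">Tue, 02 Apr 2019 09:00:00 +0000</Answer>
<Answer type="string">http://example.invalid/bfgather/patchesforrhel7</Answer><Answer type="string">Action1</Answer></Tuple>
</Result></Query></BESAPI>"""

def parse_query_tuples(xml_text):
    """Map each <Tuple> of the query reply onto the five requested fields."""
    keys = ("name", "id", "release_date", "site_url", "action")
    rows = []
    for tup in ET.fromstring(xml_text).iter("Tuple"):
        answers = [a.text or "" for a in tup.findall("Answer")]
        if len(answers) == len(keys):  # ignore tuples that do not match the query shape
            rows.append(dict(zip(keys, answers)))
    return rows

def build_baseline_xml(title, components):
    """BES XML for POST /api/baselines/<site type>/<site name>. Only the source
    links are filled in; relevance and action script come from the later sync."""
    bes = ET.Element("BES")
    base = ET.SubElement(bes, "Baseline")
    ET.SubElement(base, "Title").text = title
    ET.SubElement(base, "Relevance").text = "true"
    group = ET.SubElement(ET.SubElement(base, "BaselineComponentCollection"), "BaselineComponentGroup")
    for c in sorted(components, key=lambda c: int(c["id"])):  # stable, ID-ordered
        ET.SubElement(group, "BaselineComponent", Name=c["name"], IncludeInRelevance="true",
                      SourceSiteURL=c["site_url"], SourceID=c["id"], ActionName=c["action"])
    return ET.tostring(bes, encoding="unicode")

def component_ids(baseline_xml):
    """SourceIDs in a baseline document, in order, for checking what was built."""
    return [el.get("SourceID") for el in ET.fromstring(baseline_xml).iter("BaselineComponent")]

def bes_post(server, user, password, path, body=b""):
    """POST with basic auth: used to create the baseline and for the later <resource>/sync call."""
    req = urllib.request.Request(server + path, data=body, method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

Posting the built document to `/api/baselines/custom/<site name>` returns a `<BESAPI>` reply whose `Baseline` element carries the new resource URL; a second `bes_post` to that URL plus `/sync` fills in the relevance and actionscript. The root server's certificate must be trusted by the machine running the script, since `urllib` verifies it.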

Definitely possible and totally customizable. We have automated that process in a way that we just define a human-readable JSON file that contains the description of what we want to have in the baseline; we can define the order, the different options, and also add custom fixlets that we push every month along with security updates.


I just need to get better with PS or Python to now go do it :sweat_smile:

I do something similar for a monthly baseline refresh and deployment and housekeeping of stopped/expired actions. It’s all PowerShell and covers multiple Linux distros, and each is managed via a separate config XML, so it is easy to add a new OS with no code changes.

My approach is somewhat different in that I get all the fixlet details and inject them into the baseline in a specific group, as we have pre-patch and post-patch fixlets that run. You end up with a baseline that looks the same as if you’d exported it from the console. No need to sync it, as it has all the actionscript direct from each fixlet, but you can still manually sync it via the console if you need to. TBH, when I originally created this, Linux patching and the REST API were very new to me and I based the process on the format of an exported baseline. If I had been more aware of just needing to use the fixlet ID and then sync it, I would probably have gone a different route.
