# Automating glsa-check and notifications

## cspenc

I am in search of creating the ultimate self-updating machine (if this is possible).  glsa-check looks to be a great step in the right direction for this. As of now, I have this in an hourly cron job.

```
glsa-check -f all
```

However, this will keep my system updated, but I will have no idea what exactly has been installed unless I frequently log in to the system. Is there an easy way to send email notifications of what has been installed?

Also, does the glsa-check do a restart of programs once they have been upgraded, such as things like samba or apache?

Thanks,

Curtis

----------

## teglsbo

I think you should be able to run this script from cron:

```sh
#!/bin/sh
# 2004-05-27 Niels Teglsbo <niels@fabel.dk>: Initially taken from
# http://forums.gentoo.org/viewtopic.php?t=169728
# Lots of small changes and some bugfixes.
# script to check for any Gentoo advisory, notify admins via email
# and try to auto fix the vulnerabilities
# Requires Gentoolkit
#
# to be called from cron, eg. (minute field 0, otherwise cron runs it
# every minute of every sixth hour)
# 0 */6 * * * glsa-mail.sh
#
# Released under the GPL.
# Author Giovanni Ferri <FonderiaDigitale@gechi.it>
# Gechi web site www.gechi.it

# change this! :)
email="root"

# If run from cron we need to have $CONFIG_PROTECT set
# ("." instead of "source": the script runs under /bin/sh)
. /etc/profile

checkGLSA () {
    # mktemp instead of /tmp/GLSA_$RANDOM: $RANDOM is a bash-ism that is
    # empty under /bin/sh, and a predictable name in /tmp is unsafe
    mailfile=`mktemp /tmp/GLSA_XXXXXX` || exit 1
    host=`hostname`
    # Note that IFS should contain a newline, not a space and a newline
    IFS="
"
    got=0
    lines=`glsa-check --list 2>/dev/null | grep "^[0-9]\{6\}"`
    for each in $lines; do
        GLSAn=`echo "$each" | cut -d' ' -f1`
        type=`echo "$each" | cut -d' ' -f2`
        case $type in
        *N*)
            got=1
            echo "$host could be affected by this vulnerability:" >> "$mailfile"
            echo >> "$mailfile"
            glsa-check --dump "$GLSAn" 2>/dev/null >> "$mailfile"
            ;;
        esac
    done
}

checkGLSA
# "=" rather than "==": the latter is not portable in /bin/sh
if [ "$got" = 1 ]; then
    # Auto-fixing vulnerabilities
    glsa-check -f all >> "$mailfile" 2>&1
    # mail(1) takes the subject option before the recipient
    mail -s 'new GLSA vulnerability found!! Check your machine.' "$email" < "$mailfile"
fi
rm -f "$mailfile"
```

I have added "glsa-check -f all" to the original script as well as cleaning up the code.

I should probably add that I haven't tested this code very much, I just found it in the Italian forum and edited it to fit my needs. I'm almost looking forward to a vulnerability in my system to see what it does.

If you haven't forwarded root to an email address you read you should change the email-variable in the script to an email address you read.

To answer your other question:

I don't think emerge (which glsa-check calls) will do anything to running services.

----------

## Koon

GLSAs are updated when you do an "emerge sync" (see /usr/portage/metadata/glsa/), so running glsa-check hourly without updating the portage tree is not very useful.

Remember that you should not emerge sync every hour... So the solution might be to listen to the GLSA RDF feed and emerge sync / glsa-check when a new GLSA is detected. But you really should apply every update manually. Acting on a machine with root privileges based on network-received information is not recommended...

GLSA RDF feed:

http://www.gentoo.org/rdf/en/glsa-index.rdf

-K

----------

## teglsbo

Now I've made some ugly little scripts to do that. I think I'll wait and see if anyone else has done it right before I publish them - or rewrite them to be publishable.

Regarding automatic updates:

Do you have any plans for signing the portage tree?

----------

## cspenc

Thanks for all the good information. I guess for now, the best thing is to proactively listen for new GLSAs and periodically run an emerge sync and a glsa-check -l, and email the list of unapplied GLSAs to the sysadmin if any are ever there.

Thanks again for the help.

Curtis

----------

## Koon

*teglsbo wrote:*

> Do you have any plans for signing the portage tree?

There are definitely plans to sign the portage tree, but I am not sure of when this will be achieved.

-K

----------

## teglsbo

*Koon wrote:*

> But you really should apply every update manually. Acting on a machine with root privileges based on network-received information is not recommended...

I would like to see a feature where you could do something like `emerge -vD --preinst world` in an ordinary user account.

And then later as root you should be able to merge the packages to the filesystem manually.

If my machine wasn't that slow I could just emerge as root when I had a few minutes, but it often takes hours for it to compile.

----------

## teglsbo

*Koon wrote:*

> So the solution might be to listen to the GLSA RDF feed and emerge sync / glsa-check when a new GLSA is detected.

How long can it take before an update is in the rsync mirrors?

The update script might have to wait that long before syncing, or else it will just get the old portage tree and see that everything is fine.

----------

## Koon

*teglsbo wrote:*

> How long can it take before an update is in the rsync mirrors?

According to rsync mirror policy, the mirrors are synced every half hour.

-K
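
An added example (not a script from this thread) that ties together Koon's feed suggestion, cspenc's plan to sync and mail the list of unapplied GLSAs, and the half-hour mirror delay: it watches the RDF index, syncs only when an unseen GLSA id appears, mails `glsa-check -l` and `glsa-check -p all` output instead of fixing anything, and records an id as seen only once the local tree knows it, so an id the mirrors have not delivered yet is checked again on the next run. The seen-file path, the `GLSA_*` environment variables and the sample feed text are assumptions; the feed URL is the one Koon posted.

```shell
#!/bin/sh
# Added example, not code from the thread: watch the GLSA RDF index and, when an
# id not seen before appears, sync the tree and MAIL a report. Nothing is fixed
# automatically; the admin applies updates by hand, as Koon recommends.
FEED_URL="http://www.gentoo.org/rdf/en/glsa-index.rdf"   # URL from the thread
SEEN_FILE="${GLSA_SEEN_FILE:-/var/lib/glsa-watch/seen}"   # assumed state file
ADMIN_MAIL="${GLSA_ADMIN_MAIL:-root}"

# Print GLSA ids (YYYYMM-NN) found in RDF text on stdin, sorted and unique.
# Assumes item titles carry the id as "GLSA 200404-01" (constructed sample below).
glsa_ids_from_rdf() {
    grep -o 'GLSA [0-9]\{6\}-[0-9]\{2\}' | sed 's/^GLSA //' | sort -u
}

# Print the sorted ids on stdin that are absent from the (sorted) seen file $1.
unseen_ids() {
    [ -f "$1" ] || : > "$1"
    comm -23 - "$1"
}

# Of the ids in $1 (newline separated), print those the local tree already
# knows, i.e. that start a line of the "glsa-check -l" output passed in $2.
# Ids the mirrors have not delivered yet (they refresh about every half hour,
# per the thread) are left unrecorded so the next cron run checks them again.
ids_known_to_tree() {
    for id in $1; do
        printf '%s\n' "$2" | grep -q "^$id" && echo "$id"
    done
    return 0
}

check_feed() {
    new=$(wget -q -O - "$FEED_URL" | glsa_ids_from_rdf | unseen_ids "$SEEN_FILE")
    [ -n "$new" ] || return 0
    emerge --sync >/dev/null 2>&1
    list=$(glsa-check -l 2>/dev/null)
    {
        echo "New GLSAs announced: $new"; echo
        echo "glsa-check -l on $(hostname):"; echo "$list"; echo
        echo "Pending updates (glsa-check -p all):"; glsa-check -p all 2>/dev/null
    } | mail -s "GLSA report for $(hostname)" "$ADMIN_MAIL"
    ids_known_to_tree "$new" "$list" >> "$SEEN_FILE"
    sort -u -o "$SEEN_FILE" "$SEEN_FILE"
}

# Constructed sample data for an offline dry run of the decision logic.
SAMPLE_RDF='<item><title>GLSA 200405-01: constructed</title></item>
<item><title>GLSA 200404-01: constructed</title></item>'
SAMPLE_LIST='200404-01 [N] constructed glsa-check -l line'
demo() {   # prints the ids that would trigger a report, given 200404-01 seen
    seen=$(mktemp); echo 200404-01 > "$seen"
    printf '%s\n' "$SAMPLE_RDF" | glsa_ids_from_rdf | unseen_ids "$seen"
    rm -f "$seen"
}
if [ "${GLSA_WATCH_RUN:-0}" = 1 ]; then check_feed; else demo; fi
```

Run it from cron with `GLSA_WATCH_RUN=1` set; without that variable it only runs the offline demo.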

----------

## maxpayne

New to glsa(-check), I tried the following:

```
glsa-check -p all
```

and interestingly I noticed the following:

*Quote:*

> Checking GLSA 200404-01
>
> The following updates will be performed for this GLSA:
>
>      sys-apps/portage-2.0.50-r11 (2.0.50-r11)
> ...

Anyone know why glsa tries to do an update of the same version of a program?

----------

