My Security team requires a monthly outstanding patch/update report. I currently have to produce this manually by doing a screen-scrape from the Content-Hosts screen and then copying it to an Excel (CSV) report, e.g.:

| Name | Subscription Status | Installable Updates - Security | Installable Updates - Bug Fixes | Installable Updates - Enhancements | Installable Updates - Package Count | OS | Environment |
|---|---|---|---|---|---|---|---|
| host1.test.local | Simple Content Access | 0 | 0 | 0 | 0 | RedHat 8.7 | ontwikkeling |

It would be really useful if the Content-Host screen output could be exported to CSV and even automatically created using Hammer.
Thanks for your reply. I have tried all the reports that I can see on Satellite 6.12 and tried to import some ones from Git but nothing seems to fit the bill. The problem is that my security team want the report to look pretty much exactly like what they see in the Content Hosts screen meaning three totals for each kind of patch/update.
The Cobit control says that I have to prove that there are no outstanding patches / I have updated all the systems.
I already knew about this but unfortunately the report needs to simply have a (preferably alphabetical) list of the hosts along with the number of patches:
I think one can modify the template and add the ordering to it as well as select what columns should be present.
The other option is to start using the New detail page and select columns that should be in the export, then click the export button there. That functionality was shown today at the community demo by @ofedoren. Given it's quite fresh, it will take a bit until it appears in Satellite.
I did some updates on my platform and the export button does now do what I need. It would be really useful if I could create this report via Hammer so it could be automatically produced.
The other killer feature would be if you could export/download the SCAP PDF reports.
If you tailor the Applied errata report template, that could be used both from UI, through API and also generated by hammer. That would be my recommendation. I'm attaching a simple report that prints hosts and all errata (sum of security, bugfixes, enhancements). You would need to define the inputs according to the metadata or import the template through API.
```erb
<%#
name: Host - Applicable Errata
snippet: false
template_inputs:
- name: Hosts filter
  required: false
  input_type: user
  description: Limit the report only on hosts found by this search query. Keep empty
    for report on all available hosts.
  advanced: false
  value_type: search
  resource_type: Host
- name: Errata filter
  required: false
  input_type: user
  description: Limit the report only on errata found by this search query. Keep empty
    for report on all available errata.
  advanced: false
model: ReportTemplate
require:
- plugin: katello
  version: 3.16.0
-%>
<%- report_headers 'Host', 'Errata count' -%>
<%- errata_filter = input('Errata filter') -%>
<%- load_hosts(search: input('Hosts filter')).each_record do |host| -%>
<%-   errata = host_applicable_errata_filtered(host, errata_filter).size -%>
<%-   report_row(
        'Host': host.name,
        'Errata count': errata,
      ) -%>
<%- end -%>
<%= report_render order: 'Host' -%>
```
For the SCAP PDF reports, we'd have to be converting HTML to PDF first. The easiest way to get PDF out of the HTML (aka full report) is to simply open a browser print dialog and save it as PDF. If you need a more automated way, e.g. through hammer, you can download the entire HTML for a given report id and feed it to some processor like this
Thanks very much for your assistance. The PDF export works like a dream and I tuned it for RHEL-8 as follows:
```
# yum install https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-2/wkhtmltox-0.12.6.1-2.almalinux8.x86_64.rpm
$ FILE=`hammer arf-report download-html --id 25164 --path /tmp/ | cut -d ":" -f 2`; F2=$(echo $FILE | sed 's/.html//'); /usr/local/bin/wkhtmltopdf $FILE $F2.pdf
$ hammer --no-headers arf-report list --fields id | while read A; do FILE=`hammer arf-report download-html --id $A --path /tmp/ | cut -d ":" -f 2`; F2=$(echo $FILE | sed 's/.html//'); /usr/local/bin/wkhtmltopdf $FILE $F2.pdf; done
```
I tried the report and strangely it gives a count of three errata whilst the GUI shows none? I tried to modify the report so it simply counted the amount of installable/missed RPMs as my COBIT control demands that I show my machines are all patched and up to date.
My report fails with: Safemode doesn't allow to access 'pkg' on #Safemode::ScopeObject
```erb
<%#
name: Host - Applicable Errata
snippet: false
template_inputs:
- name: Hosts filter
  required: false
  input_type: user
  description: Limit the report only on hosts found by this search query. Keep empty
    for report on all available hosts.
  advanced: false
  value_type: search
  resource_type: Host
- name: Errata filter
  required: false
  input_type: user
  description: Limit the report only on errata found by this search query. Keep empty
    for report on all available errata.
  advanced: false
model: ReportTemplate
require:
- plugin: katello
  version: 3.16.0
-%>
<%- report_headers 'Host', 'IP Address', 'Packages', 'Errata count' -%>
<%- errata_filter = input('Errata filter') -%>
<%- pkg_filter = input('Package filter') -%>
<%- load_hosts(search: input('Hosts filter')).each_record do |host| -%>
<%-   errata = host_applicable_errata_filtered(host, errata_filter).size -%>
<%   host.installed_packages.each do |pkg| -%>
<%-     packages = pkg(host, pkg_filter).size -%>
<%-     report_row(
          'Host': host.name,
          'IP Address': host.ip,
          'Packages': packages,
          'Errata count': errata,
        ) -%>
<%-   end -%>
<%- end -%>
<%= report_render order: 'Host' -%>
```
Interesting, it may be that a different method needs to be used in the report. I'm not an expert on the content part, perhaps someone from @katello could help to tailor the report further.
The safe mode protects from using any potentially dangerous commands. Only methods/functions put to the allowlist (safe list) can be used. I'm trying to understand the logic behind
The pkg local variable refers to the installed host package, while you try to call it like a function. This is probably not the right approach. I'd first try to make sure the original report shows the same data as the UI. The difference may be Applicable vs Installable Errata. I believe Applicable means "errata that the system is missing and should be updated" while Installable means "errata that are applicable and actually can be updated, meaning the host has access to the content". Could that be the case?
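
The Applicable versus Installable distinction proposed in the reply above, modelled as an added example (plain Ruby, not code from the thread or from Katello, and not a report template). The host records, the `reachable` set and the `EX-*` errata ids are constructed for illustration; the definitions follow the reply's wording. It shows how a host can report three applicable errata while its installable counts, as on the Content Hosts screen, are all zero.

```ruby
require 'set'

# Constructed sample data (not from a real Satellite). Each host lists the
# errata it is missing ("applicable") and the errata ids published in the
# content it can actually reach ("reachable", a hypothetical field name).
HOSTS = [
  { name: 'host2.test.local',
    applicable: [{ id: 'EX-SA-1', type: :security },
                 { id: 'EX-BA-1', type: :bugfix }],
    reachable: Set['EX-SA-1'] },
  { name: 'host1.test.local',
    applicable: [{ id: 'EX-SA-1', type: :security },
                 { id: 'EX-BA-1', type: :bugfix },
                 { id: 'EX-EA-1', type: :enhancement }],
    reachable: Set[] }
].freeze

TYPES = %i[security bugfix enhancement].freeze

# Installable = applicable errata whose content the host has access to.
def installable(host)
  host[:applicable].select { |e| host[:reachable].include?(e[:id]) }
end

# Per-type totals in the order the Content Hosts screen shows them.
def counts(errata)
  TYPES.map { |t| errata.count { |e| e[:type] == t } }
end

# One row per host, alphabetical: applicable total, then installable totals.
def report_rows(hosts)
  hosts.sort_by { |h| h[:name] }.map do |h|
    [h[:name], h[:applicable].size, *counts(installable(h))]
  end
end

# Plain comma-joined output; the sample values contain no commas or quotes.
def report_csv(hosts)
  header = ['Host', 'Applicable errata', 'Installable - Security',
            'Installable - Bug Fixes', 'Installable - Enhancements']
  ([header] + report_rows(hosts)).map { |r| r.join(',') }.join("\n")
end

puts report_csv(HOSTS) if __FILE__ == $PROGRAM_NAME
```

A report built on the applicable count alone would flag host1 as unpatched even though nothing can be installed on it from its current content, so the two figures are worth showing side by side when the report is used as audit evidence.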