I have about 200 hosts that I need to run security patches on weekly.
A few things to keep in mind:
1. I cannot install anything into the Windows environment, but I have basic tools (PuTTY, plink, PowerShell, etc.).
2. I cannot add anything to the Linux environment (it's a stripped kernel with VERY specific options).
3. I must ALWAYS answer no to any prompt (update boot options, allow Wireshark for non-sudo, etc.).
4. I must (obviously) always answer YES to downloading the required updates and allowing the disk space.
5. I am NOT afraid to send the password in plain text (I would include a clear-history command when done), but I could be open to installing a key pair to make things smoother.
6. About every 3-4 months, we get a completely new release of Linux to load, so anything I put on the Linux machine (keys, accounts, etc.) is wiped clean, and I have to re-add it. There is no way to build it into the vendor's release.
7. I can't cron the updates, because occasionally the updates break the machines (they replace files that the client software relies on). I normally test a few machines on Monday, then run all the updates on Tuesday. I can't wake up to 200 broken machines that need to be reimaged.
Right now, I have an Excel list of IPs and I concatenate ("ssh <login>@", ip), manually copy and paste that into PowerShell, use a macro keyboard to send sudo, the password, and "apt update; apt upgrade; exit", then answer the prompts, type exit and move on to the next one. I would like to make it more autonomous so I can drink my coffee.
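One way to drive this loop from the Windows side with the tools already listed (PowerShell plus plink.exe), as an added example that is not from the original post. It assumes a hosts.csv exported from the Excel sheet with an "ip" column and an optional "canary" column for the Monday test group, one login/password valid on every host, and plink.exe on PATH; the remote side changes no files, it only sets environment variables and apt-get options for the one run.

```powershell
# Added example: weekly apt run over plink, triggered by hand (not cron), with a
# canary switch for the Monday test batch.
param(
    [string]$HostList = ".\hosts.csv",   # export of the Excel IP column (assumed name)
    [string]$Login    = "admin",         # assumed login name
    [switch]$CanaryOnly                  # Monday run: only rows with canary=1
)

# Prompt once; the password never lands in a script file or in the PS history.
# It is still passed to plink on the command line (-pw), so it is visible in the
# local process list for the duration of each connection.
$secure = Read-Host -Prompt "Password for $Login" -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Remote command. DEBIAN_FRONTEND=noninteractive suppresses debconf prompts
# (boot-options, Wireshark etc.), which then take their package defaults, not
# necessarily "no"; the dpkg options keep existing config files instead of
# asking; -y answers the disk-space / "continue?" question. apt-get upgrade
# never pulls in new packages, so the client software's dependency set is left
# alone. `$? (PowerShell-escaped) reports sudo's exit status as RC=<n>.
$remote = "sudo -S -p '' env DEBIAN_FRONTEND=noninteractive sh -c " +
          "'apt-get update && apt-get -y " +
          "-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold " +
          "upgrade'; echo RC=`$?"

$hosts = Import-Csv $HostList
if ($CanaryOnly) { $hosts = $hosts | Where-Object { $_.canary -eq '1' } }

$results = foreach ($h in $hosts) {
    # sudo -S reads the password from stdin, which plink forwards from the pipe.
    # -batch: never prompt; a host whose key is unknown or changed (e.g. after
    # the 3-4 month re-image) fails instead of hanging or silently trusting a
    # new key. Pin fingerprints with -hostkey once they are collected.
    $out = $plain | & plink.exe -batch -ssh -l $Login -pw $plain $h.ip $remote 2>&1
    $status = if ($out -match 'RC=0') { 'ok' } else { 'FAILED' }
    [pscustomobject]@{ ip = $h.ip; status = $status; last = ($out | Select-Object -Last 1) }
}
$results | Format-Table -AutoSize
```

Because the remote command runs non-interactively, nothing is written to the remote shell history, so the clear-history step is not needed; the FAILED rows are the ones to look at before Tuesday's full run.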