Advanced Patch Management Strategies
Advanced Patch Management Strategies
The script below implements a three-stage patch workflow for Debian/Ubuntu hosts — pre-update checks (disk space, service reachability, configuration backup), update application via apt, and post-update verification with e-mail notification. It is intended to run as root (for example from cron); note that it applies all pending upgrades, not only security fixes, and that it performs no automatic rollback:
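#!/bin/bash
# /usr/local/bin/patch-management.sh
#
# Unattended patch workflow for Debian/Ubuntu (apt-based) hosts:
#   1. pre_update_checks        - free space, service reachability, config backup
#   2. apply_updates            - apt-get update + apt-get upgrade
#   3. post_update_verification - service state and URL checks
# Intended to run as root (apt-get, /var/log, /backup), e.g. from cron.
# Progress is appended to $LOG_FILE; outcomes are mailed to $ADMIN_EMAIL.

# A failing stage in a pipeline (e.g. the tee inside log_message) must
# surface as a non-zero status instead of being hidden by the last command.
set -o pipefail

# Configuration -- adjust for the host. readonly so a later sourced file or
# function cannot silently repoint the log, backup location or mail target.
readonly LOG_FILE="/var/log/patch-management.log"
# NOTE(review): placeholder address; replace with the real alert mailbox.
readonly ADMIN_EMAIL="[email protected]"
# Config archives land here. They include /etc/ssl (private keys), so this
# directory must be root-only (mode 0700) and the archives unreadable to others.
readonly BACKUP_DIR="/backup/pre-patch"
# Endpoints probed before and after patching; a failed GET aborts the run.
readonly TEST_URLS=("https://example.com" "https://api.example.com/health")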
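# Append a timestamped line to $LOG_FILE and echo the same line to stdout.
# Arguments: $1 - message text, logged verbatim
# Globals:   LOG_FILE (read)
# Returns:   the status of tee, i.e. non-zero if the log file is unwritable
log_message() {
  local msg="${1-}"
  # printf instead of echo: a message beginning with "-n"/"-e" or containing
  # backslashes would otherwise be reinterpreted as echo options/escapes.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$msg" | tee -a "$LOG_FILE"
}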
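# Pre-update checks: refuse to patch unless the host is healthy and a
# configuration backup exists.
#   - at least 5 GiB free on /  (NOTE: a separate /var filesystem, where apt
#     downloads packages, is not covered by this check)
#   - every URL in TEST_URLS answers a GET with a success status
#   - /etc/apache2, /etc/nginx and /etc/ssl (those that exist) are archived
#     into $BACKUP_DIR with root-only permissions
# Globals:   TEST_URLS, BACKUP_DIR (read); CURL_MAX_TIME (optional, seconds)
# Returns:   0 when all checks pass, 1 on the first failure (already logged)
pre_update_checks() {
  local available_space url archive p
  local -a paths=()
  log_message "Starting pre-update checks"

  # Check disk space. Fall back to 0 if df/awk produced nothing so the
  # numeric comparison cannot error out on an empty string.
  available_space=$(df -BG / | awk 'NR==2 {print $4}' | sed 's/G//')
  if [[ "${available_space:-0}" -lt 5 ]]; then
    log_message "ERROR: Insufficient disk space for updates"
    return 1
  fi

  # Test critical services. --max-time keeps an unresponsive endpoint from
  # hanging the whole patch window; -f turns HTTP errors into a failure.
  for url in "${TEST_URLS[@]}"; do
    if ! curl -sf --max-time "${CURL_MAX_TIME:-15}" "$url" > /dev/null; then
      log_message "ERROR: Service check failed for $url"
      return 1
    fi
  done

  # Create configuration backup. The archive contains /etc/ssl, i.e. private
  # keys, so neither the directory nor the tarball may be readable by other
  # users. The umask is applied in a subshell so it does not leak into the
  # apt run, where a restrictive umask can break package installation.
  if ! mkdir -p -- "$BACKUP_DIR" || ! chmod 700 -- "$BACKUP_DIR"; then
    log_message "ERROR: Cannot create backup directory $BACKUP_DIR"
    return 1
  fi
  for p in /etc/apache2 /etc/nginx /etc/ssl; do
    [[ -d "$p" ]] && paths+=("$p")
  done
  if [[ "${#paths[@]}" -eq 0 ]]; then
    log_message "WARNING: No configuration directories found to back up"
  else
    archive="$BACKUP_DIR/config-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Only existing directories are passed, so any tar error is a real
    # failure and aborts the run instead of being silenced.
    if ! ( umask 077 && tar -czf "$archive" -- "${paths[@]}" ); then
      log_message "ERROR: Configuration backup to $archive failed"
      return 1
    fi
    log_message "Configuration backed up to $archive"
  fi

  log_message "Pre-update checks completed successfully"
  return 0
}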
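# Apply updates: refresh the package lists, log a dry run, then upgrade every
# package with a newer version available.
# NOTE: `apt-get upgrade` applies ALL pending upgrades, not only security
# ones; restrict the configured sources or use unattended-upgrades if a
# security-only policy is required.
# Globals:   LOG_FILE, ADMIN_EMAIL (read)
# Outputs:   apt output appended to $LOG_FILE; a mail if a reboot is required
# Returns:   0 on success, 1 if the list refresh or the upgrade failed
apply_updates() {
  log_message "Applying system updates"

  # Update package lists. apt-get rather than apt: apt's CLI is not meant
  # for scripts. Upgrading from stale or failed lists is not worth doing.
  if ! apt-get update >> "$LOG_FILE" 2>&1; then
    log_message "ERROR: apt-get update failed, see $LOG_FILE"
    return 1
  fi

  # Simulate updates first so the log records what was about to change.
  apt-get -s upgrade >> "$LOG_FILE" 2>&1

  # Apply pending upgrades. confdef/confold keep locally modified conffiles
  # so dpkg never waits on a conffile prompt in an unattended run;
  # DEBIAN_FRONTEND=noninteractive silences debconf questions.
  if ! DEBIAN_FRONTEND=noninteractive apt-get -y \
      -o Dpkg::Options::=--force-confdef \
      -o Dpkg::Options::=--force-confold \
      upgrade >> "$LOG_FILE" 2>&1; then
    log_message "ERROR: apt-get upgrade failed, see $LOG_FILE"
    return 1
  fi

  # Check if a reboot is required (flag file typically written by kernel or
  # libc package hooks). Rebooting is left to the administrator.
  if [[ -f /var/run/reboot-required ]]; then
    log_message "System reboot required"
    echo "Reboot required for updates" | mail -s "Server Reboot Required" "$ADMIN_EMAIL"
  fi
  return 0
}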
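# Post-update verification: make sure every enabled service is running
# (restarting any that stopped) and that every TEST_URL still answers.
# There is NO automatic rollback: on failure the function returns 1 and the
# pre-update archive in $BACKUP_DIR is left for manual restoration.
# Globals:   TEST_URLS (read); CURL_MAX_TIME (optional, seconds)
# Returns:   0 if all enabled services are active and all URLs respond,
#            1 otherwise (a service that cannot be restarted also counts)
post_update_verification() {
  local service state url
  local -a services=("apache2" "nginx" "mysql" "ssh")
  log_message "Running post-update verification"

  # Check service status. Only units reported as enabled (or enabled-runtime)
  # are inspected; absent or disabled units are skipped.
  for service in "${services[@]}"; do
    state=$(systemctl is-enabled "$service" 2>/dev/null)
    [[ "$state" == enabled* ]] || continue
    # Use the exit status of is-active: the former text match on "active"
    # also matched "inactive", so a stopped service was never restarted.
    if ! systemctl is-active --quiet "$service"; then
      log_message "WARNING: Service $service is not running"
      if ! systemctl restart "$service" || ! systemctl is-active --quiet "$service"; then
        log_message "ERROR: Service $service could not be restarted"
        return 1
      fi
      log_message "Service $service restarted"
    fi
  done

  # Test critical functionality with a bounded per-request time.
  for url in "${TEST_URLS[@]}"; do
    if ! curl -sf --max-time "${CURL_MAX_TIME:-15}" "$url" > /dev/null; then
      log_message "ERROR: Post-update service check failed for $url"
      # No rollback is performed here; the caller notifies the administrator.
      return 1
    fi
  done

  log_message "Post-update verification completed"
  return 0
}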
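# Main execution: run the three stages in order and notify ADMIN_EMAIL.
# A pre-check failure aborts before anything is changed; an apply or verify
# failure sends an URGENT mail. The exit status is 0 only on full success so
# a cron/systemd wrapper can tell the outcome without parsing the log.
# Globals:   ADMIN_EMAIL (read)
# Returns:   0 on success, 1 otherwise
main() {
  # apt-get, /var/log and /backup all need root; fail fast and loudly.
  if [[ "$(id -u)" -ne 0 ]]; then
    echo "patch-management.sh must run as root" >&2
    return 1
  fi
  # Prevent overlapping runs (e.g. cron firing again while a previous upgrade
  # is still in progress). flock(1) is part of util-linux on Debian/Ubuntu;
  # the lock is released when the script exits and fd 9 closes.
  exec 9>/var/run/patch-management.lock
  if ! flock -n 9; then
    echo "Another patch-management run is in progress" >&2
    return 1
  fi

  log_message "Starting patch management process"
  if ! pre_update_checks; then
    log_message "Pre-update checks failed, aborting patch management"
    return 1
  fi

  if ! apply_updates; then
    log_message "Applying updates failed"
    echo "Applying updates failed on $(hostname). Manual intervention required." | \
      mail -s "URGENT: Patch Management Failure" "$ADMIN_EMAIL"
    return 1
  fi

  if ! post_update_verification; then
    log_message "Post-update verification failed"
    # Send failure notification
    echo "Post-update verification failed on $(hostname). Manual intervention required." | \
      mail -s "URGENT: Patch Management Failure" "$ADMIN_EMAIL"
    return 1
  fi

  log_message "Patch management completed successfully"
  # Send success notification
  echo "Patch management completed successfully on $(hostname)" | \
    mail -s "Patch Management Success" "$ADMIN_EMAIL"
  return 0
}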
# Entry point: hand any command-line arguments to main (currently unused)
# and let the script's exit status be main's return value.
main "$@"