Reverse engineering AWS Systems Manager Patch Manager.
TLDR:
- SCAN: compare the baseline to the installed packages and generate an inventory
- INSTALL: run `apt upgrade` for all packages in the baseline and generate an inventory
In detail:
- Check that the prerequisites are installed, e.g. python and apt
- Create /var/log/amazon/ssm/patch-baseline-operations/ and chdir into it
- Download and extract the patch-baseline-operations tar file from the region-specific bucket
- Run modules from the tar file:

```python
import common_startup_entrance
common_startup_entrance.execute("os_selector", "PatchLinux", "{{SnapshotId}}",
                                "{{Operation}}", "{{InstallOverrideList}}",
                                "{{RebootOption}}", "{{BaselineOverride}}")
```

The `{{..}}` placeholders are SSM document parameters that SSM substitutes before the script is executed.
common_startup_entrance comes from the tar file and does the following:
- Fetch snapshot_info for the instance using get_deployable_patch_snapshot_for_instance
- Download the patch baseline snapshot. Its contents are similar to the output of the get-patch-baseline CLI command; a patch baseline defines which patches are automatically approved
- Save the snapshot to snapshot.json
- Launch main_entrance.py, passing it snapshot.json
- Identify the OS and call the relevant package manager entrance file, e.g. for Ubuntu import apt_entrance.py and run `execute`, passing it the snapshot object
- The package manager scans or installs all the approved patches. In the case of Ubuntu:
  - SCAN: compare the apt cache to the baseline and classify packages as installed_updates, installed_other, installed_rejected, missing_updates or not_applicable_packages
  - INSTALL: run `apt upgrade` and then compare the cache to the baseline, as in SCAN
- Generate a patch compliance summary (example) and save the patch state (the install state of the packages in the baseline) to /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json (example)
- Save the compliance summary to /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json
- Upload the patch compliance summary using put_inventory, but only if its hash has changed since the last operation
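The SCAN/INSTALL/upload flow above, modelled in Python as an added example (this is not code from the patch-baseline-operations tarball or from AWS). The snapshot and apt-cache structures are simplified, constructed stand-ins: the real snapshot.json carries approval rules, severities and more, and the real code reads the apt cache through python-apt; here the baseline is reduced to name globs, the cache to a list of name/installed/candidate records, and the "hash has changed" check to a SHA-256 over the canonical JSON of the summary (the actual hash algorithm is an assumption). INSTALL is modelled as upgrading the approved packages with pending updates and then rescanning.

```python
"""Model of the SCAN / INSTALL / upload-if-changed logic of SSM Patch Manager on apt.

Added example, not AWS code. Snapshot schema, cache schema and hash function are
simplified assumptions; the package categories are the five named on the page.
"""
import hashlib
import json
from fnmatch import fnmatch

# Constructed, simplified snapshot: name globs for approved and rejected packages.
SNAPSHOT = {
    "approvedPatches": ["openssl", "libssl*", "curl", "bash"],
    "rejectedPatches": ["linux-image-*"],
}

# Constructed apt cache records. installed=None means the package is not installed.
# apt's candidate is the version an upgrade would pull in, so candidate != installed
# means an upgrade is pending (apt reports candidate == installed when nothing is newer).
APT_CACHE = [
    {"name": "openssl",             "installed": "3.0.2-0ubuntu1.10",  "candidate": "3.0.2-0ubuntu1.15"},
    {"name": "libssl3",             "installed": "3.0.2-0ubuntu1.15",  "candidate": "3.0.2-0ubuntu1.15"},
    {"name": "curl",                "installed": "7.81.0-1ubuntu1.15", "candidate": "7.81.0-1ubuntu1.16"},
    {"name": "bash",                "installed": "5.1-6ubuntu1",       "candidate": "5.1-6ubuntu1"},
    {"name": "vim",                 "installed": "2:8.2.3995-1ubuntu2", "candidate": "2:8.2.3995-1ubuntu2.16"},
    {"name": "linux-image-generic", "installed": "5.15.0.91.88",       "candidate": "5.15.0.97.94"},
    {"name": "nginx",               "installed": None,                 "candidate": "1.18.0-6ubuntu14.4"},
]

CATEGORIES = ("installed_updates", "installed_other", "installed_rejected",
              "missing_updates", "not_applicable_packages")


def _matches(name, patterns):
    return any(fnmatch(name, pattern) for pattern in patterns)


def scan(cache, snapshot):
    """SCAN: compare the apt cache to the baseline and bucket every package."""
    state = {category: [] for category in CATEGORIES}
    for pkg in cache:
        name = pkg["name"]
        if pkg["installed"] is None:
            state["not_applicable_packages"].append(name)   # nothing installed to patch
        elif _matches(name, snapshot["rejectedPatches"]):
            state["installed_rejected"].append(name)        # installed but explicitly rejected
        elif not _matches(name, snapshot["approvedPatches"]):
            state["installed_other"].append(name)           # installed, outside the baseline
        elif pkg["installed"] == pkg["candidate"]:
            state["installed_updates"].append(name)         # approved and already current
        else:
            state["missing_updates"].append(name)           # approved update still pending
    return state


def compliance_summary(state):
    """Per-category counts plus an overall compliant flag (no approved update missing)."""
    summary = {category: len(names) for category, names in state.items()}
    summary["compliant"] = not state["missing_updates"]
    return summary


def summary_hash(summary):
    """Stable digest of the summary; assumed stand-in for the hash the page mentions."""
    canonical = json.dumps(summary, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def needs_upload(summary, last_uploaded_hash):
    """Only call put_inventory when the summary differs from the last uploaded one."""
    return summary_hash(summary) != last_uploaded_hash


def simulate_install(cache, snapshot):
    """INSTALL: upgrade the approved packages with pending updates, then rescan."""
    pending = set(scan(cache, snapshot)["missing_updates"])
    upgraded = [dict(pkg, installed=pkg["candidate"]) if pkg["name"] in pending else dict(pkg)
                for pkg in cache]
    return upgraded, scan(upgraded, snapshot)


if __name__ == "__main__":
    before = scan(APT_CACHE, SNAPSHOT)
    print("SCAN:", json.dumps(before, indent=2))
    last_hash = summary_hash(compliance_summary(before))
    _, after = simulate_install(APT_CACHE, SNAPSHOT)
    print("after INSTALL:", json.dumps(compliance_summary(after), indent=2))
    print("put_inventory needed:", needs_upload(compliance_summary(after), last_hash))
```

Running the block with the constructed cache puts openssl and curl in missing_updates, vim in installed_other (an update is pending but it is outside the baseline, so it is not counted against compliance) and linux-image-generic in installed_rejected; after the modelled INSTALL, missing_updates is empty, the summary hash changes, and so put_inventory would be called again.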