Pakiti

Monitoring patch status

Pakiti is a client-server tool that collects and evaluates data about packages installed on Linux machines. It is primarily meant to identify vulnerable software that has not been properly updated. The EGI CSIRT operates the EGI Pakiti instance, which is used to monitor the state of the EGI sites.

Pakiti client

The pakiti-client can be used to send package information to pakiti.egi.eu.

If you have the proper credentials in the Configuration Database and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and potential vulnerabilities. The results can be accessed on the EGI Pakiti central instance.

Running the Pakiti client from CVMFS for EGI

If you have CVMFS installed and configured to mount grid.cern.ch, you can run the Pakiti client with:

$ /cvmfs/grid.cern.ch/pakiti/bin/pakiti-client \
    --url "https://pakiti.egi.eu/feed/" \
    --site SITE_NAME

Please remember to replace SITE_NAME with your actual site name.

Manual installation

Installing the Pakiti client

The pakiti-client is now available from EPEL. If your machine already has EPEL enabled, the following command is enough to install it:

$ yum install pakiti-client

Running the Pakiti client for EGI

With the package and the configuration, the following command will run the pakiti-client and transmit all its data to the EGI CSIRT Pakiti instance:

$ pakiti-client --url "https://pakiti.egi.eu/feed/" --site SITE_NAME

Please remember to replace SITE_NAME with your actual site name.

Puppet Installation

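The simplest way to configure and run the pakiti-client on a cluster is to use Puppet: you just need to create a file and a manifest.

# Install the client package (available from EPEL).
package { 'pakiti-client':
  ensure => 'present',
}
# Report once a day as the unprivileged user 'nobody'.
# fqdn_rand() derives a stable per-host value from the FQDN, so each
# host keeps the same slot and the reports are spread over the day.
cron { 'pakiti-egi':
  ensure  => 'present',
  command => 'pakiti-client --url "https://pakiti.egi.eu/feed/" --site SITE_NAME',
  user    => 'nobody',
  hour    => fqdn_rand(24),
  minute  => fqdn_rand(60),
}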