AAG and System Updates, Making it Easy!

One of the biggest problems we had when running our IBM i systems was knowing which PTFs we needed and when new PTFs were available. As a development shop we regularly come across issues that need support from IBM to help debug and understand them. The problem was that every time we contacted IBM support, the first question was always “Do you have all of the latest PTFs installed?” That’s when we would start to dig around, get the latest PTFs and run the installation process before going back to IBM to confirm that the problem persisted. AAG now provides the notifications that tell us we need to do something.

AAG Notification that PTF group updates are available

Shows the PTF groups that are not at the latest level

Another problem that we all face now is the ever-increasing number of vulnerabilities being identified, seemingly every week! Just getting the information about what is happening and then looking through all of the available data to determine whether you are affected takes a lot of effort. You need to figure out which LPP is involved, then which option is affected for those LPPs with multiple options. Once you have figured that out, you need to find out which systems are running those LPPs and at what level before you can identify the PTF that fixes the issue! We only have 13 LPARs to manage, but carrying out those checks can take us hours of effort just to find out what we need to download from IBM.

AAG notification that Security fixes are required
Shows the PTF required to fix an outstanding security bulletin

All of the above means that in most cases people don’t update their systems anywhere near as often as they should, which means they are exposed on a number of fronts. We realized that something needed to be done, at the very least to make sure we have all of the latest security bulletins installed. The PTFs were less of a concern (the “if it ain’t broke, don’t fix it” mentality), but we knew that eventually they needed to be managed far better than we were doing. After all, just because a PTF isn’t identified as fixing a security vulnerability doesn’t mean it doesn’t fix one, so we decided that they also needed some kind of better management/automated fixing.

When we started with the AAG/NG4i monitoring, our plan was simply to identify the PTFs that are available but not installed; that alone would remove hours of effort each week from our current workload. So we set about developing a Nagios check command that would look up which security bulletins we knew about from IBM affected our IBM i instance (OS version / LPPs installed) and check the delta to provide a notification when PTFs were available but not installed. This helped us keep on top of things for a short while. The point was to stay pretty much up to date, so missing a few PTFs for a few days or weeks would not be a problem. However, we started to see CRITICAL exposures being identified regularly, and this was something that we wanted to fix QUICKLY! So we built a couple of commands that download the PTFs for either Group PTFs or the Security Bulletins and can be run directly on each of the IBM i instances. They have made our life so much easier that if we were looking at a solution and needed to buy a piece of software, just doing this would more than cover the cost of AAG/NG4i.
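To make the delta check described above concrete, here is an added sketch of a Nagios-style plugin; it is not AAG/NG4i's own code. It assumes the bulletin list and the LPAR's LPP/PTF inventory have already been collected, all IDs are constructed sample values, and the `fixed_by` set (the fixing PTF plus any PTF that supersedes it) is an assumption of this example.

```python
#!/usr/bin/env python3
"""Nagios-style check: security-bulletin PTFs that apply to this LPAR but are not installed."""

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

# Constructed sample data: bulletin, LPP and PTF IDs are illustrative only.
BULLETINS = [
    # fixed_by: the fixing PTF plus any superseding PTF (assumed to be known)
    {"id": "BULLETIN-A", "severity": "CRITICAL", "lpp": "5770SS1", "option": "0",
     "release": "V7R5M0", "fixed_by": {"SI00001", "SI00009"}},
    {"id": "BULLETIN-B", "severity": "HIGH", "lpp": "5770SS1", "option": "3",
     "release": "V7R5M0", "fixed_by": {"SI00002"}},
    {"id": "BULLETIN-C", "severity": "HIGH", "lpp": "5770XX1", "option": "0",
     "release": "V7R5M0", "fixed_by": {"SI00003"}},
    {"id": "BULLETIN-D", "severity": "CRITICAL", "lpp": "5770SS1", "option": "0",
     "release": "V7R4M0", "fixed_by": {"SI00004"}},
]
INSTALLED_LPPS = {("5770SS1", "0", "V7R5M0"), ("5770SS1", "3", "V7R5M0")}
INSTALLED_PTFS = {"SI00009"}


def outstanding(bulletins, lpps, ptfs):
    """Bulletins that match an installed LPP/option/release and have no fix applied."""
    return [b for b in bulletins
            if (b["lpp"], b["option"], b["release"]) in lpps
            and not (b["fixed_by"] & ptfs)]


def check(bulletins, lpps, ptfs):
    """Return (exit_code, status_line) in the form Nagios expects from a plugin."""
    missing = outstanding(bulletins, lpps, ptfs)
    if not missing:
        return OK, "OK - no outstanding security bulletin PTFs"
    code = CRITICAL if any(b["severity"] == "CRITICAL" for b in missing) else WARNING
    detail = ", ".join(f'{b["id"]} needs {"/".join(sorted(b["fixed_by"]))}' for b in missing)
    label = "CRITICAL" if code == CRITICAL else "WARNING"
    return code, f"{label} - {len(missing)} bulletin(s) unfixed: {detail}"


if __name__ == "__main__":
    import sys
    code, line = check(BULLETINS, INSTALLED_LPPS, INSTALLED_PTFS)
    print(line)
    sys.exit(code)
```

Bulletins for LPPs, options or releases that are not on the LPAR are ignored, so the alert only fires for fixes that can actually be applied to that instance.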

Options to install PTF Groups and Security Bulletin fixes

It’s hard to imagine what this looks like or to put it into writing, so we have created a couple of videos that show exactly what the process is. These are based on our Nagios stack, but they would be just the same when running on Nagios XI or one of the other derivatives.

Monitoring IBM PTFs with AAG


Staying on top of IBM Security Bulletins with AAG

