[SYSTEMS ADMINS & IT MONKEYS] ...maybe they should have hired a professional


Posts

  • Options
    bowenbowen How you doin'? Registered User regular
    It's got its own static IP separate from the rest of my network. Can still be powered back up because the web interface doesn't let you do more than power on or off. I can still use a software to lock it down even further.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    Mei HikariMei Hikari Registered User regular
    You can only whitelist specific IP, and add your home IP.

  • Options
    Apothe0sisApothe0sis Have you ever questioned the nature of your reality? Registered User regular
    Le_Goat wrote: »
    Apothe0sis wrote: »
    So, we have some sort of partner action packed type thing with Microsoft. They rotate old versions of stuff out of what you can download, but I need the SQL 2008 key they used to have. It's now replaced with the 2012 key, instead. Anyone know if there's any way to get what once was?
    From my understanding, the keys must be shown as the latest version, but they are backwards compatible... up to a point. My assumption is that 2008 isn't old enough where that should present a problem.

    Now that you've said this, if this doesn't work, then it's your fault!

  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    Apothe0sis wrote: »
    Le_Goat wrote: »
    Apothe0sis wrote: »
    So, we have some sort of partner action packed type thing with Microsoft. They rotate old versions of stuff out of what you can download, but I need the SQL 2008 key they used to have. It's now replaced with the 2012 key, instead. Anyone know if there's any way to get what once was?
    From my understanding, the keys must be shown as the latest version, but they are backwards compatible... up to a point. My assumption is that 2008 isn't old enough where that should present a problem.

    Now that you've said this, if this doesn't work, then it's your fault!
    Meh, I get blamed for everything here, might as well expand to a company I don't work for too, lol

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    DraygoDraygo Registered User regular
    bowen wrote: »
    On a scale of 1 to 10, 10 being crazy, how crazy am I for putting our network based surge protector accessible to the interwebs?

    Still needs username/password to access.

    not very. I mean think about it, someone is going to crack that password so they can just... turn off your network. I wouldn't see the need to use anything other than a good password to lock it.

    Would be an annoyance yes if they actually did that, but not a security risk. I mean the reason you did it was because you need to reboot the equipment it's plugged into constantly so it turning off magically one day can easily be blamed on that faulty equipment as you change the password to something else :P.

  • Options
    CogCog What'd you expect? Registered User regular
    So, WSUS's reporting is obnoxiously picky about how it reports patch compliance. If a patch is approved for any computer/group, all computers/groups think they "need" it and will fail to report at 100%. I'm looking for a patch reporting tool that doesn't have its head up its own ass in such a fashion. Anyone familiar with anything? I don't necessarily need patch deployment capabilities (though I might use them if they're well done), and the tool need not be free.

  • Options
    chamberlainchamberlain Registered User regular
    Argh, just had a typo I made in the name of an ODBC connection last week come back and bite me for about an hour and a half of panicked work. The worst part is that there is no way to explain it that does not make me look an idiot.

  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    Cog wrote: »
    So, WSUS's reporting is obnoxiously picky about how it reports patch compliance. If a patch is approved for any computer/group, all computers/groups think they "need" it and will fail to report at 100%. I'm looking for a patch reporting tool that doesn't have its head up its own ass in such a fashion. Anyone familiar with anything? I don't necessarily need patch deployment capabilities (though I might use them if they're well done), and the tool need not be free.
    Are you actually running reports or just using the failed/needed/installed columns of the computer group?

    We have a very small environment of only about 75 clients and the columns have been really consistent and accurate, so I've never bothered with the reports.

    I've mentioned it many times before, so pardon doing so again, but I just deployed SolarWinds Patch Manager earlier this year and the reporting feature is pretty spectacular. It integrates with WSUS, so if that's acting finicky, then Patch Manager may as well. Their support is fantastic and are willing to walk you through the setup as well as the reporting features if you want to do a free trial with them and see if it's what you want: http://www.solarwinds.com/patch-manager.aspx. It will require a few days of your time to setup and get used to.

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    AiouaAioua Ora Occidens Ora OptimaRegistered User regular
    Argh, just had a typo I made in the name of an ODBC connection last week come back and bite me for about an hour and a half of panicked work. The worst part is that there is no way to explain it that does not make me look an idiot.

    Who are you explaining it to? Sometimes you can just wrap it in enough jargon.

    "I had to manually correct for errors in the initial ODBC config files."

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    edited August 2013
    Aioua wrote: »
    Argh, just had a typo I made in the name of an ODBC connection last week come back and bite me for about an hour and a half of panicked work. The worst part is that there is no way to explain it that does not make me look an idiot.

    Who are you explaining it to? Sometimes you can just wrap it in enough jargon.

    "I had to manually correct for errors in the initial ODBC config files."
    Also, it was an issue with the Flux Capacitor

    Honestly, typos happen. I once thought a PC had disappeared and couldn't figure out where the hell it went. Turns out that I misspelled someone's name, which is why I couldn't get any of the connections to work.

    Le_Goat on
    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    CogCog What'd you expect? Registered User regular
    edited August 2013
    Le_Goat wrote: »
    Cog wrote: »
    So, WSUS's reporting is obnoxiously picky about how it reports patch compliance. If a patch is approved for any computer/group, all computers/groups think they "need" it and will fail to report at 100%. I'm looking for a patch reporting tool that doesn't have its head up its own ass in such a fashion. Anyone familiar with anything? I don't necessarily need patch deployment capabilities (though I might use them if they're well done), and the tool need not be free.
    Are you actually running reports or just using the failed/needed/installed columns of the computer group?

    We have a very small environment of only about 75 clients and the columns have been really consistent and accurate, so I've never bothered with the reports.

    I've mentioned it many times before, so pardon doing so again, but I just deployed SolarWinds Patch Manager earlier this year and the reporting feature is pretty spectacular. It integrates with WSUS, so if that's acting finicky, then Patch Manager may as well. Their support is fantastic and are willing to walk you through the setup as well as the reporting features if you want to do a free trial with them and see if it's what you want: http://www.solarwinds.com/patch-manager.aspx. It will require a few days of your time to setup and get used to.

    I just need the failed/needed/installed, TBH. The part that annoys the shit out of me is that if you have a requirement to keep any servers/workstations at different patch levels for whatever software (different versions of IE, for example) any servers not approved for a certain patch will bitch about "needing/missing" it. I want to see if I'm 100% compliant on patches approved for each container, not each patch approved for any device anywhere in my environment at all.

    I actually installed the SolarWinds Patch Manager trial on my SUS server this morning, and while it does look impressive, the sheer amount of options are - like many Solar Winds products - somewhat intimidating/overwhelming. Naturally they were emailing me before the goddamn download had even finished to ask me if they could quote me a price and help me install it, so I'll bounce my questions off them.

    I looked at GFI LanGuard as well, but you seem to have to manually ignore patches on a domain/container/computer level to accomplish what I want, and that's more work than I'm hoping for.

    Cog on
  • Options
    JamesKeenanJamesKeenan Registered User regular
    edited August 2013
    This is the exact text of a script I found in my cron.daily directory which is the culprit for our root directory going read only and shutting down Samba and, as a result, DFS.
    flags=-umc
    /usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
    -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
    -X '/tmp/hsperfdata_*' 240 /tmp
    /usr/sbin/tmpwatch "$flags" 720 /var/tmp
    for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
    /usr/sbin/tmpwatch "$flags" -f 720 "$d"
    fi
    done

    Any idea what in that script is causing / to go read-only? And it apparently, somehow, writes a bunch of junk data to the drive, such that a fsck is necessary, and finds a couple dozen node errors like "should be 1, but is two" and "empty inode info". One reboot, one fsck and everything is back to normal. But it only started Tuesday? The script was last modified a week before that.

    For what it matters, we have a 4 drive raid array for the / directory, which reads in fstab as ext3, but somewhere I remember reading that it's supposed to be xfs, though I don't know how/where linux would report that. Don't know much about xfs.



    Now, I know the script doesn't start with #!/bin/sh, but could that really be it?

    JamesKeenan on
  • Options
    mightyjongyomightyjongyo Sour Crrm East Bay, CaliforniaRegistered User regular
    edited August 2013
    Try running the commands yourself, one at a time? What changed when the script was modified?

    I think the culprit will probably be in what tmpwatch is deleting, so figure a good place to start will be figuring out what the expression in the for statement is expanding to.

    I doubt that the #!/bin/sh is the problem, bets are that bash is already the default shell.

    You can check the filesystem type of all mounted filesystems by running mount with no args, I think.

    edit: also check dmesg too I guess.

    mightyjongyo on
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    edited August 2013
    Cog wrote: »
    I just need the failed/needed/installed, TBH. The part that annoys the shit out of me is that if you have a requirement to keep any servers/workstations at different patch levels for whatever software (different versions of IE, for example) any servers not approved for a certain patch will bitch about "needing/missing" it. I want to see if I'm 100% compliant on patches approved for each container, not each patch approved for any device anywhere in my environment at all.
    Have you separated your servers into a completely different WSUS group? To be honest, I don't update servers via WSUS because I like to be hands-on about what is getting updated on the servers, but I have them 100% separated from all other nodes so that they don't get any of the updates via WSUS. The only client that shouts out ERROR is with one that has a messed up setting in proxycfg.exe that I changed in XP before upgrading to 7, which I can't figure out how to change using netsh. The good part is that because that client spits out errors on WSUS, I know the reporting function is working correctly.
    Cog wrote: »
    I actually installed the SolarWinds Patch Manager trial on my SUS server this morning, and while it does look impressive, the sheer amount of options are - like many Solar Winds products - somewhat intimidating/overwhelming. Naturally they were emailing me before the goddamn download had even finished to ask me if they could quote me a price and help me install it, so I'll bounce my questions off them.
    Yeah, they'll be a bit pushy for the sale, but if you get the quote, they fully shift towards making sure you're getting a working test drive; they even extended my trial by a month or so because of some bugs, but they were great with helping me out.

    Le_Goat on
    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    CogCog What'd you expect? Registered User regular
    Le_Goat wrote: »
    Have you separated your servers into a completely different WSUS group? To be honest, I don't update servers via WSUS because I like to be hands-on about what is getting updated on the servers, but I have them 100% separated from all other nodes so that they don't get any of the updates via WSUS. The only client that shouts out ERROR is with one that has a messed up setting in proxycfg.exe that I changed in XP before upgrading to 7, which I can't figure out how to change using netsh. The good part is that because that client spits out errors on WSUS, I know the reporting function is working correctly.

    Yes, they're in different WSUS groups. But, here's my problem. Let's say I have a bunch of servers in SUS Container A, and a bunch of servers in SUS Container B. The servers in SUS Container A are cleared to install IE 10, but because of some program compatibility issues, the servers in SUS Container B need to stay at IE 9. When I look at the servers in Container B, they will report they are 99% patched because they are "missing" IE 10, even though that patch is not approved for Container B. If a patch is approved for any container anywhere in SUS, all containers think they NEED it.

    I want to be able to see if a container is 100% compliant with just the patches approved for that specific container. I want a report I can look at to tell in 10 seconds if I'm fully compliant with the patches I've approved, not go through each goddamn server to see if I'm at 99% because it's "missing" patches I don't even want it to have, or if it's actually, legitimately, missing a patch.

    I can't afford to be hands-on with patching, there's just too many servers (well over 100) for me to waste that kind of time with. Shit, I don't even want to take the time to reboot them manually, so I'm compelled to have Patch Manager do that too.

    Le_Goat wrote: »
    Yeah, they'll be a bit pushy for the sale, but if you get the quote, they fully shift towards making sure you're getting a working test drive; they even extended my trial by a month or so because of some bugs, but they were great with helping me out.

    Amusingly, the Sales Weasel who emailed me replied to my query about reporting saying that my question was "highly unusual" and he forwarded it to the engineers. "Highly unusual?" Do most people just approve everything for all servers or something?

  • Options
    Mei HikariMei Hikari Registered User regular
    most people don't have over 100 servers :-)

  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    edited August 2013
    Cog wrote: »
    Yes, they're in different WSUS groups. But, here's my problem. Let's say I have a bunch of servers in SUS Container A, and a bunch of servers in SUS Container B. The servers in SUS Container A are cleared to install IE 10, but because of some program compatibility issues, the servers in SUS Container B need to stay at IE 9. When I look at the servers in Container B, they will report they are 99% patched because they are "missing" IE 10, even though that patch is not approved for Container B. If a patch is approved for any container anywhere in SUS, all containers think they NEED it.

    I want to be able to see if a container is 100% compliant with just the patches approved for that specific container. I want a report I can look at to tell in 10 seconds if I'm fully compliant with the patches I've approved, not go through each goddamn server to see if I'm at 99% because it's "missing" patches I don't even want it to have, or if it's actually, legitimately, missing a patch.
    I know exactly what you're talking about now. I really don't think there is a workaround for that, because it's saying that a patch is available, just not installed. I've had that same problem with a .NET patch that I refused to install because of potential issues. All clients showed as 99%. Honestly, I just ignore that column unless it's below 99%, because anything lower means something else is missing. I pay more attention to the Need and Failed columns. What you're asking for would be beautiful, but I'm not sure how plausible it is. If you find out, let me know.
    Cog wrote: »
    Amusingly, the Sales Weasel who emailed me replied to my query about reporting saying that my question was "highly unusual" and he forwarded it to the engineers. "Highly unusual?" Do most people just approve everything for all servers or something?
    Well, Sales isn't exactly too knowledgeable with tech questions. They know enough to get their foot in the door long enough for the engineers to waltz through eventually.

    Le_Goat on
    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    Thanks to spell check, I almost sent an email to my CFO saying "I apologize for any incontinence that this may cause you" when asking her to reboot. Glad I caught that one...

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    bowenbowen How you doin'? Registered User regular
    You should have sent it anyways.

    That is funny as shit.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    CogCog What'd you expect? Registered User regular
    bowen wrote: »
    You should have sent it anyways.

    That is funny as shit.

    I see what you did there.

  • Options
    CogCog What'd you expect? Registered User regular
    edited August 2013
    Le_Goat wrote: »
    I know exactly what you're talking about now. I really don't think there is a workaround for that, because it's saying that a patch is available, just not installed. I've had that same problem with a .NET patch that I refused to install because of potential issues. All clients showed as 99%.

    Yeah, and that irritates the living shit out of me. I demand 100% compliance! :D
    Le_Goat wrote: »
    I pay more attention to the Need and Failed columns.

    Unfortunately both stats give false positives. "Need" shows update count for updates that aren't approved in that SUS container. My SUS server "Needs" 61 patches currently, but the actual agent doesn't see anything, 'cause the server has all the patches its container has been approved for. Everything it "needs" are patches approved elsewhere. And Failed only populates if an installation is attempted and blows up. If the agent isn't communicating with SUS properly and doesn't see the update in the first place, it can't fail to show up on that list.
    Le_Goat wrote: »
    What you're asking for would be beautiful, but I'm not sure how plausible it is. If you find out, let me know.

    Yeah, just a "do you have what I told you to have, no more no less" counter would be so fantastic. If I sort one out, I'll report back.

    Cog on
  • Options
    CogCog What'd you expect? Registered User regular
    edited August 2013
    Promised update: Patch manager's "Approved Update Summaries by computer group" report under Windows SUS Analytics reports gives you a compliance percentage for the updates assigned to that specific WSUS group, but I can't find a way to have it then show you the names of the non-compliant devices. Waiting on SolarWinds to tell me if that's doable. Maybe a custom report based off this one or something.

    Cog on
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    edited August 2013
    Cog wrote: »
    Promised update: Patch manager's "Approved Update Summaries by computer group" report under Windows SUS Analytics reports gives you a compliance percentage for the updates assigned to that specific WSUS group, but I can't find a way to have it then show you the names of the non-compliant devices. Waiting on SolarWinds to tell me if that's doable. Maybe a custom report based off this one or something.
    They should be able to create that for you. I had them create me a customized report which used the latest inventory task as the source data. The customized report showed every application (and its version) installed on managed clients. It was the final test I had them perform before coming to the decision to purchase their SMB version of the product.

    Also, thanks for the update. I'm going to check that report out now. The program's vast options and abilities are more than I've had time to look through and try out.

    Le_Goat on
    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    CogCog What'd you expect? Registered User regular
    I looked into the report editing tool myself just now, and while you can add 'computer name' to a report, it comes from other data streams, not the "Approved Update Summaries by computer group" data stream. The report editor says cross-stream reports don't work, and the 'by computer group' data stream doesn't have any sort of computer/device name or even IP address for the client devices in it that I can see.

    Of course, I've had my face in the Patch Manager UI for a total of about 6 hours now, so I am far from any sort of expert.

  • Options
    BigityBigity Lubbock, TXRegistered User regular
    The most favorite part of my month (quarter really, I get behind) - expense reports. Bleah

  • Options
    AbracadanielAbracadaniel Registered User regular
    Expensify

    Makes it pretty damn easy to do expense reporting, if you're not using any of their fancy features it's free. If all you're looking to do is send in an expense report with your stuff it works pretty well.

  • Options
    BigityBigity Lubbock, TXRegistered User regular
    We have Concur. It works and is pretty straightforward, it just takes a stupid amount of clicks to do anything.

    Like lunch on a trip. Click the item (it populates with all charges from the company card, so that's something at least). In the new window that opens, hit Lunch. Then Save.
    Back at the first window, now click Attendees. In the new window that opens, select yourself. Click Add. Click Save.
    Then at the first window, type a description. Click Save.

    Next item.

    bleah

  • Options
    ghost_master2000ghost_master2000 Registered User regular
    Cog wrote: »
    Le_Goat wrote: »
    Have you separated your servers into a completely different WSUS group? To be honest, I don't update servers via WSUS because I like to be hands-on about what is getting updated on the servers, but I have them 100% separated from all other nodes so that they don't get any of the updates via WSUS. The only client that shouts out ERROR is with one that has a messed up setting in proxycfg.exe that I changed in XP before upgrading to 7, which I can't figure out how to change using netsh. The good part is that because that client spits out errors on WSUS, I know the reporting function is working correctly.

    Yes, they're in different WSUS groups. But, here's my problem. Let's say I have a bunch of servers in SUS Container A, and a bunch of servers in SUS Container B. The servers in SUS Container A are cleared to install IE 10, but because of some program compatibility issues, the servers in SUS Container B need to stay at IE 9. When I look at the servers in Container B, they will report they are 99% patched because they are "missing" IE 10, even though that patch is not approved for Container B. If a patch is approved for any container anywhere in SUS, all containers think they NEED it.

    I want to be able to see if a container is 100% compliant with just the patches approved for that specific container. I want a report I can look at to tell in 10 seconds if I'm fully compliant with the patches I've approved, not go through each goddamn server to see if I'm at 99% because it's "missing" patches I don't even want it to have, or if it's actually, legitimately, missing a patch.

    I can't afford to be hands-on with patching, there's just too many servers (well over 100) for me to waste that kind of time with. Shit, I don't even want to take the time to reboot them manually, so I'm compelled to have Patch Manager do that too.

    Le_Goat wrote: »
    Yeah, they'll be a bit pushy for the sale, but if you get the quote, they fully shift towards making sure you're getting a working test drive; they even extended my trial by a month or so because of some bugs, but they were great with helping me out.

    Amusingly, the Sales Weasel who emailed me replied to my query about reporting saying that my question was "highly unusual" and he forwarded it to the engineers. "Highly unusual?" Do most people just approve everything for all servers or something?

    I think I got around that issue by explicitly "denying" the conflicting patches for that group. Then they no longer report as out of compliance. It's been a while since I dealt with that, but I think that's how I fixed it. Still haven't got a WSUS server spun up at my current job, so not 100% sure on that.

  • Options
    CogCog What'd you expect? Registered User regular
    I think I got around that issue by explicitly "denying" the conflicting patches for that group. Then they no longer report as out of compliance. It's been a while since I dealt with that, but I think that's how I fixed it. Still haven't got a WSUS server spun up at my current job, so not 100% sure on that.

    SUS doesn't work this way, unfortunately. The update is either universally declined (which does keep it from counting against compliance, but is a blanket deny for the whole SUS environment) or it is approved for install for some containers but not others, causing the un-approved containers to report less than 100% compliance. SUS's reporting simply sucks and sort of assumes you're going to approve all-or-nothing.

    I did get a container based compliance reporting method from Patch manager, now I just need to see if I can follow that up with a simple method of chasing down non-compliant devices from that report.
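
The group-scoped compliance count asked for in the posts above, as an added example that is not part of the thread and does not use WSUS or Patch Manager code. It runs over a constructed export (all host, group and update names are hypothetical) and, following the point that a non-communicating agent never shows up as "Failed", reports hosts with stale status separately instead of counting them as compliant.

```python
from datetime import datetime, timedelta

# Constructed sample data: which groups each update is approved for.
APPROVALS = {
    "IE10": {"Container A"},
    "KB-0001": {"Container A", "Container B"},
    "KB-0002": {"Container A", "Container B"},
}
# Constructed group membership.
GROUPS = {
    "Container A": ["srv-a1", "srv-a2"],
    "Container B": ["srv-b1", "srv-b2", "srv-b3"],
}
NOW = datetime(2013, 8, 15, 9, 0)  # fixed "now" so the sample is reproducible
# host -> (time of last status report, {update: installed?})
STATUS = {
    "srv-a1": (NOW - timedelta(hours=3), {"IE10": True, "KB-0001": True, "KB-0002": True}),
    "srv-a2": (NOW - timedelta(hours=5), {"IE10": False, "KB-0001": True, "KB-0002": True}),
    "srv-b1": (NOW - timedelta(hours=2), {"IE10": False, "KB-0001": True, "KB-0002": True}),
    "srv-b2": (NOW - timedelta(hours=4), {"IE10": False, "KB-0001": True, "KB-0002": False}),
    "srv-b3": (NOW - timedelta(days=21), {"IE10": False, "KB-0001": True, "KB-0002": True}),
}


def missing(host, updates):
    """Updates from `updates` that the host has not reported as installed."""
    _, installed = STATUS[host]
    return sorted(u for u in updates if not installed.get(u, False))


def any_group_view(group):
    """The behaviour complained about: an update approved for ANY group
    counts as needed on every host."""
    return {host: missing(host, set(APPROVALS)) for host in GROUPS[group]}


def group_scoped_report(group, max_age=timedelta(days=7), now=NOW):
    """Compliance against only the updates approved for this group."""
    approved = {u for u, groups in APPROVALS.items() if group in groups}
    noncompliant, stale = {}, []
    for host in GROUPS[group]:
        last_report, _ = STATUS[host]
        if now - last_report > max_age:
            # Old data proves nothing either way; do not count it as compliant.
            stale.append(host)
            continue
        gaps = missing(host, approved)
        if gaps:
            noncompliant[host] = gaps
    total = len(GROUPS[group])
    compliant = total - len(noncompliant) - len(stale)
    return {
        "approved": sorted(approved),
        "percent": round(100 * compliant / total, 1),
        "noncompliant": noncompliant,  # names of the devices to chase
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    for name in GROUPS:
        print(name, "any-group view:", any_group_view(name))
        print(name, "group-scoped:  ", group_scoped_report(name))
```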

  • Options
    chamberlainchamberlain Registered User regular
    I will never understand the fascination with toolbars.

    User - IE is really slow!
    Chamberlain - you have three different toolbars installed, one of which is a straight up browser hijack
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!

  • Options
    CogCog What'd you expect? Registered User regular
    I'd like to think if you could ever teach people they can google right from the goddamn address bar, that things like the google toolbar would wither and die. It's probably a pipe dream. On the same vein, Weatherbug. Do you really need the current, and probably inaccurate, temperature in your system tray? Watch the news, look out a goddamn window.

    This is what GPOs were made for, I guess.

  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.
    Cog wrote: »
    On the same vein, Weatherbug. Do you really need the current, and probably inaccurate, temperature in your system tray? Watch the news, look out a goddamn window.
    The weather gadgets, apps, toolbars, and widgets drive me up the fucking wall. I love how users respond to my questions about why they want it installed with "But I have it on my home computer, so why can't I have it on this one?"

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    EndEnd Registered User regular
    edited August 2013
    Le_Goat wrote: »
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.

    It has the capability to install itself to the user's AppData (probably so that updates don't require your intervention)

    End on
    I wish that someway, somehow, that I could save every one of us
  • Options
    CogCog What'd you expect? Registered User regular
    edited August 2013
    Le_Goat wrote: »
    I love how users respond to my questions about why they want it installed with "But I have it on my home computer, so why can't I have it on this one?"

    "Because your home computer is a filthy, disease ridden strumpet of a machine who will wantonly open her ports to any random request, and I refuse to allow you to bring our fine equipment down to the same level of indiscriminate anonymous connections."

    Cog on
  • Options
    Mei HikariMei Hikari Registered User regular
    k
    End wrote: »
    Le_Goat wrote: »
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.

    It has the capability to install itself to the user's AppData (probably so that updates don't require your intervention)

    Which is why I had to go deep in execution restrictions and NTFS permissions on my terminal servers used by high schoolers. These girls are crafty when it comes to installing games and chrome.

  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    Cog wrote: »
    Le_Goat wrote: »
    I love how users respond to my questions about why they want it installed with "But I have it on my home computer, so why can't I have it on this one?"

    "Because your home computer is a filthy, disease ridden strumpet of a machine who will wantonly open her ports to any random request, and I refuse to allow you to bring our fine equipment down to the same level of indiscriminate anonymous connections."
    In sum, your computer is a whore

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    End wrote: »
    Le_Goat wrote: »
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.

    It has the capability to install itself to the user's AppData (probably so that updates don't require your intervention)
    But should that really affect the initial install process?

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Options
    jaziekjaziek Bad at everything And mad about it.Registered User regular
    Gotta be in at 5 in the morning tomorrow to do an upgrade to some systems in the US. :rotate: timezones. At least I can go home super early.

    Steam ||| SC2 - Jaziek.377 on EU & NA. ||| Twitch Stream
  • Options
    SiliconStewSiliconStew Registered User regular
    Le_Goat wrote: »
    End wrote: »
    Le_Goat wrote: »
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.

    It has the capability to install itself to the user's AppData (probably so that updates don't require your intervention)
    But should that really affect the initial install process?

    By default, the user has full rights to their own profile directory. They can install whatever they want in there as long as it doesn't touch Program Files or HKLM keys.

    Just remember that half the people you meet are below average intelligence.
  • Options
    Le_GoatLe_Goat Frechified Goat Person BostonRegistered User regular
    Le_Goat wrote: »
    End wrote: »
    Le_Goat wrote: »
    User - I have no idea how those got there. By the way, check out this cool free version of solitaire that I downloaded!
    And that was one of my primary reasons why I've downgraded every user's local account on Windows 7. Want to install something? Okay, well it requires me putting in a domain admin's credentials... although Chrome seems to have some type of workaround and I'm not exactly pleased about it.

    It has the capability to install itself to the user's AppData (probably so that updates don't require your intervention)
    But should that really affect the initial install process?

    By default, the user has full rights to their own profile directory. They can install whatever they want in there as long as it doesn't touch Program Files or HKLM keys.
    Very interesting... kind of defeats some of the purpose of restricting local rights, doesn't it? I must look into this more. Thanks for the information.

    While I agree that being insensitive is an issue, so is being oversensitive.
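
A way to see how much software is running from user profiles, as discussed in the posts above (added example, not part of the thread): classify each process image path as admin-managed or user-writable and list the per-user installs. The event records, host names and the solitaire and toolbar file names are constructed; the directory roots assume a default Windows 7 layout on C:.

```python
import ntpath

# Assumed default locations that standard users cannot write to.
ADMIN_ONLY_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")
# Each user has full rights below their own profile directory.
PROFILE_ROOT = r"C:\Users"


def _norm(path):
    """Collapse '..' segments, unify slashes and lower-case the path."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, root):
    """True only for a real child of root; 'C:\\Program Files Extras' is
    not under 'C:\\Program Files'."""
    root = _norm(root)
    return path == root or path.startswith(root + "\\")


def classify(image_path):
    path = _norm(image_path)
    if _is_under(path, PROFILE_ROOT):
        return "user-writable"
    if any(_is_under(path, root) for root in ADMIN_ONLY_ROOTS):
        return "admin-managed"
    return "unclassified"


def flag_user_writable(events):
    """Return (host, user, normalised image path) for every process that
    started from a user profile, i.e. software installed without admin rights."""
    hits = set()
    for ev in events:
        if classify(ev["image"]) == "user-writable":
            hits.add((ev["host"], ev["user"], _norm(ev["image"])))
    return sorted(hits)


# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"},
    {"host": "ws02", "user": "bob",
     "image": "c:/users/bob/appdata/roaming/FreeSolitaire/sol.exe"},
    # Path written to look like Program Files; normalisation resolves it.
    {"host": "ws02", "user": "bob",
     "image": r"C:\Program Files\..\Users\bob\Downloads\toolbar_setup.exe"},
    {"host": "ws03", "user": "carol",
     "image": r"C:\Program Files Extras\tool.exe"},
    {"host": "ws03", "user": "carol",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, user, image in flag_user_writable(SAMPLE_EVENTS):
        print(f"{host} {user}: {image}")
```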
This discussion has been closed.