git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing

Browse Source 
M11 - Email Notifications + Audit Logging Hardening:
- Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders
- Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging
- Periodic + on-demand audit integrity verification
- Audit logging for all config changes and certificate operations
- Frontend: email settings integration, audit integrity verification action

M12 - Deployment Packaging, Backup/DR, Integration Testing:
- scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted)
- scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install
- systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening
- systemd/patch-manager.target: Service target for coordinated lifecycle
- docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets
- scripts/integration-test.sh: 9 test suites covering full API lifecycle
- scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s)
- docs/security-review.md: Comprehensive security control verification
- docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped
This commit is contained in:
Echo
2026-04-24 00:45:51 +00:00
parent 84ab92f4f0
commit 297bf1bd83
26 changed files with 2651 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
scripts/setup.sh
View File

@ -33,6 +33,7 @@ LOG_DIR="/var/log/patch-manager"
DATA_DIR="/opt/patch-manager"
FRONTEND_DIR="/usr/share/patch-manager/frontend"
BIN_DIR="/usr/local/bin"
BACKUP_DIR="/var/backups/patch-manager"
DB_NAME="patch_manager"
DB_USER="patch_manager"
SYSTEMD_DIR="/etc/systemd/system"
@ -63,7 +64,8 @@ mkdir -p \
"${CONFIG_DIR}/tls" \
"${LOG_DIR}" \
"${DATA_DIR}" \
"${FRONTEND_DIR}"
"${FRONTEND_DIR}" \
"${BACKUP_DIR}"
chown -R "${SERVICE_USER}:${SERVICE_GROUP}" \
"${CONFIG_DIR}" \
@ -72,6 +74,8 @@ chown -R "${SERVICE_USER}:${SERVICE_GROUP}" \
"${FRONTEND_DIR}"
chmod 750 "${CONFIG_DIR}/ca" "${CONFIG_DIR}/jwt"
chmod 700 "${BACKUP_DIR}"
info "Directories created."
# -----------------------------------------------------------------------
@ -152,6 +156,15 @@ fi
# 7. Install systemd units
# -----------------------------------------------------------------------
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Install systemd target
TARGET_SRC="${SCRIPT_DIR}/../systemd/patch-manager.target"
if [[ -f "${TARGET_SRC}" ]]; then
cp "${TARGET_SRC}" "${SYSTEMD_DIR}/patch-manager.target"
info "Installed systemd target: patch-manager.target"
fi
# Install service units
for unit in patch-manager-web.service patch-manager-worker.service; do
SRC="${SCRIPT_DIR}/../systemd/${unit}"
if [[ -f "${SRC}" ]]; then
@ -162,9 +175,40 @@ for unit in patch-manager-web.service patch-manager-worker.service; do
fi
done
# Install backup script
BACKUP_SRC="${SCRIPT_DIR}/backup.sh"
if [[ -f "${BACKUP_SRC}" ]]; then
cp "${BACKUP_SRC}" "${BIN_DIR}/backup.sh"
chmod 700 "${BIN_DIR}/backup.sh"
info "Installed backup script to ${BIN_DIR}/backup.sh"
fi
systemctl daemon-reload
info "systemd units installed and daemon reloaded."
# -----------------------------------------------------------------------
# 8. Run seed migration (default admin account)
# -----------------------------------------------------------------------
SEED_MIGRATION="${SCRIPT_DIR}/../migrations/002_seed_admin.sql"
if [[ -f "${SEED_MIGRATION}" ]]; then
info "Running seed migration for default admin account..."
sudo -u postgres psql -d "${DB_NAME}" -f "${SEED_MIGRATION}" 2>/dev/null || \
warn "Seed migration already applied or failed (may be idempotent)."
else
warn "Seed migration not found: ${SEED_MIGRATION}"
fi
# -----------------------------------------------------------------------
# 9. Install backup cron job
# -----------------------------------------------------------------------
CRON_LINE="0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1"
if crontab -l 2>/dev/null | grep -qF "backup.sh"; then
warn "Backup cron job already installed, skipping."
else
(crontab -l 2>/dev/null; echo "${CRON_LINE}") | crontab -
info "Nightly backup cron installed (02:00 daily)."
fi
# -----------------------------------------------------------------------
# Done
# -----------------------------------------------------------------------
@ -176,3 +220,4 @@ echo " 2. Build and install frontend: scripts/build-frontend.sh"
echo " 3. Review ${CONFIG_DEST}"
echo " 4. Enable services:"
echo " systemctl enable --now patch-manager-web patch-manager-worker"
echo " 5. (Optional) Set GPG_RECIPIENT in backup.sh for encrypted backups"