HP-UX Software Assistant Reference (November, 2010)
time specifying a different set of analyzers and a different analysis
file.
swa step report    Given the results of swa step analyze, a summary of
recommended actions is written to standard output and
comprehensive results are written to the report subdirectory of the
directory specified by the user_dir extended option (the default
filename is swa_report.html). Example use case: run swa step
report multiple times, each time specifying a different standard
output report format. Another example is running swa step report
on each analysis file created by multiple runs of swa step
analyze.
swa step download    Given the results of running swa step analyze, download
software recommended by the analysis (in the analysis file). The
software is downloaded into a directory controlled by the swcache
extended option. Example use case: if the system to perform the
analysis does not have Internet access, copy the analysis file to a
system with Internet access, and run the swa step download
command on that system.
swa step depot    Given the results of running swa step analyze and swa step
download, package the downloaded software into a depot.
Depending on the extended options used, a new depot is created or
an existing depot is augmented. Example use case: if a depot server
system does not have Internet access, use swa step download to
download software to a separate system that does have Internet
access. Then, copy the software to the swcache directory on your
depot server and use swa step depot to create your depot.
Security Considerations
The analysis that swa step performs relies on the integrity of the inventory to determine the
appropriate patches to install on the system. It is important that all protocols used to transmit the
inventory data are integrity protected and that the host used to generate the inventory data is
accurately represented. For example, use of swlist for gathering an inventory of a remote system
uses a clear-text, unauthenticated protocol that does not protect the integrity of the data. Using
Secure Shell to gather an inventory of a remote system uses an integrity protected (and encrypted)
protocol. Even when using Secure Shell, the analysis still relies on the source of the data (the remote
host) to accurately represent the software contents installed on that system.
Software download (swa step download) relies on the integrity of the analysis file to ensure
the integrity of patches before unpacking them. The analysis file gets MD5 checksum information
directly from the catalog. Therefore it is important that all transmissions of the catalog and/or
analysis file are integrity protected and that file permissions do not allow unnecessary modification.
Depot creation (swa step depot) relies on the integrity of the patches within the swcache
directory. Therefore, after unpacking the patches, it is important that all subsequent transmissions
of the patches are integrity protected and that file permissions do not allow unauthorized
modification. Deploying software using Software Distributor (using the swinstall command) has
security properties that are documented in the Software Distributor Administration Guide.
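The offline use cases above copy the analysis file and the swcache directory between systems, so the two checks this section asks for (integrity across the transfer, and no unnecessary write permission) can be scripted. The following is an added example, not part of the HP documentation or of swa itself. It assumes sha256sum is installed on both hosts (it is not an HP-UX default), the function names are hypothetical, and the manifest must be kept outside the directory it describes and carried over an integrity-protected channel such as Secure Shell.

```shell
#!/bin/sh
# Added example (not HP code). Assumes sha256sum exists on both hosts.
# Usage: swa_integrity.sh manifest DIR FILE | verify DIR FILE | perms PATH

# Succeed only if nothing under $1 is writable by group or other.
# Offending paths are listed on stderr. Symbolic links are skipped.
perms_ok() {
    found=$(find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" >&2
    return 1
}

# Write a SHA-256 manifest of every regular file under directory $1 to
# file $2. Entries are sorted by path so manifests built on different
# hosts compare equal. Keep $2 outside $1.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Compare directory $1 with manifest $2. Fails when a file was changed,
# removed or added since the manifest was written; differences go to stderr.
verify_manifest() {
    tmp=$(mktemp) || return 2
    make_manifest "$1" "$tmp"
    rc=0
    diff "$2" "$tmp" >&2 || rc=1
    rm -f "$tmp"
    return "$rc"
}

case "${1:-}" in
    manifest) make_manifest "$2" "$3" ;;    # on the sending host
    verify)   verify_manifest "$2" "$3" ;;  # on the receiving host
    perms)    perms_ok "$2" ;;              # analysis file or swcache
esac
```

Run the manifest step on the system that performed swa step download, and the verify and perms steps on the depot server before running swa step depot.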
Options
swa step recognizes the following options:
-a analyzer    Specifies an analyzer to use. Each analyzer represents a different
type of analysis that swa can perform. You may specify multiple
-a options. The supported analyzers are as follows:
CRIT    patches that fix critical problems