Patch Management User Guide for HP-UX 11.x Systems (5900-3011, April 2013)
encounter known failures and to bring systems up to the latest level of security patches. You
can use this depot as the starting point for the next version of the periodic patch depot.
• Application depot — contains patches specific to a given application. This type of depot might
actually be a specific version of a periodic patch depot.
After you have identified the need that a specific depot will address, you should determine whether
a directory depot or a tape directory best suits your needs. Most often, directory depots will be
more useful for patch management. You must also select a location for the depot.
Choosing depot type and depot location
You should review the following considerations before creating and using depots:
• Do you require the depot to be available remotely for use by SD-UX commands such as the
swinstall command?
If you are creating a depot for remote access, you need a directory depot. You must place
the depot on a networked system that is accessible by all of the intended users, and you must
register the depot. See “Registering and unregistering directory depots” (page 74).
• Will the depot be heavily used?
You should ensure that both the system and the network are capable of meeting performance
needs based on the intended use. If multiple users will access the depot simultaneously, you
need a directory depot.
• What amount of disk space and what level of disk performance are required?
You should ensure that both the disk space and level of disk performance are capable of
meeting these needs. Depots can be large, and depot operations can involve a significant
amount of disk activity.
• Is the availability of the depot critical?
If the answer to this question is yes, you should consider high-availability storage solutions
such as disk arrays or mirroring.
• Does your organization need a heightened level of security?
If the answer to this question is yes, you should give additional consideration to safeguarding
the depot. Access Control Lists (ACLs) can play a role in depot security. See “Advanced topic:
access control lists” (page 75). In many cases, users of depots install software from the depot
as the root user. Therefore, any compromise of software in a depot could lead to a security
breach.
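An added example, not from the HP guide: a small shell filter that reads the text printed by swacl -l depot and reports any entry giving the catch-all principals any_other or other write, insert, control or all permission on a depot. The entry layout (type[:key]:permissions, permission letters c r w i t a) and the sample listing are assumptions constructed for illustration; the depot path, host and user names are hypothetical.

```sh
#!/bin/sh
# Added example: audit depot ACL entries for overly broad grants.
# Intended use on a depot server (path is a placeholder):
#   swacl -l depot @ /var/spool/sw | audit_depot_acl

# Print each ACL entry that gives a catch-all principal (any_other, other)
# more than read/test access: w (write), i (insert), c (control) or a (all).
# Anyone holding those permissions can change software that is later
# installed as root.
audit_depot_acl() {
    awk -F: '
        /^#/ || NF < 2 { next }        # skip header comments and blank lines
        {
            type  = $1                 # entry type is the first field
            perms = $NF                # permissions are the last field
            if ((type == "any_other" || type == "other") && perms ~ /[wica]/)
                print "RISKY: " $0
        }
    '
}

# Constructed sample listing (assumed layout, not captured output).
sample_acl() {
    cat <<'EOF'
#
# swacl Depot Access Control List
#
# For depot: depotsrv:/var/spool/sw
#
object_owner:crwit
group:swadm:crwit
user:auditor:-r--t
any_other:-rw-t
EOF
}

# Run the audit over the sample so the script works stand-alone.
sample_acl | audit_depot_acl
```

An empty result means no catch-all entry can modify the depot; entries for named users and groups still need a manual review against the list of depot administrators.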
Although overlooked at times, a well-conceived depot-naming scheme can be very helpful. This is
especially true if you have multiple depots, and is even more important if multiple users will access
the depots.
• You should combine all the patches needed for a given purpose into a single depot.
• The depot should include all products (including patches) necessary to meet the dependencies
of patches in the depot.
• You can help limit risk by making only the necessary changes to the depot.
• You can reduce the size of a depot by removing superseded patches. See “Advanced topic:
removing superseded patches from a depot” (page 78).
Viewing depots
Use the swlist command to list the registered directory or tape depots on a local or remote
system. You can also use the swlist command to view the contents of a directory or tape depot.
This section provides examples of how to use the swlist command to view depots.