Patch Management User Guide for HP-UX 11.x Systems (762796-001, March 2014)
Patch commitment
Allowing for patch rollback does come at a cost, because the files required for patch rollback
consume disk space. If disk space is an issue on a system, you can commit the patches, a process
that deletes the associated rollback files, thereby freeing disk space. If disk space is not an issue
on a system, you should avoid committing the patches, and leave rollback files in place. If any
patch in a supersession chain is committed, all prior patches in the chain lose the ability to be
restored, and the save area disk space for those patches will also be reclaimed.
Do not undertake patch commitment without serious consideration of the consequences. When you
commit a patch, simple rollback of the patch is no longer possible. Because of this, you should
carefully select which patches should be committed. Good candidates include patches that were
thoroughly tested in the environment prior to installation, and patches that have been installed on
the system for a significant period of time and have not resulted in unwarranted conditions. Other
good candidates are patches that have been superseded multiple times. You should also consider
a patch's warning status and its HP rating before committing the patch.
To commit an individual patch, execute the swmodify command on the patch with the
patch_commit=true option. To commit the patch patch_id, enter this command:
swmodify -x patch_commit=true patch_id
You can add the -p option to this command so it will be executed in preview-only mode.
Advanced topic: patch cleanup utility
The patch utility called cleanup allows you to commit all patches that have been superseded a
specified number of times. You can execute this command in preview mode in order to see what
effect the command will have without actually making any changes. You should always use the
preview mode first. This is accomplished by including the -p option. The command has the following
format:
cleanup [-p] -c number
The cleanup utility is delivered by the following patches (and their superseding patches):
• PHCO_27779 (HP-UX 11.0, B.11.00)
• PHCO_27780 (HP-UX 11i v1, B.11.11)
• PHCO_32220 (HP-UX 11i v2, B.11.23)
• Shipped with SD-UX (HP-UX 11i v3, B.11.31)
For example, the following command will execute in preview mode. When executed without the
-p option, the command causes all patches superseded three or more times to be committed. The
patches to be committed are shown in the output of the command.
$ cleanup -p -c3
### Cleanup program started at 04/13/04 07:17:40
Preview mode enabled. No modifications will be made.
Commit patches superseded at least 3 time(s) on 'some_system'.
Obtaining superseded patch information...done.
The following patches superseded at least 3 time(s) can be committed:
Superseded  # Times Superseded  Disk Space in /var/adm/sw/save  Superseded By
==========  ==================  ==============================  =============
PHKL_23313  3                   66560 bytes                     PHKL_26519
PHKL_26233  3                   180224 bytes                    PHKL_28267
PHNE_23288  3                   59392 bytes                     PHNE_23645
PHNE_26388  4                   6581248 bytes                   PHNE_28103
PHNE_28103  3                   6694912 bytes                   PHNE_28983
PHSS_21817  5                   12379136 bytes                  PHSS_26619
PHSS_26492  3                   8761344 bytes                   PHSS_27872
PHSS_26619  4                   14969856 bytes                  PHSS_26622
PHSS_26622  3                   27064320 bytes                  PHSS_26638
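
The following is an added example, not part of the HP guide or of the cleanup utility: POSIX shell functions that summarise a cleanup preview so the commit can be reviewed before any rollback files are deleted. The function names are hypothetical, and the row layout is assumed to match the sample output above.

```shell
#!/bin/sh
# Added example: review a `cleanup -p` preview before committing patches.
# Function names are hypothetical; rows are assumed to look like the sample:
#   PATCH_ID  TIMES_SUPERSEDED  BYTES bytes  SUPERSEDING_PATCH

# Preview output copied from the guide's example (whitespace collapsed).
sample_preview() {
cat <<'EOF'
### Cleanup program started at 04/13/04 07:17:40
Preview mode enabled. No modifications will be made.
Superseded # Times Superseded Disk Space in /var/adm/sw/save Superseded By
========== ================== ============================== =============
PHKL_23313 3 66560 bytes PHKL_26519
PHKL_26233 3 180224 bytes PHKL_28267
PHNE_23288 3 59392 bytes PHNE_23645
PHNE_26388 4 6581248 bytes PHNE_28103
PHNE_28103 3 6694912 bytes PHNE_28983
PHSS_21817 5 12379136 bytes PHSS_26619
PHSS_26492 3 8761344 bytes PHSS_27872
PHSS_26619 4 14969856 bytes PHSS_26622
PHSS_26622 3 27064320 bytes PHSS_26638
EOF
}

# Print "<patch count> <total bytes in save area>" for the rows on stdin.
preview_totals() {
    awk '$1 ~ /^PH[A-Z][A-Z]_[0-9]+$/ && $4 == "bytes" { n++; total += $3 }
         END { printf "%d %d\n", n, total }'
}

# Print "A -> B" where candidate A is superseded by B and B is also a
# candidate, i.e. several links of one supersession chain would be committed.
chained_candidates() {
    awk '$1 ~ /^PH[A-Z][A-Z]_[0-9]+$/ && $4 == "bytes" {
             id[++n] = $1; by[n] = $5; cand[$1] = 1
         }
         END { for (i = 1; i <= n; i++) if (by[i] in cand) print id[i] " -> " by[i] }'
}

# On a real system, pipe the preview instead: cleanup -p -c3 | preview_totals
echo "patches/bytes to be committed: $(sample_preview | preview_totals)"
sample_preview | chained_candidates
```

Keeping the saved preview and this summary with the change record documents which rollback points were given up and how much space in /var/adm/sw/save was reclaimed.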