Patch Management User Guide for HP-UX 11.x Systems (762796-001, March 2014)
Table Of Contents
- Patch Management User Guide for HP-UX 11.x Systems
- Contents
- 1 HP secure development lifecycle
- 2 HP-UX patches and patch management
- 3 Quick start guide for patching HP-UX systems
- 4 HP-UX patch overview
- 5 Patch management overview
- Patch management life cycle
- HP service contracts
- Patch management and software change management strategies
- Establishing a software change management strategy
- Recommendations for software change management
- Consideration of HP patch rating
- Patch management and software depots
- Proactive patching strategy
- Reactive patching strategy
- Advanced topic: security patching strategy
- Advanced topic: scanning for security patches
- Testing the patches to be installed
- 6 What are standard HP-UX patch bundles?
- 7 Using the HP Support Center
- Obtaining an HPSC user account
- Useful pages on the HPSC
- Find individual patches
- Advanced topic: checking for special installation instructions
- Advanced topic: checking for all patch dependencies
- Standard patch bundles
- Custom patch bundles - run a patch assessment
- Support information digests
- Ask your peers in the forums
- Search knowledge base
- 8 Using software depots for patch management
- Common software distributor commands for patching
- Depot types
- Using depots
- Viewing depots
- Creating and adding to a directory depot
- Registering and unregistering directory depots
- Verifying directory depots
- Removing software from a directory depot
- Removing a directory depot
- Installing patches from a depot
- Custom patch bundles
- 9 Using HP-UX Software Assistant for patch management
- 10 Using Dynamic Root Disk for patch management
- 11 The Patch Assessment Tool
- 12 Support and other resources
- 13 Documentation Feedback
- A Patch usage models
- Glossary
- Index
Advanced topic: scanning for security patches
You can use the SWA Tool to identify security patches for installation. This tool also identifies
patches that have associated warnings. For more information about SWA, see Chapter 9: “Using
HP-UX Software Assistant for patch management” (page 89).
Testing the patches to be installed
The single most important action that can ensure the success of a software patch is to first test the
changes in a nonproduction environment. Every environment is unique, and patch testing can
uncover potential problems unique to the environment in which the patches will be installed. If you
test thoroughly, you can reduce the chance of encountering problems with new patches.
The level of testing you perform depends in part on the patch management strategy you choose.
For example, because proactive patching involves installing patches before a problem occurs, it
allows more time than reactive patching to complete a sufficient level of patch testing.
HP subjects all General Release (GR) and Special Release (SR) patches to extensive
testing. See Chapter 4: “HP-UX patch overview” (page 18) for more information about GR and SR
patches. However, it is impossible to test all permutations of all patches on all hardware
configurations. Therefore, prior to deploying the patches on production systems, you should test
the set of patches you intend to install in a test environment that closely simulates the production
configuration. Even if you are deploying a standard HP-UX patch bundle, you should still perform
testing. Deploying any patch without first testing it in an environment increases a system's exposure
to risk.
The following is an outline of a basic patch test scenario:
1. The patches to be installed are identified and acquired.
2. The acquired patches are installed on a test system and tested to a standard that your
organization considers acceptable. Many organizations break this step into multiple levels of
testing to accomplish distinct goals. If testing results in unsatisfactory results, you must perform
an investigation to identify the root cause of the problem before proceeding.
3. The tested patches are installed on production systems.
The success of your testing approach relies heavily on how closely the configuration of the test
environment matches the configuration of the production systems on which the tested patches will
be installed. Within hardware limits, it is a best practice to duplicate the production environment
as closely as possible.
Ideally, you have a test system that is identical to the production system on which patches are to
be installed, and you have sufficient time available to test all patches prior to deploying them. This
situation allows you to perform very effective testing to verify that the patches to be installed will
not result in unexpected or undesirable system behavior.
Many customers have a two- or three-tiered approach to testing. Patches are initially installed on
a system that is often referred to as the development system. These types of systems are used for
local development. In a three-tiered system, after certain organization-specific rules have been met,
the patches are installed on another system that is often referred to as the test system. The patches
must then meet another set of organization-specific rules. For example, many customers require
that the patches be installed on the test system for some specified period of time with no problems.
The amount of time varies widely and can be as short as a week. However, for many customers,
one to three months is considered a reasonable time frame for testing. Once these rules have been
satisfied, the patches are installed on one or more production systems. Customers who initially
install the patches on only a subset of their production systems typically monitor these systems for
several weeks prior to installing the patches on the remaining production systems. For reactive
patching, the longer testing time frames are usually not reasonable and a stripped-down approach
to testing is usually required.
54 Patch management overview