HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
NAME
security_patch_check - check compliance with HP-UX security bulletins
SYNOPSIS
security_patch_check [-a] [-n] [-q | -qq] [-c security-catalog] [- | -f filename | -h depot | -h remote-host] [-i ignore-file] [-m | -o [bcdmprs]] [-r [url]] [-s os-version]
security_patch_check -t [-a] [-n] [-q | -qq] [-c security-catalog] [-h depot | -h remote-host] [-i ignore-file] [-m | -o [bcdmprs]] [-r [url]] [-s os-version]
security_patch_check -u
DESCRIPTION
Security Patch Check (SPC) analyzes the bulletin compliance of an HP-UX system. Most of the functionality of SPC is superseded by Software Assistant (SWA), which is called using the swa command. Software Assistant can report on security bulletin compliance and many other types of issues in a variety of report formats. In addition, SWA does automated patch dependency analysis, download, and depot creation. See swa(1M) for details. The security_patch_check command remains for those features that are not fully implemented in Software Assistant. This SPC man page gives some pointers to the swa equivalents of security_patch_check options, when applicable.
security_patch_check will determine which minimal security patches, updates and manual actions have yet to be applied to the system, and will generate a report listing the patches and actions recommended that apply to the specific system analyzed. It is likely that the analysis will be incomplete for products and operating systems that are obsolete or unsupported. This includes products from previous OS versions that remain after an OS update. If your system was updated from a prior OS, you may choose to use the -s option to identify additional issues that may have been announced for the prior OS version.
Note: Security Patch Check does not support OS versions prior to HP-UX B.11.00, even with the -s option.
Normally, security_patch_check will call the swlist command directly to do its analysis; see swlist(1M). However, if the - or -f option is specified, security_patch_check will use standard input (-) or a file (-f filename) as though it were output from a call to swlist. Thus, security_patch_check can effectively analyze sets of systems and depots by sending it swlist output from those sources. You can also choose whether to analyze superseded patches using the -x show_superseded_patches=TRUE option of swlist. Without the - or -f options, use the -t option to control the analysis of superseded patches.
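
The multi-system analysis described above, as an added example that is not part of the original manual or HP's own code: a POSIX shell function that runs security_patch_check -f over saved swlist captures, one per host. It assumes the captures were collected separately in the form security_patch_check expects; the function name, the <host>.swlist naming, and the .report/.rc output files are hypothetical.

```shell
#!/usr/bin/sh
# Added example. Assumed names: spc_check_saved, the <host>.swlist
# naming, and the .report/.rc output files.
# usage: spc_check_saved CATALOG SWLIST_DIR REPORT_DIR
# Prints the number of systems analyzed. Returns 1 if any capture was
# skipped, 2 if the catalog or report directory is unusable.
spc_check_saved() {
    catalog=$1; indir=$2; outdir=$3
    analyzed=0; skipped=0

    [ -r "$catalog" ] || { echo "catalog not readable: $catalog" >&2; return 2; }
    mkdir -p "$outdir" || return 2

    for f in "$indir"/*.swlist; do
        [ -e "$f" ] || continue      # glob matched nothing
        host=$(basename "$f" .swlist)

        # An empty capture means collection failed on that host; do not
        # let it pass as an analyzed system.
        if [ ! -s "$f" ]; then
            echo "skipping $host: empty swlist capture" >&2
            skipped=$((skipped + 1))
            continue
        fi

        # -f: read the file as swlist output; -c: local catalog;
        # -m: machine-parsable report (options from the SYNOPSIS).
        rc=0
        security_patch_check -f "$f" -c "$catalog" -m \
            > "$outdir/$host.report" || rc=$?
        # The exit status is recorded, not interpreted: this page does
        # not define its meaning.
        echo "$rc" > "$outdir/$host.rc"
        analyzed=$((analyzed + 1))
    done

    echo "$analyzed"
    [ "$skipped" -eq 0 ]
}

# Run only when invoked with the three arguments.
if [ "$#" -eq 3 ]; then
    spc_check_saved "$1" "$2" "$3"
fi
```

A non-zero return with a lower count than expected means at least one host's capture was empty and needs to be collected again before the fleet can be considered analyzed.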
security_patch_check must have local access to a security bulletin catalog to run its analysis. security_patch_check is able to download the most recent security patch catalog from an HP HTTPS or FTP site. security_patch_check will perform the download if the -r option is used. Refer to -r in the Options subsection for important information on this option.
security_patch_check will tell you about any patches with warnings which are present on your system. (Note: the default is to analyze only active patches. If you want to analyze all installed patches, use the -t option.) These patches need not be security-related. If a patch with warnings is active on a system, you should read its "Warn" field. The Warn field of every 11.x patch with warnings is in the security catalog. To find the patch warnings that are applicable to your system, you may look up the patch records manually in the catalog, after running the script, or you may run security_patch_check with the -m (machine-parsable) option.
Before installing patches, you should be familiar with the general patching process. See the Patch Management User Guide for HP-UX 11.x Systems, available on http://docs.hp.com, for an introduction to patching. It is important that you read this document and understand the patching process. Patches that are installed incorrectly or incompletely can cause a system to stop functioning in serious and difficult-to-recover ways. The instructions for updates (removals) and manual actions are covered in the bulletins themselves, but you should be familiar with swinstall and swremove before installing and removing software. See swinstall(1M) and swremove(1M).
Patches: Hewlett-Packard provides standard HP-UX patch bundles of recommended patches that contain fixes to many security issues as well as other known system defects. The standard HP-UX patch bundles are available electronically from HP IT Resource Center at http://itrc.hp.com. Openview patches are available at http://support.openview.hp.com/patches.
Hewlett-Packard Company, HP-UX 11i Version 2: December 2007 Update