HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
If closing patch-related security holes with the minimum system change is required, the Patch Database
(found at the IT Resource Center, http://itrc.hp.com) may be used in combination with
security_patch_check to download the minimum set of patches with their dependencies. The Patch
Database will always display the set of patches that HP currently recommends. These patches may be
newer than those identified by security_patch_check.
Updates: In general, most HP-UX software is available from http://software.hp.com, from the
OE and AR media releases, and from the product-specific web sites on http://www.hp.com. The
security bulletin will normally have more specific source information.
Removal actions: Sometimes the only fix for software is to remove it. Generally, the security bulletin
will recommend an upgrade path to another product with the same functionality.
Manual actions: Security Patch Check may recommend a manual action when a packaged product or
patch does not completely solve the problem, or when the data available is partial or incomplete. Refer to
the bulletin for more information. The only way to indicate completed manual actions is to use an "ignore"
file. (See the -i option in the Options section below.)
Monitoring security bulletins from HP and other sources is recommended as a security best practice. If you
think you have found a discrepancy between actions required on your system and those reported by
Security Patch Check, please report this discrepancy to bulletin-corrections@security.hp.com
for investigation. HP appreciates your reporting any discrepancies and helping us to protect all of our
valued customers.
The default behavior of security_patch_check is to use the security patch catalog located at
./security_catalog to analyze localhost, and the ignore file at $HOME/.spc_ignore to decide
which bulletins to ignore. It will then run swlist and will generate a report in an easy-to-read table
format. These defaults can be overridden on the command line, or in the
/etc/sec_mgmt/spc/spc_config file.
Additional Security Patch Check documentation (such as FAQs and README) may be found at
http://docs.hp.com.
Options
Command line arguments cannot be clustered; for example, -r -q is valid, but -rq is not.
security_patch_check supports the following options.
-a This option causes security_patch_check to behave as though all ancestors (filesets) are
installed on the target system. This option is useful for analyzing a patch depot by itself.
- or -f filename
Using - causes security_patch_check to read from standard input. Using -f filename causes
security_patch_check to read from a file.
Both of these options can be used to analyze a set of depots. The data used by
security_patch_check must be in the format that is generated by the following swlist
command. Note that giving security_patch_check input in a different format can lead to
undefined results.
    swlist -l fileset -a supersedes -a revision \
        -a software_spec -a state [-d][@ host]
where -d specifies a depot instead of a root file system, and @ host specifies a target host system.
See swlist(1M).
If either of these options is used, security_patch_check will not call swlist directly, but will
treat standard input or filename as though it were output from swlist as described above. The -
and -f options are mutually exclusive. See the -s and -n options also.
Software Assistant includes additional caching functionality for system inventories, and uses a format
that is compatible with the ITRC patch assessment engine. See the inventory step in swa-step(1M)
for information on how to gather an inventory for SWA.
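As an added example (not part of the HP manual page), the following POSIX shell wrapper collects an
inventory in the exact swlist format required above and passes it to security_patch_check through - or
-f, refusing clustered options and the - / -f combination before anything runs. The function names and
the SWLIST and SPC override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the SWLIST/SPC variables are hypothetical.
SWLIST=${SWLIST:-swlist}
SPC=${SPC:-security_patch_check}

# spc_inventory root|depot [host]
# Emits the inventory in the only format security_patch_check accepts on - or -f.
# "depot" adds -d; a host name, if given, is passed as "@ host".
spc_inventory() {
    spc_mode=$1 spc_host=$2
    set -- -l fileset -a supersedes -a revision -a software_spec -a state
    case "$spc_mode" in
        root)  ;;
        depot) set -- "$@" -d ;;
        *)     echo "usage: spc_inventory root|depot [host]" >&2; return 2 ;;
    esac
    [ -z "$spc_host" ] || set -- "$@" @ "$spc_host"
    "$SWLIST" "$@"
}

# Returns 0 only if the argument list obeys the two rules in the Options text:
# options are never clustered (-rq), and - and -f are mutually exclusive.
spc_args_ok() {
    spc_stdin=0 spc_file=0
    for spc_arg in "$@"; do
        case "$spc_arg" in
            -)    spc_stdin=1 ;;
            -f)   spc_file=1 ;;
            -??*) echo "clustered option rejected: $spc_arg" >&2; return 1 ;;
        esac
    done
    [ $((spc_stdin + spc_file)) -lt 2 ]
}

# Validate first, then hand the arguments to security_patch_check unchanged.
spc_run() {
    spc_args_ok "$@" || return 2
    "$SPC" "$@"
}

# Analyze the local root file system without a temporary file (HP-UX only).
# For a depot on its own, pair "spc_inventory depot" with the -a option.
if command -v "$SWLIST" >/dev/null 2>&1; then
    spc_inventory root | spc_run - -c ./security_catalog
fi
```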
-c security-catalog
Specify the location of the locally cached security bulletin catalog. The default path to the security
bulletin catalog is ./security_catalog.
For similar functionality in SWA, the catalog extended option is equivalent to this option.
Software Assistant has additional options to control the caching and download of its catalog, including
the catalog_max_age and the download_cmd extended options. The Software Assistant
HP-UX 11i Version 2: December 2007 Update 2 Hewlett-Packard Company 303