HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
catalog also contains additional patch information that allows patch dependency optimization and
additional types of analysis.
-h depot or -h remote-host
Run an analysis on a remote host or depot, rather than localhost (default). remote-host is an HP-UX
11.x system. depot is the full path to a directory-format or tape-format depot on a remote or local
system. Use of the -h option is possible only if the user running security_patch_check has SWACL
permissions to swlist. For remote hosts or depots, swagentd must be running on the remote host. See
swagentd(1M) and swacl(1M).
The Software Assistant equivalents are the -s option (similar to how this option is used by swlist)
or the inventory_source extended option.
-i ignore-file
Specify the ignore file. This file is useful in the case of actions which you have analyzed but cannot be
automatically detected by Security Patch Check. Perform all actions recommended by a given bulletin,
and then put the security bulletin identifier in the file to cross it off your "to do" list. This will
remove all actions associated with that particular bulletin from the report, including patches,
upgrades, removals, and manual actions. In the ignore-file, security_patch_check expects one bulletin
identifier per line. Comments, preceded with a pound or hash sign (#), are allowed either on their
own lines, or after action identifiers. A bulletin identifier is in the same format as the "Bull" column
in the human-readable output, with the bulletin number, optionally followed by "r" and the revision
number of the bulletin. If the bulletin is revised, Security Patch Check will notify you again the next
time you download an updated catalog, in case the revision affects you. The default file is
$HOME/.spc_ignore.
Software Assistant allows additional flexibility to specify multiple ignore files and the ability to specify
a regular expression to match issues to ignore. There is also additional granularity available to ignore
individual actions within a given security bulletin. See the ignore_file extended option in
swa-report(1M) for information on how to specify ignore files for SWA. The first run of swa report will
automatically convert the default Security Patch Check ignore file for that user into the SWA format.
-m Display output in a machine-parsable format. This format contains zero or more recommended-action
records in the format:
action-name:
{<tab>field-name:<tab>field-text
[<tab><tab>more-field-text]... }...
The record is for either a recommended action or patch with warnings (which is present on the target
system). Patches with warnings contain "with Warnings" in their Status field. Recommended security
actions contain a SecBul field. -m should not be used with the -o option. Three fields that are
unique to the catalog used by security_patch_check will appear. The Min field indicates the
oldest patch in the recommended patch’s chain that resolves the security issue. The MFset field is the
list of ancestor filesets for the oldest patch, and the SecBul field indicates in which security bulletins
the patch’s chain was introduced. There is no guarantee that the same fields will exist for each patch
record, or that the fields will be in a certain order. Notes are suppressed when -m is used. Warnings
and errors are written to standard error.
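The following parser for the -m record layout is an added example, not part of the HP-UX reference or of security_patch_check itself. The function names parse_records and triage are hypothetical, and the patch names, bulletin number, status text and fileset names in SAMPLE are constructed; only the layout and the Status, SecBul, Min and MFset field names come from the description above.

```python
import re

# Constructed sample of -m output on stdout: patch names, bulletin number and
# field text are made up; only the layout and field names follow the page.
SAMPLE = (
    "PHXX_00001:\n"
    "\tStatus:\tGeneral Release\n"
    "\tSecBul:\t000\n"
    "\tMin:\tPHXX_00000\n"
    "\tMFset:\tExample.FILESET-A\n"
    "\t\tExample.FILESET-B\n"
    "PHXX_00002:\n"
    "\tStatus:\tGeneral Release with Warnings\n"
)

FIELD = re.compile(r"\t([^:\t]+):(?:\t(.*))?$")

def parse_records(text):
    """Return {action-name: {field-name: field-text}} for -m output."""
    records, fields, last = {}, None, None
    for line in text.splitlines():
        if line.startswith("\t\t"):          # more-field-text for the last field
            if last is None:
                raise ValueError("continuation without a field: %r" % line)
            fields[last] += "\n" + line[2:]
        elif line.startswith("\t"):          # field-name / field-text pair
            m = FIELD.match(line)
            if fields is None or m is None:
                raise ValueError("malformed field line: %r" % line)
            last = m.group(1)
            fields[last] = m.group(2) or ""
        elif line.endswith(":"):             # action-name starts a new record
            fields, last = records.setdefault(line[:-1], {}), None
        elif line.strip():
            raise ValueError("unexpected line: %r" % line)
    return records

def triage(records):
    """Split records as the page describes; no field is assumed present."""
    warned = sorted(a for a, f in records.items()
                    if "with Warnings" in f.get("Status", ""))
    security = sorted(a for a, f in records.items() if "SecBul" in f)
    return warned, security

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```

Feed the parser standard output only, since warnings and errors are written to standard error.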
-n Suppress warnings about currently installed software whose state is neither configured nor available.
Software which is not in one of these states is misconfigured and should be fixed.
-o [bcdmprs]
Alter the information printed by security_patch_check in the human-readable patch information
table. By default, the "#", "Bull", "Cnt", "Recommended", "Spec", "Reboot", "PDep", and "Description"
columns appear. The full text of the patch records can be obtained only by running
security_patch_check with the -m option (instead of the -o option). Ordering of the options
passed to the -o option is ignored. The table’s columns will be printed in the following order:
#, Recommended, [Bull], [Cnt], [Minimum], [Spec], [Reboot], [PDep], [Description].
"#" indicates the patch’s number within the table.
Note that -o should not be used with -m. -m overrides -o. The options passed to -o have the
following effects:
b Print a "Bull" field and show the highest-numbered security bulletin this recommended action
applies to.
304 Hewlett-Packard Company 3 HP-UX 11i Version 2: December 2007 Update