HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
c Print a "Cnt" field to indicate how many bulletins relate to this recommendation. For example: 1st = this is the first and only bulletin, 2nd = this is the 2nd of two, 3rd = this is the 3rd of three, and so on.
d Print a "Description" field and show a description of each recommended action.
m Print a "Minimum" field and show the oldest patch in the chain of patches including the recommended patch, which resolves the security problem.
p Print a "PDep" field and indicate whether each recommended patch has patch dependencies.
r Print a "Reboot" field and indicate whether each recommended patch/action requires a reboot.
s Print a "Spec" field and indicate whether each recommended patch/action has special instructions associated with it or, in some cases, the nature of the special instructions. For example: "man" indicates there are manual steps, "upd" indicates there are updates to be applied, and "warn" indicates that the patch has warnings.
-q Operate in quiet mode. security_patch_check will print a table or machine-parsable output only if it determines that there are patches/actions missing from the system (or input data). Warnings will be printed. Notes will be suppressed.
In Software Assistant, the -q option can be used to decrease the verbosity level of standard error. Refer to the report_when_no_issues extended option in swa-report(1M) for information on how to conditionally generate a report (on standard out) for SWA.
-qq Operate in very quiet mode. Warnings, which may be critical to system security (that is, patch warnings, world-writable catalogs) are suppressed. -qq implies -q.
-r [url]
Retrieve the latest security bulletin catalog from an HP HTTPS, HTTP, or FTP site, as specified by url. security_patch_check will store the catalog in the location specified by the -c option, which defaults to ./security_catalog. If the url is specified, then the catalog must be in gzip format (must end in .gz). For more retrieval configuration details refer to the SECURITY CATALOG RETRIEVAL section below.
Software Assistant uses a different catalog, called swa_catalog.xml (normally gzipped for efficient retrieval). Software Assistant allows additional options to control catalog download and maximum age of the local catalog. If swa_catalog.xml is not found or is older than the specified maximum age, swa report will automatically attempt the catalog download step; no equivalent to SPC’s -r option is required. Refer to the catalog_source extended option in swa-report(1M) for information on how to specify an alternate source URL for swa_catalog.xml.gz.
-s os-version
Specify the OS version. Without the -s option, security_patch_check uses the software_spec field of the OS-Core fileset to determine which OS is running on the target system. os-version should be in the format 11.xx. This option is useful when analyzing a patch-only depot.
-t Gather information about superseded patches from a live host (default "localhost" or the host specified with -h) for security_patch_check to analyze. The default behavior is to gather and analyze only information on active patches. If you wish to analyze the full patch tree when using input from standard input or from a file, then use the -x show_superseded_patches=TRUE option on the swlist command (instead of -t on security_patch_check) to ensure that the full patch tree is included when you generate the input. This analysis is useful before rolling back a patch to see if it will activate a patch with warnings or a misconfigured patch.
-u Print usage message and exit. In SWA, use the -? option for SWA usage.
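
Added example (not part of the HP reference page): a POSIX shell pre-flight for an unattended run, built on the -q, -qq, -r and -c descriptions above. It checks locally for a world-writable catalog, one of the warnings that -qq would suppress, and then uses -q so warnings still reach standard error. The function names, the HTTPS-only policy and the combined -q -r -c invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of security_patch_check.

# Classify a catalog URL for -r. The page allows HTTPS, HTTP or FTP and
# requires the catalog name to end in .gz.
classify_catalog_url() {
    case "$1" in
        https://?*.gz)             echo ok ;;
        http://?*.gz|ftp://?*.gz)  echo cleartext ;;  # accepted by the tool, no transport integrity
        *)                         echo invalid ;;
    esac
}

# Exit 0 if the path exists and its mode has the world-write bit set.
is_world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Exit 0 only if neither the catalog file (if present) nor its directory
# is world-writable.
catalog_location_safe() {
    dir=$(dirname "$1")
    if is_world_writable "$dir"; then
        echo "catalog directory is world-writable: $dir" >&2; return 1
    fi
    if is_world_writable "$1"; then
        echo "catalog file is world-writable: $1" >&2; return 1
    fi
    return 0
}

# Policy assumed here: HTTPS only, and -q rather than -qq so that
# security-relevant warnings are still printed.
run_quiet_check() {
    url=$1
    catalog=${2:-./security_catalog}   # default location named on the page
    [ "$(classify_catalog_url "$url")" = ok ] || { echo "refusing URL: $url" >&2; return 2; }
    catalog_location_safe "$catalog" || return 3
    security_patch_check -q -r "$url" -c "$catalog"
}
```
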
SECURITY ISSUES
Following the recommendations of security_patch_check will result in a system that is up-to-date with HP’s recommended security actions.
There are many security advisories that require manual actions on a system. Since some advisories or bulletins contain no patches and others contain both patches and manual actions, these advisories, if output by security_patch_check, must be read and appropriate action taken.
HP-UX 11i Version 2: December 2007 Update 4 Hewlett-Packard Company 305