HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)
security_patch_check(1M) security_patch_check(1M)
To access an archive of HP-UX security advisories, you must have an account on the ITRC. Go to
https://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin.

security_patch_check uses Perl's tainting checks. This means that security_patch_check will exit if
the command line options it receives contain any character besides a letter (A-Za-z), number (0-9),
slash (/), dot (.), underscore (_), or dash (-). Keep this in mind when using -c security-catalog
with the -r option. Perl's security features may also prevent some URLs from being used with the -r
option on the command line.

security_patch_check performs a check on the security catalog being used. It prints a warning if the
catalog is world or group writable, or if one of its parent directories is world or group writable and
the sticky bit is not set on that directory.

When using FTP, security_patch_check does not validate the security patch catalog it downloads. It is
possible to download an invalid catalog if HP's FTP site is being spoofed on the subnet where
security_patch_check is running. For that reason, the default HTTPS download is the recommended
method. Note that if the prerequisites for HTTPS communication (OpenSSL and HP's SSL-Enabled Perl,
also OpenSSL if CRL checking is needed) are not installed, then Security Patch Check will default to
HTTP.

security_patch_check can be run by any user who has permissions to execute Perl and swlist.
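The following portable sh script is an added illustration, not part of this manual page or of the security_patch_check tool itself. It re-implements the two checks described above: the command-line character rule that Perl tainting enforces, and the warning on a group- or world-writable catalog or on a group- or world-writable parent directory without the sticky bit. The function names and warning text are this example's own.

```sh
#!/bin/sh
# Added example: mirrors the argument rule and catalog permission check that
# security_patch_check(1M) describes; function names are this example's own.
# Accept only the characters security_patch_check tolerates on its command
# line: letters, digits, slash, dot, underscore and dash.
spc_arg_ok() {
    case "$1" in
        "" | *[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    return 0
}
# First ten characters of the ls -ld mode field, e.g. "drwxrwxrwt".
mode_of() { ls -ld "$1" | cut -c1-10; }
# True when the group write bit (column 6) or other write bit (column 9) is set.
is_group_or_world_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}
# True when the sticky bit (column 10, shown as t or T) is set.
has_sticky_bit() {
    case "$(mode_of "$1")" in
        ?????????[tT]) return 0 ;;
    esac
    return 1
}
# Warn on a group/world-writable catalog, or on any ancestor directory that is
# group/world-writable without the sticky bit. Returns 1 if anything was flagged.
check_catalog_path() {
    catalog=$1
    case "$catalog" in /*) ;; *) catalog="$(pwd)/$catalog" ;; esac
    rc=0
    if is_group_or_world_writable "$catalog"; then
        echo "WARNING: catalog $catalog is group or world writable" >&2
        rc=1
    fi
    dir=$(dirname "$catalog")
    while :; do
        if is_group_or_world_writable "$dir" && ! has_sticky_bit "$dir"; then
            echo "WARNING: directory $dir is group or world writable and not sticky" >&2
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}
```

A URL containing ":" fails spc_arg_ok, which is why some -r URLs are rejected by the taint rule.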
SECURITY CATALOG RETRIEVAL
The following configuration options deal mainly with the -r option.
Proxy Settings
When using the -r option from behind a firewall which requires a proxy to be used for Internet
connectivity, the https_proxy, http_proxy, or ftp_proxy configuration setting (depending on which
download protocol you intend to use) must indicate the proxy for the local subnet. The proxy settings
tell security_patch_check how to perform transfers from behind the firewall. The default proxy
behavior can be configured in the security_patch_check configuration file,
/etc/opt/sec_mgmt/spc/spc_config, and behavior on a per-user basis can be specified as environment
variables in the user's shell. The proxy URL must be in the form:

     proxy-protocol://proxy-address:port

For example:

     https_proxy=http://myproxy.mynet.com:8088

A web proxy generally uses the HTTP protocol (even for proxying HTTPS and FTP data). If you specify a
URL on the command line and you wish to traverse a proxying firewall, then you must specify the proxy
which corresponds to that URL. For example, set the http_proxy option if the URL begins with
http://. Some protocols (such as telnet) do not do file transfers, and other protocols (such as file)
cannot be used over a proxy.
Note: If you are running security_patch_check from within HP Systems Insight Manager, instead of
running the "Get Bulletin Catalog" tool, you can also download the catalog manually from one of the
above URLs and save the catalog to /var/opt/sec_mgmt/security_catalog. To allow HP Systems Insight
Manager to use your proxy to get the catalog, you must set the https_proxy, http_proxy, or ftp_proxy
variable (and all other configuration environment variables not set in the security_patch_check
clients' configuration file, /etc/opt/sec_mgmt/spc/spc_config). For example, insert

     export ftp_proxy=http://myproxy.mynet.com:8088

into /etc/profile to enable FTP download through the specified proxy. The "Get Patch Catalog" tool
in HP Systems Insight Manager will read in /etc/profile before executing security_patch_check.
HTTPS Specific Configuration
Each of the following variables can be configured in the security_patch_check configuration file,
/etc/opt/sec_mgmt/spc/spc_config, or as environment variables in the user shell. For each of these
variables, reasonable defaults are set in the configuration file, and can be used as examples. By
default, security_patch_check requires server certificate validation for all HTTPS requests.
Therefore, you must specify the trusted CA certificate used to issue the remote server's certificate
by correctly setting either the HTTPS_CA_FILE or the HTTPS_CA_DIR variable below.
306 Hewlett-Packard Company − 5 − HP-UX 11i Version 2: December 2007 Update