HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)
security_patch_check(1M) security_patch_check(1M)
NAME
security_patch_check - check security-bulletin compliance state of HP-UX 11.x system or depot
SYNOPSIS
security_patch_check [-a] [-n] [-q|-qq] [-c security-catalog] [-|-f file|-h depot|-h remote-host] [-i ignore-file] [-m|-o [bcdmprs]] [-r [url]] [-s os-version]
security_patch_check -t [-a] [-n] [-q|-qq] [-c security-catalog] [-h depot|-h remote-host] [-i ignore-file] [-m|-o [bcdmprs]] [-r [url]] [-s os-version]
security_patch_check -u
DESCRIPTION
The security_patch_check command runs a bulletin-compliance analysis of an HP-UX system. security_patch_check will determine which minimal security patches, updates and manual actions have yet to be applied to the system, and will generate a report listing the patches and actions recommended that apply to the specific system analyzed. It is likely that the analysis will be incomplete for products and operating systems that are obsolete or unsupported. This includes products from previous OS versions that remain after an OS update. If your system was updated from a prior OS, you may choose to use the -s option to identify additional issues that may have been announced for the prior OS version.
Note: Security Patch Check does not support OS versions older than 11.00, even with the -s option.
Normally, security_patch_check will call the swlist command directly to do its analysis; see swlist(1M). However, if the - or -f option is specified, security_patch_check will use standard input (-) or a file (-f filename) as though it were output from a call to swlist. Thus, security_patch_check can effectively analyze sets of systems and depots by sending it swlist output from those sources. You can also choose whether to analyze superseded patches using the -x show_superseded_patches=TRUE option of swlist. (Without the - or -f options, use the -t option to control the analysis of superseded patches.)
security_patch_check must have local access to a security bulletin catalog to run its analysis. security_patch_check is able to download the most recent security patch catalog from an HP HTTPS or FTP site. security_patch_check will perform the download if the -r option is used. Refer to -r in the Options subsection for important information on this option.
security_patch_check will tell you about any patches with warnings which are present on your system. (Note: the default is to analyze only active patches. If you want to analyze all installed patches, use the -t option.) These patches need not be security-related. If a patch with warnings is active on a system, you should read its "Warn" field. The Warn field of every 11.x patch with warnings is in the security catalog. To find the patch warnings that are applicable to your system, you may look up the patch records manually in the catalog, after running the script, or you may run security_patch_check with the -m (machine-parsable) option.
Before installing patches, you should be familiar with the general patching process. See the Patch Management User Guide for HP-UX 11.x Systems, available on http://docs.hp.com, for an introduction to patching. It is important that you read this document and understand the patching process. Patches that are installed incorrectly or incompletely can cause a system to stop functioning in serious and difficult-to-recover ways. The instructions for updates (removals) and manual actions are covered in the bulletins themselves, but you should be familiar with swinstall(1M) and swremove(1M) before installing and removing software.
Patches: Hewlett-Packard provides integrated bundles of recommended patches that contain fixes to many security issues as well as other known system defects. They are available on Support Plus media or electronically from Software Depot (http://software.hp.com). Openview patches are available at http://support.openview.hp.com/patches.
If closing patch-related security holes with the minimum system change is required, the Patch Database (found at the IT Resource Center, http://itrc.hp.com) may be used in combination with security_patch_check to download the minimum set of patches with their dependencies. The Patch Database will always display the set of patches that HP currently recommends. These patches may be newer than those identified by security_patch_check.
Updates: In general, most HP-UX software is available from software.hp.com, via the OEUR/AR
media releases, and from the product-specific web sites on http://www.hp.com. The security bulletin
326 Hewlett-Packard Company − 1 − HP-UX 11i Version 3: February 2007