HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
will normally have more specific source information.
Removal actions: Sometimes the only fix for software is to remove it. Generally, the security bulletin will
recommend an upgrade path to another product with the same functionality.
Manual actions: Security Patch Check may recommend a manual action when a packaged product or
patch does not completely solve the problem, when human intelligence needs to be involved, or when the
data available is partial or incomplete. Refer to the bulletin for more information. The only way to indicate
completed manual actions is to use an "ignore" file (see the -i option below).
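The ignore-file handling described here, and in the -i option below (one bulletin identifier per line, comments introduced by a pound sign, and every action tied to an ignored bulletin dropped from the report), as an added illustration in Python. This is not security_patch_check's own code: the bulletin identifiers, patch names and actions are constructed placeholders, and treating a '#' that follows an identifier on the same line as a comment is an assumption that this page does not state.

```python
"""Apply a security_patch_check-style ignore file to a list of recommended actions.

Illustrative code, not part of security_patch_check. Assumes the ignore-file
format given on the man page: one bulletin identifier per line, '#' comments.
"""
from typing import List, Set, Tuple

# Constructed sample ignore file; the identifiers are placeholders, not real bulletins.
SAMPLE_IGNORE_FILE = """\
# Bulletins whose recommended actions have been completed by hand.
BULLETIN-0001
  BULLETIN-0002   # comment after an identifier: an assumption, not documented here
# BULLETIN-0003 is NOT ignored: this whole line is a comment

BULLETIN-0099
"""

# Constructed sample report: (bulletin identifier, action type, action detail).
Action = Tuple[str, str, str]
SAMPLE_ACTIONS: List[Action] = [
    ("BULLETIN-0001", "patch", "PATCH-A"),
    ("BULLETIN-0001", "manual", "edit a configuration file by hand"),
    ("BULLETIN-0002", "upgrade", "ProductX to a later release"),
    ("BULLETIN-0003", "removal", "ProductY"),
    ("BULLETIN-0004", "patch", "PATCH-B"),
]


def parse_ignore_file(text: str) -> Set[str]:
    """Return the set of bulletin identifiers listed in an ignore file.

    One identifier per line; blank lines and comment-only lines are skipped.
    Anything after a '#' is discarded, which also covers a trailing comment
    (assumed behaviour). A line holding more than one token is rejected
    rather than silently misread.
    """
    ignored: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the comment and surrounding space
        if not line:
            continue                          # blank or comment-only line
        if len(line.split()) != 1:
            raise ValueError(f"expected one identifier per line, got: {raw!r}")
        ignored.add(line)
    return ignored


def filter_actions(actions: List[Action], ignored: Set[str]) -> Tuple[List[Action], List[Action]]:
    """Split actions into (kept, dropped).

    Every action whose bulletin is in the ignore set is dropped, whatever its
    type: patches, upgrades, removals and manual actions alike. That is the
    point to remember before adding an identifier to the file.
    """
    kept = [a for a in actions if a[0] not in ignored]
    dropped = [a for a in actions if a[0] in ignored]
    return kept, dropped


def unknown_ignores(ignored: Set[str], actions: List[Action]) -> Set[str]:
    """Ignored identifiers that match no bulletin in the report.

    Usually a typo or a bulletin already resolved; worth reviewing so a
    misspelled entry does not sit in the file while the real bulletin
    keeps being reported.
    """
    return ignored - {a[0] for a in actions}


def main() -> None:
    ignored = parse_ignore_file(SAMPLE_IGNORE_FILE)
    kept, dropped = filter_actions(SAMPLE_ACTIONS, ignored)
    print(f"ignoring {len(ignored)} bulletin(s): {sorted(ignored)}")
    for bulletin, kind, detail in kept:
        print(f"  TODO  {bulletin:14} {kind:8} {detail}")
    print(f"dropped {len(dropped)} action(s) from ignored bulletins")
    for b in sorted(unknown_ignores(ignored, SAMPLE_ACTIONS)):
        print(f"  note: {b} is ignored but not present in the report")


if __name__ == "__main__":
    main()
```

Run it as a script to see the filtered "to do" list; the functions take plain strings and lists, so the same logic can be pointed at a real $HOME/.spc_ignore once you have a report to compare it against.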
Monitoring security bulletins from HP and other sources is recommended as a security best practice. If you
think you have found a discrepancy between the actions required on your system and those reported by
Security Patch Check, please report it to bulletin-corrections@security.hp.com for investigation. HP
appreciates your reporting any discrepancies and helping us protect all of our valued customers.
The default behavior of security_patch_check is to use the security patch catalog located at
./security_catalog to analyze localhost, and the ignore file at $HOME/.spc_ignore to decide which
bulletins to ignore. It then runs swlist and generates a report in an easy-to-read table format. These
defaults can be overridden on the command line, or in the /etc/sec_mgmt/spc/spc_config file.
Additional Security Patch Check documentation (such as FAQs and an up-to-date README) may be found
at http://docs.hp.com
Options
Command line arguments cannot be clustered; for example, -r -q is valid, but -rq is not.
security_patch_check supports the following options.
-a Causes security_patch_check to behave as though all ancestors (filesets) are installed on the
target system. This option is useful for analyzing a patch depot by itself.
- or -f filename
Using - causes security_patch_check to read from standard input. Using -f filename causes
security_patch_check to read from a file. Both of these options can be used to analyze a set of
depots. The data used by security_patch_check must be in the format that is generated by the
following command. Note that giving security_patch_check input in a different format can lead to
undefined results.
    swlist -l fileset -a supersedes -a revision \
        -a software_spec -a state [-d] [@ host]
where -d specifies a depot instead of a root file system, and @ host specifies a target host system.
See swlist(1M).
If either of these options is used, security_patch_check will not call swlist directly, but will
treat standard input or the file filename as though it were output from swlist as described above.
The - and -f options are mutually exclusive. See also the -s and -n options.
-c security-catalog
Use the security bulletin catalog located at the path security-catalog. The default path to the
security bulletin catalog is ./security_catalog.
-h depot or -h remote-host
Run an analysis on a remote host or depot, rather than localhost (the default). remote-host is an
HP-UX 11.x system. depot is the full path to a directory- or tape-format depot on a remote or local
system. Use of the -h option is possible only if the user running security_patch_check has SWACL
permissions to run swlist. For remote hosts or depots, swagentd must be running on the remote host.
See swagentd(1M) and swacl(1M).
-i ignore-file
Specifies the ignore file. This file is useful for actions which you have analyzed but which cannot
be automatically detected by Security Patch Check. Perform all actions recommended by a given
bulletin, and then put the security bulletin identifier in the file to cross it off your "to do" list.
This removes all actions associated with that particular bulletin from the report (including patches,
upgrades, removals, and manual actions). In the ignore-file, security_patch_check expects one
bulletin identifier per line. Comments, preceded with a pound sign (#), are allowed either on their own
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 327