HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

security_patch_check(1M) security_patch_check(1M)
By default security_patch_check will store the catalog in ./security_catalog, unless the -c option is used, in which case the catalog will be stored at the location specified by -c. If the url is specified, then the catalog must be in gzip format (must end in .gz). For more retrieval configuration details refer to the SECURITY CATALOG RETRIEVAL section below.
-s os-version
     Specify the OS version. Without the -s option, security_patch_check uses the software_spec field of the OS-Core fileset to determine which OS is running on the target system. os-version should be in the format 11.xx. This option is useful when analyzing a patch-only depot.
-t   Gather information about superseded patches from a live host (default "localhost" or the host specified with -h) for security_patch_check to analyze. The default behavior is to gather and analyze only information on active patches. If you wish to analyze the full patch tree when using input from standard input or from a file, then use the -x show_superseded_patches=TRUE option on the swlist command (instead of -t on security_patch_check) to ensure that the full patch tree is included when you generate the input. This analysis is useful before rolling back a patch to see if it will activate a patch with warnings or a misconfigured patch.
-u   Print usage message and exit.
SECURITY ISSUES
Following the recommendations of security_patch_check will result in a system that is up-to-date with HP’s recommended security actions.

There are many security advisories that require manual actions on a system. Since some advisories or bulletins contain no patches and others contain both patches and manual actions, these advisories, if output by security_patch_check, must be read and appropriate action taken.

To access an archive of HP-UX security advisories, you must have an account on the ITRC. Go to http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin.

security_patch_check uses Perl’s tainting checks. This means that security_patch_check will exit if the command line options it receives contain any character besides a letter (A-Za-z), number (0-9), slash (/), dot (.), underscore (_), or dash (-). Keep this in mind when using -c security-catalog with the -r option. Perl’s security features may also prevent some URLs from being used with the -r option on the command line.
security_patch_check performs a check on the security catalog being used. It prints a warning in case the catalog is world or group writable, or if one of its parent directories is world or group writable and the sticky bit is not set on that directory.
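The catalog permission check described above, as an added example that is not part of this manual page or of security_patch_check itself: a POSIX sh script applying the same rule (catalog group/world writable, or a parent directory group/world writable without the sticky bit) to a catalog path before it is handed to -c. It assumes only a POSIX shell and ls(1).

```sh
#!/bin/sh
# Added example, not part of the HP-UX manual page or of security_patch_check:
# re-implements the catalog permission check so an administrator can verify a
# catalog location before passing it to -c. Assumes POSIX sh and ls(1) only.

# Print the 10-character permission field of ls -ld for a path (symlinks followed).
mode_string() {
    ls -ldL "$1" | cut -c1-10
}

# True (0) if the group write bit (column 6) or other write bit (column 9) is set.
writable_by_others() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) if the sticky bit is set: ls shows 't' or 'T' in column 10.
has_sticky() {
    case "$1" in
        ?????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Warn about the catalog file and each parent directory; return the problem count.
check_catalog() {
    catalog=$1
    problems=0
    [ -e "$catalog" ] || { echo "ERROR: $catalog does not exist" >&2; return 1; }
    mode=$(mode_string "$catalog")
    if writable_by_others "$mode"; then
        echo "WARNING: $catalog is group or world writable ($mode)"
        problems=$((problems + 1))
    fi
    dir=$(cd "$(dirname "$catalog")" && pwd)   # absolute parent, walked up to /
    while :; do
        dmode=$(mode_string "$dir")
        if writable_by_others "$dmode" && ! has_sticky "$dmode"; then
            echo "WARNING: $dir is group or world writable without the sticky bit ($dmode)"
            problems=$((problems + 1))
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $problems
}

if [ $# -gt 0 ]; then check_catalog "$1"; fi
```

Run it as `sh check_catalog.sh /path/to/security_catalog.gz`; a non-zero exit status equals the number of warnings printed.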
When using FTP, security_patch_check does not validate the security patch catalog it downloads. It is possible to download an invalid catalog if HP’s FTP site is being spoofed on the subnet where security_patch_check is running. For that reason, the default HTTPS download is the recommended method. Note that if the prerequisites for HTTPS communication (OpenSSL and HP’s SSL-Enabled Perl, also OpenSSL if CRL checking is needed) are not installed, then Security Patch Check will default to HTTP.

security_patch_check can be run by any user who has permissions to execute Perl and swlist.
SECURITY CATALOG RETRIEVAL
The following configuration options deal mainly with the -r option.

Proxy Settings
When using the -r option from behind a firewall which requires a proxy to be used for Internet connectivity, the https_proxy, http_proxy, or ftp_proxy configuration settings (depending on which download protocol you intend to use) must indicate the proxy for the local subnet. The proxy settings tell security_patch_check how to perform transfers from behind the firewall. The default proxy behavior can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, and behavior on a per-user basis can be specified as environment variables in the user’s shell. The proxy URL must be in the form:
proxy-protocol://proxy-address:port
For example:
HP-UX 11i Version 3: February 2007 4 Hewlett-Packard Company 329