security_patch_check(1M)

NAME

security_patch_check — check security-bulletin compliance state of HP-UX 11.x system or depot

SYNOPSIS

security_patch_check -t [-a] [-n] [-q | -qq] [-c security-catalog] [-h depot | -h remote-host] [-i ignore-file] [-m | -o [bcdmprs]] [-r [url]] [-s os-version]

security_patch_check -u

DESCRIPTION

The security_patch_check command runs a bulletin-compliance analysis of an HP-UX system. security_patch_check will determine which minimal security patches, updates and manual actions have yet to be applied to the system, and will generate a report listing the patches and actions recommended that apply to the specific system analyzed. It is likely that the analysis will be incomplete for products and operating systems that are obsolete or unsupported. This includes products from previous OS versions that remain after an OS update. If your system was updated from a prior OS, you may choose to use the -s option to identify additional issues that may have been announced for the prior OS version.

Note: Security Patch Check does not support OS versions older than 11.00, even with the -s option.

Normally, security_patch_check will call the swlist command directly to do its analysis; see swlist(1M). However, if the - or -f option is specified, security_patch_check will use standard input (-) or a file (-f filename) as though it were output from a call to swlist. Thus, security_patch_check can effectively analyze sets of systems and depots by sending it swlist output from those sources. You can also choose whether to analyze superseded patches using the -x show_superseded_patches=TRUE option of swlist. (Without the - or -f options, use the -t option to control the analysis of superseded patches.)

security_patch_check must have local access to a security bulletin catalog to run its analysis. security_patch_check is able to download the most recent security patch catalog from an HP HTTPS or FTP site. security_patch_check will perform the download if the -r option is used. Refer to -r in the Options subsection for important information on this option. security_patch_check will tell you about any patches with warnings which are present on your system. (Note: the default is to analyze only active patches. If you want to analyze all installed patches, use the -t option.) These patches need not be security-related. If a patch with warnings is active on a system, you should read its "Warn" field. The Warn field of every 11.x patch with warnings is in the security catalog. To find the patch warnings that are applicable to your system, you may look up the patch records manually in the catalog, after running the script, or you may run security_patch_check with the -m (machine-parsable) option.

Before installing patches, you should be familiar with the general patching process. See the Patch Management User Guide for HP-UX 11.x Systems, available on http://docs.hp.com, for an introduction to patching. It is important that you read this document and understand the patching process. Patches that are installed incorrectly or incompletely can cause a system to stop functioning in serious and difficult-to-recover ways. The instructions for updates (removals) and manual actions are covered in the bulletins themselves, but you should be familiar with swinstall(1M) and swremove(1M) before installing and removing software.

Patches: Hewlett-Packard provides integrated bundles of recommended patches that contain fixes to many security issues as well as other known system defects. They are available on Support Plus media or electronically from Software Depot (http://software.hp.com). Openview patches are available at http://support.openview.hp.com/patches.

If closing patch-related security holes with the minimum system change is required, the Patch Database (found at the IT Resource Center, http://itrc.hp.com) may be used in combination with security_patch_check to download the minimum set of patches with their dependencies. The Patch Database will always display the set of patches that HP currently recommends. These patches may be newer than those identified by security_patch_check.

Updates: In general, most HP-UX software is available from software.hp.com, via the OEUR/AR media releases, and from the product-specific web sites on http://www.hp.com. The security bulletin will normally have more specific source information.

Removal actions: Sometimes the only fix for software is to remove it. Generally, the security bulletin will recommend an upgrade path to another product with the same functionality.

Manual actions: Security Patch Check may recommend a manual action when a packaged product or patch does not completely solve the problem, when human intelligence needs to be involved, or when the data available is partial or incomplete. Refer to the bulletin for more information. The only way to indicate completed manual actions is to use an "ignore" file. (see -i option below.)

Monitoring security bulletins from HP and other sources is recommended as a security best practice. If you think you have found a discrepancy between actions required on your system and those reported by Security Patch Check, please report this discrepancy to bulletin-corrections@security.hp.com for investigation. HP appreciates reporting any discrepancies to us and assisting us to protect all of our valued customers.

The default behavior of security_patch_check is to use the security patch catalog located at ./security_catalog to analyze localhost, and the ignore file at $HOME/.spc_ignore to decide which bulletins to ignore. It will then run swlist and will generate a report in an easy-to-read table format. These defaults can be overridden on the command line, or in the /etc/sec_mgmt/spc/spc_config file.

Additional Security Patch Check documentation (such as FAQs and an up-to-date README) may be found at http://docs.hp.com

Options

Command line arguments cannot be clustered; for example, -r -q is valid, but -rq is not. security_patch_check supports the following options.

-a

This option causes security_patch_check to behave as though all ancestors (filesets) are installed on the target system. This option is useful for analyzing a patch depot by itself.

- or -f filename

Using - causes security_patch_check to read from standard input. Using -f filename causes security_patch_check to read from a file.

Both of these options can be used to analyze a set of depots. The data used by security_patch_check must be in the format that is generated by the following command. Note that giving security_patch_check input in a different format can lead to undefined results.

swlist -l fileset -a supersedes -a revision \ 
     -a software_spec -a state [-d] [@ host]

where -d specifies a depot instead of a root file system, and @ host specifies a target host system. See swlist(1M).

If either of these options is used, security_patch_check will not call swlist directly, but will treat standard input or file filename as though it were output from swlist as described above. The - and -f options are mutually exclusive. See the -s and -n options also.

-c security-catalog

Use the security bulletin catalog located at the path security-catalog. The default path to the security bulletin catalog is ./security_catalog.

-h depot or -h remote-host

Run an analysis on a remote host or depot, rather than localhost (default). remote-host is an HP-UX 11.x system. depot is the full path to a directory- or tape-format depot on a remote or local system. Use of the -h option is possible only if the user running security_patch_check has SWACL permissions to swlist. For remote hosts or depots, swagentd must be running on the remote host. See swagentd(1M) and swacl(1M).

-i ignore-file

Specifies the ignore file. This file is useful in the case of actions which you have analyzed but cannot be automatically detected by Security Patch Check. Perform all actions recommended by a given bulletin, and then put the security bulletin identifier in the file to cross it off your "to do" list. This will remove all actions associated with that particular bulletin from the report. (including patches, upgrades, removals, and manual actions.) In the ignore-file, security_patch_check expects one bulletin identifier per line. Comments, preceded with a pound sign (#), are allowed either on their own lines, or after action identifiers. A bulletin identifier is in the same format as the "Bull" column in the human-readable output, with the bulletin number, optionally followed by "r" and the revision number of the bulletin. If the bulletin is revised, Security Patch Check will notify you again the next time you download an updated catalog, in case the revision affects you. The default file is $HOME/.spc_ignore.

-m

Display output in a machine-parsable format. This format contains zero or more recommended-action records in the format:

action-name:
{<tab>field-name:<tab>field-text
[<tab><tab>more-field-text]... }...

The record is for either a recommended action or patch with warnings (which is present on the target system). Patches with warnings contain "with Warnings" in their Status field. Recommended security actions contain a SecBul field. -m should not be used with the -o option. Three fields that are unique to the catalog used by security_patch_check will appear. The Min field indicates the oldest patch in the recommended patch's chain that resolves the security issue. The MFset field is the list of ancestor filesets for the oldest patch, and the SecBul field indicates in which security bulletins the patch's chain was introduced. There is no guarantee that the same fields will exist for each patch record, or that the fields will be in a certain order. Notes are suppressed when -m is used. Warnings and errors are written to standard error.

-n

Suppress warnings about currently installed patches whose state is neither configured nor available. A patch which is not in one of these states is misconfigured and should be fixed.

-o [bcdmprs]

Alter the information printed by security_patch_check in the human-readable patch information table. By default, the "#", "Bull", "Cnt", "Recommended", "Spec", "Reboot", "PDep", and "Description" columns appear. The full text of the patch records can be obtained only by running security_patch_check with the -m option (instead of the -o option). Ordering of the options passed to the -o option is ignored. The table's columns will be printed in the following order:

#, Recommended, [Bull], [Cnt], [Minimum], [Spec], [Reboot], [PDep], [Description].

"#" indicates the patch's number within the table.

Note that -o should not be used with -m. -m overrides -o. The options passed to -o have the following effects:

b: Print a "Bull" field and show the highest-numbered security bulletin this recommended action applies to.
c: Print a "Cnt" field to indicate how many bulletins relate to this recommendation. For example: 1st = this is the first and only bulletin, 2nd = this is the 2nd of 2, 3rd = 3rd of three, etc.
d: Print a "Description" field and show a description of each recommended action.
m: Print a "Minimum" field and show the oldest patch in the chain of patches including the recommended patch, which resolves the security problem.
p: Print a "PDep" field and indicate whether each recommended patch has patch dependencies.
r: Print a "Reboot" field and indicate whether each recommended patch/action requires a reboot.
s: Print a "Spec" field and indicate whether each recommended patch/action has special instructions associated with it or, in some cases, the nature of the special instructions. For example: "man" indicates there are manual steps, "upd" indicates there are updates to be applied, "warn" indicates that the patch has warnings, etc.

-q

Operate in quiet mode. security_patch_check will print a table or machine-parsable output only if it determines that there are patches/actions missing from the system (or input data). Warnings will be printed. Notes will be suppressed.

-qq

Operate in very quiet mode. Warnings, which may be critical to system security (that is, patch warnings, world-writable catalogs) are suppressed. -qq implies -q.

-r [url]

Retrieve the latest security bulletin catalog from an HP HTTPS, HTTP, or FTP site, as specified by url.

By default security_patch_check will store the catalog in ./security_catalog, unless the -c option is used, in which case the catalog will be stored at the location specified by -c.

If the url is specified, then the catalog must be in gzip format (must end in .gz).

For more retrieval configuration details refer to the SECURITY CATALOG RETRIEVAL section below.

-s os-version

Specify the OS version. Without the -s option, security_patch_check uses the software_spec field of the OS-Core fileset to determine which OS is running on the target system. os-version should be in the format 11.xx. This option is useful when analyzing a patch-only depot.

-t

Gather information about superseded patches from a live host (default "localhost" or the host specified with -h) for security_patch_check to analyze. The default behavior is to gather and analyze only information on active patches. If you wish to analyze the full patch tree when using input from standard input or from a file, then use the -x show_superseded_patches=TRUE option on the swlist command (instead of -t on security_patch_check) to ensure that the full patch tree is included when you generate the input. This analysis is useful before rolling back a patch to see if it will activate a patch with warnings or a misconfigured patch.

-u

Print usage message and exit.

SECURITY ISSUES

Following the recommendations of security_patch_check will result in a system that is up-to-date with HP's recommended security actions.

There are many security advisories that require manual actions on a system. Since some advisories or bulletins contain no patches and others contain both patches and manual actions, these advisories, if output by security_patch_check, must be read and appropriate action taken.

To access an archive of HP-UX security advisories, you must have an account on the ITRC. Go to http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin.

security_patch_check uses Perl's tainting checks. This means that security_patch_check will exit if the command line options it receives contain any character besides a letter (A-Za-z), number (0-9), slash (/), dot (.), underscore (_), or dash (-). Keep this in mind when using -c security-catalog with the -r option. Perl's security features may also prevent some URLs from being used with the -r option on the command line.

security_patch_check performs a check on the security catalog being used. It prints a warning in case the catalog is world or group writable, or if one of its parent directories is world or group writable and the sticky bit is not set on that directory.

When using FTP, security_patch_check does not validate the security patch catalog it downloads. It is possible to download an invalid catalog if HP's FTP site is being spoofed on the subnet where security_patch_check is running. For that reason, the default HTTPS download is the recommended method. Note that if the prerequisites for HTTPS communication (OpenSSL and HP's SSL-Enabled Perl, also OpenSSL if CRL checking is needed) are not installed, then Security Patch Check will default to HTTP.

security_patch_check can be run by any user who has permissions to execute Perl and swlist.

SECURITY CATALOG RETRIEVAL

The following configuration options deal mainly with the -r option.

Proxy Settings

When using the -r option from behind a firewall which requires a proxy to be used for Internet connectivity, the https_proxy, http_proxy, or ftp_proxy configuration settings (depending on which download protocol you intend to use) must indicate the proxy for the local subnet. The proxy settings tell security_patch_check how to perform transfers from behind the firewall. The default proxy behavior can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, and behavior on a per-user basis can be specified as environment variables in the user's shell. The proxy URL must be in the form:

proxy-protocol://proxy-address:port

For example:

https_proxy=http://myproxy.mynet.com:8088 

A web proxy generally uses the HTTP protocol (even for proxying HTTPS and FTP data). If you specify a URL on the command line and you wish to traverse a proxying firewall, then you must specify the proxy which corresponds to that URL. For example, set the http_proxy option if the URL begins with http://. Some protocols (such as telnet) do not do file transfers, and other protocols (such as file) cannot be used over a proxy.

NOTE: If you are running security_patch_check from within Systems Insight Manager, instead of running the "Get Bulletin Catalog" tool, you can also download the catalog manually from one of the above URLs and save the catalog to /var/opt/sec_mgmt/security_catalog. To allow Systems Insight Manager to use your proxy to get the catalog, you must set the https_proxy, http_proxy, or ftp_proxy (and all other configuration environment variables not set in the security_patch_check clients' configuration file, /etc/opt/sec_mgmt/spc/spc_config).

For example, insert

export ftp_proxy=http://myproxy.mynet.com:8088

into /etc/profile to enable FTP download through the specified proxy. The "Get Patch Catalog" tool in Systems Insight Manager will read in /etc/profile before executing security_patch_check.

HTTPS Specific Configuration

Each of the following variables can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, or as environment variables in the user shell. For each of these variables, reasonable defaults are set in the configuration file, and can be used as examples. By default, security_patch_check requires server certificate validation for all HTTPS requests. Therefore, you must specify the trusted CA certificate used to issue the remote server's certificate by correctly setting either the HTTPS_CA_FILE or the HTTPS_CA_DIR variables below.

CRLCHECK: When this variable is set to 1, security_patch_check will require the certificate revocation list to be updated and checked for the trusted CA certificate being used to validate the remote server. This means the CRLURL variable must also be set and only the certificate used to sign the downloaded revocation list can be used to validate the server connection. When enabled, this configuration provides the remote server a mechanism to revoke its certificate through the certificate authority, but also requires regular downloads from the certificate authority, which can lengthen the security_patch_check run time. If you do not wish to validate a revocation list, set this variable to 0.
CRLURL: Contains the URL where the certificate revocation list (CRL), for the trusted certificate being used to download the security catalog, can be downloaded. If you are behind a proxy then you will need to configure the proxy information for the protocol being used to download the CRL.
HTTPS_CA_DIR: A directory containing files, each of which consists of one PEM-encoded trusted CA certificate. If using certificates other than the defaults shipped by HP, note that these files should be indexed using the certificate's subject name hash value, in the form "hash.0". Use the OpenSSL utility, c_rehash, to index the certificates in the directory, creating the hash.0 format files for each certificate file in the directory which ends with the .pem extension.
HTTPS_CA_FILE: The fully qualified path to a file containing PEM-encoded CA certificates which will be trusted by security_patch_check.
OPENSSLDIR: The directory path containing the openssl and c_rehash binaries.

The security bulletin catalog can also be downloaded manually from any of the following URLs:

https://itrc.hp.com/service/patch/securityPatchCatalog.do? 
    item=security_catalog2.gz 

http://itrc.hp.com/service/patch/securityPatchCatalog.do? 
    item=security_catalog2.gz 

ftp://ftp.itrc.hp.com/export/patches/security_catalog2.gz 

EXAMPLES

Get the latest security patch catalog, and then analyze the local system; print (the default) human-readable report.

security_patch_check -r 

Get the latest security bulletin catalog, and then analyze localhost; write all output including warnings and errors to file report (using /usr/bin/sh). This is useful for using security_patch_check in a cron job to execute nightly.

security_patch_check -r > report 2>&1 

If you would prefer to have a report mailed to you, then you can use the following (using /bin/sh). This will put the standard output and standard error streams together and mail them to the given e-mail address.

security_patch_check.pl -r 2>&1 | mail user@hostname

Analyze localhost by downloading the latest security bulletin catalog, and take swlist output from file swout_output.

security_patch_check -f swout_output -r 

Analyze localhost, print in which security bulletins the recommended patches' or actions' chains were mentioned, whether the recommended patches or actions require reboot, and their descriptions.

security_patch_check -o brd 

Analyze remote host named machineA; give output in machine-parsable format.

security_patch_check -h machineA -m 

Analyze depot /patch_depot on machineA along with depot /fileset_depot on machineB. Assume that the depots are for HP-UX 11.00. security_patch_check takes swlist output from standard input.

swlist -l fileset -a supersedes \ 
     -a software_spec -a revision -a state -d \ 
     @ machineA:/patch_depot \ 
     machineB:/fileset_depot \ 
| 
security_patch_check -s  11.00" -" 

Analyze remote system machineA after downloading the security bulletin catalog. This example may be considered a typical usage of security_patch_check as a cron job.

security_patch_check -r -q -h machineA 

Analyze machineA; print a table in machine-readable format only if missing patches are found.

security_patch_check -h machineA -q -m 

RETURN VALUES

security_patch_check sets its exit status to one of the following values.

0: Indicates successful exit, whether or not missing actions were found.
1: Indicates an error in the command-line arguments.
2: Indicates security_patch_check received SIGQUIT, SIGINT, or SIGSTOP.
>2: Indicates other function-level run-time errors.

In the case of an error, security_patch_check prints an error message.

ENVIRONMENT

Security Patch Check uses the HOME environment variable to set default locations for the ignore file and the default trust store. If the tool is run by root without HOME set, Security Patch Check will default to using /var/opt/sec_mgmt/spc. Otherwise, the lack of a valid HOME will cause Security Patch Check to terminate with an error.

When security_patch_check is run with the -r option, proxy and trust store configuration variables should be set and exported in your shell environment.

The https_proxy, http_proxy, or ftp_proxy variable must indicate a proxy that the script can use, if your network requires the use of a proxy. Use the appropriate proxy variable based on the protocol you are using to download the security catalog.

If you are using the HTTPS protocol, then all the required trust store variables must be configured. Review the HTTPS Specific Configuration subsection above for details concerning the HTTPS_CA_FILE, HTTPS_CA_DIR, CRLCHECK, and CRLURL trust store environment variables.

The /etc/profile file must be altered to allow Systems Insight Manager to find the variables. Refer to the SECURITY CATALOG RETRIEVAL section above for more information.

AUTHOR

security_patch_check was developed by HP.

FILES

$HOME/.spc_ignore
./security_catalog
/etc/opt/sec_mgmt/spc_config