HP-UX 11i Version 3: February 2007
security_patch_check — check security-bulletin compliance state of HP-UX 11.x system or depot
security_patch_check [-a] [-n] [-q | -qq] [-c security-catalog] [- | -f file | -h depot | -h remote-host] [-i ignore-file] [-m | -o [bcdmprs]] [-r [url]] [-s os-version]
security_patch_check -t [-a] [-n] [-q | -qq] [-c security-catalog] [-h depot | -h remote-host] [-i ignore-file] [-m | -o [bcdmprs]] [-r [url]] [-s os-version]
The security_patch_check command runs a bulletin-compliance analysis of an HP-UX system. security_patch_check determines which of the minimum security patches, updates and manual actions have yet to be applied to the system, and generates a report listing the patches and actions recommended for the specific system analyzed. The analysis is likely to be incomplete for products and operating systems that are obsolete or unsupported, including products from previous OS versions that remain after an OS update. If your system was updated from a prior OS, you may use the -s option to identify additional issues that were announced for the prior OS version.
Note: Security Patch Check does not support OS versions older than 11.00, even with the -s option.
Normally, security_patch_check calls the swlist command directly to do its analysis; see swlist(1M). However, if the - or -f option is specified, security_patch_check reads standard input (-) or a file (-f filename) as though it were the output of a call to swlist. Thus, security_patch_check can analyze sets of systems and depots when it is fed swlist output from those sources. You can also choose whether to analyze superseded patches by using the -x show_superseded_patches=TRUE option of swlist. (Without the - or -f options, use the -t option to control the analysis of superseded patches.)
security_patch_check must have local access to a security bulletin catalog to run its analysis. It can download the most recent security patch catalog from an HP HTTPS, HTTP or FTP site; the download is performed when the -r option is used. Refer to -r in the Options subsection for important information on this option. security_patch_check also reports any patches with warnings that are present on your system. (Note: the default is to analyze only active patches. To analyze all installed patches, use the -t option.) These patches need not be security-related. If a patch with warnings is active on a system, read its "Warn" field. The Warn field of every 11.x patch with warnings is in the security catalog. To find the patch warnings applicable to your system, either look up the patch records manually in the catalog after running the script, or run security_patch_check with the -m (machine-parsable) option.
Before installing patches, you should be familiar with the general patching process. See the Patch Management User Guide for HP-UX 11.x Systems, available on http://docs.hp.com, for an introduction to patching. It is important that you read this document and understand the patching process. Patches that are installed incorrectly or incompletely can cause a system to stop functioning in serious and difficult-to-recover ways. The instructions for updates (removals) and manual actions are covered in the bulletins themselves, but you should be familiar with swinstall(1M) and swremove(1M) before installing and removing software.
Patches: Hewlett-Packard provides integrated bundles of recommended patches that contain fixes for many security issues as well as other known system defects. They are available on Support Plus media or electronically from Software Depot (http://software.hp.com). OpenView patches are available at http://support.openview.hp.com/patches.
If closing patch-related security holes with the minimum system change is required, the Patch Database (found at the IT Resource Center, http://itrc.hp.com) may be used in combination with security_patch_check to download the minimum set of patches with their dependencies. The Patch Database will always display the set of patches that HP currently recommends. These patches may be newer than those identified by security_patch_check.
Updates: In general, most HP-UX software is available from software.hp.com, via the OEUR/AR media releases, and from the product-specific web sites on http://www.hp.com. The security bulletin will normally have more specific source information.
Removal actions: Sometimes the only fix for software is to remove it. Generally, the security bulletin will recommend an upgrade path to another product with the same functionality.
Manual actions: Security Patch Check may recommend a manual action when a packaged product or patch does not completely solve the problem, when human intelligence needs to be involved, or when the data available is partial or incomplete. Refer to the bulletin for more information. The only way to indicate completed manual actions is to use an "ignore" file. (see -i option below.)
Monitoring security bulletins from HP and other sources is recommended as a security best practice. If you think you have found a discrepancy between actions required on your system and those reported by Security Patch Check, please report this discrepancy to email@example.com for investigation. HP appreciates reporting any discrepancies to us and assisting us to protect all of our valued customers.
The default behavior of security_patch_check is to use the security patch catalog located at ./security_catalog to analyze localhost, and the ignore file at $HOME/.spc_ignore to decide which bulletins to ignore. It then runs swlist and generates a report in an easy-to-read table format. These defaults can be overridden on the command line, or in the /etc/opt/sec_mgmt/spc/spc_config file.
Additional Security Patch Check documentation (such as FAQs and an up-to-date README) may be found at http://docs.hp.com
Command line arguments cannot be clustered; for example, -r -q is valid, but -rq is not. security_patch_check supports the following options.
Following the recommendations of security_patch_check will result in a system that is up-to-date with HP's recommended security actions.
There are many security advisories that require manual actions on a system. Since some advisories or bulletins contain no patches and others contain both patches and manual actions, these advisories, if output by security_patch_check, must be read and appropriate action taken.
To access an archive of HP-UX security advisories, you must have an account on the ITRC. Go to http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin.
security_patch_check uses Perl's tainting checks. This means that security_patch_check will exit if the command line options it receives contain any character besides a letter (A-Za-z), number (0-9), slash (/), dot (.), underscore (_), or dash (-). Keep this in mind when using -c security-catalog with the -r option. Perl's security features may also prevent some URLs from being used with the -r option on the command line.
security_patch_check performs a check on the security catalog being used. It prints a warning if the catalog is group or world writable, or if one of its parent directories is group or world writable and the sticky bit is not set on that directory (in either case another local user could replace or rename the catalog and so alter the result of the analysis).
When using FTP, security_patch_check does not validate the security patch catalog it downloads. It is possible to download an invalid catalog if HP's FTP site is being spoofed on the subnet where security_patch_check is running. For that reason, the default HTTPS download is the recommended method. Note that if the prerequisites for HTTPS communication (HP's SSL-Enabled Perl and OpenSSL; OpenSSL is also required if CRL checking is needed) are not installed, Security Patch Check falls back to HTTP, which offers no more protection against a spoofed server than FTP does.
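The following is an added example, not part of the HP-UX man page or of security_patch_check itself: a portable /usr/bin/sh function that applies the same trust-path test to a catalog file, so a cron wrapper can refuse to run the analysis when the catalog could have been tampered with by another local user. It reads the mode string from ls -ld rather than a platform-specific stat(1), and treats a parent directory with the sticky bit set as safe, exactly as described above. The function name is an assumption chosen for this example.

```shell
#!/usr/bin/sh
# Added example (not from the man page): warn if the security catalog, or
# any directory on the path to it, is writable by group or others without
# the sticky bit. Returns 0 when the path is trustworthy, 1 otherwise.

spc_catalog_path_ok() {
    f=$1
    rc=0
    [ -e "$f" ] || { echo "no such catalog: $f" >&2; return 1; }

    # Mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
    # Group write is column 6, other write is column 9, sticky is column 10.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?)
            echo "warning: catalog $f is group or world writable ($mode)" >&2
            rc=1 ;;
    esac

    # Resolve symlinks so that every real parent directory is inspected.
    dir=$(cd "$(dirname "$f")" 2>/dev/null && pwd -P) || return 1
    while :; do
        dmode=$(ls -ld "$dir" | cut -c1-10)
        case "$dmode" in
            *[tT]) ;;   # sticky bit set: others cannot rename or unlink entries here
            ?????w*|????????w?)
                echo "warning: directory $dir is group or world writable without sticky bit ($dmode)" >&2
                rc=1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage from a wrapper script (catalog path is the tool's default location):
#   spc_catalog_path_ok /var/opt/sec_mgmt/security_catalog || exit 1
```

A warning from this function is a reason to re-download the catalog (with -r over HTTPS) into a directory that only root can write, not merely to note the message in the report.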
security_patch_check can be run by any user who has permissions to execute Perl and swlist.
SECURITY CATALOG RETRIEVAL
The following configuration options deal mainly with the -r option.
When using the -r option from behind a firewall which requires a proxy to be used for Internet connectivity, the https_proxy, http_proxy, or ftp_proxy configuration settings (depending on which download protocol you intend to use) must indicate the proxy for the local subnet. The proxy settings tell security_patch_check how to perform transfers from behind the firewall. The default proxy behavior can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, and behavior on a per-user basis can be specified as environment variables in the user's shell. The proxy URL must be in the form:
A web proxy generally uses the HTTP protocol (even for proxying HTTPS and FTP data). If you specify a URL on the command line and you wish to traverse a proxying firewall, then you must specify the proxy which corresponds to that URL. For example, set the http_proxy option if the URL begins with http://. Some protocols (such as telnet) do not do file transfers, and other protocols (such as file) cannot be used over a proxy.
NOTE: If you are running security_patch_check from within Systems Insight Manager, instead of running the "Get Bulletin Catalog" tool, you can also download the catalog manually from one of the catalog URLs listed below and save it as /var/opt/sec_mgmt/security_catalog. To allow Systems Insight Manager to use your proxy to get the catalog, you must set the https_proxy, http_proxy, or ftp_proxy variable (and all other configuration environment variables not set in the security_patch_check clients' configuration file, /etc/opt/sec_mgmt/spc/spc_config).
For example, insert
into /etc/profile to enable FTP download through the specified proxy. The "Get Patch Catalog" tool in Systems Insight Manager will read in /etc/profile before executing security_patch_check.
HTTPS Specific Configuration
Each of the following variables can be configured in the security_patch_check configuration file, /etc/opt/sec_mgmt/spc/spc_config, or as environment variables in the user shell. For each of these variables, reasonable defaults are set in the configuration file, and can be used as examples. By default, security_patch_check requires server certificate validation for all HTTPS requests. Therefore, you must specify the trusted CA certificate used to issue the remote server's certificate by correctly setting either the HTTPS_CA_FILE or the HTTPS_CA_DIR variables below.
The security bulletin catalog can also be downloaded manually from any of the following URLs:
https://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
http://itrc.hp.com/service/patch/securityPatchCatalog.do?item=security_catalog2.gz
ftp://ftp.itrc.hp.com/export/patches/security_catalog2.gz
Get the latest security patch catalog, and then analyze the local system; print the (default) human-readable report.
security_patch_check -r
Get the latest security bulletin catalog, and then analyze localhost; write all output including warnings and errors to file report (using /usr/bin/sh). This is useful for using security_patch_check in a cron job to execute nightly.
security_patch_check -r > report 2>&1
If you would prefer to have a report mailed to you, then you can use the following (using /bin/sh). This will put the standard output and standard error streams together and mail them to the given e-mail address.
security_patch_check -r 2>&1 | mail user@hostname
Analyze localhost by downloading the latest security bulletin catalog, and take swlist output from file swout_output.
security_patch_check -f swout_output -r
Analyze localhost, print in which security bulletins the recommended patches' or actions' chains were mentioned, whether the recommended patches or actions require reboot, and their descriptions.
security_patch_check -o brd
Analyze remote host named machineA; give output in machine-parsable format.
security_patch_check -h machineA -m
Analyze depot /patch_depot on machineA along with depot /fileset_depot on machineB. Assume that the depots are for HP-UX 11.00. security_patch_check takes swlist output from standard input.
swlist -l fileset -a supersedes -a software_spec -a revision -a state -d \
    @ machineA:/patch_depot machineB:/fileset_depot \
    | security_patch_check -s 11.00 -
Analyze remote system machineA after downloading the security bulletin catalog. This example may be considered a typical usage of security_patch_check as a cron job.
security_patch_check -r -q -h machineA
Analyze machineA; print a table in machine-readable format only if missing patches are found.
security_patch_check -h machineA -q -m
security_patch_check sets its exit status to one of the following values.
In the case of an error, security_patch_check prints an error message.
Security Patch Check uses the HOME environment variable to set default locations for the ignore file and the default trust store. If the tool is run by root without HOME set, Security Patch Check will default to using /var/opt/sec_mgmt/spc. Otherwise, the lack of a valid HOME will cause Security Patch Check to terminate with an error.
When security_patch_check is run with the -r option, the proxy and trust store configuration variables should be set and exported in your shell environment.
If your network requires a proxy, the https_proxy, http_proxy, or ftp_proxy variable must indicate a proxy that the script can use. Set the proxy variable that matches the protocol you are using to download the security catalog.
If you are using the HTTPS protocol, all the required trust store variables must be configured. Review the HTTPS Specific Configuration subsection above for details concerning the HTTPS_CA_FILE, HTTPS_CA_DIR, CRLCHECK, and CRLURL trust store environment variables.
The /etc/profile file must be altered to allow Systems Insight Manager to find the variables. Refer to the SECURITY CATALOG RETRIEVAL section above for more information.
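The following is an added example, not part of the HP-UX man page or of security_patch_check: /usr/bin/sh pre-flight functions for a cron wrapper that runs security_patch_check -r. They check the two things the text above says must be right before a download is attempted: that a trust store (HTTPS_CA_FILE or HTTPS_CA_DIR) exists, so certificate validation can succeed instead of the tool falling back to an unauthenticated transport, and that any proxy variable is an http:// URL, since a web proxy speaks HTTP even when relaying HTTPS or FTP. The function names, the proxy host and the CA bundle path are assumptions for this example; the variable names are the ones the page documents.

```shell
#!/usr/bin/sh
# Added example (not from the man page): pre-flight checks for the
# environment that security_patch_check -r depends on. Variables are
# normally set in /etc/opt/sec_mgmt/spc/spc_config or exported in the
# user's shell; hostnames and paths below are placeholders.

# Return 0 when a trust store for HTTPS server-certificate validation is
# configured and present; HTTPS_CA_FILE takes precedence over HTTPS_CA_DIR.
spc_trust_store_ok() {
    if [ -n "$HTTPS_CA_FILE" ]; then
        [ -r "$HTTPS_CA_FILE" ] && return 0
        echo "HTTPS_CA_FILE is set but not readable: $HTTPS_CA_FILE" >&2
        return 1
    fi
    if [ -n "$HTTPS_CA_DIR" ]; then
        [ -d "$HTTPS_CA_DIR" ] && return 0
        echo "HTTPS_CA_DIR is set but is not a directory: $HTTPS_CA_DIR" >&2
        return 1
    fi
    echo "neither HTTPS_CA_FILE nor HTTPS_CA_DIR is set; HTTPS validation cannot succeed" >&2
    return 1
}

# Return 0 when the proxy variable for the given scheme is unset or is a
# plain http:// URL. Web proxies are addressed over HTTP regardless of the
# protocol of the catalog URL being fetched through them.
spc_proxy_ok() {
    scheme=$1
    case "$scheme" in
        https) val=$https_proxy ;;
        http)  val=$http_proxy ;;
        ftp)   val=$ftp_proxy ;;
        *) echo "unknown scheme: $scheme" >&2; return 1 ;;
    esac
    [ -z "$val" ] && return 0
    case "$val" in
        http://*) return 0 ;;
        *) echo "${scheme}_proxy should be an http:// URL, got: $val" >&2; return 1 ;;
    esac
}

# All checks together; fails fast on the first problem.
spc_preflight() {
    spc_trust_store_ok && spc_proxy_ok https && spc_proxy_ok http && spc_proxy_ok ftp
}

# Example settings (placeholders) and the cron-style invocation from the
# examples above; uncomment in a real wrapper:
#   HTTPS_CA_FILE=/etc/opt/sec_mgmt/spc/cacert.pem; export HTTPS_CA_FILE
#   https_proxy=http://proxy.example.com:8080;       export https_proxy
#   spc_preflight && security_patch_check -r -q -h machineA
```

Running the pre-flight from the same wrapper that invokes the tool keeps a misconfigured trust store from silently turning a nightly HTTPS download into an HTTP one.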