topic Re: security patch check question in Operating System - HP-UX

security patch check question

kholikt — Wed, 30 Mar 2005 10:03:54 GMT

I have installed and run security patch check tool. Some of the vulnerability required manual action like changing permission of file. I just wondering after I fix the permission if I re-run security patch check script again the same vulnerability will appear. Is there any way that I can notify security patch check tool this warning can be ignore or fixed.

Re: security patch check question

Pete Randall — Wed, 30 Mar 2005 10:18:21 GMT

If you've fixed the permissions, the tool should not complain about it anymore.

Pete

Re: security patch check question

Theodore Pardike — Thu, 31 Mar 2005 08:53:24 GMT

I have found that you need to make an entry in .spc_ignore for these types of warnings to be ignored in the future.

Ted

Re: security patch check question

Keith Buck — Wed, 26 Oct 2005 12:24:12 GMT

Security Patch Check will warn about world-writeable directories in your search path because it may compromise the use of the tool. These can be eliminated by fixing the permissions of those directories.

Security Patch Check will also refer to bulletins with manual actions. For this, use of the .spc_ignore file is required, since Security Patch Check cannot automatically detect the fix (especially when run remotely)

-Keith

Re: security patch check question

Bill Hassell — Wed, 26 Oct 2005 14:21:36 GMT

AS mentioned, you need to create and edit a .spc_ignore file in your $HOME for root. Here is an example:

111r2 # very old Ignite issue
188r1 # Java 1.4.2.04 Java Web Start (1.0.1.01 or higher for HP-UX 11.x)
205r1 # TCP sequence numbers (implemented in nddconf)
231 # Visualize Conference (Xwindows) not applicable
239r1 # swacl for swinstall (allow/deny remote access to patch info)
150 # swacl -l host (removes remote probing of installed patches)
246r5 # sendmail.cf
253r8 # sendmail.cf
281r9 # sendmail.cf
304 # shar TMPDIR procedure + PHCO_30544
1047 # disable webadmin in /etc/rc.config.d
1099 # check downloads with MD5 checksums
280r1 # JSSE (not used)
235 # Remove old Java (n/a)
226 # Upgrade to latest (Java1.5)
1087 # Upgrade to latest (Java1.5)
267 # Remove old Java (n/a)
268 # Remove old Java (n/a)
295r2 # Remove old Java (n/a)
1044 # latest Java 1.5
187r1 # latest Java 1.5
1100 # Latest Java 1.5
1123 # Latest Apache suite (with Tomcat)
1137r1 # tcp/ip Remote Denial of Service / ip_pmtu_strategy=0
1138 # Radia mgmt (not used)

So the ID number is the first field and the rest are commants. Once I look at the manual actions required (and perform if necessary), I add the bulletin number to this file. From then on, the acknowledged warnings are then ignored and you can get a clean scan.