Operating System - HP-UX

Announcing Software Assistant (SWA)

 
Bob E Campbell
Honored Contributor

Announcing Software Assistant (SWA)

SWA has been released on Software Depot. You can consider SWA to be an upgrade for the security_patch_check(1M) tool adding features from the ITRC itself. Some highlights:

* analyze remote systems
* download patches and patch bundles
* detection confidence reported for security issues
* 3 text report types
* HTML report links to patch and bulletin text

Team members will be looking for comments and questions in these forums. To learn more and download SWA please visit:

http://www.hp.com/go/softwaredepot
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

A direct link has been established for Software Assistant! Save your button-clicking finger by using http://www.hp.com/go/swa.
Geoff Wild
Honored Contributor

Re: Announcing Software Assistant (SWA)

Thanks Bob!

This looks very interesting indeed.

I will D/L and test on Monday.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
John Payne_2
Honored Contributor

Re: Announcing Software Assistant (SWA)

I've been using it for several months now, it really is a good product. I really like the "analyze remote systems" feature.

John
Spoon!!!!
John Payne_2
Honored Contributor

Re: Announcing Software Assistant (SWA)

(Back to the top)

John
Spoon!!!!
Denver Osborn
Honored Contributor

Re: Announcing Software Assistant (SWA)

Bob,

How does swa-get download the recommended patches? Can it download all recommended patches as a single gzipped tarball?

Thanks,
-denver
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

Oh boy... time to start writing that white paper...

Once an SWA analysis has been performed, the patches and QPK bundles identified, the "swa get" command downloads to a staging directory (the software cache) if not already found. Once the cache is full it automatically copies the content into the specified depot.

The actual download can be controlled via a number of mechanisms, including the use of an external command such as curl. By default it is from the HP FFS servers via https.

We envisioned a central server with lots of disk space keeping a fairly large cache around, but are considering an option to download and place into the depot patch by patch for those that do not want to keep anything in the software cache (single-system model).
Ivan Krastev
Honored Contributor

Re: Announcing Software Assistant (SWA)

Sounds good this remote analyze - will test it soon.


regards,
ivan
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

D'Oh! Monday morning without enough caffeine....

The SWA catalog is downloaded via https, the patches and bundles are then grabbed via ftp. The downloads are validated by the MD5 sums found in the catalog.

I should never post until after dinner...
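
The validation step described in the post above (sums from a catalog fetched over https, files fetched over ftp), as an added example that is not part of the original thread and is not SWA's own code. The catalog line format (`<md5hex>  <filename>`), the file names and every function name are assumptions made for illustration; the page does not show the real catalog format.

```python
import hashlib
import os
import re
import tempfile

def parse_catalog(text):
    """Parse hypothetical '<md5hex>  <filename>' lines into {filename: md5hex}."""
    sums = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
            raise ValueError("malformed digest for %r" % name)
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError("catalog entry escapes the cache: %r" % name)
        sums[name] = digest.lower()
    return sums

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_cache(cache_dir, catalog):
    """Classify catalog entries and cached files; only 'ok' files should reach a depot."""
    status = {}
    for name, expected in catalog.items():
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if md5_file(path) == expected else "mismatch"
    for name in os.listdir(cache_dir):
        status.setdefault(name, "unlisted")  # on disk but not vouched for by the catalog
    return status

def demo():
    # Constructed inputs: A intact, B altered in transit, C never fetched, STRAY unlisted.
    a, b = b"constructed patch A\n", b"constructed patch B\n"
    lines = ["%s  %s" % (hashlib.md5(d).hexdigest(), n)
             for n, d in (("PATCH_A", a), ("PATCH_B", b), ("PATCH_C", b"absent"))]
    catalog = parse_catalog("# constructed catalog\n" + "\n".join(lines))
    with tempfile.TemporaryDirectory() as cache:
        for name, data in (("PATCH_A", a), ("PATCH_B", b + b"altered"), ("STRAY", b"x")):
            with open(os.path.join(cache, name), "wb") as f:
                f.write(data)
        return verify_cache(cache, catalog)
```

MD5 is not collision resistant, so a check like this is only as strong as the channel the catalog itself arrived over; the ftp-delivered files inherit their integrity from the https-delivered sums.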
Doug Burton
Respected Contributor

Re: Announcing Software Assistant (SWA)

I like it so far. Nice little web page by just running "swa report -r action" made the text and html output.

Open the web page and click on an "Issue" number and it takes you to the technical knowledge base document. Like I said, nice.
Geoff Wild
Honored Contributor

Re: Announcing Software Assistant (SWA)

Strange thing for - no man page installed....

It would be nice instead of having to do a -a for all items you want but to also have a -e (exclude).

IE - we don't use QPK's here - as we get custom patch bundles from HP.

So I ran it like so:

/opt/swa/bin/swa report -r action -a SEC -a PCW -a PW -a CRIT

Came up with an interesting report on my recently patched ia64 test workstation.

Rgds...Geoff



Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

Man pages should be installed, but MANPATH will not update for your shell unless you source /etc/MANPATH. They are found under /opt/swa/share/man.

The PW analyzer includes both critical and non-critical warnings, so the "-a PCW" is redundant (lots of discussions, but that is where we ended up).

The default analyzers QPK (Quality Pack update available), PCW (installed, active patch with critical warning), and SEC (applicable security bulletin) make a pretty short list. Give it a couple of weeks and let me know if you still think that an exclude option is important. Be aware that you can set your own defaults via options files. Look at the "Extended -x Options" section of the swa-report(1M) man page.

Bob
Steven E. Protter
Exalted Contributor

Re: Announcing Software Assistant (SWA)

Shalom,

Seems the attempt has been made to replace certain features I currently provide manually.

It would seem that Internet Access is required to run the swa get section, thereby requiring some kind of secondary exposure to use the tool.

What I mean is that your swa server needs Internet access to get the patches and bundles and remote access to other systems to analyze their needs and create bundles.

That causes problems with our security model. We would need to be able to gather information on systems on closed networks, provide it to the Internet exposed server, build the patch set and carry it back on USB key or whatever to get it to the closed system.

I'm not sure this tool can do that, but I'm going to have to play with it to be sure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor
Solution

Re: Announcing Software Assistant (SWA)

Doh!

I just realized I used the swainv tool to perform the task I just complained was impossible in my prior post.

Doh!

I'll stop typing now.

:-)

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

Sneaker-net was built into the tool from the get go. The one area that the team did not agree on has some workarounds and will be addressed in a future release.

A by-product of the "report" major mode is the analysis file. All downloads and reports are generated from this file. By using media to relocate this file to an accessible machine the "get" major mode can then be used to create a depot. At that point it is a simple SD exercise to put the depot back onto media.

The other option is to move an inventory file from the secured box to the unsecured server. These files are cached, with the filename using the cksum of the target string. Unlike analysis files, we do not have the ability to override the cache naming convention so while doable the inventory export is not yet "friendly". I am assuming that this will be a popular enhancement.

Oh, the inventory format is generated by the same script (newer revision) used today for ITRC patch analysis (swainv, name makes sense now...huh ;-).

Bob
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

I just realized that the swainv discussion is likely to become a FAQ. If you will post a question on using swainv with SWA I promise to answer it in all of its gory detail.

Note that if you have SSH access to the closed system from the open you could simply use the command line:

# swa report -s ssh://safebox

or similar. The need for that swainv posting is really about air-gap security.
Bob E Campbell
Honored Contributor

Re: Announcing Software Assistant (SWA)

Sorry Steve and Denver, I thought I had assigned you both 5 points but must have clicked something wrong. I caught Steve next time, Denver you just have to post again.

I suppose I should close this announcement thread out but will give it a few days. Consider posting questions to new threads to help those who follow you.