HP-UX security patch bundle - does it exist?

 
Danny Webster
Advisor

HP-UX security patch bundle - does it exist?

Hi all,

Forgive me if this has been covered - I cannot seem to find anything about it in these forums, or by googling it.

I'm after a security patch bundle, ala Solaris's cluster on Sunsolve. It's murder trying to find any security related patches on HP's website!

I see from the forums that there is a "security_patch_check" script - is this what I'm looking for? I.e., something with a set of recommended security patches all bundled up.

Hope I'm not blabbing, it's *almost* beer time.

Many thanks

Dan.
feck
14 REPLIES
Mel Burslan
Honored Contributor

Re: HP-UX security patch bundle - does it exist?

As every system's security vulnerabilities are different, I do not believe there is such a bundle called security patch bundle, distributed by HP. The "Security Patch Check" tool (available free at: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA ) advises you what patches your system needs, and you need to go to the patch database and bundle up the necessary patches into a depot yourself.

Good thing is, if your systems are similar in nature, you can use this depot on all your servers.
________________________________
UNIX because I majored in cryptology...
Steven E. Protter
Exalted Contributor

Re: HP-UX security patch bundle - does it exist?

Security comes out in little bitty pieces as needed. Here are ideas on how to keep track:

Security patch check (see prior post).

Sign up for security bulletins from the ITRC homepage.

Sign up for CERT bulletins.

Think about running Bastille, because it nicely checks non-patch security issues.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

I can blab, but I don't want to keep you from your beer. Have one with me in mind Sir.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Danny Webster
Advisor

Re: HP-UX security patch bundle - does it exist?

Thanks for your help, this is exactly what I need - I just have to shake off the hangover enough to go and pull down individual patches now, and I'm sure there will be a lot of them :)

Once again, thanks for your help, oh and Steve, I had a few for you mate, trust me on that one ;)

Dan.
feck
John Carr_2
Honored Contributor
Solution

Re: HP-UX security patch bundle - does it exist?

Dan, you can also use cpm_collect.sh, which creates a file containing relevant info about the patches on your system, which is then cross-checked by HP, and a report of recommended security patches is produced. Have a look at the following thread:

http://www5.itrc.hp.com/service/patch/addUpdateSystemsPage.do?BC=patch.breadcrumb.main|patch.breadcrumb.sbs|

John.
Danny Webster
Advisor

Re: HP-UX security patch bundle - does it exist?

Ah, fantastic! I will look into this one too,

thanks again

dan.
feck
John Carr_2
Honored Contributor

Re: HP-UX security patch bundle - does it exist?

Dan

A book worth reading

HP-UX 11i Security, released by Prentice Hall
Author: Chris Wong, ISBN: 0130330620

http://www.amazon.co.uk/exec/obidos/ASIN/0130330620/qid=1086257665/br=3-2/br_lfncs_b_2/202-5456180-5066258

John.
Danny Webster
Advisor

Re: HP-UX security patch bundle - does it exist?

John,

I actually own that book, it's at my girlfriend's house a long way away though. I started reading it but didn't actually finish it, but it looked good.

I obviously missed the chapter about patching, heh.

Cheers

dan.
feck
John Carr_2
Honored Contributor

Re: HP-UX security patch bundle - does it exist?

Dan

I think I might have to start studying for a PhD in drinking also; it's my favourite hobby too.

Check out the cpm_collect.sh script; it's real easy. Run it as any user on the server, upload the file and select options for reporting, i.e. security. The report looks good; I cut and pasted it into a management report and got full marks. It also allows you to select all recommended patches and puts them into one install package to make installation simple, no multi reboots. It also has the advantage of being real-time up to date.

:-) John.
Joseph Loo
Honored Contributor

Re: HP-UX security patch bundle - does it exist?

hi,

No doubt having the security patch checker is good, but without the updated security catalog, if your server is not exposed to the internet, it will be useless. To download:

ftp://ftp.itrc.hp.com/data/export/patches/security_catalog.gz
and download it to /tmp

# gunzip -d /tmp/security_catalog.gz
to unzip the file.

regards.
what you do not see does not mean you should not believe
Danny Webster
Advisor

Re: HP-UX security patch bundle - does it exist?

Joseph,

Thanks I will weave that into my new process of patching :)

John,

If you are looking for "academic" establishments to learn for your drinking PhD, I can suggest a few all over London ;)

Dan.
feck
Keith Buck
Respected Contributor

Re: HP-UX security patch bundle - does it exist?

See also my survey question, asking for your input on comparisons between the itrc patch assessment tool (upload data and do server side analysis, web-based) and security_patch_check (download data and do client side analysis, command-line style)

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=426710

I'm interested in your input as a new user.

Using either of those tools today, don't forget about product updates and manual actions. These tools only cover _patches_ today.

Bastille is for proactive hardening rather than reactive security vulnerabilities; by making tradeoffs that decrease your exposure, you can head off future vulnerabilities. It's also intended to be educational, warning you about things like cleartext protocols, etc. where the security characteristics are clearly documented but probably aren't what you want to use if you're in a high threat environment.

Hope that helps.

-Keith
Danny Webster
Advisor

Re: HP-UX security patch bundle - does it exist?

Thanks for your response Keith, I won't actually be running the tools in the end, I'm just formulating a security patch methodology for another team, so I don't know how much help I will be to you?

I'll have a butcher's hook anyway

Dan.
feck
Dave Unverhau_1
Honored Contributor

Re: HP-UX security patch bundle - does it exist?

Dan,

FYI...if you have a Proactive support contract (formerly PSS, CSS or BCS, now CS, P24, Proactive Essentials in the new support portfolio), you have an assigned HP RASE or RCAA who can create a security patch bundle for you.

If you have such support and don't know who that is, check with your Account Support Consultant.

Best Regards,

Dave
Romans 8:28
Keith Buck
Respected Contributor

Re: HP-UX security patch bundle - does it exist?

FYI, my caveat above:

"Using either of those tools today, don't forget about product updates and manual actions. These tools only cover _patches_ today."

no longer applies for Security Patch Check B.02.00. It is available from

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

This version covers all HP-UX security bulletins, including those with updates and manual actions.

Hope that helps.

-Keith