
Re: Patching Standards.

 
Nobody's Hero
Valued Contributor

Patching Standards.

We run a diverse style of UNIX OS's. HP-UX, Solaris, AIX. One of our challenges is trying to figure out what to base our standards on about patching. Like, in the Windows world, you need to be at SP2 or 3 or whatever. How do I go to my customer and say: you need to be at `what patch level` on your Solaris systems because of `why`?

What do I base the need on?
Why would you need to be at a certain patch level in UNIX?

Also, is there a way to tell what patch level you are in the UNIX world, Solaris, HPUX?
UNIX IS GOOD
Pete Randall
Outstanding Contributor

Re: Patching Standards.

Patch level (on HPUX):

swlist -l bundle |grep -i patch |more
BUNDLE B.11.11 Patch Bundle
BUNDLE11i B.11.11.0306.1 Required Patch Bundle for HP-UX 11i, June 2003
FEATURE11-11 B.11.11.0209.5 Feature Enablement Patches for HP-UX 11i, Sept 2002
GOLDAPPS11i B.11.11.0312.4 Gold Applications Patches for HP-UX 11i v1, December 2003
GOLDBASE11i B.11.11.0312.4 Gold Base Patches for HP-UX 11i v1, December 2003
HWEnable11i B.11.11.0312.4 Hardware Enablement Patches for HP-UX 11i v1, December 2003


Pete
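
An added example, not part of any post in this thread: one way to turn the bundle listing above into a pass/fail check against a written site standard. It reads the fourth revision field as YYMM, which matches the dates in the listing itself (0306 is June 2003); the baseline values, the custom bundle name SITESEC11i and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed input: the swlist listing from the post above, wrapped lines rejoined.
sample_swlist() {
cat <<'EOF'
BUNDLE B.11.11 Patch Bundle
BUNDLE11i B.11.11.0306.1 Required Patch Bundle for HP-UX 11i, June 2003
FEATURE11-11 B.11.11.0209.5 Feature Enablement Patches for HP-UX 11i, Sept 2002
GOLDAPPS11i B.11.11.0312.4 Gold Applications Patches for HP-UX 11i v1, December 2003
GOLDBASE11i B.11.11.0312.4 Gold Base Patches for HP-UX 11i v1, December 2003
HWEnable11i B.11.11.0312.4 Hardware Enablement Patches for HP-UX 11i v1, December 2003
EOF
}
# Constructed site standard: bundle name and minimum YYMM release.
# SITESEC11i is a hypothetical custom security bundle.
baseline() {
    printf '%s\n' 'GOLDAPPS11i 0312' 'GOLDBASE11i 0312' 'HWEnable11i 0406' 'SITESEC11i 0401'
}
# check_baseline FILE < swlist-output
# Prints "bundle status installed required"; returns 1 if any bundle is MISSING or BELOW.
# The numeric YYMM comparison assumes all releases fall in 20xx.
check_baseline() {
    report=$(awk '
        NR == FNR { need[$1] = $2; next }       # first file: the baseline
        ($1 in need) {
            n = split($2, rev, ".")             # B.11.11.0312.4 -> rev[4] = "0312"
            if (n >= 4 && rev[4] ~ /^[0-9][0-9][0-9][0-9]$/) have[$1] = rev[4]
        }
        END {
            for (b in need) {
                if (!(b in have))               print b, "MISSING", "-", need[b]
                else if (have[b]+0 < need[b]+0) print b, "BELOW", have[b], need[b]
                else                            print b, "OK", have[b], need[b]
            }
        }' "$1" - | LC_ALL=C sort)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq ' (MISSING|BELOW) '
}
run_demo() {
    tmp=$(mktemp) || return 2
    baseline > "$tmp"
    sample_swlist | check_baseline "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
run_demo || echo "host is below the site baseline"
```

On a live HP-UX host the input would come from `swlist -l bundle` instead of the embedded sample.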
Jeff_Traigle
Honored Contributor
Solution

Re: Patching Standards.

The easiest way on HP-UX is to use the semi-annual Quality Packs (or Standard Patch Bundles now for 11.23, I see). Look at HP-UX patch bundles here:

http://www1.itrc.hp.com/service/patch/mainPage.do

Of course, this is only part of the equation. These bundles don't include upgrades to software (e.g. CIFS Server or EMS) that you may be running on systems. It's actually beneficial to subscribe to the patch updates notification service so you get alerted to these kinds of things, as well as individual patches as they are released.

Depending on how sensitive your organization is to security patches, you may need to install some of these individual patches between standard patch bundle releases also. I've created custom bundles previously so I could easily identify what patch level beyond the Standard Patch bundle I had on any given system.
--
Jeff Traigle
Steven E. Protter
Exalted Contributor

Re: Patching Standards.

Hi Robert,

Basically, you must have the OS Bundle.

You should have the Hardware Enablement and both recent Gold Patches bundles.

In addition, to maintain your service contract you must keep current on security patches and bulletins. I have yet to meet anyone that lost their software contract for not doing this patching, but better safe than sorry.

We use security_patch_check to get the list of needed security patches.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Deoncia Grayson_1
Honored Contributor

Re: Patching Standards.

We normally apply patches on a semi-annual basis for our production environment but they are first placed on our test boxes. In your Solaris environment you can join the patch update club and they will send you the latest patches for Solaris through BigAdmin.

HP
swlist -l bundle |grep -i patch

Solaris
showrev -p

AIX
lslpp -L
If no one ever took risks, Michelangelo would have painted the Sistine floor. -Neil Simon
James R. Ferguson
Acclaimed Contributor

Re: Patching Standards.

Hi Robert:

Ask your folks "Why do you patch?" That should get them thinking. You can/should expect answers like "...to close a security hole"; "...to enable new features (both hardware and software)"; "...to repair a defect in some piece of software".

Now ask, do you want to be "reactive" or "proactive"?

An excellent baseline are the standard patch bundles:

http://us-support2.external.hp.com/estaff/bin/doc.pl/screen=estaffDocs/distrib_redir=1+1144089591|*?File=patches_main%2Fhpux_bundles_overview.htm&Log=SCR%3DHOME_SCREEN

This is one way to define a "level" of patches as you asked. You can use 'swlist' to see presence or absence of the bundles and/or additional patches.

I also like to summarize my Installed Patch Database with:

# show_patches

...which is a nice frontend to running 'swlist -l patch'.

I suggest that you read this too:

http://docs.hp.com/en/5991-4825/index.html

It begins by discussing patch management strategies.

Regards!

...JRF...

sysadm_1
Valued Contributor

Re: Patching Standards.

Hi Robert,

Check the document http://docs.hp.com/en/5991-4825/index.html

You can have a strategy of Proactive or Reactive patch management. Or a combination of these.

In my environment, initially we are loading all the up-to-date patch bundles and once the server is live, we don't update the patches regularly unless/until we have a specific issue/requirement or any critical patches are released.


cheers!!
sysadm
Arunvijai_4
Honored Contributor

Re: Patching Standards.

Hi Robert,

HP-UX : http://www1.itrc.hp.com/service/patch/search.do?BC=patch.breadcrumb.main|&pageContextName=hpux:::

Solaris :
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

AIX :

http://www-03.ibm.com/servers/eserver/support/aix/downloading.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"

Re: Patching Standards.

Always as a standard, I would try to stay current with the quarterly update to Gold pack Application, Base, Hardware enabled and your diags as well. I would and have used links as Clay and Pete have indicated, as part of our strategy here. One must see what works for them and base it on a strategy. I utilize the patch analyst software and find them user friendly and yes, works quite well. I see a lot of HP Experts in the forum and not one hit on the site and patch analyst software. After you have run your quarterlies, take the time to perform/setup and test how effective this can be. You can do it now or do it later or the first words out of the mouth of the support desk is "What patch level are you at". Well worth the time and effort utilizing the patch analyst software. Regards
Michael
Those who forget the past are destined to re-live it