Operating System - HP-UX

Security Patch Auto Update Capability

Ken Kohl
New Member

We have the security patch check utility scripted to run once a week to notify us of the recommended security patches to add. Is HP planning on capability that will allow a user with the list from the security patch check utility to automatically download the security patches (BUT not install) and then provide notification that these patches are available?
harry d brown jr
Honored Contributor

Re: Security Patch Auto Update Capability

I believe that HP is working on better patch management, but in the meantime you can use some of the utilities that they use to install patches.

Go to the custom patch management section and follow the instructions to do a patch assessment. Select some patches and then perform a download using:

2. Select the desired format
====> download a script that will ftp the patches

put the script on a server in a NEW directory somewhere and execute it. It will un-shar these files:

README_get_patches, README_hp-ux, create_depot_hp-ux_11, get_patches, patch_manifest

You can modify the patch_manifest to contain your desired security patches and then execute get_patches to retrieve them. Once you get them downloaded you can execute create_depot_hp-ux_11 to create a depot.

live free or die
harry
Live Free or Die
Keith Buck
Respected Contributor

Re: Security Patch Auto Update Capability

Ken,

Thank you for your input. We will incorporate your feedback into our planning process for new features.

I'd appreciate some more detail about your use model as well. For example:

1. What kind of notification would you expect? (email, OVO alert, etc.)

2. How would you like to see patch ratings handled?

3. Patch dependencies?

4. Patch warnings?

5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)

6. How would you expect other (non-security) patches to fit into the picture?

7. Do you use a centralized administration model or do this on a per-system basis?

8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?

9. What about notifying you that patches are available to download/install? This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)

10. Any other thoughts?

Thanks again for your input.

-Keith
Ken Kohl
New Member

Re: Security Patch Auto Update Capability

For Keith Buck:

1. What kind of notification would you expect? (email, OVO alert, etc.)

Answer: In our case, an e-mail notification would work fine.

2. How would you like to see patch ratings handled?

Answer: Same as now is OK.

3. Patch dependencies?

Answer: If a patch is dependent on another patch, there should be a clear notification about which patch comes first, which comes second, etc.

4. Patch warnings?

Answer: ??

5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)

Answer: GUI would be nice, but CLI is acceptable if it can be scripted to what we need to do.

6. How would you expect other (non-security) patches to fit into the picture?

Answer: I would expect to see the security patches to be grouped together then other patches in logical groupings maybe by the functional area the patches affect. I am mainly concerned with security but other patches could also be included.

7. Do you use a centralized administration model or do this on a per-system basis?

Answer: We currently address on a per-system basis, but would be looking to move towards central admin if the capability is available.

8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?

Answer: The systems are used for production purposes. Anything that would disrupt processing is unacceptable. If an install of a patch requires a reboot we would not want that to be automatic. Our actions would be based on the criticality of the patch. High and we would address asap, low and there may be a delay before installation. We would plan on implementing patches first on a test environment to ensure all functions work prior to production implementation. So, I guess I would like to see something like -
1) System runs patch check (automatically depending on need) and determines a list of OS / application patches possibly needed.
2) System downloads the patches into a holding area.
3) Notification of available patches is provided to the admin (or multiple persons).
4) Admin reviews patches and selects which ones to implement (on test environment).
5) Once testing is complete, patches are scheduled for implementation onto production system(s), with possibly a scheduler available that may do the install at some pre-determined time (or immediately if necessary).
6) Once complete, an audit trail can be generated identifying what was installed, when, and by whom. The audit trail would be a living file that records changes to the system (software as well as hardware if possible) from system implementation to system retirement to give a complete picture of the configuration.

9. What about notifying you that patches are available to download/install? This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)

Answer: The notification can be gotten through your alert mail. But time is precious. Anything that can remove a manual step would help.

10. Any other thoughts?

Answer: Healthcare is big on auditing. Being able to schedule a report that creates a system configuration profile with HW, SW, Applications, patches, etc. installed would assist with what we feel we need for good security.

Steven E. Protter
Exalted Contributor

Re: Security Patch Auto Update Capability

I don't think that it's truly possible to handle security patches properly in an automated way.

I think tools like security_patch_check can give you lists, and patch analysis can help, but a systems administrator needs to read the patch notes and make a decision, based on a lot of factors including the organization's risk tolerance, on whether and how the patch should go in.

That being said, HP can improve the patch management system in general and the way security patches are handled in particular.

I have, however, been hacking away at a script that parses the output of security_patch_check and produces a patch list for download.

It then uses an open depot utility called snarf to go get the patches.

The problem is my cute little script can't check dependencies, and thus the project is on hold.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ken Kohl
New Member

Re: Security Patch Auto Update Capability

One additional thing. It would be easier if the patches were referenced the same.

The alert I received on 6/9 identifies numerous security updates, i.e. (HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access Content type: HP-UX security bulletins document (ITRC Login Required)
OS: HP-UX,UNIX
Release date: Wed Jun 9 8:00:03 EDT 2004
URL: http://your.hp.com/m/S.asp?HB14091687091X3612507X395967)

However, the results of the HPUX Security Patch Check (run on 6/13) did not list them (patches are listed in the format "1 PHCO_27345 275 No No Yes cumulative sh-posix(1)").

It would be much better if the patch check utility covered all security issues on one list that could be referenced back to all the lists sent out during the week.

Is there a document or URL that you can send me that describes how all these fit together?

Keith Buck
Respected Contributor

Re: Security Patch Auto Update Capability

Ken,

Your most recent post actually consists of two separate issues.

1. "HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access"

Propagation of data from this bulletin into the security catalog was delayed. Sorry for the inconvenience. Normally it can take a day or two, but please let HP know if it's more than that. This issue was corrected in the security catalog published on the 15th.

2. Covering all security issues.

Check out Security Patch Check version B.02.00, released yesterday afternoon. I plan to post a top-level itrc forums announcement about this after we've had a few downloads without issues. This version will warn you about potential manual actions and product upgrades in addition to patches. For manual items, after assessing your systems manually, the bulletin number (as displayed in the "Bull" column) can be appended to ~/.spc_ignore to have it stop reporting them (since completely automatic analysis is impossible for manual actions).

You can get this version here:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

Hope that helps.

-Keith
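The "parse the security_patch_check output into a download list" script Steven describes, combined with the ~/.spc_ignore bulletin filter Keith mentions, sketched as an added POSIX sh example (not code from any poster or from HP). The column layout (index, patch, bulletin, spec, reboot, pdep, description) is an assumption taken from Ken's sample line, and the SPC_OUTPUT and SPC_IGNORE values are constructed sample data; check the layout against the header your security_patch_check version prints before using it.

```shell
#!/bin/sh
# Added example: build a download-only manifest from security_patch_check
# style output, skipping bulletins in an .spc_ignore-style list and listing
# reboot patches separately so they are held for a maintenance window.
# ASSUMED column layout (from Ken's sample line, verify against your header):
#   idx patch bull spec reboot pdep description...

# Constructed sample output (not real HP data).
SPC_OUTPUT='1 PHCO_27345 275 No No Yes cumulative sh-posix(1) patch
2 PHNE_29887 290 No Yes Yes cumulative ftp(1) patch
3 PHSS_30011 301 Yes No No cumulative product patch'

# Constructed ignore list, one bulletin number per line, as in ~/.spc_ignore.
SPC_IGNORE='301'

# spc_ignored BULL IGNORE_LIST: succeed if BULL appears in the ignore list.
spc_ignored() {
    for b in $2; do [ "$b" = "$1" ] && return 0; done
    return 1
}

# spc_manifest OUTPUT IGNORE_LIST: print patch ids to download (not install),
# one per line, in the same form get_patches reads from patch_manifest.
spc_manifest() {
    printf '%s\n' "$1" | while read -r idx patch bull spec reboot pdep desc; do
        # Only HP-UX patch ids (PHCO_, PHNE_, PHSS_, PHKL_); skip header/noise.
        case "$patch" in PH[A-Z][A-Z]_[0-9]*) ;; *) continue ;; esac
        spc_ignored "$bull" "$2" && continue
        printf '%s\n' "$patch"
    done
}

# spc_reboot_list OUTPUT: patches whose Reboot column is Yes, to be scheduled
# rather than installed on a production box straight after download.
spc_reboot_list() {
    printf '%s\n' "$1" | while read -r idx patch bull spec reboot pdep desc; do
        [ "$reboot" = "Yes" ] && printf '%s\n' "$patch"
    done
}

# Stand-alone usage: the manifest, then the patches to hold for a reboot window.
spc_manifest "$SPC_OUTPUT" "$SPC_IGNORE"
spc_reboot_list "$SPC_OUTPUT"
```

The script still does nothing about patch dependencies, which is exactly the gap Steven points out; the PDep column is carried through so a later step can act on it.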