HPE GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Security Patch Auto Update Capability
Operating System - HP-UX
1833017
Members
2458
Online
110048
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2004 11:47 PM
06-07-2004 11:47 PM
Security Patch Auto Update Capability
We have the security patch check utility scripted to run once a week to notify us of the recommended security patches to add. Is HP planning on capability that will allow a user with the list from the security patch check utility to automatically download the security patches (BUT not install) and then provide notification that these patches are available?
6 REPLIES 6
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-08-2004 01:03 AM
06-08-2004 01:03 AM
Re: Security Patch Auto Update Capability
I beleive that HP is working on better patch management, but in the mean time you can use some of the utilities that they use to install patches.
Go to the custom patch management section and follow the instructions to do a patch assessment. select some patches and then perform a download using:
2. Select the desired format
====> download a script that will ftp the patches
put the script on a server in a NEW directory somewhere and execute it. It will un-shar these files:
README_get_patches, README_hp-ux, create_depot_hp-ux_11, get_patches, patch_manifest
You can modify the patch_manifest to contain your desired security patches and then execute get_patches to retreive them. Once you get them downloaded you can execute create_depot_hp-ux_11 to create a depot.
live free or die
harry
Go to the custom patch management section and follow the instructions to do a patch assessment. select some patches and then perform a download using:
2. Select the desired format
====> download a script that will ftp the patches
put the script on a server in a NEW directory somewhere and execute it. It will un-shar these files:
README_get_patches, README_hp-ux, create_depot_hp-ux_11, get_patches, patch_manifest
You can modify the patch_manifest to contain your desired security patches and then execute get_patches to retreive them. Once you get them downloaded you can execute create_depot_hp-ux_11 to create a depot.
live free or die
harry
Live Free or Die
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2004 06:33 AM
06-09-2004 06:33 AM
Re: Security Patch Auto Update Capability
Ken,
Thank you for your input. We will incorporate your feedback into our planning process for new features.
I'd appreciate some more detail about your use model as well. For example:
1. what kind of notification would you expect? (email, OVO alert, etc.)
2. How would you like to see patch ratings handled?
3. Patch dependencies?
4. Patch warnings?
5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)
6. How would you expect other (non-security) patches to fit into the picture?
7. Do you use a centralized administration model or do this on a per-system basis?
8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?
9. What about notifying you that patches are available to download/install. This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)
10. Any other thoughts?
Thanks again for your input.
-Keith
Thank you for your input. We will incorporate your feedback into our planning process for new features.
I'd appreciate some more detail about your use model as well. For example:
1. what kind of notification would you expect? (email, OVO alert, etc.)
2. How would you like to see patch ratings handled?
3. Patch dependencies?
4. Patch warnings?
5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)
6. How would you expect other (non-security) patches to fit into the picture?
7. Do you use a centralized administration model or do this on a per-system basis?
8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?
9. What about notifying you that patches are available to download/install. This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)
10. Any other thoughts?
Thanks again for your input.
-Keith
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2004 08:59 AM
06-09-2004 08:59 AM
Re: Security Patch Auto Update Capability
For Keith Buck:
1. What kind of notification would you expect? (email, OVO alert, etc.)
Answer: In our case, an e-mail notification would work fine.
2. How would you like to see patch ratings handled?
Answer: Same as now is OK.
3. Patch dependencies?
Answer: If a patch is dependent on another patch, there should be a clear notification about which patch comes first, which comes second, etc.
4. Patch warnings?
Answer: ??
5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)
Answer: GUI would be nice, but CLI is acceptable if it can be scripted to what we need to do..
6. How would you expect other (non-security) patches to fit into the picture?
Answer: I would expect to see the security patches to be grouped together then other patches in logical groupings maybe by the functional area the patches affect. I am mainly concerned with security but other patches could also be included.
7. Do you use a centralized administration model or do this on a per-system basis?
Answer: We currently address on a per-system basis, but would be looking to move towards central admin if the capability is available.
8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?
Answer: The systems are used for production purposes. Anything that would disrupt processing is unacceptable. If an install of a patch requires a re-boot we would not want that to automatic. Our actions would be based on the criticality of the patch. High and we would address asap, low and there may be a delay before installation. We would plan on implementing patches first on a test environment to ensure all functions work prior to production implementation. So.. I guess I would like to see something like -
1) System runs patch check (automatically depending on need) and determines a list of os / application patches possibly needed.
2) System downloads the patches into a holding area.
3) Notification of available patches is provided to the admin (or multiple persons)
4) Admin reviews patches and selects which ones to implement (on test environment)
5)Once testing is complete, patches are scheduled for implementation onto production system(s) with possibly a scheduler available that may do the install at some pre-determined time (or immediately if necessary).
6) Once complete, and audit trail can be generated identifying what was installed, when, and by who. The audit trail would be a living file that records changes to the system (software as well as hardware if possible) from system implementation to system retirement to give a complete picture of the configuration.
9. What about notifying you that patches are available to download/install. This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)
Answer: The notification can be gotten through your alert mail. But time is precious. Anything that can remove a manual step would help
10. Any other thoughts?
Answer: Healthcare is big on auditing. Being able to schedule a report that creates a system configuration profile with HW, SW, Applications, patches, etc. installed would assist with what we feel we need for good security.
Thanks again for your input.
-Keith
1. What kind of notification would you expect? (email, OVO alert, etc.)
Answer: In our case, an e-mail notification would work fine.
2. How would you like to see patch ratings handled?
Answer: Same as now is OK.
3. Patch dependencies?
Answer: If a patch is dependent on another patch, there should be a clear notification about which patch comes first, which comes second, etc.
4. Patch warnings?
Answer: ??
5. What kind of interface would you like/settle for? (GUI/TUI/CLI options)
Answer: GUI would be nice, but CLI is acceptable if it can be scripted to what we need to do..
6. How would you expect other (non-security) patches to fit into the picture?
Answer: I would expect to see the security patches to be grouped together then other patches in logical groupings maybe by the functional area the patches affect. I am mainly concerned with security but other patches could also be included.
7. Do you use a centralized administration model or do this on a per-system basis?
Answer: We currently address on a per-system basis, but would be looking to move towards central admin if the capability is available.
8. I notice that you're very clear that you wouldn't want automatic installation. Is this just so it can be scheduled, or would you plan to customize your actions based on patch documentation? What testing or analysis would you do between download and install?
Answer: The systems are used for production purposes. Anything that would disrupt processing is unacceptable. If an install of a patch requires a re-boot we would not want that to automatic. Our actions would be based on the criticality of the patch. High and we would address asap, low and there may be a delay before installation. We would plan on implementing patches first on a test environment to ensure all functions work prior to production implementation. So.. I guess I would like to see something like -
1) System runs patch check (automatically depending on need) and determines a list of os / application patches possibly needed.
2) System downloads the patches into a holding area.
3) Notification of available patches is provided to the admin (or multiple persons)
4) Admin reviews patches and selects which ones to implement (on test environment)
5)Once testing is complete, patches are scheduled for implementation onto production system(s) with possibly a scheduler available that may do the install at some pre-determined time (or immediately if necessary).
6) Once complete, and audit trail can be generated identifying what was installed, when, and by who. The audit trail would be a living file that records changes to the system (software as well as hardware if possible) from system implementation to system retirement to give a complete picture of the configuration.
9. What about notifying you that patches are available to download/install. This is a subtle difference from what you asked for, especially noticeable if you have a low bandwidth connection. However, it would give you the ability to customize what you download (itrc can automatically add dependencies into your shopping cart, etc.)
Answer: The notification can be gotten through your alert mail. But time is precious. Anything that can remove a manual step would help
10. Any other thoughts?
Answer: Healthcare is big on auditing. Being able to schedule a report that creates a system configuration profile with HW, SW, Applications, patches, etc. installed would assist with what we feel we need for good security.
Thanks again for your input.
-Keith
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2004 09:20 AM
06-09-2004 09:20 AM
Re: Security Patch Auto Update Capability
I don't think that its truly possible to handle security patches properly in an automated way.
I think tools like security_patch_check can give you lists, and patch analsysis can help, but a systems administrator needs to read the patch notes and make a decision based on a lot of factors, including the organizations risk tolerance whether and how the patch should go in.
That being said, HP can improve the patch management system in general and the way security patches are handled in particular.
I have however been hacking away at a script that parses the output of security_patch check and produces a patch list for download.
It then uses an open depot utility called snarf to go get the patches.
The problem is my cute little script can't check dependencies, and thus the project is on hold.
SEP
I think tools like security_patch_check can give you lists, and patch analsysis can help, but a systems administrator needs to read the patch notes and make a decision based on a lot of factors, including the organizations risk tolerance whether and how the patch should go in.
That being said, HP can improve the patch management system in general and the way security patches are handled in particular.
I have however been hacking away at a script that parses the output of security_patch check and produces a patch list for download.
It then uses an open depot utility called snarf to go get the patches.
The problem is my cute little script can't check dependencies, and thus the project is on hold.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-14-2004 04:17 AM
06-14-2004 04:17 AM
Re: Security Patch Auto Update Capability
One additional thing. It would be easier if the patches were referenced the same.
The alert I received on 6/9 identifies numerous security updates, i.e. (HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access Content type: HP-UX security bulletins document (ITRC Login Required)
OS: HP-UX,UNIX
Release date: Wed Jun 9 8:00:03 EDT 2004
URL: http://your.hp.com/m/S.asp?HB14091687091X3612507X395967)
However the results of the HPUX Security Patch Check (run on 6/13) did not list them (patches in the format of (1 PHCO_27345 275 No No Yes cumulative sh-posix(1).)
It would be much better if the patch check utility covered all security issues on one list that could be referenced back to all the list sent out during the week.
Is there a document or URL that you can send me that describes how all these fit together?
The alert I received on 6/9 identifies numerous security updates, i.e. (HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access Content type: HP-UX security bulletins document (ITRC Login Required)
OS: HP-UX,UNIX
Release date: Wed Jun 9 8:00:03 EDT 2004
URL: http://your.hp.com/m/S.asp?HB14091687091X3612507X395967)
However the results of the HPUX Security Patch Check (run on 6/13) did not list them (patches in the format of (1 PHCO_27345 275 No No Yes cumulative sh-posix(1).)
It would be much better if the patch check utility covered all security issues on one list that could be referenced back to all the list sent out during the week.
Is there a document or URL that you can send me that describes how all these fit together?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2004 07:27 AM
06-17-2004 07:27 AM
Re: Security Patch Auto Update Capability
Ken,
Your most recent post actually consists of two separate issues.
1. "HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access"
Propagation of data from this bulletin into the security catalog was delayed. Sorry for the inconvenience. Normally it can take a day or two, but please let HP know if it's more than that. This issue was corrected in the security catalog published on the 15th.
2. Covering all security issues.
Check out Security Patch Check version B.02.00, released yesterday afternoon. I plan to post a top-level itrc forums announcement about this after we've had a few downloads without issues. This version will warn you about potential manual actions and product upgrades in addition to patches. For manual items, after assessing your systems manually, the bulletin number (as displayed in the "Bull" column) can be appended to ~/.spc_ignore to have it stop reporting them (since completely automatic analysis is impossible for manual actions)
You can get this version here:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA
Hope that helps.
-Keith
Your most recent post actually consists of two separate issues.
1. "HPSBUX01050 - SSRT3456 rev.0 HP-UX ftp remote unauthorized access"
Propagation of data from this bulletin into the security catalog was delayed. Sorry for the inconvenience. Normally it can take a day or two, but please let HP know if it's more than that. This issue was corrected in the security catalog published on the 15th.
2. Covering all security issues.
Check out Security Patch Check version B.02.00, released yesterday afternoon. I plan to post a top-level itrc forums announcement about this after we've had a few downloads without issues. This version will warn you about potential manual actions and product upgrades in addition to patches. For manual items, after assessing your systems manually, the bulletin number (as displayed in the "Bull" column) can be appended to ~/.spc_ignore to have it stop reporting them (since completely automatic analysis is impossible for manual actions)
You can get this version here:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA
Hope that helps.
-Keith
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2025 Hewlett Packard Enterprise Development LP