Security Patch Check survey question

Keith Buck · ‎02-05-2004

Hi. I want to gather some information about customer usage of Security Patch Check. 2 points per fully answered question. If you don't currently use Security Patch Check, tell us why and feel free to answer the questions
anyway.

A. What mechanism do you use to transfer the security catalog to your server for processing? (e.g. manual download, direct ftp, via proxy, etc.) What mechanism
do you use to get the server data (i.e. local vs. remote analysis)

B. Do you do any scripting around the output of Security Patch Check? What kinds of things do you do with the output?

C. How important is client side analysis to you? (i.e. not sending any data back to HP) What information would be acceptable to send back to HP if required for security analysis?

D. Are you aware that itrc patch assessment also does security patch analysis (in addition to dependency analysis and non-security
patch analysis)? If you prefer one use model or the other, list any benefits/drawbacks of each for your needs.

E. How often do you run patch assessments, on how many machines, how do you collect the data, and what action do you usually take
(e.g. immediate deployment vs. a meeting to discuss risks/benefits)? What mechanism do you use for deployment once you've reached a
decision?

Thanks!

-Keith

Steven E. Protter · ‎02-05-2004

A. What mechanism do you use to transfer the security catalog to your server for processing? (e.g. manual download, direct ftp, via proxy, etc.) What mechanism
do you use to get the server data (i.e. local vs. remote analysis)

Local analysis. it was installed via Bastille. It runs in cron.

B. Do you do any scripting around the output of Security Patch Check? What kinds of things do you do with the output?

No. I read it weekly, download and install the patches during bi-weekly maintenance.

C. How important is client side analysis to you? (i.e. not sending any data back to HP) What information would be acceptable to send back to HP if required for security analysis?

If confidence is kept I see no issues with this so long as it does not involve any proprietary data.

D. Are you aware that itrc patch assessment also does security patch analysis (in addition to dependency analysis and non-security
patch analysis)? If you prefer one use model or the other, list any benefits/drawbacks of each for your needs.

Yes, I do that once a month on all systems.

E. How often do you run patch assessments, on how many machines, how do you collect the data, and what action do you usually take
(e.g. immediate deployment vs. a meeting to discuss risks/benefits)? What mechanism do you use for deployment once you've reached a
decision?

Once a month, test on a sandbox and roll out as part of my bi-weekley maintenance.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

H.Merijn Brand (procura · ‎02-05-2004

A. transfer

ftp, but I've change security_patch_check.pl to do that itself
ftp only on one system, others have symlinks over NFS to the same file
# /opt/sec_mgmt/spc/bin/security_patch_check
is entered by hand

B. Scripting

none (yet).
visual browsing. Actions vary with the importance I weigh to the messages and the time I have to deal with it

C. Importance

Well, since it's the only thing it does, I gues the output is pretty important :)
I /could/ agree with sending back data, but only if I have the chance to examine and filter the data before it is sent after a confirmation

D. Awareness

Either the question is to vague for me, or I'm not aware of this assesment at all (read: might never have used it)

E. Frequency

Whenever I think about it, which varies from 1 to 6 times a year, on 2 - 4 machines (10.20, 2 x 11.0, 1 x 11i) all seperate by hand
Since I update all machines with the latest available ExtSW (who cares about the name) pack's there is not much action for me anyway.
If I think I /do/ have to take action, I fetch the patch from ftp and install on each machine from prompt with swinstall

HTH, Enjoy, Have FUN! H.Merijn

Enjoy, Have FUN! H.Merijn

Geoff Wild · ‎02-05-2004

A. Never heard of the "Security Patch Check"

B. Never heard of the "Security Patch Check"

C. Very important - as long as HP is TRusted - then there are no issues sending any relevant information, software installed, patches...etc.

D. Don't use the itrc patch assessment

E. We have HP run Patch Assessments every 6 months on our CSS/PSS servers. 33 servers total and rising... Deployment starts at DEV, then moves to QA, then to PROD (about 3 months to deploy after receiving the patches). Deployment is from central Software Depot...

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.

Patrick Wallek · ‎02-05-2004

A. On most machines I let security_patch_check download the updated files itself. I have 2 machines in our DMZ which have no FTP access so I copy (via SSH scp) the files to those machines manually.

B. No scripting. I generally just get the list of patches, go to the ITRC patch DB, search for the necessary patches, bundle them and download them.

C. Client side is very important!!! Especially for machines in the DMZ. I would prefer not to have to send anything to HP. If I had to, I would prefer the minimum data necessary (ie. Server Model, OS level, software list and patch list).

D. Yes, but I thoroughly dislike the new patch assesment tool. I prefered the previous version where I could download and store the *.fs files from several machines and run the analysis.

E. On the 2 machines in our DMZ I usually run the security_patch_check tool at least once a week, if not twice. It entirely depends on the number of security bulletins HP issues. If the patches do not require a reboot I usually immediately install them. If they do require a reboot I schedule time to get them isntalled but usually do it withing 1 or 2 days.

Keith Buck · ‎02-06-2004

Some follow-on questions, based on existing responses:

Steven,

A. Do you use a proxy setting, or direct ftp?
D. benefits/drawbacks of SPC vs. itrc patch assess?
E. What tools do you use for deployment?

procura,
A. How did you change security_patch_check.pl? Was the existing auto-download functionality not sufficient? In what way?

D. click on "maintenance and support for hp procuts", then click on "custom patch bundles - run a patch assessment"

Thanks for all the feedback!

-Keith

Steven E. Protter · ‎02-06-2004

Sorry Keith,

A. Do you use a proxy setting, or direct ftp?
Direct ftp, thought I typed that. No proxy. Firewall is stateless.

D. benefits/drawbacks of SPC vs. itrc patch assess?
The patch assessment lets me create a custom patch download right on the site. The only downside is I have to upload my configuration. I think thats a good tradeoff.

We really don't have conversations about patch installation. They trust me until I break something. What I usually break is the sandbox, and thats why we bought one. If a patch is particularly scarey I initiate a meeting. Our test methodology(original post) really is good at catching most major problems.

E. What tools do you use for deployment?
SD-UX. I create large patch depots and install them during bi-weekly maintenance. Then I use sftp/scp to move the depot to new machines.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Mark Greene_1 · ‎02-06-2004

A. direct ftp to get the catalog, and we run it locally on each box. I just use the -r option on the security_patch_check command to refresh the catalog.

B. No scripting, just cut-n-paste the patches into a text file. We print the text files for each system and manually review for differences. On those occasions when the results are the same for all of our systems, we download the patches in a single tar ball and then copy that around.

C. Very. Nothing that tells them what I'm patching or how often I'm doing it. I don't want to have to worry about their data being compromised and thereby advertising to anyone about how secure my systems are or are not.

D. No I was not, but then I've not used that.

E. I tried monthly, but couldn't get internal support for that because of the reboot issue (we're a 24x7 shop). So I have to live with quarterly. I generally install all the patches unless they are for some hardware or software we are not running. As the Sr. Admin, I get to recommend what gets installed, and my perspective is to do everything unless there is a clear reason not to. I've never had to unintall a patch, but then I may just be lucky in that regard.

I try and create a single depot of patches which we copy to all the systems. Now that we are running 11i along with 11.0, I usually have to do two depots.

mark

the future will be a lot like now, only later

H.Merijn Brand (procura · ‎02-06-2004

This was from the time that only one system has internet (dial-up) access, and all others used it over NFS.

The reason is/was that symlinks ove nfs have their own timestamp, and I wanted to force-prevent that the machines without access wanted to (try to) fetch the file again.

l1:/opt/sec_mgmt/spc/bin 107 > ll /*/security_catalog
1741 lrwxrwxrwx 1 root sys 19 Feb 25 2003 /a5/security_catalog -> l1/security_catalog
8 -rw-rw-rw- 1 root sys 1560697 Aug 28 15:45 /l1/security_catalog
l1:/opt/sec_mgmt/spc/bin 108 > diff -pu /{a5,l1}/opt/sec_mgmt/spc/bin/security_patch_check
--- /a5/opt/sec_mgmt/spc/bin/security_patch_check 2001-10-18 23:50:14.000000000 +0200
+++ /l1/opt/sec_mgmt/spc/bin/security_patch_check 2002-11-27 14:17:43.000000000 +0100
@@ -181,6 +181,9 @@ if [ $retval = 0 ]; then
done
fi
done
+ cd /
+ rm -f security_catalog
+ wget --ftp-passive ftp://ftp.itrc.hp.com/export/patches/security_catalog
cd $current_location # get back to original location

if [ $writable_directory = yes ]; then
Exit 1
l1:/opt/sec_mgmt/spc/bin 109 > ll
total 67
13588 dr-xr-xr-x 2 bin bin 96 Nov 22 2002 .
13383 dr-xr-xr-x 4 bin bin 96 Nov 22 2002 ..
13591 -r-xr-xr-x 1 bin bin 7984 Nov 27 2002 security_patch_check
13596 -r-xr-xr-x 1 bin bin 59741 Oct 18 2001 security_patch_check.pl
l1:/opt/sec_mgmt/spc/bin 110 >

Not very impressive. But it's still how I use it.

Enjoy, Have FUN! H.Merijn

Enjoy, Have FUN! H.Merijn

Keith Buck · ‎02-13-2004

Procura,

If I understand what you did correctly, this should be taken care of with

security_patch_check -r

In version B.01.05 (available now from software.hp.com), it uses passive ftp by default, and the automatic retrieval will overwrite the current catalog.

Hope that helps.

Also hoping that bumping this thread back to the top gets me a few more responses :)

-Keith

Steven Sim Kok Leong · ‎02-14-2004

A. Been some years since I last administered HP-UX. For urgent patches, ftp. For periodic preventive maintenance, rely on HP's CD of patches and build depot so that I only need to reboot only once, in particular for PHKL kernel patches.

Nowadays, I need to perform security audits on servers including HP-UX ones. For checking missing security patches, an swlist (to check patches) is performed or sometimes, I just rely on certain scripts in the CIS security benchmark tool set.

Security Patch Check will be a very convenient tool to have in checking compliance with the security policy of keeping server up-to-date with security patches.

B. Only do custom-scripting around existing CIS security tools and swlist. Security Patch Check will be good to be packaged in my audit tools to generate security audit output.

C. Client side analysis is important in my security audits. It is definitely important that data is appropriately sanitized with perhaps an NDA appropriately signed for catch-all before it was relayed back to HP. The same concerns that apply to ISEE applies here.

D. I can't comment on this one.

E. Patch assessments are usually run during security audits on the servers. For purpose of audit, at least once a year. Recommendations (security risks will be made clear) will be suggested to the administrators who will evaluate the risks/benefits. Implementation details I usually leave to the system administrator, so long as the patch is installed.

Hope this helps. Regards.

Steven Sim Kok Leong

Lor · ‎05-03-2004

As a new user of security_patch_check, here is my 2 cents.
A) ftp
B) stores in each server the previous report and sends a notification ONLY when new output differs.
This way, I know a new catalog has been released and servers may require attention
C) I don't see the reason of sending back anything to HP
D) Never used itrc patch assessment.
Patch servers only if/when issues faced
E) Beta testing security_patch_check.

generic_1 · ‎05-03-2004

A. We use a Symantec product as one of our tools localy. This product generates a large report that we use to make decisions on our configuration.

B. We currently do no scripting around Security Patch Check.

C. I think Client side analysis is important because many companies dont want to release confidential information about their systems, even if the source is trusted. Also, the internal politics and approvals for releasing such data can often be difficult even though the vendor may offer awsome services.

D. I was not aware that the itrc patch analisys does security patch analisys. This is good to know.

E. We are moving towards Navadime, but currently is is mostly manual. I would guess we run assessments every few months on patches in general.

Joseph Loo · ‎05-03-2004

hi,

A. manual download. local analysis as well.

B. yes. run the command with option -c and log it to a file. go through the log and establish which of the patch should be apply.

C. it is okay. i manage and analyse the patch and if any problem, call support or itrc forum.

D. yes. but i use it once and assess that it may be too much information overload.

E. everytime there is a new security update or bulletin. test and check the patch has no problem on a test machine and wait for available downtime to patch the production servers.

regards.

what you do not see does not mean you should not believe

Michael Tully · ‎05-03-2004

(a) Manual download, local analysis

(b) No real scripting, basic cut and paste, get the patches from the ITRC download area, download as bundles.

(c) We have systems in a DMZ, so no analysis goes anywhere. Other systems get basic security patches as part of regular patch bundle updates.

(d) I've never used the assessment tool. I will be now and regularly.

(e) I use the security bulletins. Get the patch run it on a test server, and if it is ok, then arrange installation on the required servers, using our usual change control mechanism.

Anyone for a Mutiny ?

Dani Seely · ‎05-18-2004

Hey Keith,
A. We install the Security Patch Check tool via a DoD Security script checking tool for our program.

B. Yes. From the output of the patches, we perform an swlist dump to a file and check the output against the patches listed from the SPC tool to confirm whether the patches are loaded and the SPC tool is not detecting it.

C. We are not in a position we can point a DoD system to a remote non-DoD server to have patch checking performed.

D. How can I get assistance from ITRC to determine why some patches are listed as missing?

E. This is performed once a week. I am on distribution for the HPSBUX security bulletins. Once a security bulletin is released our program team downloads the patch, tests it against a test machine and regression test the product with the patch applied. If testing passes we incorporate the patch into our next "build version" and provide notification to our field sites to install the patch.

Together We Stand!

Keith Buck · ‎05-19-2004

Dani,

Thanks for the response.

A. How do you get the latest security_catalog to use with the tool?

D. Are there any specific patches you are having a problem with? I can pass that information along or perhaps just answer your question. In general, posting a question like that is one of the good things about the itrc forums, in that many people are reading them and might be able to help.

E. Don't forget to watch the HPSBGN and HPSBMA security bulletins too. Sometimes bulletins there can affect applications on HP-UX.

Thanks again for all the responses everyone!

-Keith

Dani Seely · ‎05-19-2004

Hey Keith,

A. They are provided by DISA, our Gov't Field Security Office.

D. No, none specifically right now. The output we received was: is missing 55 patch(es). All of them may NOT apply to . The review of the 55 listed patches was pretty simple and our approach is defined by apply the patch if we have the affected fileset installed.

E. Thanks, now you tell me! ;-} I just got burned by HPSBGN due to a CDE vulnerability. I hadn't seen this bulletin DoD CERT just released an IAVT for this issue so I had no advanced notice. I am signed up to receive HPSBUX related bulletins, how do I sign up to get HPSBGN and HPSBMA bulletins?

P.S., this new style of receiving HP security bulletins is a KILLER! It used to be smooth, I used to get them all, now there's these other prefix bulletins (rather than just HPSBUX). This transition happened back in Feb(?) and I've not been receiving very many bulletins lately. Is this just me or do you know if everyone is experiencing this same kind of hicup from this transition?

Together We Stand!

Keith Buck · ‎05-19-2004

A. So, the catalog itself is distributed through a central mechanism as part of the checking script once per week or so?

D. Ok. Note that -x patch_match_target from a depot will do the same thing, if the download time isn't an issue for you.

E. I have been submitting my own feedback through the "send feedback" link on the security bulletin websites. They responded saying that they are working on it.

My current subscription (said I have an HP-UX box, am interested in security and HP-UX OS) sends me HPSBUX, HPSBMA, HPSBPI, and HPSBGN bulletins. Just have to make sure you read them...

CDE should be in UX, generally? The recent WBEM/SSL bulletin was in HPSBMA because it affected management agents on Linux too.

Hope that helps.

-Keith

Dani Seely · ‎05-19-2004

Keith,
A. Correct. The updates are currently on a monthly basis, however, the requirement says that the patch assessment should be performed weekly.

D. Not sure what you mean: '-x patch_match_target' ... how do you use this?

E. So, I take it that you've personally been seeing this as well, and have heard from others regarding this same concern?

I am currently signed up to receive security alerts for HP-UX OS but so far HP sends me only HPSBUX bulletins. The only reference I have received to HPSBMA, HPSBPI, and HPSBGN bulletins is the following:

Since March 19th notifications of several other bulletins have been sent to the Subscriber's Choice mailing list, including the following:

HPSBTU01000 - SSRT3674 rev.0 Tru64 UNIX IPsec/IKE Potential HPSBUX01002 - SSRT4688 rev.0 HP-UX rpc.ypupdated remote unauth. access HPSBMA01003 - SSRT4679 rev.0 HP Web-enabled Management HPSBGN01004 - SSRT3614 HP OpenCall Multiservice Controller (OCMC) DoS HPSBUX01006 - SSRT2320 rev.0 HP-UX elevated privileges related HPSBPI01007 - SSRT4700 rev.0 HP Web Jetadmin denial of service HPSBGN01009 - SSRT4726 rev.0 Carrier Grade Invalid LAN Management HPSBMA01010 - SSRT4727 rev.0 OpenView Operations remote

Together We Stand!

Keith Buck · ‎05-19-2004

Dani,

Something like:

swinstall -x patch_match_target=true -s /path/to/depot \*

look at the man page for swinstall and search for patch_match_target.

As far as receiving bulletins, you can also check the archive page in the meantime, or you can contact your support rep and see if they can help.

Here's the security bulletin archive page, sorted by Document ID...

http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin

You can also do an itrc search for "MANUAL ACTIONS: Yes" and that will give you a sortable listing of bulletins that aren't covered by patches.

Hope that helps.

-Keith

Dani Seely · ‎05-19-2004

Hey Keith,
Thanks for the info regarding the archive page and the link.

The ITRC search for "MANUAL ACTIONS: Yes" did not give me everything I thought it would, but I think I can use it.

I'll play around in the morning with the swinstall command you mentioned.

Thanks!

Together We Stand!

Keith Buck · ‎05-25-2004

Dani,

Check out the new interface to subscribe to Security Bulletins. (right off the main itrc page) Just released yesterday and much improved. Don't forget to register for HP-UX, Management Agents, and Miscellaneous.

-Keith

Dani Seely · ‎05-26-2004

Thanks Keith.

I found the "subscribe to security bulletins & patch digests" area you were referring to. After confirming my registration I selected "recent driver and alerts updates" but was surprised to see that there were "No updates". I did find the "hp security bulletins archive" link but I couldn't open it. Anyway, I'm closer, and I appreciate you sending me the info. Hopefully I'll see all of the HP-UX related Security Bulletins now. Again, thanks!

Together We Stand!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Security Patch Check survey question

Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question

Re: Security Patch Check survey question