
Security Patches

SOLVED
Nobody's Hero
Valued Contributor

We use PatchLink to load our patches. But we want to start with only security patches.

How can you identify a security patch from its name? Is that possible, like PHSS_*** are security patches or something like that?

I don't want to run security_patch_check if I can get around it. I need to know if there is a way to identify a security patch from the name. I don't believe so.
UNIX IS GOOD
Jeff_Traigle
Honored Contributor

Re: Security Patches

PHSS are application patches. PHKL are kernel patches. PHNE are network patches. PHCO are common(?) patches. Security patches could exist in any of these categories so that isn't going to help you at all. I'm not sure how security_patch_check works since I've not looked at it.
--
Jeff Traigle
James R. Ferguson
Acclaimed Contributor
Solution

Re: Security Patches

Hi Robert:

No, the designation "PHSS" isn't a security patch. The "PH" stands for "PatcH". The "SS" is "SubSystem" -- patches for various subsystems.

PHCO are COmmand patches.
PHNE are NEtwork patches.
PHKL are KerneL patches.

You can be virtually assured that PHNE and PHKL patches will require a reboot.

I don't know of any way from a patch's one-line description, either, to say with certainty that it's a "security" patch.

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: Security Patches

Shalom Robert,

Security patches come in all shapes and sizes.

You identify them by installing and running security_patch_check.

PatchLink does make an effort to identify these patches and you can rely on their grouping. I would check up on their list once in a while.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: Security Patches

You MUST run security_patch_check unless you want to search through hundreds of security bulletins. spc is just a simple Perl script that uses a downloaded database of all the patches PLUS manual changes that need to be checked. The security catalog (oddly named: security_catalog) is downloaded prior to every analysis. Then a report provides:

- any patch with a problem (i.e., recalled, not configured, etc.)

- all missing security patches

- all manual checks and changes specified by security bulletins

There is no bundle of security patches (it would change daily). Instead, you download the spc program, run it to get an analysis and then address all of the issues. This is not a simple task since many issues do not have a patch but may require a configuration change depending on your system.

You can download the (plain text) security_catalog manually from: ftp://ftp.itrc.hp.com/export/patches/security_catalog2.gz
and use that as your guide for patches. And for details on the actual security issue, you'll need: http://www.itrc.hp.com/service/cki/secBullArchive.do to find special procedures and non-patch items.

spc will save you days to weeks of time analyzing your systems. You definitely want to use spc.

Bill Hassell, sysadmin
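The point made throughout this thread is that the PHxx prefix tells you the patch area (and whether a reboot is likely), but not whether the patch is a security fix; that only comes from the security catalog. The following added example (not from this thread or from HP) parses patch IDs out of swlist-style output, classifies them by the prefixes explained above, and reports which IDs from a separately supplied security set are missing. The swlist lines, patch numbers and the security ID set are all constructed placeholders; the real security_catalog format is not shown in the thread, so the script takes the security IDs as an already-extracted set.

```python
import re

# HP-UX patch names: PH + two-letter area + underscore + number (e.g. PHCO_12345).
PATCH_RE = re.compile(r"\b(PH(?:CO|KL|NE|SS)_\d+)\b")

# Area meanings as given in the replies above; none of them means "security".
AREA = {
    "PHCO": "command",
    "PHKL": "kernel",
    "PHNE": "network",
    "PHSS": "subsystem",
}
# Per JRF's reply, kernel and network patches can almost always be expected to need a reboot.
REBOOT_LIKELY = {"PHKL", "PHNE"}


def parse_patches(text: str) -> set[str]:
    """Return every patch ID found in text, e.g. the output of 'swlist -l patch'."""
    return set(PATCH_RE.findall(text))


def classify(patch_id: str) -> dict:
    """Derive only what the name can tell you: the area and the reboot expectation."""
    prefix, _, number = patch_id.partition("_")
    if prefix not in AREA or not number.isdigit():
        raise ValueError(f"not an HP-UX patch id: {patch_id}")
    return {"id": patch_id, "area": AREA[prefix], "reboot_likely": prefix in REBOOT_LIKELY}


def missing_security_patches(installed: set[str], security_ids: set[str]) -> list[dict]:
    """Security status comes from the catalog-derived set, never from the name itself."""
    return [classify(p) for p in sorted(security_ids - installed)]


# Constructed sample shaped like 'swlist -l patch' output; the numbers are not real patches.
SAMPLE_SWLIST = """\
# swlist -l patch (constructed sample)
  PHCO_10001.CORE-SHLIBS   1.0  applied
  PHKL_10002.CORE-KRN      1.0  applied
  PHSS_10003.JAVA          1.0  applied
"""
# Constructed stand-in for IDs you would extract from security_catalog.
SAMPLE_SECURITY_IDS = {"PHCO_10001", "PHNE_10004", "PHSS_10005"}

if __name__ == "__main__":
    for entry in missing_security_patches(parse_patches(SAMPLE_SWLIST), SAMPLE_SECURITY_IDS):
        print(entry)
```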