Keith Buck
Respected Contributor

Software Assistant (the new Security Patch Check)

As already announced on the System Administration Forum, HP recently released Software Assistant as the new, recommended way to maintain security bulletin currency on your HP-UX systems. We want to get feedback on how well this new tool does or does not meet your security requirements in this area. Here are some specific areas we are interested in:

1. how it works with your network topology (firewalls, proxies, airgaps, etc.)

2. regulatory compliance (SOX, HIPAA, FDA, FDIC, or however it applies to you)

3. how it compares to other tools you use in this space (features you want or benefits you see)

4. of the Security Patch Check features that aren't yet implemented in SWA, which would you have trouble living without (SWA includes SPC for now, and the differences are documented under "Known Problems, SWA C.01.00 Release, January 2007" in the release notes at http://docs.hp.com/en/5991-7532/index.html)

5. Other?
John Payne_2
Honored Contributor
Solution

Re: Software Assistant (the new Security Patch Check)

Hi Keith,

you likely already have all the feedback from me already, but it helps to bounce the thread back to the top so people see it, so here it goes:

I use the https_proxy option to download the catalog and grab the downloads. The machine I run swa from is not accessible from the Internet; it's nice to have this.

Nearly all the machines I connect to with SWA are locally accessible to the machine I'm running swa from. The ssh option helps with this also.

I have completely replaced the use of security_patch_check with SWA. I have no plans to use security_patch_check anymore, and do not miss the "missing" functionality.

Thanks
John
Spoon!!!!
Sam McKnight
Frequent Advisor

Re: Software Assistant (the new Security Patch Check)

I am coming in on this thread late but I see it is still open. On my hp-ux 11.11 system, I have used spc for over three years to maintain security. Each night spc downloads the security catalog and analyzes my system. In my preoccupation with security, I have paid less attention to the other upgrades found in the qpk.

Last weekend, I was pleasantly surprised when I finally tried swa. I ran swa report and swa get. Then, I upgraded my system from the downloaded depot. I took a number of precautions before installing the software in the depot but when I finally did install the software, it seemed to work fine. If I find no problem, I will run swa clean in several days.

One issue remains. Should I be able to run swa as an automated process every night like I have been doing with spc? I have found no documentation to support the automated running of swa. Can I divert the output to email the way spc is done?

Thanks for your help.

Sam McKnight

John Payne_2
Honored Contributor

Re: Software Assistant (the new Security Patch Check)

You can run "swa report" out of cron, if you would like. It would be very easy to have the report emailed out at the end of the cron job.

John
Spoon!!!!
Keith Buck
Respected Contributor

Re: Software Assistant (the new Security Patch Check)

In fact, Bastille can be used to configure a nightly cron job to check security bulletins using SPC among other things. Later versions of Bastille will run SWA instead of SPC, if it is installed.

You could also automate the "get" portion if you wanted to so you have a depot ready for installation when desired. It would be a fairly short shell script.

Hope that helps.

-Keith
Sam McKnight
Frequent Advisor

Re: Software Assistant (the new Security Patch Check)

John and Keith,

Thanks for your response. I like the idea of continuing to have bastille do the nightly check with swa.

You gave me all the help I need. Because I did not start the thread, I don't think I can assign points.

Sam McKnight
Bob E Campbell
Honored Contributor

Re: Software Assistant (the new Security Patch Check)

While you *can* schedule a "swa get" and a swinstall of the resulting depot I personally do not recommend that for a few reasons.

#1 Manual Deps and SII

When "swa get" builds a depot it will generate a file at the depot root called readBeforeInstall.txt. There might be special operations or other content to be added to the depot. Usually it can be ignored, but I always think it should be reviewed.

#2 Backups

I like to make sure I have a successful recovery image or DRD clone and a data full-backup ready just in case.

#3 Flexibility

When you are ready to go live you can still use an at(1) job (or HPSIM for multi-system) to deploy at 3 AM.

I think having "swa report" in a cron job is a great idea. Set a bookmark to the HTML report and system status is always at your fingertips.
Keith Buck
Respected Contributor

Re: Software Assistant (the new Security Patch Check)

A quick clarification:

I didn't mean to imply that scheduling the "swinstall" was a good idea...just the swa get (and even that has its issues including a lot of extra processing time so it may not fit every environment). I think Bob gave the reasons for being very purposeful about the swinstall and the rest of the actions.

Also, to update the initial comments, the current version of SWA no longer bundles Security Patch Check, and plans are to completely deprecate SPC in the near future. So far, we have only heard good things from folks who have switched, and are happy that SWA is working so well for everyone we have heard from.

-Keith
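
Added example (not part of any post above, and not HP's code): a cron wrapper along the lines the replies describe, running `swa report` and `swa get`, mailing the output, and putting the depot's readBeforeInstall.txt in front of the admin, with swinstall deliberately left out. The paths, the variable names and the use of mailx are assumptions, and the `-t` target-depot option should be confirmed against swa-get(1M) on your release.

```shell
#!/bin/sh
# Nightly "swa report" + "swa get" wrapper for cron (added example).
# It never runs swinstall: installing the depot stays a reviewed, manual step.
# Hypothetical crontab entry:  0 2 * * * /usr/local/sbin/swa_nightly.sh run
SWA=${SWA:-swa}
WORK=${WORK:-/var/tmp/swa_nightly}   # private working directory (assumed path)
DEPOT=${DEPOT:-$WORK/depot}          # depot built by "swa get" (assumed path)
MAILTO=${MAILTO:-root}
MAILER=${MAILER:-mailx}

nightly_swa() {
    umask 077                        # report and depot readable by root only
    mkdir -p "$WORK" || return 2
    body=$WORK/mail.txt
    rc=0
    subject="swa nightly on $(hostname): OK"

    echo "== swa report ==" > "$body"
    if "$SWA" report >> "$body" 2>&1; then
        echo "== swa get ==" >> "$body"
        # -t names the target depot (assumption: check swa-get(1M)).
        "$SWA" get -t "$DEPOT" >> "$body" 2>&1 || rc=1
    else
        rc=1                         # no point building a depot from a failed report
    fi
    [ "$rc" -eq 0 ] || subject="swa nightly on $(hostname): FAILED"

    # "swa get" writes readBeforeInstall.txt at the depot root; include it in
    # the mail so any manual steps are seen before anyone runs swinstall.
    note=$DEPOT/readBeforeInstall.txt
    if [ -f "$note" ]; then
        subject="$subject, review readBeforeInstall.txt"
        echo "== $note ==" >> "$body"
        cat "$note" >> "$body"
    fi

    "$MAILER" -s "$subject" "$MAILTO" < "$body"
    return "$rc"
}

if [ "${1:-}" = run ]; then
    nightly_swa
fi
```

The exit status is non-zero when either swa step fails, so cron's own mail or a monitoring check can pick up a broken run as well.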