Install Security Patches


A security patch review should be performed to determine which security patches need to be installed. Each patch for a product installed on the system should be analyzed to decide whether it is needed. First, check whether the patch is already installed, either from the install media or from a patch bundle (swlist -l patch lists the patches currently installed). If not, read the patch's .text file for details, including dependencies, filesets affected, and files patched. You can list the filesets installed on the system by executing swlist -l fileset .

Just because a patch exists doesn't mean that you need to install it, though it is usually safe to do so. Some patches fix buffer overrun defects or other attack channels in set-uid root commands or root processes; if you plan to remove the set-uid bits from those commands, you may choose not to install them. You may also not have the affected program configured (for example, rlogind listening on the network), but it can be difficult to determine whether a defect is remotely or locally exploitable, so the safer default is to install the patch anyway.

Security Patch Check for HP-UX (B6834AA)

Security patch check is a Perl script that runs on HP-UX 11.X systems. It analyzes the filesets and patches installed on an HP-UX machine and generates a report of recommended security patches. In order to determine which patches are missing from a system, security_patch_check must have access to a listing, or catalog, of security-related patches. The following command downloads the patch catalog from the HP site:

 security_patch_check -r 

Since new security patches can be released at any time, security_patch_check depends on a patch catalog stored on an HP server, which is updated nightly. To help automate the process of checking for missing security patches, security_patch_check can download the most recently generated catalog from an HP FTP site. To do so, the system must have FTP access to the public Internet, either directly or through a proxy server. Define the proxy by setting the ftp_proxy environment variable:

 export ftp_proxy=<protocol of proxy>://address:port 

Once security_patch_check has access to a security patch catalog, it creates a list of the patches that are both applicable to the system and not installed. Note that although the catalog contains the most recent and highest-rated patches, security_patch_check recommends a patch only if it addresses a security problem not already addressed by an installed patch; a newer installed patch that supersedes the catalogued one therefore counts as covering it.

If you do not want to install Perl on the production system, security_patch_check can be run on another system using swlist output from the original system as input. The tool can also be run from a management system, pointing at a production system over the network. For this to work, the "Perl" and "Security Patch Check" filesets must be installed on the management system. You must also set appropriate swacl permissions on the production system so that you have remote swlist access but others do not (the default is open).

There is another method that does not require enabling remote swlist access to the production system at all: copy the swlist output from the production system to the management server and point security_patch_check at that file.
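The comparison the two preceding sections describe, a catalog of security patches checked against what a production system reports as installed, with an installed superseding patch counted as covering the older one, is shown below as an added example. It is not security_patch_check itself nor any HP code; the catalog format, the supersession column and the patch IDs (HP-UX naming style with placeholder numbers) are all constructed for the illustration, and the installed list stands in for patch IDs already extracted from the production system's swlist output.

```shell
#!/bin/sh
# Added example: decide which catalogued security patches a system still needs,
# treating an installed patch that supersedes an older one as covering it.
# All data below is constructed; the patch IDs are placeholders, not real HP patches.

# Constructed catalog format: "<patch> <patch it supersedes, or - if none>", one per line.
CATALOG='PHCO_00001 -
PHCO_00002 PHCO_00001
PHKL_00010 -
PHNE_00020 -
PHNE_00021 PHNE_00020
PHSS_00030 -'

# Installed patch IDs, as you would extract them from the production system's
# "swlist -l patch" output (constructed list, not real swlist output).
INSTALLED='PHCO_00002
PHKL_00010
PHNE_00020'

# missing_patches CATALOG INSTALLED
# Prints, one per line and in catalog order, every catalog patch that is neither
# installed nor superseded (directly or through a chain) by an installed patch.
missing_patches() {
    printf '%s\n' "$1" | INST="$2" awk '
        BEGIN {
            n = split(ENVIRON["INST"], a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") installed[a[i]] = 1
        }
        NF >= 1 {
            order[++count] = $1
            if (NF >= 2 && $2 != "-") succ[$2] = $1   # $1 supersedes $2
        }
        END {
            for (i = 1; i <= count; i++) {
                p = order[i]
                covered = 0
                # Walk the supersession chain: p, whatever supersedes p, and so on.
                # The hop limit guards against a malformed catalog with a cycle.
                hops = 0
                for (x = p; x != "" && hops < 100; x = (x in succ) ? succ[x] : "") {
                    hops++
                    if (x in installed) { covered = 1; break }
                }
                if (!covered) print p
            }
        }'
}

missing_patches "$CATALOG" "$INSTALLED"
```

With the constructed data, PHCO_00001 is not reported because the installed PHCO_00002 supersedes it, while PHNE_00021 is reported even though PHNE_00020 is installed, since supersession only runs forward: the newer patch fixes what the older one fixed, not the reverse.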



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210