security_patch_check(1M)

NAME
security_patch_check - replaced by swa(1M)

SYNOPSIS
| security-catalog]
| | depot | remote-host] ignore-file]
| [url]] os-version]
| security-catalog]
depot | remote-host] ignore-file]
| [url]] os-version]
DESCRIPTION
The security_patch_check utility has been replaced by Software
Assistant. See swa(1M).
After November 1, 2008, use of the option will generate a compatible
report through the swa command. Other options will either be ignored
or will cause security_patch_check to terminate with an error.
Previous versions of Security Patch Check will continue to function as
intended until the security catalog is no longer provided. The
security catalog will be available until at least November 1, 2008.
Unless otherwise specified, the remainder of this section describes the
behavior of Security Patch Check before November 1, 2008.
Security Patch Check analyzes the security bulletin compliance of an
HP-UX system. Most of the functionality of Security Patch Check is
superseded by Software Assistant, called using the swa command.
Software Assistant can report on security bulletin compliance and many
other types of issues in a variety of report formats. In addition, SWA
does automated patch dependency analysis, download, and depot
creation. See swa(1M) for details. The security_patch_check command
remains for those features that are not fully implemented in Software
Assistant. This Security Patch Check man page gives some pointers to
the swa equivalents of security_patch_check options, when applicable.
security_patch_check determines which minimal security patches,
updates and manual actions have yet to be applied to the system, and
generates a report listing the recommended patches and actions that
apply to the specific system analyzed. The analysis is likely to be
incomplete for products and operating systems that are obsolete or
unsupported, including products from previous OS versions that remain
after an OS update. If your system was updated from a prior OS, you
may use the option to identify additional issues that may have been
announced for the prior OS version.
Note: Security Patch Check does not support OS versions prior to HP-UX
B.11.00, even with the option.
Normally, security_patch_check calls the swlist command directly to do
its analysis; see swlist(1M). However, if the standard-input or file
option is specified, security_patch_check reads standard input or a
file (filename) as though it were output from a call to swlist. Thus,
security_patch_check can effectively analyze sets of systems and
depots by sending it swlist output from those sources. You can also
choose whether to analyze superseded patches using the corresponding
option of swlist. (Without the standard-input or file options, use the
security_patch_check option that controls the analysis of superseded
patches.)
security_patch_check must have local access to a security bulletin
catalog to run its analysis. It is able to download the most recent
security patch catalog from an HP HTTPS or FTP site, and performs the
download if the retrieval option is used. Refer to the SECURITY
CATALOG RETRIEVAL section for important information on this option.
security_patch_check also reports any patches with warnings that are
present on your system. (Note: the default is to analyze only active
patches. If you want to analyze all installed patches, use the
superseded-patch option.) These patches need not be security-related.
If a patch with warnings is active on a system, you should read its
"Warn" field. The Warn field of every 11.x patch with warnings is in
the security catalog. To find the patch warnings that are applicable
to your system, you may look up the patch records manually in the
catalog after running the script, or you may run security_patch_check
with the machine-parsable option.
Before installing patches, you should be familiar with the general
patching process. See the available on for an introduction to
patching. It is important that you read this document and understand
the patching process. Patches that are installed incorrectly or
incompletely can cause a system to stop functioning in serious and
difficult-to-recover ways. The instructions for updates (removals)
and manual actions are covered in the bulletins themselves, but you
should be familiar with swinstall(1M) and swremove(1M) before
installing and removing software.
Patches: Hewlett-Packard provides standard HP-UX patch bundles of
recommended patches that contain fixes to many security issues as well
as other known system defects. The standard HP-UX patch bundles are
available electronically from the HP IT Resource Center at Openview
patches are available at
If closing patch-related security holes with the minimum system change
is required, the Patch Database (found at the IT Resource Center) may
be used in combination with security_patch_check to download the
minimum set of patches with their dependencies. The Patch Database
will always display the set of patches that HP currently recommends.
These patches may be newer than those identified by
security_patch_check.
Updates: In general, most HP-UX software is available from via the OE
and AR media releases, and from the product-specific web sites on The
security bulletin will normally have more specific source information.
Removal actions: Sometimes the only fix for software is to remove it.
Generally, the security bulletin will recommend an upgrade path to
another product with the same functionality.
Manual actions: Security Patch Check may recommend a manual action when
a packaged product or patch does not completely solve the problem, or
when the data available is partial or incomplete. Refer to the bul‐
letin for more information. The only way to indicate completed manual
actions is to use an "ignore" file. (See option below.)
Monitoring security bulletins from HP and other sources is recommended
as a security best practice. If you think you have found a discrepancy
between actions required on your system and those reported by Security
Patch Check, please report this discrepancy to for investigation. HP
appreciates reporting any discrepancies to us and assisting us to
protect all of our valued customers.
The default behavior of security_patch_check is to use the security
patch catalog located at to analyze localhost, and the ignore file at
to decide which bulletins to ignore. It then runs swlist and generates
a report in an easy-to-read table format. These defaults can be
overridden on the command line, or in the configuration file.
Additional Security Patch Check documentation (such as FAQs and README)
may be found at
Options
Command line arguments cannot be clustered; for example, is valid, but
is not. security_patch_check supports the following options:
This option causes security_patch_check to behave as though all
ancestors (filesets) are installed on the target system. This option
is useful for analyzing a patch depot by itself.
swa ignores this option.
Using the standard-input option causes security_patch_check to read
from standard input. Using the file option causes security_patch_check
to read from a file.
Both of these options can be used to analyze a set of depots. The
data used by security_patch_check must be in the format that is
generated by the following swlist command. Note that giving input in a
different format can lead to undefined results.
where specifies a depot instead of a root file system, and specifies a
target host system. See swlist(1M).
If either of these options is used, security_patch_check will not call
swlist directly, but will treat standard input or filename as though
it were output from swlist as described above. The two options are
mutually exclusive. See the remote-host and superseded-patch options
also.
Using either option causes swa to terminate with an error.
The swa command includes additional caching functionality for system
inventories, and uses a format that is compatible with the ITRC patch
assessment engine. See swa-step(1M) for information on how to gather
an inventory within swa.
Specify the location of the locally cached security bulletin catalog.
The default path to the security bulletin catalog is
swa ignores this option.
When converting to swa, use the extended option for similar
functionality. The swa command has additional options to control the
caching and download of its catalog, including the and the extended
options. The Software Assistant catalog also contains additional patch
information that allows patch dependency optimization and additional
types of analysis.
Run an analysis on a remote host or depot, rather than localhost
(default).
remote-host is an HP-UX 11.x system. depot is the full path to a
directory- or tape-format depot on a remote or local system. Use of
this option is possible only if the user running security_patch_check
has the necessary swacl permissions. For remote hosts or depots,
swagentd must be running on the remote host. See swagentd(1M) and
swacl(1M).
Using -h depot or -h remote-host causes swa to terminate with an
error.
The swa equivalents are the option (similar to how this option is
used by security_patch_check) or the extended option.
Specifies the ignore file.
This file is useful in the case of actions which you have analyzed
but which cannot be automatically detected by Security Patch Check.
Perform all actions recommended by a given bulletin, and then put the
security bulletin identifier in the file to cross it off your "to do"
list. This removes all actions associated with that particular
bulletin from the report, including patches, upgrades, removals, and
manual actions. In the ignore-file, security_patch_check expects one
bulletin identifier per line. Comments, preceded with a pound or hash
sign (#), are allowed either on their own lines or after bulletin
identifiers. A bulletin identifier is in the same format as the
"Bull" column in the human-readable output: the bulletin number,
optionally followed by "r" and the revision number of the bulletin.
If the bulletin is revised, Security Patch Check will notify you again
the next time you download an updated catalog, in case the revision
affects you. The default file is
swa ignores this option.
The swa command allows additional flexibility to specify multiple
ignore files and the ability to specify a regular expression to match
issues to ignore. There is also additional granularity available to
ignore individual actions within a given security bulletin. See the
extended option in swa-report(1M) for information on how to specify
ignore files for swa. The first run of swa will automatically convert
the default ignore file for that user into the new format.
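As an added illustration of the ignore-file semantics described above (example code written for this page; it is not part of the original man page and not HP's Perl implementation): a small Python parser for the one-identifier-per-line format, and the revision logic that decides whether a crossed-off bulletin resurfaces. Assumed rather than taken from the page: bulletin identifiers are single tokens that never themselves end in "r<digits>", an entry without a revision suffix suppresses the bulletin at every revision, and the bulletin IDs, patch names and catalog revisions in the sample data are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ignore file (not from the man page): one bulletin
# identifier per line, '#' comments on their own line or after an entry,
# optional 'r<n>' suffix = revision of the bulletin that was acted on.
SAMPLE_IGNORE_FILE = """\
# bulletins already handled on this host
HPSBUX00101          # patch installed, manual steps done
HPSBUX00102r2        # manual action completed against revision 2

HPSBUX00103r1
"""

# Constructed catalog entries: bulletin id, its current revision, the patch.
SAMPLE_CATALOG = [
    {"bull": "HPSBUX00101", "rev": 3, "patch": "PHXX_00001"},
    {"bull": "HPSBUX00102", "rev": 2, "patch": "PHXX_00002"},
    {"bull": "HPSBUX00103", "rev": 2, "patch": "PHXX_00003"},
    {"bull": "HPSBUX00104", "rev": 1, "patch": "PHXX_00004"},
]

# Assumption: a bulletin id never ends in 'r<digits>' itself, so the
# optional revision suffix is unambiguous.
_ENTRY = re.compile(r"^(?P<bull>\S+?)(?:r(?P<rev>\d+))?$")


def parse_ignore_file(text: str) -> Dict[str, Optional[int]]:
    """Return {bulletin_id: revision_ignored_at}; None means every revision.

    Malformed lines raise instead of being skipped: a typo in this file
    would otherwise silently hide a finding from the report.
    """
    ignored: Dict[str, Optional[int]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()        # drop comments
        if not entry:
            continue
        if len(entry.split()) != 1:
            raise ValueError(f"ignore file line {lineno}: one identifier per line, got {raw!r}")
        m = _ENTRY.match(entry)
        assert m is not None                        # a single \S token always matches
        rev = m.group("rev")
        ignored[m.group("bull")] = int(rev) if rev is not None else None
    return ignored


def actions_to_report(catalog: List[dict], ignored: Dict[str, Optional[int]]) -> List[dict]:
    """Filter catalog entries through the ignore list.

    An entry ignored at revision N is reported again once the catalog
    carries a newer revision, which is the "notify you again" behaviour
    the man page describes for revised bulletins.
    """
    report = []
    for rec in catalog:
        if rec["bull"] not in ignored:
            report.append(rec)                      # never acted on
            continue
        ignored_rev = ignored[rec["bull"]]
        if ignored_rev is not None and rec["rev"] > ignored_rev:
            report.append(rec)                      # revised since it was crossed off
    return report


if __name__ == "__main__":
    todo = actions_to_report(SAMPLE_CATALOG, parse_ignore_file(SAMPLE_IGNORE_FILE))
    for rec in todo:
        print(f"{rec['bull']}r{rec['rev']}: install {rec['patch']}")
```

With the sample data, HPSBUX00101 and HPSBUX00102 stay suppressed, HPSBUX00103 comes back because the catalog now carries revision 2 against the recorded revision 1, and HPSBUX00104 is reported because it was never acted on. Rejecting malformed lines rather than skipping them is deliberate: this file removes findings from the report, so it should fail loudly.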
Display output in a machine-parsable format.
This format contains zero or more recommended-action records in the
format:
[<tab><tab>more-field-text]... }...
Each record is for either a recommended action or a patch with
warnings (which is present on the target system). Patches with
warnings contain "with Warnings" in their Status field. Recommended
security actions contain a SecBul field. This option should not be
used with the output-columns option. Three fields that are unique to
the catalog used by security_patch_check will appear. The Min field
indicates the oldest patch in the recommended patch's chain that
resolves the security issue. The MFset field is the list of ancestor
filesets for the oldest patch, and the SecBul field indicates in which
security bulletins the patch's chain was introduced. There is no
guarantee that the same fields will exist for each patch record, or
that the fields will be in a certain order. Notes are suppressed when
this option is used. Warnings and errors are written to standard
error.
The swa command is called to generate a report compatible in form to
this format. The fields displayed and their ordering may change, but
will conform to the original specification as shown above.
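The record layout quoted above survives on this page only as a fragment. The following added example (written for this page; it is not from the man page and not HP's code) parses a constructed sample of such output under an assumed layout that is consistent with the visible fragment: each record is enclosed between a line holding "{" and a line holding "}", each field is a tab-indented "Name: text" line, and continuation lines are indented with two tabs. It then applies the two classification rules the text gives: a SecBul field marks a recommended security action, and "with Warnings" in Status marks an installed patch with warnings. Field names other than Status, SecBul, Min and MFset, and all patch, bulletin and fileset names, are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of machine-parsable output under the assumed layout
# (brace-delimited records, tab-indented fields, two-tab continuations).
SAMPLE_OUTPUT = (
    "{\n"
    "\tPatch: PHXX_00001\n"
    "\tStatus: Recommended\n"
    "\tSecBul: HPSBUX00101\n"
    "\t\tHPSBUX00105\n"
    "\tMin: PHXX_00000\n"
    "\tMFset: OS-Core.CORE-SHLIBS\n"
    "\t\tOS-Core.UX-CORE\n"
    "\tReboot: Yes\n"
    "}\n"
    "{\n"
    "\tStatus: Installed with Warnings\n"
    "\tPatch: PHXX_00002\n"
    "\tWarn: This patch is known to cause a panic\n"
    "\t\tunder heavy NFS load; see the bulletin.\n"
    "}\n"
)

Record = Dict[str, str]


def parse_records(text: str) -> List[Record]:
    """Parse brace-delimited records into dicts; field order is irrelevant
    and no field is required, matching the "no guarantee" caveat.

    Continuation lines are joined to the preceding field with a space.
    Structural errors (field outside a record, continuation with no
    field, unterminated record) raise rather than yielding a half-parsed
    report that would quietly drop findings.
    """
    records: List[Record] = []
    current: Record = {}
    in_record = False
    last_field: Optional[str] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "{":
            if in_record:
                raise ValueError(f"line {lineno}: nested record")
            current, in_record, last_field = {}, True, None
        elif line == "}":
            if not in_record:
                raise ValueError(f"line {lineno}: '}}' without '{{'")
            records.append(current)
            in_record = False
        elif line.startswith("\t\t"):                    # continuation line
            if not in_record or last_field is None:
                raise ValueError(f"line {lineno}: continuation without a field")
            current[last_field] += " " + line.strip()
        elif line.startswith("\t"):                      # "Name: text"
            name, sep, value = line[1:].partition(":")
            if not in_record or not sep or not name.strip():
                raise ValueError(f"line {lineno}: malformed field {line!r}")
            last_field = name.strip()
            current[last_field] = value.strip()
        elif line.strip():
            raise ValueError(f"line {lineno}: unexpected text {line!r}")
    if in_record:
        raise ValueError("unterminated record at end of input")
    return records


def classify(records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split records into (recommended security actions, patches with
    warnings) using the two markers the man page gives for this format."""
    actions = [r for r in records if "SecBul" in r]
    warned = [r for r in records if "with Warnings" in r.get("Status", "")]
    return actions, warned


if __name__ == "__main__":
    actions, warned = classify(parse_records(SAMPLE_OUTPUT))
    for r in actions:
        print(f"ACTION  {r.get('Patch')}  bulletins={r['SecBul']}  min={r.get('Min')}")
    for r in warned:
        print(f"WARNING {r.get('Patch')}: {r.get('Warn')}")
```

Because the page promises neither a fixed field set nor a fixed order, the parser keys every record by field name and the consumers use .get() for anything that is not one of the two documented markers.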
Suppress warnings about currently installed software whose state is
neither configured nor available. Software which is not in one of
these states is misconfigured and should be fixed.
swa ignores this option.
Alter the information printed by security_patch_check in the
human-readable patch information table. By default, the "#", "Bull",
"Cnt", "Recommended", "Spec", "Reboot", "PDep", and "Description"
columns appear. The full text of the patch records can be obtained
only by running with the machine-parsable option (instead of this
option). Ordering of the arguments passed to this option is ignored.
The table's columns will be printed in the following order:
#, Recommended, [Bull], [Cnt], [Minimum], [Spec], [Reboot],
[PDep], [Description].
"#" indicates the patch's number within the table.
Note that this option should not be used with the machine-parsable
option, which overrides it. The arguments passed to this option have
the following effects:
Print a "Bull" field
and show the highest-numbered security bulletin this rec‐
ommended action applies to.
Print a "Cnt" field
to indicate how many bulletins relate to this recommenda‐
tion. For example: 1st = this is the first and only bul‐
letin, 2nd = this is the 2nd of 2, 3rd = 3rd of three,
etc.
Print a "Description" field
and show a description of each recommended action.
Print a "Minimum" field
and show the oldest patch in the chain of patches including the
recommended patch, which resolves the security problem.
Print a "PDep" field
and indicate whether each recommended patch has patch
dependencies.
Print a "Reboot" field
and indicate whether each recommended patch/action
requires a reboot.
Print a "Spec" field
and indicate whether each recommended patch/action has
special instructions associated with it or, in some
cases, the nature of the special instructions. For exam‐
ple: "man" indicates there are manual steps, "upd" indi‐
cates there are updates to be applied, "warn" indicates
that the patch has warnings, etc.
swa ignores this option.
Operate in quiet mode.
security_patch_check will print a table or machine-parsable output
only if it determines that there are patches/actions missing from the
system (or input data). Warnings will be printed. Notes will be
suppressed.
swa ignores this option.
Operate in very quiet mode.
Warnings, which may be critical to system security (that is, patch
warnings, world-writable catalogs), are suppressed. This option
implies quiet mode.
swa ignores this option.
Retrieve the latest security bulletin catalog from an HP HTTPS, HTTP,
or FTP site, as specified by url.
security_patch_check will store the catalog in the location specified
by the catalog option, which defaults to
If the url is specified, then the catalog must be in format (must end
in
For more retrieval configuration details refer to the SECURITY CATALOG
RETRIEVAL section below.
swa ignores this option.
The swa command uses a different catalog (swa_catalog.xml or
swa_catalog.xml.gz) and allows additional options to control catalog
download and aging. If swa_catalog.xml is not found or is older than
the specified maximum age, swa will automatically attempt to retrieve
an update. Refer to the extended option in swa-report(1M) for
information on how to specify an alternate source URL for
swa_catalog.xml.gz.
Specify the OS version.
Without this option, security_patch_check uses the software_spec field
of the OS-Core fileset to determine which OS is running on the target
system. os-version should be in the format This option is useful when
analyzing a patch-only depot.
swa ignores this option.
Gather information about superseded patches from a live host (default
"localhost", or the host specified with the remote-host option) for
security_patch_check to analyze. The default behavior is to gather
and analyze only information on active patches. If you wish to
analyze the full patch tree when using input from standard input or
from a file, then use the corresponding option on the swlist command
(instead of on security_patch_check) to ensure that the full patch
tree is included when you generate the input. This analysis is useful
before rolling back a patch to see if it will activate a patch with
warnings or a misconfigured patch.
swa ignores this option.
(Use the -? option for swa.) Print usage message and exit.
SECURITY ISSUES
This section is valid until November 1, 2008.
Following the recommendations of security_patch_check will result in a
system that is up-to-date with HP's recommended security actions.
There are many security advisories that require manual actions on a
system. Since some advisories or bulletins contain no patches and
others contain both patches and manual actions, these advisories, if
output by security_patch_check, must be read and appropriate action
taken.
To access an archive of HP-UX security advisories, you must have an
account on the ITRC. Go to
security_patch_check uses Perl's tainting checks. This means that
security_patch_check will exit if the command line options it receives
contain any character besides a letter, number, slash, dot, underscore
or dash. Keep this in mind when using security_patch_check with the
option. Perl's security features may also prevent some URLs from
being used with the retrieval option on the command line.
security_patch_check performs a check on the security catalog being
used. It prints a warning if the catalog is world- or group-writable,
or if one of its parent directories is world- or group-writable and
the sticky bit is not set on that directory.
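Two of the checks just described, reimplemented as an added Python example (written for this page; not from the man page and not HP's Perl code): the taint-style argument screen, which admits only letters, digits, slash, dot, underscore and dash, and the catalog permission check, which walks from the catalog file up to the root and flags group- or world-writable directories that lack the sticky bit. The file layout built by demo() is constructed in a temporary directory; the path names and modes in the pure-function part are assumptions for illustration.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Perl taint-style screen: the same character class the man page lists.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9/._-]+$")


def tainted_args(argv: List[str]) -> List[str]:
    """Return the arguments that would make the tool exit.  A URL such as
    https://host/catalog fails on ':' alone, which is the page's caveat
    about some URLs being unusable on the command line."""
    return [a for a in argv if not _SAFE_ARG.match(a)]


_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def catalog_warnings(chain: List[Tuple[str, int]]) -> List[str]:
    """chain = [(catalog, st_mode), (parent_dir, st_mode), ..., (root, st_mode)].

    Warn when the catalog itself is group/world writable, or when an
    ancestor directory is group/world writable without the sticky bit:
    in such a directory any user can rename or delete the catalog and
    substitute one of their own, whereas with the sticky bit set only the
    owner of an entry (or of the directory) may remove it.
    """
    warnings: List[str] = []
    if not chain:
        return warnings
    path, mode = chain[0]
    if mode & _OTHER_WRITE:
        warnings.append(f"catalog {path} is group- or world-writable "
                        f"(mode {stat.S_IMODE(mode):04o})")
    for path, mode in chain[1:]:
        if (mode & _OTHER_WRITE) and not (mode & stat.S_ISVTX):
            warnings.append(f"parent directory {path} is group- or world-writable "
                            f"without the sticky bit (mode {stat.S_IMODE(mode):04o})")
    return warnings


def stat_chain(path: str) -> List[Tuple[str, int]]:
    """Collect (path, st_mode) for the catalog and every ancestor directory,
    resolving symlinks first so the check applies to the real location."""
    path = os.path.realpath(path)
    chain = [(path, os.stat(path).st_mode)]
    parent = os.path.dirname(path)
    while parent != path:                       # stops at the filesystem root
        chain.append((parent, os.stat(parent).st_mode))
        path, parent = parent, os.path.dirname(parent)
    return chain


def check_catalog(path: str) -> List[str]:
    return catalog_warnings(stat_chain(path))


def demo() -> List[str]:
    """Constructed layout: a 0664 catalog inside a 0775 directory, inside a
    private temp dir.  Only warnings for paths under the temp dir are
    returned, since the modes of /tmp and above vary between hosts."""
    with tempfile.TemporaryDirectory() as top:
        cat_dir = os.path.join(top, "catalog_dir")
        os.mkdir(cat_dir)
        os.chmod(cat_dir, 0o775)                # explicit chmod: mkdir's mode is umask-filtered
        catalog = os.path.join(cat_dir, "security_catalog")
        with open(catalog, "w") as fh:
            fh.write("constructed catalog\n")
        os.chmod(catalog, 0o664)
        real_top = os.path.realpath(top)
        return [w for w in check_catalog(catalog) if real_top in w]


if __name__ == "__main__":
    print(tainted_args(["-c", "/var/opt/security_catalog", "https://host/catalog"]))
    for w in demo():
        print("WARNING:", w)
```

The ancestor walk matters more than the file mode itself: a 0644 catalog in a 0777 directory without the sticky bit can still be replaced wholesale by an unprivileged user, and a tool that then trusts the catalog's patch recommendations has no way to tell.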
When using FTP, security_patch_check does not validate the security
patch catalog it downloads. It is possible to download an invalid
catalog if HP's FTP site is being spoofed on the subnet where
security_patch_check is running. For that reason, the default HTTPS
download is the recommended method. Note that if the prerequisites
for HTTPS communication (OpenSSL and HP's SSL-Enabled Perl, also
OpenSSL if CRL checking is needed) are not installed, then Security
Patch Check will default to HTTP, which is equally unauthenticated.
security_patch_check can be run by any user who has permissions to
execute Perl and
SECURITY CATALOG RETRIEVAL
This section is valid until November 1, 2008. After that date, the
proxy environment variables ftp_proxy, http_proxy, and https_proxy
(discussed in the Proxy Settings subsection below) will continue to be
recognized.
The following configuration options deal mainly with the retrieval
option.
Proxy Settings
This subsection is valid until November 1, 2008. However, the proxy
environment variables ftp_proxy, http_proxy, and https_proxy will
continue to be recognized when set in the user's shell when the
retrieval option is used.
When using the retrieval option from behind a firewall which requires
a proxy to be used for Internet connectivity, the proxy configuration
setting for the download protocol you intend to use must indicate the
proxy for the local subnet. The proxy settings tell
security_patch_check how to perform transfers from behind the
firewall. The default proxy behavior can be configured in the
configuration file, and behavior on a per-user basis can be specified
as environment variables in the user's shell. The proxy URL must be
in the form:
For example:
A web proxy generally uses the HTTP protocol (even for proxying HTTPS
and FTP data). If you specify a URL on the command line and you wish
to traverse a proxying firewall, then you must specify the proxy which
corresponds to that URL. For example, set the option if the URL begins
with Some protocols (such as do not do file transfers, and other proto‐
cols (such as cannot be used over a proxy.
NOTE: If you are running from within HP Systems Insight Manager,
instead of running the "Get Bulletin Catalog" tool, you can also down‐
load the catalog manually from one of the above URLs and save the cata‐
log to To allow HP Systems Insight Manager to use your proxy to get the
catalog, you must set the or (and all other configuration environment
variables not set in the clients' configuration file,
For example, insert
into to enable FTP download through the specified proxy. The "Get
Patch Catalog" tool in HP Systems Insight Manager will read in before
executing
HTTPS Specific Configuration
SUPPORTED UNTIL NOVEMBER 1, 2008.
Each of the following variables can be configured in the configuration
file, or as environment variables in the user shell. For each of these
variables, reasonable defaults are set in the configuration file, and
can be used as examples. By default, security_patch_check requires
server certificate validation for all HTTPS requests. Therefore, you
must specify the trusted CA certificate used to issue the remote
server's certificate by correctly setting either the CA-file or the
CA-directory variable described below.
When this variable is set to 1, security_patch_check will require the
certificate revocation list to be updated and checked for the trusted
CA certificate being used to validate the remote server. This means
the CRL URL variable must also be set, and only the certificate used
to sign the downloaded revocation list can be used to validate the
server connection. When enabled, this configuration gives the remote
server a mechanism to revoke its certificate through the certificate
authority, but also requires regular downloads from the certificate
authority, which can lengthen the run time. If you do not wish to
validate a revocation list, set this variable to 0.
Contains the URL where the certificate revocation list (CRL) for the
trusted certificate being used to download the security catalog can be
downloaded. If you are behind a proxy, then you will need to
configure the proxy information for the protocol being used to
download the CRL.
A directory containing files, each of which consists of one
PEM-encoded trusted CA certificate. If using certificates other than
the defaults shipped by HP, note that these files must be indexed
using the certificate's subject name hash value, in the form "hash.0".
Use the OpenSSL utility, to index the certificates in the directory,
creating the hash.0 format files for each certificate file in the
directory which ends with the extension.
The fully qualified path to a file containing PEM-encoded CA
certificates which will be trusted by security_patch_check.
The directory path containing the and binaries.
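The validation policy these variables describe, shown as an added Python example that builds an HTTPS client context with the standard ssl module (written for this page as an illustration; it is neither the man page's configuration nor HP's SSL-enabled Perl code). The CA directory follows the same OpenSSL hash.0 layout the text describes, which is what ssl's capath expects (OpenSSL's c_rehash, or "openssl rehash" in 1.1 and later, creates those names); the CRL is assumed to have been downloaded already from the CRL URL into a local PEM file. The catalog URL, file names and the empty CA directory in demo() are constructed.

```python
import ssl
import tempfile
from typing import Dict, Optional
from urllib.request import Request, urlopen


def build_catalog_context(cafile: Optional[str] = None, capath: Optional[str] = None,
                          require_crl: bool = False,
                          crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context with mandatory server certificate validation.

    At least one trust source is required (the page's rule that a CA
    file or a hashed CA directory must be set).  With require_crl, the
    CRL for the trusted CA must be supplied and the server's leaf
    certificate is checked against it, so the handshake fails if the CRL
    is missing or stale rather than silently skipping revocation.
    """
    if cafile is None and capath is None:
        raise ValueError("a trusted CA file or hashed CA directory is required")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    if require_crl:
        if crl_file is None:
            raise ValueError("CRL checking enabled but no CRL file given")
        ctx.load_verify_locations(cafile=crl_file)   # PEM CRLs load through the same call
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of the settings that matter for the download."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "crl_check_leaf": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def fetch_catalog(url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """Download the catalog; refuses anything but https so a misconfigured
    URL cannot fall back to the unvalidated HTTP or FTP paths."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing non-HTTPS catalog URL: {url}")
    with urlopen(Request(url), context=ctx, timeout=timeout) as resp:
        return resp.read()


def demo() -> Dict[str, object]:
    """Build a context against a constructed (empty) hashed CA directory and
    report its settings; no network access is made."""
    with tempfile.TemporaryDirectory() as capath:
        ctx = build_catalog_context(capath=capath)
        return context_summary(ctx)


if __name__ == "__main__":
    print(demo())
```

The explicit refusal of non-HTTPS URLs in fetch_catalog is the one place this example is stricter than the behaviour the page documents: the original falls back to HTTP when the SSL prerequisites are missing, and an unauthenticated catalog is exactly the spoofing risk the SECURITY ISSUES section warns about.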
The security bulletin catalog can also be downloaded manually from any
of the following URLs:
EXAMPLES
This section is valid until November 1, 2008.
Get the latest security patch catalog, and then analyze the local sys‐
tem; print (the default) human-readable report.
Get the latest security bulletin catalog, and then analyze localhost;
write all output including warnings and errors to file (using This is
useful for using in a job to execute nightly.
If you would prefer to have a report mailed to you, then you can use
the following (using This will put the standard output and standard
error streams together and mail them to the given e-mail address.
Analyze localhost by downloading the latest security bulletin catalog,
and take output from file
Analyze localhost, print in which security bulletins the recommended
patches' or actions' chains were mentioned, whether the recommended
patches or actions require reboot, and their descriptions.
Analyze remote host named give output in machine-parsable format.
Analyze depot on along with depot on Assume that the depots are for
HP-UX 11.00. takes output from standard input.
Analyze remote system after downloading the security bulletin catalog.
This example may be considered a typical usage of as a job.
Analyze print a table in machine-readable format only if missing
patches are found.
RETURN VALUES
security_patch_check sets its exit status to one of the following
values.
Indicates successful exit, whether or not missing actions were found.
Indicates an error in the command-line arguments.
Indicates security_patch_check received or
Indicates other function-level run-time errors.
In the case of an error, security_patch_check prints an error message.
ENVIRONMENT
This section is valid until November 1, 2008. After that time, the
proxy environment variables ftp_proxy, http_proxy, and https_proxy
will continue to work with the retrieval option. Refer to swa(1M) for
information regarding all other environment variables after November
1, 2008.
Security Patch Check uses the environment variable to set default
locations for the ignore file and the default trust store. If the
tool is run by root without it set, Security Patch Check will default
to using Otherwise, the lack of a valid value will cause Security
Patch Check to terminate with an error.
When security_patch_check is run with the retrieval option, proxy and
trust store configuration variables should be set and exported in
your shell environment.
The ftp_proxy, http_proxy or https_proxy variable must indicate a
proxy that the script can use, if your network requires the use of a
proxy. swa will honor these proxy environment variables as well. Use
the appropriate proxy variable based on the protocol you are using to
download the security catalog.
If you are using the HTTPS protocol, then all the required trust store
variables must be configured. Review the HTTPS Specific Configuration
subsection above for details concerning the CRL and trust store
environment variables.
The file must be altered to allow HP Systems Insight Manager to find
the variables. Refer to the SECURITY CATALOG RETRIEVAL section above
for more information.
SOFTWARE ASSISTANT TRANSITION
The following table lists Security Patch Check (SPC) options and some
corresponding options for Software Assistant (SWA). This is not an
equivalency mapping. SWA has a much richer interface and much more
flexibility. As such, some of the options have changed in meaning and
not just in name.
┌────────────┬──────────────────────────┬───────────────────────┐
│ SPC Option │ SWA Single Letter Option │ SWA Extended Option   │
├────────────┼──────────────────────────┼───────────────────────┤
│ -c         │ n/a                      │ catalog               │
│ -h         │ -s                       │ inventory_source      │
│ -i         │ n/a                      │ ignore_file           │
│ -o         │ -r                       │ stdout_report_type    │
│ -q         │ n/a                      │ report_when_no_issues │
│ -q         │ -q                       │ verbosity             │
│ -r         │ n/a                      │ catalog_source        │
│ -u         │ -?                       │ n/a                   │
└────────────┴──────────────────────────┴───────────────────────┘
The primary way to access the reporting functionality of Software
Assistant is through the major mode documented in swa-report(1M),
which gives detailed explanations of these options. For additional
information about Software Assistant functionality, see swa(1M) and
the other associated man pages.
The proxy environment variables ftp_proxy, http_proxy, and https_proxy
also work for SWA. They can also be set as extended options using the
command-line option or in an SWA configuration file. While Security
Patch Check uses these settings to determine which catalog source URL
to try first, SWA will use the URL explicitly set using the extended
option, independent of the proxy settings. SWA also uses Java(TM)
libraries to implement the download functionality. In some cases
where Security Patch Check required explicit setting of proxies, SWA
is able to automatically detect network proxy settings and use them
without an explicit setting. For more complex network topologies
(e.g. proxies that require more than HTTP basic authentication), the
extended option offers extremely flexible download capabilities, which
are much more powerful than what Security Patch Check provides.
AUTHOR
security_patch_check was developed by the Hewlett-Packard Company.
FILES
This section is valid until November 1, 2008.
SWA REFERENCES
SEE ALSO
swa(1M), swa-report(1M), swa-get(1M), openssl(1), swacl(1M),
swagentd(1M), swinstall(1M), swlist(1M), swremove(1M).
on
TO BE OBSOLETED security_patch_check(1M)