HP UX Patch Management manual How to handle patch warnings, Questions to ask

Page 40

How to handle patch warnings

Your initial response to a warning for a patch on a system should be to carefully read the associated warning text and research the issue to gain a complete understanding of how or if the warning will impact the system.

Because of the number and complexity of the factors involved, there is no single correct way of dealing with a patch with a warning. The following items show some possible courses of action:

In some cases, such as if you encounter a critical problem on the system, immediate removal of the patch might be necessary.

In many cases, removal and replacement can wait until the next scheduled maintenance window.

In other cases, such as when the problem does not affect the hardware or software configuration, there is no need for you to take any action. In fact, HP discourages unnecessary change because it can cause down time and because there is always some risk when making a change to the system.

Questions to ask

If you must deal with a patch that has a warning, consider the following questions in deciding whether or not to use, or continue to use, the patch:

Is the system environment susceptible to the problem?

A patch with a warning might not cause problems for every customer. Exposure depends on the system-use models, and whether you have any of the affected configurations. The previous screen is a good example of this situation. Unless the system is configured with greater than 32 GB of device swap and meets all the other conditions listed, the patch warning given for patch PHKL_30065 will have no impact on the system.

Is a replacement patch available, and, if so, is its HP rating acceptable for the system?

A replacement patch might be available. You can use the ITRC Patch Database to attempt to locate such a patch. Simply search using the explicit patch ID of the patch that has a warning. If there is a replacement patch, it will be displayed in the search results page. If a replacement patch exists, you must take into account its advantages and disadvantages. This includes consideration of the patch's HP rating. See “HP-UX patch ratings” (page 34).

After answering the previous two questions, you must consider the following questions in order to develop an appropriate course of action for your situation:

What is the severity of the problem associated with the patch?

If the patch is already on the system, has it caused any problems?

What is your tolerance for down time if a reboot is necessary?

What is the timing of the next maintenance window?

What are your company's system administration policies?

As a final point, if you choose to remove a patch with a warning from a system, make sure that the patch is not contained in any of the depots used for patch installations. For more information about patch depots, see Chapter 7: “Using software depots for patch management” (page 64).

Advanced topic: finding patches with warnings

HP provides the HP-UX Software Assistant (SWA) tool at no charge. SWA can perform a number of checks including published security issues, installed patches with warnings, and missing patches with critical fixes. Once an analysis has been performed, you can use SWA to download any recommended patches or patch bundles and create a depot ready for installation. For more information, see Chapter 8: “Using HP-UX Software Assistant for patch management” (page 85).

40 HP-UX patch overview

Page 39 Page 41
Image 40
Page 39 Page 41
Contents Patch Management User Guide for HP-UX 11.x Systems Revision history Table of Contents What are standard HP-UX patch bundles? Using Dynamic Root Disk for patch management 104 107HP-UX patches and patch management Patch management strategiesHow to get patches Where to startQuick start guide for patching HP-UX systems OverviewBefore you begin Should you use standard HP-UX patch bundles?Standard HP-UX patch bundles Acquiring and installing standard HP-UX patch bundlesAcquiring the bundles Installing the bundles As root, run the createdepothp-ux11scriptAdvanced topic using Dynamic Root Disk DRD SwlistAcquiring and installing individual patches Acquiring the patchesQuick start guide for patching HP-UX systems Installing the patches Swverify -d \* @ /tmp/somepatchdirectory/depotAdvanced topic using Dynamic Root Disk DRD HP-UX patch overview Patch-related conceptsPatch identification HP-UX software structurePatch bundles Software depots and patch depotsPatch status Patch stateCategory tags StateSwlist -l fileset -a state grep patchid Which patches are on a system? Swlist -l product -a categorytag patchidExamples of the swlist command For example$ swlist -l product *,c=patch $ swlist -l product *,c=manualdependencies $ swlist -l bundle @ somesystemAncestors Ancestors and supersession$ swlist -l fileset -a ancestor PHSS29183 Swlist -a appliedpatches filesetname Supersession$ swlist -a appliedpatches Xserver.AGRM Swlist -l patch -x showsupersededpatches=true Showpatches -s$ swlist -l fileset -a supersedes PHSS28681 Swlist -a patchstate -x showsupersededpatches=true patchidPatch-related attributes HP-UX Patch Supersession ChainSee Category tags Types of dependencies Patch dependenciesCorequisites and prerequisites Impact of dependencies on acquiring patches Enforced and unenforced manual dependenciesSwlist -vl fileset -a dependencytype fileset Patch rollback Patch rollback and commitmentPatch commitment Cleanup -p -c number Advanced topic patch cleanup utilityHP-UX patch ratings HP patch rating Rating detailsCritical and noncritical patches Finding information for a specific patchPatch documentation $ swlist -l product -a categorytag PHSS30011 Subset of fields in patch text file and patch details Obtaining information using the Itrc Patch warningsAdvanced topic the readme attribute Swlist -l product -a readme patchid moreCritical and noncritical warnings Questions to ask How to handle patch warningsAdvanced topic finding patches with warnings Backup and recovery ConsiderationsPatch management overview Patch management life cyclePatch management life cycle Patch management overview Establishing a software change management strategy Restrictive Conservative InnovativeRecommendations for software change management Operational factor and patch management strategy matrixConsideration of HP patch rating Patch management and software depotsProactive patching strategy Acquiring patches for proactive patchingReactive patching strategy Advanced topic HP-UX Software AssistantAdvanced topic security patching strategy Acquiring patches for reactive patchingTesting the patches to be installed Advanced topic scanning for security patchesWhat are standard HP-UX patch bundles? Key featuresStandard HP-UX patch bundles Obtaining standard HP-UX patch bundles Standard HP-UX patch bundle use and release datesQuick start guide for patching HP-UX systems Using the IT Resource Center Obtaining an Itrc user accountUseful pages on the Itrc Find individual patchesKey features Accessing the patch database and finding an individual patchClick the add to selected patch list button Using the IT Resource Center Advanced topic checking for all patch dependencies Check for patches with dependenciesUsing the IT Resource Center Click the add to selected patch list button Standard patch bundles Custom patch bundles run a patch assessmentSupport information digests Ask your peers in the forumsSearch knowledge base Using software depots for patch management Common software distributor commands for patchingDepot types Directory depotsUsing depots Tape depotsChoosing depot type and depot location Viewing depotsSwlist -l depot Swlist -l depot @ remotesystem $ swlist -l depot$ swlist -l depot @ swdepot.xyz.com Creating and adding to a directory depot Copying patches to depots Depot/patches/11.11Advanced topic HP-UX Software Assistant Registering and unregistering directory depotsCopying products with patch dependencies to depots Advanced topic access control lists Examples of registering and unregistering depots$ swreg -l depot /depot/patches/2003-07periodicdepot $ swreg -u -l depot /depot/patches/2003-07periodicdepotExamples of verifying directory depots Verifying directory depots$ swverify -d \* @ /mydepots/newdirectorydepot Verification had errors Removing software from a directory depotVerification succeeded $ swverify -d \* @ /mydepots/PHSS30278depotExecution succeeded Advanced topic removing superseded patches from a depot $ /usr/sbin/cleanup -d /mydepots/patchdepot$ swlist -l product -d @ /mydepots/patchdepot Installing patches from a depot Removing a directory depot$ swlist -l product @ /mydepots/patchdepot $ swreg -u -l depot /mydepots/PHCO27780depotReboots the system when required Examples of installing patches from a depot Analysis succeededCustom patch bundles Installing products with patch dependencies from a depotAnalysis and Execution succeeded Rev Patch description Examples of listing patches and bundlesRev Bundle Description Creating a custom bundle $ swlist -d @ /mydepots/temporarydepotAnalysis succeeded Finally, remove the temporary depot Using HP-UX Software Assistant for patch management For more informationUsing Dynamic Root Disk for patch management Drd1m Patch Assessment Tool Using the Patch Assessment ToolBenefits of the Patch Assessment Tool Example of running the Patch Assessment Tool Select upload new system information Contacting HP Support and other resourcesRelated information HP websites Typographic conventionsNon-HP websites Times Patch usage models Patch usage model 1 hardware/application software change Components in test Image Then productionDRD Begi n Product needs to be certified on HP-UX 11i v2/v3 Patch usage model 3 operating environment cold install Patch usage model 3 operating environment cold install Patch usage model 4 operating environment update Patch usage model 4 operating environment update Patch usage model 5 proactive patch Create clonePatch usage model 6 reactive patch Passed? SystemGlossary AncestorIPD SWA Index Index See also HWE Index
Top Page Image Contents