HP UX Patch Management manual Advanced topic security patching strategy

Page 50

Reactive patching has some important disadvantages as compared with proactive patching. The process of identifying a problem fix can be made more difficult as your system falls further behind the most recent patch levels available. In addition, the required patch will likely contain much more new content than if you had performed frequent proactive updates. You might also find it difficult to perform adequate testing in reactive patching situations, and this could lead to the introduction of additional problems.

Acquiring patches for reactive patching

The easiest way to identify your required patch is to call the HP Response Center. This works only if you have the appropriate support contract. Alternatively, you can carefully research the problem using resources such as the ITRC. The ITRC's self-solve tools, such as the search knowledge base link, can help with that query. For more information, see Chapter 6: “Using the IT Resource Center” (page 55).

Next, using the ITRC Patch Database, you must identify the patches needed to resolve the problem. For reactive patch management, patch acquisition and installation should be strictly limited to the smallest set of patches believed to provide a solution to a current system problem. Do not use the unplanned down time as an opportunity to make unrelated changes. This is especially true for mission-critical systems.

Once you know what patches are needed to solve the problem, you must determine when to patch your system. In making this decision, you should consider the following factors:

Severity of the problem

Frequency of occurrence

Availability of system down time for patching

Follow these steps to patch your system reactively:

1. Isolate the problem and identify the patches with the highest HP rating that represent a potential fix.

2. Acquire the needed patches and any patches needed to satisfy dependencies.

3. If you have a patch depot, add these patches to it and use this as a test base.

4. Test the patch. In some cases the problem is so serious (such as when a critical system is down) that you might need to omit the test step. This is especially true if it takes a long time to replicate the problem, or if the configuration is difficult to replicate. If you choose to omit testing, do so only with the knowledge of the risks you might incur.

5. Determine a suitable time to install the patches.

6. Install the patches.
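Steps 1 to 6 as a small POSIX sh helper, added here as an example and not part of the HP-UX guide: it parses the output of `swlist -l product '*,c=patch'` to drop patches that are already installed, leaving only the minimal set that must be pulled from the test depot, and builds the preview `swinstall` run. The swlist listing, the patch IDs and the depot path are constructed for the example; on a live host the listing comes from swlist itself.

```shell
#!/bin/sh
# Constructed sample of what `swlist -l product '*,c=patch'` prints on an
# HP-UX target (SD-UX output shape; patch IDs and descriptions are made up).
SWLIST_OUT='# Initializing...
# Contacting target "hostA"...
#
# Target:  hostA:/
#
  PHCO_11111   1.0   libc cumulative patch
  PHKL_22222   1.0   kernel fix
  PHSS_33333   1.0   X server patch'

# The fix identified in step 1 plus the dependencies acquired in step 2
# (constructed IDs); this is the whole scope of the reactive change.
REQUIRED="PHKL_22222 PHNE_44444 PHSS_55555"

# installed_patches: read swlist output on stdin and print one patch ID per
# line, skipping the '#' progress/comment lines SD-UX emits.
installed_patches() {
    awk '!/^#/ && $1 ~ /^PH(CO|KL|NE|SS)_[0-9]+$/ { print $1 }'
}

# missing_patches "ID ID ...": with swlist output on stdin, print only the
# required patches that are not already installed. Anything already present
# is dropped so the install stays limited to the smallest set that fixes the
# problem, as the reactive strategy requires.
missing_patches() {
    installed=$(installed_patches)
    for p in $1; do
        if ! printf '%s\n' "$installed" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# install_cmd DEPOT ID...: build the swinstall line that pulls exactly those
# patches from the test depot of step 3. -p is preview (analysis only), so the
# real install after testing is a deliberate second run without -p;
# autoreboot=true lets SD-UX reboot when a kernel patch needs it.
install_cmd() {
    depot=$1
    shift
    printf 'swinstall -p -x autoreboot=true -s %s %s\n' "$depot" "$*"
}

# On a real host replace the sample with a pipe from swlist itself:
#   swlist -l product '*,c=patch' | missing_patches "$REQUIRED"
todo=$(printf '%s\n' "$SWLIST_OUT" | missing_patches "$REQUIRED")
install_cmd /depots/reactive-fix $todo   # unquoted on purpose: one arg per ID
```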

If you have multiple, similarly configured systems and you need to patch one of them reactively, consider patching the remaining systems as soon as it is reasonably possible. It is likely that your other systems will suffer the same problem at some future point. Additionally, there are benefits to maintaining the same patch level on similar systems.

Advanced topic: security patching strategy

Security patching requires both urgency and a need to be proactive. It does not fit neatly into the proactive or reactive patching strategies. At times, you might need to apply security patches proactively prior to the next scheduled patch installation maintenance window.

When you use the ITRC to acquire patches, it is safe practice to obtain patches listed as recommended. Because of the urgency associated with security fixes, there are many instances when a security patch is too new to have this rating. However, many customers give a new security fix priority over an older patch recommended by the ITRC. Because most patches that fix a security problem fix only a single problem, this practice is not as risky as it might seem.

50 Patch management overview
