HP-UX Patch Management manual: Testing the patches to be installed

Page 51

Advanced topic: scanning for security patches

You can use the SWA Tool to identify security patches for installation. This tool also identifies patches that have associated warnings. For more information about SWA, see Chapter 8: “Using HP-UX Software Assistant for patch management” (page 85).

Testing the patches to be installed

The single most important action that can ensure the success of a software patch is to first test the changes in a nonproduction environment. Every environment is unique, and patch testing can uncover potential problems unique to the environment in which the patches will be installed. If you test thoroughly, you can reduce the chance of encountering problems with new patches.

The level of testing you perform depends in part on the patch management strategy you choose. For example, because proactive patching involves installing patches before a problem occurs, it allows more time than reactive patching to complete a sufficient level of patch testing.

HP subjects all General Release (GR) and Special Release (SR) patches to extensive testing. See Chapter 3: “HP-UX patch overview” (page 17) for more information about GR and SR patches. However, it is impossible to test all permutations of all patches on all hardware configurations. Therefore, prior to deploying the patches on production systems, you should test the set of patches you intend to install in a test environment that closely simulates the production configuration. Even if you are deploying a standard HP-UX patch bundle, you should still perform testing. Deploying any patch without first testing it in a test environment increases a system's exposure to risk.

The following is an outline of a basic patch test scenario:

1. The patches to be installed are identified and acquired.

2. The acquired patches are installed on a test system and tested to a standard that your organization considers acceptable. Many organizations break this step into multiple levels of testing to accomplish distinct goals. If testing produces unsatisfactory results, you must investigate and identify the root cause of the problem before proceeding.

3. The tested patches are installed on production systems.

The success of your testing approach relies heavily on how closely the configuration of the test environment matches the configuration of the production systems on which the tested patches will be installed. Within hardware limits, it is a best practice to duplicate the production environment as closely as possible.

Ideally, you have a test system that is identical to the production system on which patches are to be installed, and you have sufficient time available to test all patches prior to deploying them. This situation allows you to perform very effective testing to verify that the patches to be installed will not result in unexpected or undesirable system behavior.
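One practical way to check how closely a test system matches production is to compare the product inventories the two hosts report. The following script is an added example, not from the HP manual: it parses the layout of `swlist -l product` output (name, revision, title per line, with `#` banner lines) and reports products missing, extra, or at a different revision on the test host. The two inventories embedded below are constructed samples with made-up patch identifiers.

```python
# Constructed sample output in the `swlist -l product` layout (one product
# per line: NAME  REVISION  TITLE; lines beginning with '#' are banner text).
PRODUCTION_SWLIST = """\
# Target:  prod01:/
  OS-Core        B.11.11   Core Operating System
  PHCO_12345     1.0       libc cumulative patch
  PHKL_23456     1.0       kernel cumulative patch
  PHSS_34567     1.0       X server cumulative patch
"""

TEST_SWLIST = """\
# Target:  test01:/
  OS-Core        B.11.11   Core Operating System
  PHCO_12345     1.0       libc cumulative patch
  PHKL_23456     1.1       kernel cumulative patch
  PHNE_45678     1.0       networking cumulative patch
"""

def parse_swlist(text):
    """Return {product_name: revision} parsed from swlist -l product output."""
    products = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # banner or comment line, carries no product data
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue  # malformed line: skip rather than guess a revision
        products[fields[0]] = fields[1]
    return products

def configuration_drift(production_text, test_text):
    """Describe how the test host's inventory differs from production's."""
    prod = parse_swlist(production_text)
    test = parse_swlist(test_text)
    return {
        "missing_on_test": sorted(set(prod) - set(test)),
        "extra_on_test": sorted(set(test) - set(prod)),
        "revision_mismatch": sorted(
            name for name in prod.keys() & test.keys()
            if prod[name] != test[name]),
    }

def inventories_match(production_text, test_text):
    """True only when the two inventories are identical, name and revision."""
    return not any(configuration_drift(production_text, test_text).values())

if __name__ == "__main__":
    for kind, names in configuration_drift(PRODUCTION_SWLIST, TEST_SWLIST).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Any non-empty category in the report is a gap between the test and production configurations that weakens the value of the test results for that patch set.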

Many customers have a two- or three-tiered approach to testing. Patches are initially installed on a system that is often referred to as the development system. These types of systems are used for local development. In a three-tiered system, after certain organization-specific rules have been met, the patches are installed on another system that is often referred to as the test system. The patches must then meet another set of organization-specific rules. For example, many customers require that the patches be installed on the test system for some specified period of time with no problems. The amount of time varies widely and can be as short as a week. However, for many customers, one to three months is considered a reasonable time frame for testing. Once these rules have been satisfied, the patches are installed on one or more production systems. Customers who initially install the patches on only a subset of their production systems typically monitor these systems for several weeks prior to installing the patches on the remaining production systems. For reactive patching, the longer testing time frames are usually not reasonable and a stripped-down approach to testing is usually required.
