JoshFink asked:
Looking for some information on Patching a Unix system and some best practices

I'm trying to do some research for a project at work and would appreciate any help that someone can provide.

I'm trying to get some help on AIX and HP-UX specifically but a lot of the info can also be generic.

I'm most familiar with Windows (go figure) so if some of my examples resemble windows info then please correct me.

I'm trying to get the following info as it relates to Unix and more specifically AIX and HP-UX Patch management:

Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).
-Vendor Name
-What format do the patches come in
-How is severity defined

For instance, in Windows, automated updates can come from Windows Update or SUS in the form of Hotfixes and Service Packs, and are defined as low, critical, important, etc.

Make sense?

I'm also trying to find out how are notifications sent out that there is a patch needed for Unix. For instance there are sites such as Cert.org, Microsoft's website for windows, and various other sites. How is this done in Unix? Are there some key sites that all Unix administrators would visit?

What frequency are Unix patch notifications sent out? Windows patches are usually sent out once a month but how are Unix patches done? (this question sounds strange in my head, but I had to ask it).

Is there any kind of program that is used to audit the machine against a known list of patches? For instance, in windows there is the mssecure.xml that is put out by Shavlik (HFNetChk) and by Microsoft as well. For Solaris there is the patchdiag.xref file.

Have I forgotten anything? Please point it out if I did.

I'm sure I'll have more questions but I appreciate any help I can get. Points will be awarded to all that help and I have no problem adding more points for any great information.
 
Thanks for all the help

Josh
gheist:
Makes no sense. UNIX is no Windows-wannabe.
JoshFink (ASKER):

Thanks for the HUGE help. If you had read the question you would have known that I was just stating Windows generalizations to get my point across. If you have no help then stay out of the question.

Thank You
gheist:

Patch severity rating is designed to hide away the real gory details of buggy software.
Patches come in a format suitable for tapes.
There is no automatic behind-the-scenes virii and spyware installing facility in any UNIX system.
ASKER CERTIFIED SOLUTION
tfewster:

yuzh:

As tfewster already pointed out, most *nix admins do NOT use auto update, for several
reasons:

    * Server can't afford the down time.
    * Some applications might not like the patch(es).
    * A new patch might change a system configuration file, e.g. the sendmail settings.
    * Most servers are inside the firewall or have a firewall built in, or only a limited number
      of ports are open to the world.

You can go to the vendor support site to regularly check the security info, or subscribe to
the vendor support site to get automatic email alerts for security and OS patch notices.
(I get email alerts from HP and Sun).

You can schedule your server OS patches on a regular basis and apply Jumbo patches.
(For important servers, make sure you perform a FULL backup before and after the patches).

Automatic patching is not common for UNIX, 'cause the administrators there know what they do and they know which patches are required.
That leads us to your question: where to get the information.
E.g. each vendor has a security site which you may visit, and they inform you by newsletters, at least about critical patches.
History showed that "patching as soon as possible" is not as urgent as it is for M$ platforms.
A patch is not always required when you can work around.
Basically you go to www.securityfocus.com and subscribe to focus-unix, that is probably the most universal way.
> Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).

Aside from the tools tfewster mentioned, some other tools are:
o PatchLink - this familiar tool from the Windows world also supports Unix
o HP OpenView (don't know if it does AIX)

> I'm also trying to find out how are notifications sent out that there is a patch needed for Unix.

Both HP and IBM will send you patch alerts via email. You can sign up on the itrc.hp.com and http://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

> What frequency are Unix patch notifications sent out?

HP-UX and AIX have far fewer patches per year than Windows. Notifications are sent out on an ad-hoc basis, when the patches become available.

> Is there any kind of program that is used to audit the machine against a known list of patches?

Patchlink and Openview (mentioned above) both can do this for you.
HP also has the (free) HP Security Patch Check Tool (http://software.hp.com)
I recall that IBM has a similar tool, but my memory is hazy here.
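As an added illustration of the audit step discussed in this answer (not code from the thread or from any of the vendor tools named), a small POSIX sh script that compares a host's installed patch list against a required-patch baseline, which is the core of what a patch-audit tool does. The patch IDs and the installed-list text are constructed stand-ins for what `swlist -l patch` (HP-UX) or `lslpp -L` / `instfix` (AIX) would report on a real host.

```shell
#!/bin/sh
# Added example: audit installed patches against a required-patch baseline.
# All patch IDs here are constructed placeholders, not real HP-UX or AIX patches.

# Constructed stand-in for "ID  description" lines as produced by e.g. `swlist -l patch`.
INSTALLED='PHSS_00001  constructed kernel patch
PHKL_00002  constructed libc patch
PHNE_00003  constructed network patch'

# Constructed baseline: the patch IDs site policy says must be present on every host.
REQUIRED='PHSS_00001
PHKL_00002
PHNE_00004
PHCO_00005'

# Print the required patch IDs that are absent from the installed list, one per line,
# sorted so that output is stable and diffable between audit runs.
# $1: required list (newline-separated IDs); $2: installed list (ID is the first field).
missing_patches() {
    installed_ids=$(printf '%s\n' "$2" | awk 'NF { print $1 }' | sort -u)
    printf '%s\n' "$1" | sort -u | while IFS= read -r id; do
        [ -n "$id" ] || continue
        printf '%s\n' "$installed_ids" | grep -qx -- "$id" || printf '%s\n' "$id"
    done
}

# Number of missing patches; a non-zero value is what a monitoring check would alert on.
missing_count() {
    missing_patches "$1" "$2" | wc -l | tr -d ' '
}

# Example run against the constructed data: lists PHCO_00005 and PHNE_00004.
echo "Missing patches: $(missing_count "$REQUIRED" "$INSTALLED")"
missing_patches "$REQUIRED" "$INSTALLED"
```

On a real host the constructed `INSTALLED` text would be replaced by the output of the platform's own inventory command, and `REQUIRED` by the vendor's current security-patch list.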
JoshFink (ASKER):

Thanks so much for all the answers. They are all very helpful. Now I've got to research all this and digest it.

Josh
For AIX those tools are renamed on a version basis.
You can fetch the latest ML cluster, and some hotfixes, from ftp.software.ibm.com IF they solve a problem.