  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524

Looking for some information on Patching a Unix system and some best practices

I'm trying to do some research for a project at work and would appreciate any help that someone can provide.

I'm trying to get some help on AIX and HP-UX specifically but a lot of the info can also be generic.

I'm most familiar with Windows (go figure) so if some of my examples resemble windows info then please correct me.

I'm trying to get the following info as it relates to Unix and more specifically AIX and HP-UX Patch management:

Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).
-Vendor Name
-What format do the patches come in
-How is severity defined

For instance, in Windows, automated updates can come from Windows Update or SUS in the form of Hotfixes and Service Packs, and are defined as low, critical, important, etc.

Make sense?

I'm also trying to find out how are notifications sent out that there is a patch needed for Unix. For instance there are sites such as Cert.org, Microsoft's website for windows, and various other sites. How is this done in Unix? Are there some key sites that all Unix administrators would visit?

What frequency are Unix patch notifications sent out? Windows patches are usually sent out once a month but how are Unix patches done? (this question sounds strange in my head, but I had to ask it).

Is there any kind of program that is used to audit the machine against a known list of patches? For instance, in windows there is the mssecure.xml that is put out by Shavlik (HFNetChk) and by Microsoft as well. For Solaris there is the patchdiag.xref file.

Have I forgotten anything? Please point it out if I did.

I'm sure I'll have more questions but I appreciate any help I can get. Points will be awarded to all that help and I have no problem adding more points for any great information.
 
Thanks for all the help

Josh
0
 
gheist commented:
Makes no sense. UNIX is no Windows-wannabe.
0
 
JoshFink (Author) commented:
Thanks for the HUGE help. If you would have read the question you would have known that I was just stating windows generalizations to get my point across. If you have no help then stay out of the question.

Thank You
0
 
gheist commented:
Patch severity rating is designed to hide away real gory details of buggy software.
Patches come in format suitable for tapes.
There is no automatic behind-the-scenes virii and spyware installing facility in any UNIX system.
0
 
tfewster commented:
As far as I know there are no _completely_ automated tools to select, download and install patches on Unix servers. Probably because a patch could break a badly behaved application (e.g. one using deprecated C library functions), which would be unacceptable in a production environment. So simplicity is sacrificed for control.

Unfortunately my company works on a "fix on fail" policy, so we don't do regular patching - And so I don't know as much about automating it as I should!

All the major suppliers have their own patch management tools & formats for patches.

IBM - NIM (Can, I think, be used to distribute patches ["Hotfixes"]), but installp is the main tool; Updated packages are distributed as lpps.
http://www-1.ibm.com/servers/eserver/support/pseries/ 

Sun - Jumpstart (I think it can be used to distribute patches), but patchadd is the main tool.
http://sunsolve.sun.com/pub-cgi/show.pl?target=home

HP - Ignite is only intended for fresh builds; swinstall is used to install both products & patches
http://itrc.hp.com

For all 3 websites, you need to subscribe, but you can then get patch notifications, analysis tools, download individual patches or "bundles" etc. A valid support contract may be needed for access to some content.  I'd suggest subscribing to CERT as well, so you don't miss anything.
0
 
yuzh commented:
As tfewster already pointed out, most *nix admins do NOT use auto update, for several
reasons:

    * The server can't afford the down time.
    * Some applications might not like the patch(es).
    * A new patch might change a system configuration file, e.g. the sendmail settings.
    * Most servers are inside the firewall or have a firewall built in, or only a limited number
       of ports are open to the world.

You can go to the vendor support site to regularly check the security info, or subscribe to
the vendor support site to get automatic email alerts for security and OS patch notices.
( I get email alarm from HP and Sun).

You can schedule your server OS patches on a regular basis and apply Jumbo patches.
(For important servers, make sure you perform a FULL backup before and after the patches.)

0
 
ahoffmann commented:
Automatic patching is not common for UNIX, 'cause the administrators there know what they do and they know which patches are required.
That leads us to your question: where to get the information.
E.g. each vendor has a security site which you may visit, and they inform you by newsletters, at least about critical patches.
History has shown that "patching as soon as possible" is not as urgent as it is for M$ platforms.
0
 
gheist commented:
A patch is not always required, when you can work around.
Basically you go to www.securityfocus.com and subscribe to focus-unix; that is probably the most universal way.
0
 
chris_calabrese commented:
> Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).

Aside from the tools tfewster mentioned, some other tools are:
o PatchLink - this familiar tool from the Windows world also supports Unix
o HP OpenView (don't know if it does AIX)

> I'm also trying to find out how are notifications sent out that there is a patch needed for Unix.

Both HP and IBM will send you patch alerts via email. You can sign up on the itrc.hp.com and http://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

> What frequency are Unix patch notifications sent out?

HP-UX and AIX have a lot less patches/year than Windows. Notifications are sent out when the patches become available on an ad-hoc basis.

> Is there any kind of program that is used to audit the machine against a known list of patches?

Patchlink and Openview (mentioned above) both can do this for you.
HP also has the (free) HP Security Patch Check Tool (http://software.hp.com)
I recall that IBM has a similar tool, but my memory is hazy here.
0
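The auditing question above ("audit the machine against a known list of patches") comes down to comparing two lists: the patch identifiers a vendor bulletin says must be present and the identifiers actually installed on the host. The script below is an added example written for this page; it is not code from the thread, from PatchLink, OpenView or the HP Security Patch Check Tool. Both sample lists are constructed, and the commands named in the comments for producing a real inventory (swlist, instfix, lslpp, showrev) exist, but the one-identifier-per-line extraction around them is an assumption you should check against your own system's output.

```shell
#!/bin/sh
# Added example (not from this thread or any vendor tool): audit a host's
# installed patch inventory against a list of required patch identifiers.
#
# Both inputs are plain text, one identifier per line, so the same function
# works whatever command produced the inventory. Assumed ways to build the
# installed list on a real host (commands are real, the field extraction is
# an assumption to verify locally):
#   HP-UX   : swlist -l patch | awk '$1 ~ /^PH/ {print $1}'
#   AIX     : instfix -i        (APAR numbers), or lslpp -Lc for filesets
#   Solaris : showrev -p | awk '{print $2}'
#
# Usage on a real host (example, not run here):
#   missing_patches "$(cat bulletin_ids.txt)" "$(swlist -l patch | awk '$1 ~ /^PH/ {print $1}')"

# Constructed sample inventory standing in for a real host's installed patches.
INSTALLED_SAMPLE='PHSS_30000
PHCO_29000
PHKL_28000
'

# Constructed list of identifiers a (hypothetical) security bulletin requires.
REQUIRED_SAMPLE='PHSS_30000
PHSS_31000
PHKL_28000
PHNE_27000
'

# missing_patches REQUIRED INSTALLED
# Prints, one per line and in bulletin order, every identifier in REQUIRED
# that does not appear in INSTALLED. Blank lines are ignored. The comparison
# is an exact whole-line match: no supersedence logic, so a newer patch that
# replaces a required one still shows up as missing and must be reviewed by hand.
missing_patches() {
    required=$1
    installed=$2
    printf '%s\n' "$required" | while IFS= read -r id; do
        [ -z "$id" ] && continue
        if ! printf '%s\n' "$installed" | grep -qxF -- "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# count_missing REQUIRED INSTALLED
# Prints the number of missing identifiers (0 when the host is compliant).
# awk is used instead of wc -l so the output has no leading whitespace.
count_missing() {
    missing_patches "$1" "$2" | awk 'END { print NR }'
}

# Demo run over the constructed samples.
echo "Missing patches on sample host:"
missing_patches "$REQUIRED_SAMPLE" "$INSTALLED_SAMPLE"
echo "Total missing: $(count_missing "$REQUIRED_SAMPLE" "$INSTALLED_SAMPLE")"
```

Because the comparison is exact, the script deliberately errs on the side of reporting too much: a patch that has been superseded by a later one will be listed as missing, which is the safe failure mode for a compliance check. Wire it to cron on each host and diff the output against the previous run to get a cheap notification that a new bulletin has left the host out of compliance.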
 
JoshFink (Author) commented:
Thanks so much for all the answers. They are all very helpful. Now I've got to research all this and digest it.

Josh
0
 
gheist commented:
For AIX those tools are renamed on version basis.
You can fetch latest ML cluster, and some hotfixes from ftp.software.ibm.com IF they solve a problem
0
