Looking for some information on Patching a Unix system and some best practices

I'm trying to do some research for a project at work and would appreciate any help that someone can provide.

I'm trying to get some help on AIX and HP-UX specifically but a lot of the info can also be generic.

I'm most familiar with Windows (go figure) so if some of my examples resemble windows info then please correct me.

I'm trying to get the following info as it relates to Unix and more specifically AIX and HP-UX Patch management:

Automated tools for patching (two that I've heard of are NIM and Jumpstart, I believe):
- Vendor name
- What format do the patches come in
- How is severity defined

For instance, in Windows, automated updates can come from Windows Update or SUS in the form of Hotfixes and Service Packs, and are defined as low, critical, important, etc.

Make sense?

I'm also trying to find out how notifications are sent out that a patch is needed for Unix. For instance, there are sites such as Cert.org, Microsoft's website for Windows, and various other sites. How is this done in Unix? Are there some key sites that all Unix administrators would visit?

At what frequency are Unix patch notifications sent out? Windows patches are usually sent out once a month, but how are Unix patches done? (This question sounds strange in my head, but I had to ask it.)

Is there any kind of program that is used to audit the machine against a known list of patches? For instance, in Windows there is the mssecure.xml file that is put out by Shavlik (HFNetChk) and by Microsoft as well. For Solaris there is the patchdiag.xref file.

Have I forgotten anything? Please point it out if I did.

I'm sure I'll have more questions but I appreciate any help I can get. Points will be awarded to all that help and I have no problem adding more points for any great information.
Thanks for all the help.


Makes no sense. UNIX is no Windows-wannabe.
JoshFinkAuthor Commented:
Thanks for the HUGE help. If you had read the question you would have known that I was just stating Windows generalizations to get my point across. If you have no help then stay out of the question.

Thank You
Patch severity rating is designed to hide away the real gory details of buggy software.
Patches come in a format suitable for tapes.
There is no automatic behind-the-scenes virus and spyware installing facility in any UNIX system.

As far as I know there are no _completely_ automated tools to select, download and install patches on Unix servers. Probably because a patch could break a badly behaved application (e.g. one using deprecated C library functions), which would be unacceptable in a production environment. So simplicity is sacrificed for control.

Unfortunately my company works on a "fix on fail" policy, so we don't do regular patching, and so I don't know as much about automating it as I should!

All the major suppliers have their own patch management tools & formats for patches.

IBM - NIM (can, I think, be used to distribute patches ["hotfixes"]), but installp is the main tool; updated packages are distributed as lpps.

Sun - Jumpstart (I think can be used to distribute patches), but patchadd is the main tool.

HP - Ignite is only intended for fresh builds; swinstall is used to install both products & patches.

For all 3 websites, you need to subscribe, but you can then get patch notifications, analysis tools, download individual patches or "bundles" etc. A valid support contract may be needed for access to some content. I'd suggest subscribing to CERT as well, so you don't miss anything.

As tfewster already pointed out, most *nix admins do NOT use auto update, for reasons such as:

    * The server can't afford the downtime.
    * Some applications might not like the patch(es).
    * A new patch might change a system configuration file, e.g. the sendmail settings.
    * Most servers are inside the firewall or have a firewall built in, or only a limited number
      of ports are open to the world.

You can go to the vendor support site to regularly check the security info, or subscribe to
the vendor support site to get automatic email alarms for security and OS patch notices.
(I get email alarms from HP and Sun.)

You can schedule your server OS patches on a regular basis and apply Jumbo patches.
(For important servers, make sure you perform a FULL backup before and after the patches.)

Automatic patching is not common for UNIX, 'cause the administrators there know what they do and they know which patches are required.
That leads us to your question: where to get the information.
E.g. each vendor has a security site which you may visit, and they inform you by newsletters, at least about critical patches.
History showed that "patching as soon as possible" is not as urgent as it is for M$ platforms.
A patch is not always required, when you can work around.
Basically you go to www.securityfocus.com and subscribe to focus-unix; that is probably the most universal way.
> Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).

Aside from the tools tfewster listed, some other tools are:
o PatchLink - this familiar tool from the Windows world also supports Unix
o HP OpenView (don't know if it does AIX)

> I'm also trying to find out how are notifications sent out that there is a patch needed for Unix.

Both HP and IBM will send you patch alerts via email. You can sign up on the itrc.hp.com and http://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

> What frequency are Unix patch notifications sent out?

HP-UX and AIX have a lot less patches/year than Windows. Notifications are sent out when the patches become available on an ad-hoc basis.

> Is there any kind of program that is used to audit the machine against a known list of patches?

PatchLink and OpenView (mentioned above) can both do this for you.
HP also has the (free) HP Security Patch Check Tool (http://software.hp.com).
I recall that IBM has a similar tool, but my memory is hazy here.
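An added example, not from any of the posters and not one of the vendor tools named above: a POSIX shell audit in the spirit of the patch-check tools this answer mentions, comparing installed AIX fileset levels (assumed to be in the colon-separated style of `lslpp -Lc`, with the fileset in field 2 and the level in field 3) against a "known good" minimum-level list. Both input files are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor tool: audit installed AIX
# filesets against a "known good" minimum-level list. Assumptions: the
# installed list is in the colon-separated style of `lslpp -Lc` (fileset in
# field 2, level in field 3); the required list is "fileset minimum_level".
# All data below is constructed sample data, not a real IBM fix list.
# level_ge A B: true (0) when dotted level A >= B, compared numerically per field.
level_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0 }'
}

# audit_filesets REQUIRED_FILE INSTALLED_FILE: print one line per fileset that
# is missing or below its minimum level; return 0 only when nothing is flagged.
audit_filesets() {
    req="$1"; inst="$2"; bad=0
    while read -r fs min; do
        case "$fs" in ""|\#*) continue ;; esac    # skip blank and comment lines
        have=$(awk -F: -v f="$fs" '$2 == f { print $3; exit }' "$inst")
        if [ -z "$have" ]; then
            echo "MISSING  $fs (need >= $min)"; bad=$((bad + 1))
        elif ! level_ge "$have" "$min"; then
            echo "OUTDATED $fs installed $have, need >= $min"; bad=$((bad + 1))
        fi
    done < "$req"
    [ "$bad" -eq 0 ]
}

# Constructed sample input (stands in for a vendor fix list and lslpp output).
REQ=$(mktemp); INST=$(mktemp); trap 'rm -f "$REQ" "$INST"' EXIT
cat > "$REQ" <<'EOF'
# fileset             minimum level
bos.rte.libc          5.3.0.50
bos.net.tcp.client    5.3.0.40
openssh.base.server   4.7.0.5301
EOF
cat > "$INST" <<'EOF'
#Package Name:Fileset:Level:State:Description
bos:bos.rte.libc:5.3.0.45:C:libc Library
bos.net:bos.net.tcp.client:5.3.0.40:C:TCP/IP Client Support
EOF
audit_filesets "$REQ" "$INST" || echo "system does not meet the required list"
```

On a real system the installed list would come from `lslpp -Lc` output saved to a file, and the required list from whatever fix list the vendor or your own baseline provides.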
JoshFinkAuthor Commented:
Thanks so much for all the answers. They are all very helpful. Now I've got to research all this and digest it.

For AIX those tools are renamed on a version basis.
You can fetch the latest ML cluster, and some hotfixes, from ftp.software.ibm.com IF they solve a problem.