Looking for some information on Patching a Unix system and some best practices

Posted on 2005-03-05
Medium Priority
Last Modified: 2013-12-06
I'm trying to do some research for a project at work and would appreciate any help that someone can provide.

I'm trying to get some help on AIX and HP-UX specifically but a lot of the info can also be generic.

I'm most familiar with Windows (go figure) so if some of my examples resemble windows info then please correct me.

I'm trying to get the following info as it relates to Unix and more specifically AIX and HP-UX Patch management:

Automated Tools for Patching (Two that I've heard of are NIM and JumpStart -- I believe).
-Vendor Name
-What format do the patches come in
-How is severity defined

for instance, in Windows, automated updates can come from Windows Update or SUS in the form of Hotfixes and Service Packs, and are defined as low, critical, important, etc.

Make sense?

I'm also trying to find out how are notifications sent out that there is a patch needed for Unix. For instance there are sites such as Cert.org, Microsoft's website for windows, and various other sites. How is this done in Unix? Are there some key sites that all Unix administrators would visit?

What frequency are Unix patch notifications sent out? Windows patches are usually sent out once a month but how are Unix patches done? (this question sounds strange in my head, but I had to ask it).

Is there any kind of program that is used to audit the machine against a known list of patches? For instance, in windows there is the mssecure.xml that is put out by Shavlik (HFNetChk) and by Microsoft as well. For Solaris there is the patchdiag.xref file.

Have I forgotten anything? Please point it out if I did.

I'm sure I'll have more questions but I appreciate any help I can get. Points will be awarded to all that help and I have no problem adding more points for any great information.
Thanks for all the help

Question by:JoshFink
LVL 62

Expert Comment

ID: 13470119
Makes no sense. UNIX is no Windows-wannabe.

Author Comment

ID: 13470473
Thanks for the HUGE help. If you would have read the question you would have known that I was just stating windows generalizations to get my point across. If you have no help then stay out of the question.

Thank You
LVL 62

Expert Comment

ID: 13471231
Patch severity rating is designed to hide away the real gory details of buggy software.
Patches come in a format suitable for tapes.
There is no automatic behind-the-scenes virus and spyware installing facility in any UNIX system.
LVL 21

Accepted Solution

tfewster earned 2000 total points
ID: 13471469
As far as I know there are no _completely_ automated tools to select, download and install patches on Unix servers. Probably because a patch could break a badly behaved application (e.g. one using deprecated C library functions), which would be unacceptable in a production environment. So simplicity is sacrificed for control.

Unfortunately my company works on a "fix on fail" policy, so we don't do regular patching - And so I don't know as much about automating it as I should!

All the major suppliers have their own patch management tools & formats for patches.

IBM - NIM (can, I think, be used to distribute patches ["Hotfixes"]), but installp is the main tool; updated packages are distributed as lpps.

Sun - Jumpstart (I think it can be used to distribute patches, but patchadd is the main tool).

HP - Ignite is only intended for fresh builds; swinstall is used to install both products & patches.

For all 3 websites you need to subscribe, but you can then get patch notifications, analysis tools, download individual patches or "bundles" etc. A valid support contract may be needed for access to some content. I'd suggest subscribing to CERT as well, so you don't miss anything.
LVL 38

Expert Comment

ID: 13472900
As tfewster already pointed out, most *nix admins do NOT use auto update, for several reasons:

    * The server can't afford the downtime.
    * Some applications might not like the patch(es).
    * A new patch might change a system configuration file, e.g. the sendmail settings.
    * Most servers are inside a firewall or have a firewall built in, or only a limited number
       of ports are open to the world.

You can go to the vendor support site to regularly check the security info, or subscribe to
the vendor support site to get automatic email alerts for security and OS patch notices.
(I get email alerts from HP and Sun.)

You can schedule your server OS patches on a regular basis and apply Jumbo patches.
(For important servers, make sure you perform a FULL backup before and after the patches.)

LVL 51

Expert Comment

ID: 13474350
automatic patching is not common for UNIX, 'cause the administrators there know what they do and they know which patches are required
that leads us to your question: where to get the information
e.g. each vendor has a security site which you may visit, and they inform you by newsletters, at least about critical patches
History showed that "patching as soon as possible" is not as urgent as it is for M$ platforms.
LVL 62

Expert Comment

ID: 13475872
A patch is not always required, when you can work around.
Basically you go to www.securityfocus.com and subscribe to focus-unix, that is probably the most universal way
LVL 14

Expert Comment

ID: 13476805
> Automated Tools for Patching (Two that I've heard of are Nim and Jumpstart -- I believe).

Aside from the tools tfewster mentioned, some other tools are:
o PatchLink - this familiar tool from the Windows world also supports Unix
o HP OpenView (don't know if it does AIX)

> I'm also trying to find out how are notifications sent out that there is a patch needed for Unix.

Both HP and IBM will send you patch alerts via email. You can sign up on the itrc.hp.com and http://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

> What frequency are Unix patch notifications sent out?

HP-UX and AIX have a lot less patches/year than Windows. Notifications are sent out when the patches become available on an ad-hoc basis.

> Is there any kind of program that is used to audit the machine against a known list of patches?

Patchlink and Openview (mentioned above) both can do this for you.
HP also has the (free) HP Security Patch Check Tool (http://software.hp.com)
I recall that IBM has a similar tool, but my memory is hazy here.
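Added example, not part of the original thread or any vendor tool: a minimal version of what a "known patch list" audit does on HP-UX, of the kind the HP Security Patch Check tool performs with a real catalog from HP. It assumes `swlist -l patch` prints one installed patch per line with the patch ID (PHCO_/PHKL_/PHNE_/PHSS_nnnnn) in the first column; the listing, the "required" bulletin list, the supersession pairs and every patch ID below are constructed sample data, not real patches. The supersession step is the part a plain list diff gets wrong: on HP-UX a required patch may be satisfied by a newer patch that replaced it, so an ID that is absent from the installed list is not necessarily missing.

```shell
#!/bin/sh
# Added example (not from the thread): audit installed HP-UX patch IDs against a
# required list, honouring patch supersession. All data below is constructed.

# Extract patch IDs from `swlist -l patch`-style output on stdin (assumed format:
# ID in the first column; "#" status lines are dropped because they don't match).
hpux_patch_ids() {
    awk '$1 ~ /^PH(CO|KL|NE|SS)_[0-9][0-9]*$/ { print $1 }'
}

# missing_patches REQUIRED INSTALLED [SUPERSEDES]
#   REQUIRED   one required patch ID per line (blank lines and "#" comments ignored)
#   INSTALLED  one installed patch ID per line (e.g. output of hpux_patch_ids)
#   SUPERSEDES optional "OLD NEW" pairs: NEW replaced OLD, so OLD counts as present
#              whenever NEW (or something that replaced NEW) is installed
# Prints each required ID that is neither installed nor superseded by an installed one.
missing_patches() {
    req=$1; inst=$2; sup=${3:-/dev/null}
    awk '
        FILENAME == ARGV[1] { installed[$1] = 1; next }          # INSTALLED
        FILENAME == ARGV[2] { if (NF >= 2) newer[$1] = $2; next } # SUPERSEDES
        $1 == "" || $1 ~ /^#/ { next }                            # REQUIRED: skip noise
        {
            # walk the supersession chain; bounded so bad data with a cycle cannot hang
            id = $1; ok = 0
            for (i = 0; i < 50 && id != ""; i++) {
                if (id in installed) { ok = 1; break }
                id = (id in newer) ? newer[id] : ""
            }
            if (!ok) print $1
        }
    ' "$inst" "$sup" "$req"
}

# Runs the check on constructed data and prints the IDs still missing.
run_demo() {
    dir=$(mktemp -d) || return 1
    # Constructed swlist-style listing; IDs and descriptions are made up.
    cat > "$dir/swlist.out" <<'EOF'
# Initializing...
# Target:  hostA:/
  PHCO_12345    1.0   constructed commands patch
  PHKL_23456    1.0   constructed kernel patch
  PHNE_34567    1.0   constructed networking patch
EOF
    hpux_patch_ids < "$dir/swlist.out" > "$dir/installed"
    # Constructed "bulletin" list: one directly installed, one superseded twice over,
    # one genuinely missing, one installed, plus a comment and a blank line.
    cat > "$dir/required" <<'EOF'
# patches named in the (constructed) bulletin
PHCO_12345
PHKL_11111

PHSS_45678
PHNE_34567
EOF
    cat > "$dir/supersedes" <<'EOF'
PHKL_11111 PHKL_22222
PHKL_22222 PHKL_23456
EOF
    missing_patches "$dir/required" "$dir/installed" "$dir/supersedes"
    rm -rf "$dir"
}

# Stand-alone run: only PHSS_45678 should be reported.
run_demo
```

On a real host you would replace the constructed listing with `swlist -l patch | hpux_patch_ids`, and take the required list and supersession pairs from the vendor bulletin or catalog rather than typing them by hand; the vendor tool is still the authority, since it also knows about patch warnings and dependencies that this list comparison ignores.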

Author Comment

ID: 13481362
Thanks so much for all the answers. They are all very helpful.  Now I've got to research all this and digest it.

LVL 62

Expert Comment

ID: 13484873
For AIX those tools are renamed on a version basis.
You can fetch the latest ML cluster, and some hotfixes, from ftp.software.ibm.com IF they solve a problem

