NAME
CheckPatches - check patches against vendor recommendations
SYNOPSIS
CheckPatches [ -fvh ][ -s site ][ -u user ][ -d directory ]
DESCRIPTION
Sun Microsystems regularly publishes a patch report for supported
Solaris releases - at this writing the report is
updated twice a month. The patch report is available by
anonymous ftp and is organized into Security, Recommended
and Y2K Patches. It is a fundamental security principle that
systems which have all the patches installed will be more
secure than those that do not.
CheckPatches is a simple tool to assist in patch management
on Solaris systems. It will retrieve the appropriate Solaris
patch report (if required or requested) and analyses the
output of the showrev(1m) command to determine the patches
that you ought to apply. Patches can then be retrieved and
installed with a tool like GetApplyPatch(8).
Since patch reports will often list patches that cannot
apply to your system (e.g. a patch for hardware drivers or
packages that you do not have) an Exception file can be used
to list patches that should be ignored. See the examples
below and the section on Files.
You might prefer the vendor supported patchdiag(1m) tool but
you'll need a support contract.
OPTIONS
Usually no special arguments beyond the fetch option are
required. Sites with a local mirror, or sites that must use
an ftp proxy will require these options:
-h help -- displays usage guide.
-v verbose mode -- be noisy.
-f fetch the Solaris patch report from sunsolve
(or the site specified). CheckPatches will
fetch a patch report if none is found in the
current working directory. Beware: the patch
report normally is not fetched unless you
explicitly ask for it.
-s site specifies an alternative ftp site -- the
default is "sunsolve.sun.com". This is useful
if you have a local mirror of sunsolve or
if you need to connect through an ftp proxy.
-u user specifies an alternative login id for the
anonymous ftp site -- the default is "ftp".
This is useful if you have an ftp proxy you
connect through -- e.g. "anonymous@proxy"
might be required to get through a proxy.
-d directory specifies the directory at the ftp site
where you expect to find vendor patches --
the default is "/pub/patches". This is useful
if you have a local mirror but a different
directory structure.
EXAMPLES
On a system with several missing patches CheckPatches might
report something like this when the patch report is fetched:
[12:00pm wally] CheckPatches -f
Missing Security Patches for Solaris2.6
105403-03 SunOS 5.6: ypbind/ypserv patch
Missing Recommended Patches for Solaris2.6
105357-04 SunOS 5.6: /kernel/drv/ses patch
105403-03 SunOS 5.6: ypbind/ypserv patch
105529-10 SunOS 5.6: /kernel/drv/tcp patch
105580-16 SunOS 5.6: /kernel/drv/glm patch
105703-24 CDE 1.2: dtlogin patch
106646-03 SNC 3.2: rpc.pcnfsd has security problem ...
Missing Y2000 Patches for Solaris2.6
107492-01 SunOS 5.6: Y2000, runacct cannot update ...
108667-03 CDE 1.2: perfmeter is not Y2K compliant ...
For more information see 'Solaris2.6.PatchReport'
Note that the patch report, in the example
'Solaris2.6.PatchReport', will contain lots more information.
CheckPatches has fetched the report and summarized
things for you.
If you have determined that none of the patches reported
apply to your system then you should update your Exceptions
file:
[1:00pm wally] CheckPatches >> Solaris2.6.PatchReport.Except
CheckPatches will not report that a patch is missing if that
patch number (the minor version number does not matter) is
listed in the Exceptions file. It's safe to assume, for
example, that if patch 105403-01 isn't applicable then
105403-02 and on aren't applicable either. You should exercise
caution when constructing an Exceptions file.
On a system with no missing patches the report will be something
like this:
[1:01pm wally] CheckPatches
OK: patch level
BUGS/BEWARE
CheckPatches uses the patch report found in the current
working directory. It will not contact sunsolve and fetch an
update unless you explicitly ask for it.
CheckPatches is very simple minded when it compares patches
installed against patches recommended. If the vendor recommended
patch is 106040-10 and you have 106040-11 installed
the check is not smart enough to recognize that your version
is more recent than the recommended version.
CheckPatches cannot determine if a recommended patch actually
installs on your system. For example, a patch might only
apply to systems that have certain hardware or packages
installed. E.g. if ypbind/ypserv have been stripped from the
system (by removing the SUNWnisu package) then patch
105403-03 in the example above will not apply. See the example
above for maintaining your exception list.
CheckPatches, in its use of an Exceptions file, assumes
that if you've determined that a patch doesn't apply to your
system then all subsequent versions of that patch won't
apply. You ought to periodically confirm the assumption.
CheckPatches parses a patch report. When the format of that
document changes this tool will need an update.
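The comparison the EXAMPLES section describes (a patch base number
listed in the Exceptions file is ignored whatever its revision) and
the revision handling the BUGS/BEWARE section says CheckPatches lacks
are illustrated below. This is an added example written in Python for
this page; it is not the CheckPatches perl script or any part of it.
The `showrev -p` output, the patch report section and the Exceptions
file are constructed samples, and the "Patch: NNNNNN-RR ..." line
shape assumed for showrev output is an assumption of this example.
It goes one step beyond the tool as documented: an installed revision
newer than the recommended one is counted as satisfying the
recommendation, whereas the BUGS/BEWARE section says CheckPatches
would still report it.

```python
import re

# Constructed, hypothetical `showrev -p` output; the "Patch: NNNNNN-RR ..."
# line shape is assumed here and was not captured from a real host.
SHOWREV_P = """\
Patch: 105357-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 105529-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 106040-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""

# Constructed patch report section, one "NNNNNN-RR description" line per
# patch, in the form the CheckPatches output in EXAMPLES shows.
PATCH_REPORT = """\
Solaris2.6 Recommended Patches
105357-04 SunOS 5.6: /kernel/drv/ses patch
105403-03 SunOS 5.6: ypbind/ypserv patch
105529-10 SunOS 5.6: /kernel/drv/tcp patch
106040-10 SunOS 5.6: (constructed) example patch
"""

# Constructed Exceptions file, as "CheckPatches >> ...Except" would append
# it. The revision recorded here is older than the one in the report.
EXCEPTIONS = """\
105403-01 SunOS 5.6: ypbind/ypserv patch
"""

# A Sun patch id is six digits, a dash and a two-digit revision.
PATCH_ID = re.compile(r"\b(\d{6})-(\d{2})\b")


def first_patch_id(line):
    """Return (base, revision) for the first patch id on a line, or None.

    Only the first id counts: a showrev line may list other ids under
    Obsoletes:/Requires:, and those are not the installed patch.
    """
    m = PATCH_ID.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def installed_revisions(showrev_text):
    """Map patch base -> highest installed revision from `showrev -p` output."""
    installed = {}
    for line in showrev_text.splitlines():
        if not line.startswith("Patch:"):
            continue
        hit = first_patch_id(line)
        if hit:
            base, rev = hit
            installed[base] = max(rev, installed.get(base, -1))
    return installed


def recommended_patches(report_text):
    """List (base, revision, line) for each patch line in a report section."""
    found = []
    for line in report_text.splitlines():
        hit = first_patch_id(line)
        if hit and line.lstrip().startswith(hit[0]):
            found.append((hit[0], hit[1], line.strip()))
    return found


def exception_bases(except_text):
    """Set of patch bases to ignore. The revision is deliberately dropped,
    matching the rule that 105403-01 excepts 105403-02 and later."""
    bases = set()
    for line in except_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        hit = first_patch_id(line)
        if hit:
            bases.add(hit[0])
    return bases


def check_patches(showrev_text, report_text, except_text):
    """Classify each recommended patch as ok, excepted, missing or outdated.

    Unlike CheckPatches as described in BUGS/BEWARE, an installed revision
    newer than the recommended one is treated as satisfying it.
    """
    installed = installed_revisions(showrev_text)
    skip = exception_bases(except_text)
    result = {"ok": [], "excepted": [], "missing": [], "outdated": []}
    for base, rev, line in recommended_patches(report_text):
        if base in skip:
            result["excepted"].append(line)
        elif base not in installed:
            result["missing"].append(line)
        elif installed[base] < rev:
            result["outdated"].append(line)
        else:
            result["ok"].append(line)
    return result


if __name__ == "__main__":
    r = check_patches(SHOWREV_P, PATCH_REPORT, EXCEPTIONS)
    if r["missing"] or r["outdated"]:
        print("Missing Recommended Patches for Solaris2.6")
        for line in r["missing"] + r["outdated"]:
            print("  " + line)
    else:
        print("OK: patch level")
```

With the constructed inputs, 105403-03 is ignored because base 105403
is in the Exceptions file, 105529-10 is reported because only revision
09 is installed, and 106040-10 is accepted because revision 11 is
installed. The example still cannot tell whether a patch applies to
the hardware and packages actually present, which is the other
limitation the BUGS/BEWARE section records.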
FILES
CheckPatches uses two important files in the current working
directory:
SolarisV.n.PatchReport
- the vendor's patch report as retrieved by anonymous
ftp from the sunsolve site. The V.n part will match
your Solaris version number. On the Intel platform
patch reports look like: SolarisV.n_x86.PatchReport.
SolarisV.n.PatchReport.Except
- your exception list. Patches listed here are ones you
have determined are not required. Cf. the ypbind/ypserv
example where patch 105403-03 is not required.
SEE ALSO
GetApplyPatch(8), showrev(1), ftp(1), and Sun Microsystems
support site at http://sunsolve.Sun.COM.
AUTHOR
Reg Quinton, University of Waterloo, Information Systems and
Technology. From a perl script copyright 1998 by Bruce Barnett.
Many thanks to Sean Boran as well.