NAME

     CheckPatches - check patches against vendor recommendations


SYNOPSIS

     CheckPatches [ -fvh ][ -s site ][ -u user ][ -d directory ]


DESCRIPTION

     Sun Microsystems regularly publishes a patch report for sup-
     ported  Solaris  releases  -  at  this writing the report is
     updated twice a month. The  patch  report  is  available  by
     anonymous  ftp  and  is organized into Security, Recommended
     and Y2K Patches. It is a fundamental security principle that
     systems  which  have  all the patches installed will be more
     secure than those that do not.

     CheckPatches is a simple tool to assist in patch management
     on Solaris systems. It will retrieve the appropriate Solaris
     patch report (if required or requested) and analyse the
     output of the showrev(1m) command to determine the patches
     that you ought to apply. Patches can then be retrieved and
     installed with a tool like GetApplyPatch(8).

     Since patch reports will  often  list  patches  that  cannot
     apply  to  your  system (eg. a patch for hardware drivers or
     packages that you do not have) an Exception file can be used
     to  list  patches  that  should be ignored. See the examples
     below and the section on Files.

     You might prefer the vendor supported patchdiag(1m) tool but
     you'll need a support contract.


OPTIONS

     Usually no special arguments beyond  the  fetch  option  are
     required.  Sites with a local mirror, or sites that must use
     an ftp proxy will require these options:

     -h              help -- displays usage guide.

     -v              verbose mode -- be noisy.

     -f              fetch the Solaris patch report from sunsolve
                    (or  the  site specified).  CheckPatches will
                    fetch a patch report if none is found in  the
                    current working directory.  Beware: the patch
                    report normally is  not  fetched  unless  you
                    explicitly ask for it.

     -s site         specifies an alternative  ftp  site  --  the
                    default  is "sunsolve.sun.com".  This is use-
                    ful if you have a local mirror of sunsolve or
                    if you need to connect through an ftp proxy.

     -u user         specifies an alternative login  id  for  the
                    anonymous  ftp  site -- the default is "ftp".
                    This is useful if you have an ftp  proxy  you
                    connect   through  --  eg.  "anonymous@proxy"
                    might be required to get through a proxy.

     -d directory    specifies the  directory  at  the  ftp  site
                    where  you  expect  to find vendor patches --
                    the default is "/pub/patches". This is useful
                    if  you  have  a local mirror but a different
                    directory structure.


EXAMPLES

     On a system with several missing patches CheckPatches  might
     report something like this when the patch report is fetched:

       [12:00pm wally] CheckPatches -f
       Missing Security Patches for Solaris2.6

       105403-03   SunOS 5.6: ypbind/ypserv patch

       Missing Recommended Patches for Solaris2.6

       105357-04   SunOS 5.6: /kernel/drv/ses patch
       105403-03   SunOS 5.6: ypbind/ypserv patch
       105529-10   SunOS 5.6: /kernel/drv/tcp patch
       105580-16   SunOS 5.6: /kernel/drv/glm patch
       105703-24   CDE 1.2: dtlogin patch
       106646-03   SNC 3.2: rpc.pcnfsd has security problem ...

       Missing Y2000 Patches for Solaris2.6

       107492-01   SunOS 5.6: Y2000, runacct cannot update ...
       108667-03   CDE 1.2: perfmeter is not Y2K compliant ...

       For more information see 'Solaris2.6.PatchReport'

     Note   that   the   patch    report,    in    the    example
     'Solaris2.6.PatchReport',  will  contain  lots more informa-
     tion. CheckPatches has fetched  the  report  and  summarized
     things for you.

     If you have determined that none  of  the  patches  reported
     apply  to your system then you should update your Exceptions
     file:

       [1:00pm wally] CheckPatches >> Solaris2.6.PatchReport.Except

     CheckPatches will not report that a patch is missing if that
     patch  number  (the minor version number does not matter) is
     listed in the Exceptions file.  It's  safe  to  assume,  for
     example,  that  if  patch  105403-01  isn't  applicable then
     105403-02 and on aren't applicable either. You should  exer-
     cise caution when constructing an Exceptions file.

     On a system with no missing patches the report will be some-
     thing like this:

       [1:01pm wally] CheckPatches
       OK: patch level


BUGS/BEWARE

     CheckPatches uses the patch report found in the current
     working directory. It will not contact sunsolve and fetch an
     update unless you explicitly ask for it.

     CheckPatches is very simple minded when it compares  patches
     installed  against patches recommended. If the vendor recom-
     mended patch is 106040-10 and you have  106040-11  installed
     the check is not smart enough to recognize that your version
     is more recent than the recommended version.

     CheckPatches cannot determine if a recommended patch will
     actually install on your system. For example, a patch might
     only apply to systems that have certain hardware or packages
     installed. Eg. if ypbind/ypserv have been stripped from the
     system (by removing the SUNWnisu package) then patch
     105403-03 in the example above will not apply. See the
     example above for maintaining your exception list.

     CheckPatches, in its use of an Exceptions file, assumes
     that if you've determined that a patch doesn't apply to your
     system then all subsequent versions of that patch won't
     apply. You ought to periodically confirm the assumption.
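
     The revision comparison and the base-number exception matching
     discussed above, as an added Python example (not CheckPatches'
     own code): it accepts a newer installed revision and ignores
     the revision when matching exceptions. It assumes showrev -p
     prints one "Patch: NNNNNN-RR Obsoletes: ..." line per installed
     patch and that recommended patches are listed one per line as
     under EXAMPLES; all sample data is constructed.

```python
import re

# Patch ids look like 105403-03: six-digit base number, two-digit revision.
PATCH_ID = re.compile(r"\b(\d{6})-(\d{2})\b")

def installed_patches(showrev_output):
    """Map base number -> highest installed revision (assumed showrev -p format)."""
    installed = {}
    for line in showrev_output.splitlines():
        if not line.startswith("Patch:"):
            continue
        m = PATCH_ID.search(line.split("Obsoletes:")[0])
        if m:
            base, rev = m.group(1), int(m.group(2))
            installed[base] = max(rev, installed.get(base, -1))
    return installed

def excepted_bases(except_text):
    """Base numbers named in the Exceptions file; the revision is ignored."""
    return {m.group(1) for m in PATCH_ID.finditer(except_text)}

def missing_patches(recommended_text, showrev_output, except_text=""):
    """Return [(patch_id, installed_rev_or_None, description)] still needed."""
    installed = installed_patches(showrev_output)
    skip = excepted_bases(except_text)
    needed = []
    for line in recommended_text.splitlines():
        line = line.strip()
        m = PATCH_ID.match(line)
        if not m:
            continue  # headings and blank lines
        base, rev = m.group(1), int(m.group(2))
        have = installed.get(base)
        if base in skip or (have is not None and have >= rev):
            continue  # excepted, or installed at the same or a newer revision
        needed.append((m.group(0), have, line[m.end():].strip()))
    return needed

# Constructed sample data, not output captured from a real system.
SHOWREV = """\
Patch: 106040-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105529-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
"""
RECOMMENDED = """\
105403-03   SunOS 5.6: ypbind/ypserv patch
105529-10   SunOS 5.6: /kernel/drv/tcp patch
106040-10   constructed sample entry
"""
EXCEPT = "105403-01   SunOS 5.6: ypbind/ypserv patch\n"
```

     With this data missing_patches(RECOMMENDED, SHOWREV, EXCEPT)
     returns only 105529-10: the installed 106040-11 satisfies the
     recommended 106040-10, and the 105403-01 exception also
     suppresses 105403-03.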

     CheckPatches parses a patch report. When the format of  that
     document changes this tool will need an update.


FILES

     CheckPatches uses two important files in the current working
     directory:

     SolarisV.n.PatchReport
          - the vendor's patch report as retrieved  by  anonymous
          ftp  from  the  sunsolve  site. The V.n part will match
          your Solaris version  number.  On  the  Intel  platform
          patch reports look like:  SolarisV.n_x86.PatchReport.

     SolarisV.n.PatchReport.Except
          - your exception list. Patches listed here are ones you
          have determined are not required. Cf. the ypbind/ypserv
          example where patch 105403-03 is not required.



SEE ALSO

     GetApplyPatch(8), showrev(1), ftp(1), and  Sun  Microsystems
     support site at http://sunsolve.Sun.COM.


AUTHOR

     Reg Quinton, University of Waterloo, Information Systems and
     Technology.  From a perl script copyright 1998 by Bruce Bar-
     nett. Many thanks to Sean Boran as well.