HP keeps rolling Unix security patches
August 4, 2009
The 3000 community doesn't patch its systems often, but moving your operations to the HP-UX platform will trigger more updates. HP-UX is based on Unix System V, one of the most widely installed environments in the world after Windows and Linux. No environment is breach-proof, but a shift to HP-UX requires a closer watch on patches than in MPE/iX.
While many of these HP-UX patches are only recommended, some critical security holes have to be closed by a patch. HP's rolled out two of these over the last three weeks. One patch only applies to HP ServiceGuard, a product not included on every HP-UX system, but in wide use on mission-critical servers.
But a patch from July 21 identified an "arbitrary code execution" hole for XNTP, the standard time service for Unix systems. Secunia.com called the exploit and the patch highly critical in its advisory. Kerberos also got a critical security patch, HPSBUX02421, last week.
HP has a free program that administrators install on HP-UX servers that "simplifies patch and security bulletin management." Did the HP 3000 ever need such a utility? 3000s eventually received PatchMan to monitor patches of all kinds, though few of the patches were created to respond to security holes. But the server's environment isn't built from an industry standard such as Unix.
HP Software Assistant (SWA) "analyzes a system (and some types of depots) for patch warnings, critical defects, security bulletins, missing Quality Pack patch bundles, and user-specified patches and patch chains" for HP-UX. Many Unix systems include this kind of auto-scan for patches; the Mac OS looks for patches as often as daily, and downloads them (without installing).
Automated HP 3000 environment checking was at its zenith with HP Predictive Support. Like SWA, users needed to enable Predictive manually. It was created in an era when 3000s were only networked on private nets, so HP had to install Predictive modems to enable the checks. But Predictive didn't check for security breaches. An HP Support customer could have the high-failure parts of 3000s -- disks, tapes and memory -- scanned regularly for potential faults. It could also monitor available disk space.
As with HP's 3000 support, Predictive became a casualty of the vendor's exit from the 3000 market. The community got an October, 2006 notice that HP's labs were dropping sustaining engineering and connectivity support for Predictive. HP 9000s, OpenVMS, Linux and Windows systems replaced the functionality of Predictive with the Instant Support Enterprise Edition, starting in 2003. ISEE lasted until this June, when HP replaced it with HP Remote Support Pack and HP Insight Remote Support.
Security patches are free from HP, a vendor that's always watching for liability issues with its customers. HP Insight and Remote Support Pack are employed along with an HP support contract.