What are the security implications of security_patch_check itself?
(Section VI)
* What changes does this release incorporate? (Section VII)

Note that security_patch_check is a Perl script. Thus Perl should be installed on the system before installing this product, so the installation of this product can verify proper installation.

II. What is security_patch_check?

Security Patch Check performs an analysis of the installed filesets on an HP-UX 11.x machine, and generates a report of actions recommended in security bulletins. Since new security bulletins can be released or revised at any time, security_patch_check uses a catalog of security bulletin actions stored on an HP server. This catalog is updated frequently with the latest actions for Security Patch Check to recommend. To help automate the process of checking for security actions applicable to a system, security_patch_check is able to download the most recently-generated catalog (optionally through a firewall) from a secure HP HTTPS site or an FTP site. Refer to security_patch_check(1M) for more
security_patch_check summarizes possible weaknesses in a system. However, it does not explicitly add a vulnerability to the system. The report it creates can be generated by anyone with permission to run swlist on the system in question. (See answer 4 in this section for details.) You may, however, want to restrict access to swlist.

To view the permissions for the SD database (and thus swlist), run

    # swacl -l host
OR
    # swacl -l root

Look for an entry beginning with "any_other". To prevent "any_other" from accessing the SD database, run, for example:

    # swacl -l root -D any_other

This will take away read privileges on the database from "others" (not listed in the swacl output). Refer to swacl(1M) for more details. Refer to security_patch_check(1M) for other security issues.
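An added example (not part of this document or of HP's own tooling) that automates the check described above: it scans saved `swacl -l host` or `swacl -l root` output for an `any_other` entry and reports whether that entry grants read access to the SD database. The sample ACL text is constructed, and the `key:perms` layout with an `r` flag in the permission field is an assumption about swacl's output format.

```shell
#!/bin/sh
# Constructed sample of `swacl -l root` output. The layout below is an
# assumption about swacl's format, not a capture from a real HP-UX host.
SAMPLE_ACL='# swacl  Installed Software Access Control List
#
# For host: hpux-host (constructed)
object_owner:crwit
user:root@hpux-host:crwit
group:sys:-r---
any_other:-r---'

# any_other_perms ACL_TEXT
# Prints the permission field of the any_other entry, or "none" when the
# ACL has no any_other entry at all (comment lines are ignored).
any_other_perms() {
    printf '%s\n' "$1" | grep -v '^#' \
        | awk -F: '$1 == "any_other" { print $NF; found = 1 }
                   END { if (!found) print "none" }'
}

# any_other_can_read ACL_TEXT
# Returns 0 (true) when any_other holds the read flag, 1 otherwise.
any_other_can_read() {
    case "$(any_other_perms "$1")" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# report ACL_TEXT OBJECT  (OBJECT is "host" or "root", as passed to swacl -l)
# Prints a one-line finding and, where read access is open, the swacl
# command from the text above that removes the any_other entry.
report() {
    if any_other_can_read "$1"; then
        echo "$2: any_other has read access ($(any_other_perms "$1"));" \
             "consider: swacl -l $2 -D any_other"
    else
        echo "$2: any_other has no read access"
    fi
}

report "$SAMPLE_ACL" root
```

On a real system, capture the ACL with `swacl -l root > acl.txt` and pass `"$(cat acl.txt)"` to `report` instead of the constructed sample.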