Abstract

Managing Solaris patches can be an ordeal, but patch management is the cornerstone of security. I dabbled in PatchPro a while ago, and today I'm at it again. This time I plan to finish it and document the procedure here. We'll see if that really happens...

Introduction

This HOWTO documents the steps I took to install and configure PatchPro 2.2 on Solaris 8.

Goals

By using PatchPro I hope to achieve the following.

Get the PatchPro Software

Download PatchPro from the PatchPro Hub at http://patchpro.sun.com.

Install PatchPro

Follow the directions in the README for installation. One snag I ran into was that I had altered my package defaults to ask me, when installing a newer version of a package, whether I wanted to upgrade, rather than have it just cry that another copy of the package already existed. I did this by modifying /var/sadm/install/admin/default and changing instance=unique to instance=ask. This causes the PatchPro install to hang while installing the first package, SUNWsdb.

Note: Be sure that your default pkgadd administration file, /var/sadm/install/admin/default, does not contain instance=ask.

Test it Out

Try it out. Run the following command to see how far out of date your system is.

# smpatch analyze

PatchPro should contact Sun's patch server and display a whole list of patches that you need to install.

Configure PatchPro

You may run PatchPro in a number of different ways. The most basic way is to run it by hand on the command line using the smpatch command.

# smpatch analyze
...
# smpatch download -i <patch-id>
# smpatch add -i <patch-id>

PatchPro may also be automated, but I haven't yet implemented this. Until then, see the man pages for the following commands.

Note: Don't forget to add /opt/SUNWppro/man/man1m to your MANPATH.

pprosetup
Used to set the rules for downloading and applying patches.
pprosvc
The automation service program for Patch Manager.
smpatch
Used to actually download, apply, and remove the patches specified on the command line.

Also, check out the following Sun docs.

Contract Patches

Contract-only patches may be accessed by PatchPro if you configure PatchPro with your username

# pprosetup -u <sunsolve-user-name>

and place your Sunsolve password in /opt/SUNWppro/lib/.sunsolvepw. You may also want to take a look at /etc/opt/SUNWppro/etc/patchpro.conf.
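The two file-level conditions this HOWTO depends on (no instance=ask in the pkgadd administration file from the Install PatchPro section, and the Sunsolve password file named above) can be checked before an install or update. This is an added example, not part of the original HOWTO or of PatchPro; the function names and the policy that the password file be owned by root with no group or other access are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PatchPro setup in this HOWTO.
# Paths come from the page; function names and the root/no-group-other
# policy for the password file are this example's assumptions.
ADMIN_FILE=/var/sadm/install/admin/default
PW_FILE=/opt/SUNWppro/lib/.sunsolvepw

# 0 if the pkgadd admin file has no active instance=ask line (the setting
# that made the SUNWsdb install hang); 1 if it does. Commented lines pass.
admin_file_ok() {
    if grep '^instance=ask' "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# 0 if file $1 exists, is owned by $2 (default root) and grants group and
# other no access. Parses ls -ld so it needs nothing beyond ls, cut and awk.
pw_file_private() {
    [ -f "$1" ] || return 2
    listing=`ls -ld "$1"`
    perms=`echo "$listing" | cut -c5-10`
    owner=`echo "$listing" | awk '{print $3}'`
    [ "$perms" = "------" ] && [ "$owner" = "${2:-root}" ]
}

# Run both checks against the real paths; returns the number of failures.
# A missing password file is not a failure: contract patches are optional.
preflight() {
    fails=0
    admin_file_ok "$ADMIN_FILE" || {
        echo "FAIL: $ADMIN_FILE sets instance=ask; the PatchPro install hangs"
        fails=`expr $fails + 1`
    }
    [ ! -f "$PW_FILE" ] || pw_file_private "$PW_FILE" || {
        echo "FAIL: $PW_FILE must be owned by root with no group/other access"
        fails=`expr $fails + 1`
    }
    return $fails
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

Run it as root with --check; the exit status is the number of failed checks.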

Manual Patch Updates

One patch at a time

# smpatch analyze
...
# smpatch download -i <patch-id>
# smpatch add -i <patch-id>

All patches allowed by pprosetup config at once

# smpatch update