swa(1M)swa(1M)NAMEswa - HP-UX Software Assistant
SYNOPSIS
analyzer] stdout_report_type] inventory_source]
[step_options]
DESCRIPTION
HP-UX Software Assistant (SWA) is a tool that consolidates and simpli‐
fies patch management and security bulletin management on HP-UX sys‐
tems. SWA is the HP-recommended utility to use to maintain currency
with HP-published security bulletins for HP-UX software.
SWA can perform a number of checks including applicable security bul‐
letins and installed patches with critical warnings. Once an analysis
has been performed, you can use SWA to download any recommended patches
or patch bundles and create a depot ready for installation.
The SWA tool is contained in one bundle, SwAssistant, which includes
Security Patch Check. You must install the SwAssistant bundle to get
full functionality. The contents of the SwAssistant bundle have depen‐
dencies on Java (TM), Perl (for SPC), and Judy Libraries.
Advanced users can control the individual steps performed by and with
the command.
As you use SWA to report on systems and download software, objects will
be cached on your disk for later use. To recapture disk space, use
SWA's major functions are briefly outlined below.
SWA runs as a client-side patch and security analysis tool. An HP-sup‐
plied catalog file with known problems and fixes is downloaded from the
ITRC and compared to the software installed on the system. Depots used
for full-system installation, such as the installation depot on an OE
DVD, may also be analyzed.
Systems are analyzed for patch warnings, critical defects, security
bulletins, missing Quality Pack (QPK) patch bundles, and user-specified
patches and supersession chains.
SWA optimizes the automatic selection of patch dependencies by assess‐
ing the quality of the dependency, providing the best case scenario for
the dependency, minimizing changes to the system, and assessing future
patch dependency changes.
SWA is able to generate a variety of reports based on its analysis.
Action, Issue, and Detail reports are available. A consolidated HTML
report with links to the technical knowledge base is always created.
The SWA reports provide information for downloading software from HP
and for actions that need to be taken manually.
Based on the analysis, SWA obtains patches from HP and creates a Soft‐
ware Distributor (SD) depot of software for installation.
SWA automatically uses MD5 cryptographic hash to verify patch integrity
before unpacking downloaded patches.
To recapture disk space used by objects that SWA cached, see
SWA has the following major modes: report, get, step, and clean.
The major modes report and get are comprised of steps, outlined below.
The step mode allows you to execute one of these steps. The clean mode
frees up disk space by removing caches of files from previous SWA ses‐
sions.
The swa report command is comprised of the following steps, and
executes them in the order listed.
Inventory �
The swa report command first does an inventory of the
installed software. The inventory is written to
$HOME/.swa/cache/swa_inventory_n.xml.
Catalog �
Then, swa report downloads an HP-supplied catalog file
from the ITRC website that contains known security issues
and other defects along with their solutions. The catalog
file is saved to $HOME/.swa/cache/swa_catalog.xml.
Analyze �
The inventory file is then compared with the catalog file
to see what issues need to be resolved on the system, and
the resulting analysis file is written to
$HOME/.swa/cache/swa_analysis.xml.
Report �
A summary of recommended actions are written to standard
output and comprehensive results are written to
$HOME/.swa/report/swa_report.html.
See swa-report(1M) for more information.
The swa get command is comprised of the steps download and
depot, and executes them in the order listed. Prerequisites to
the swa get command are the steps inventory, catalog, and ana‐
lyze.
Download �
The swa get command uses the results file generated by
the analysis step of swa report to download the necessary
software from HP. Write access to the swcache directory
is required for this step. Depot
The downloaded software is then packaged in a depot.
Superuser privileges are required for this step.
See swa-get(1M) for more information.
The swa report and swa get commands are made up of steps. The
swa report command is comprised of the steps inventory, catalog,
analyze, and report. The swa get command is comprised of the
steps download and depot.
With the swa step command, you can execute one discrete
step of the swa report or swa get command, such as: swa
step inventory.
See swa-step(1M) for more information.
When the swa command runs, it produces cache files for its use.
Run swa clean to free up disk space after your swa session is
complete.
The swa clean command has modifiers that specify the
caches to clean. The modifiers are: usercache, swcache,
and all. The usercache holds the files created by swa
report, and the swcache holds the patches and patch bun‐
dles downloaded by swa get or swa step download.
The swcache directory can be set with the extended option
swcache.
See swa-clean(1M) for more information.
The analysis that performs relies on the integrity of the inventory to
determine the appropriate patches to install on the system. It is
important that all protocols used to transmit the inventory data are
integrity protected and that the host used to generate the inventory
data is accurately represented. For example, use of for gathering an
inventory of a remote system uses a clear-text, unauthenticated proto‐
col that does not protect the integrity of the data. Using Secure
Shell to gather an inventory of a remote system uses an integrity pro‐
tected (and encrypted) protocol. Even when using Secure Shell, the
analysis still relies on the source of the data (the remote host) to
accurately represent the software contents installed on that system.
Software download relies on the integrity of the analysis file to
ensure the integrity of patches before unpacking them. The analysis
file gets MD5 checksum information directly from the catalog. There‐
fore it is important that all transmissions of the catalog and/or anal‐
ysis file are integrity protected and that file permissions do not
allow unnecessary modification.
Depot creation relies on the integrity of the patches within the direc‐
tory. Therefore, after unpacking the patches, it is important that
all subsequent transmissions of the patches are integrity protected and
that file permissions do not allow unauthorized modification. Deploy‐
ing software using Software Distributor (e.g., using the command) has
security properties that are documented in the "Software Distributor
Administration Guide".
Return Values
returns the following values:
Success
Error
Warning
Examples
These example commands assume your default configuration file contains
your ITRC login information. The syntax will be:
To display usage information:
To display usage and list all extended options:
To inventory the local system, analyze it against an HP-supplied cata‐
log (of known software and issues) for newer Quality Pack patch bun‐
dles, security issues, and critical patch warnings, and then generate a
default stdout "action" report:
To create a report for security issues (SEC) for a remote system inven‐
tory gathered with Secure Shell, and running in to avoid being prompted
for user input:
To create a detailed report for remotesystem, limited in scope to Qual‐
ity Pack patch bundle analysis (QPK) and patches with critical warnings
(PCW). This example uses the networking protocol, which is not
integrity protected:
To do the same task as the previous example, using the extended option
equivalents (which can be specified on the command line, in a user or
system configuration file, or in an extended options file):
To generate a report and place the analysis results in the ~/firstanal‐
ysis.xml file (for later use by
To generate a report, updating the catalog of HP software if it is more
than 48 hours old:
To generate a report using a specified catalog of HP software without
updating that catalog:
To generate a report always updating the catalog of HP software:
To get patches from HP that are recommended in the default analysis
file (i.e., from the previous command) and place the results into the
new depot mydepot:
To add newly recommended patches into the existing depot mydepot, only
downloading patches from HP that are neither in mydepot nor previously
downloaded:
To preview which patches need to be downloaded from HP and added to an
existing depot without actually doing the work, and with increased ver‐
bosity:
To remove all cached inventory, catalog, and analysis information in
the default location:
To remove all cached downloaded software in the default location:
To preview the removal of all cached downloaded software in the default
location:
To remove all cached inventory, catalog, analysis, and downloaded soft‐
ware in specified locations:
AUTHOR
was developed by Hewlett-Packard Development Company, L.P.
FILES
The per-user Software Assistant configuration file. This file takes
precedence over the system-wide SWA configuration file.
An HP-supplied catalog file from the ITRC website that
contains known security issues and other defects along with
their solutions. This file is downloaded with the command swa
report or swa step catalog.
The analysis of the inventory file and the catalog file
created with swa report or swa step analyze.
The inventory of installed software created by swa
inventory or swa step inventory.
Use this file to specify issues for analyzers to ignore. It is
possible to use more than one ignore file by using the extended
option ignore_file.
The comprehensive report written by swa report and
swa step report.
Default alternative log file if you don't have permissions
to write to /var/opt/swa/swa.log.
The system-wide SWA configuration file.
An example configuration file outlining the usage of each
extended option.
Script to configure HP SIM 5.2 and later for SWA. Only
required if SWA is installed when HP SIM is installed but not
running. HP SIM must be running when configHPSIM is run.
Manpages.
The default directory for downloading software before it
is packaged in a depot. This directory can be set with the
extended option swcache. Note that this directory can consume a
significant amount of disk space.
Directory that holds all clients' files generated from SWA
within HP SIM. Files are kept in user and job-specific subdirec‐
tories. This directory might require significant space to sup‐
port clients' analysis, catalog, inventory, and report files.
User-specific directory used by SWA when running under
HP SIM.
Default log file.
Lists all files downloaded from HP to the swcache. It is
located in the swcache directory.
Lists special installation instructions and dependencies
for the patches in the depot. It is located in the depot direc‐
tory.
Lists all files downloaded from HP stored within the
a directory specified by the extended option.
Lists special installation instructions and other dependencies for the
patches in the depot.
Located in the root directory of the target depot.
Lists issue IDs to be ignored (e.g., they are completed or not applica‐
ble). Supports comments
and regular expressions. See regexp(5).
SEE ALSOswa-report(1M), swa-get(1M), swa-step(1M), swa-clean(1M), and secu‐
rity_patch_check(1M).
swa(1M)
