1.2 Apply Latest OS Patches

Information

During the patch cluster installation process, administrators may ignore individual patches that fail to install and return either code 2 (the patch has already been installed on the system) or code 8 (the patch applies to an operating system package that is not installed on the machine). If a patch install fails with any other return code, consult the patch installation log in /var/sadm/install_data.

Note that in addition to installing the Patch Clusters as described above, administrators may wish to also check the Solaris<osrel>.PatchReport file (available from the same FTP site as the patch clusters) for additional security or functionality patches that may be required on the local system. Administrators are also encouraged to check the individual README files provided with each patch for further information and post-install instructions. Automated tools for maintaining current patch levels are also available, such as the Oracle Patch Manager tool ('man smpatch' for more info).

Note that best practices recommend verifying the integrity of downloaded software and patches using file or package signatures. Failure to do so may result in the system being compromised by a 'Trojan Horse' created by an attacker with unauthorized access to the archive site. Oracle provides digital signatures for its patches.

Note: This recommendation applies to all zones.

Installing the latest available patches provides protection from exploitation of known vulnerabilities that have been patched.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create a directory to extract the patches. Make sure this directory is owned by root and mode 755, such as /var/tmp/patches. Obtain the Oracle Patch Cluster from http://sunsolve.sun.com/show.do?target=patches/patch-access and look for the Recommended Patch Clusters. The downloaded file will, by default, be named <osrel>_Recommended_CPU_YYYY.MM.zip, where <osrel> is the Solaris OS release number. Create the directory and download the Patch Cluster into /var/tmp/patches using the following commands:
# mkdir /var/tmp/patches
# chmod 755 /var/tmp/patches
# cd /var/tmp/patches

Once the patch cluster is downloaded, extract and install the patches using the following commands:
# unzip -qq *_Recommended.zip
# cd *_SunAlert_Patch_Cluster
# ./installcluster --<passcode>
# cd ..
# rm -rf *_Recommended*

The <passcode> may be found in the patch cluster README file and is required to ensure the README has been read.
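The following script is an added example and is not part of the CIS benchmark or the Nessus plugin text. It wraps the Solution steps above and applies the return-code rule from the Information section: a staging directory is checked for root ownership and mode 755 before use, the archive's CRCs are tested before extraction, installcluster is run with the passcode from the README, and per-patch return codes are classified so that only codes other than 0, 2 and 8 are reported as real failures. The assumptions are that the cluster zip has already been downloaded into the staging directory, that the passcode is passed as the second argument, and that the "patch-id return-code" list fed to summarize_patch_results is a constructed convenience format for the example rather than the installcluster log itself.

```shell
#!/bin/sh
# Added example, not the benchmark's own code. Assumes the Recommended
# Patch Cluster zip is already in $1 and the README passcode is in $2.

# Classify one patch's return code using the benchmark's rule:
# 2 = already installed, 8 = target package absent (both ignorable);
# anything else non-zero means the log in /var/sadm/install_data
# must be examined.
classify_patch_rc() {
    case "$1" in
        0) echo "installed" ;;
        2) echo "skip: already installed" ;;
        8) echo "skip: package not installed" ;;
        *) echo "fail: check /var/sadm/install_data" ;;
    esac
}

# Succeed only if the directory exists, is owned by $2 (default root)
# and has mode 755. Parses ls -ld rather than GNU stat so it also runs
# on Solaris; a trailing ACL/attribute marker on the mode is stripped.
check_patch_dir() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    mode=${1%[.+@]}
    owner=$3
    [ "$mode" = "drwxr-xr-x" ] && [ "$owner" = "$want_owner" ]
}

# Read "<patch-id> <return-code>" pairs from stdin (constructed format for
# this example) and report each verdict. Returns non-zero if any patch
# failed with a code the benchmark does not allow administrators to ignore.
summarize_patch_results() {
    real_failures=0
    while read -r patch rc; do
        [ -n "$patch" ] || continue
        verdict=$(classify_patch_rc "$rc")
        echo "$patch: $verdict"
        case "$verdict" in
            fail*) real_failures=$((real_failures + 1)) ;;
        esac
    done
    [ "$real_failures" -eq 0 ]
}

# Stage, integrity-test, extract and install the cluster, then clean up,
# following the command sequence in the Solution section.
install_cluster() {
    patch_dir=$1
    passcode=$2
    mkdir -p "$patch_dir" && chmod 755 "$patch_dir" || return 1
    check_patch_dir "$patch_dir" || {
        echo "refusing to use $patch_dir: not root-owned mode 755" >&2
        return 1
    }
    cd "$patch_dir" || return 1
    for z in ./*_Recommended*.zip; do
        # unzip -t only checks archive CRCs; it does not replace verifying
        # Oracle's digital signature on the download.
        unzip -tqq "$z" || { echo "corrupt archive: $z" >&2; return 1; }
        unzip -qq "$z"
    done
    cd ./*_SunAlert_Patch_Cluster || return 1
    ./installcluster --"$passcode"
    rc=$?
    cd "$patch_dir" && rm -rf ./*_Recommended*
    return "$rc"
}

# Only run the installer when invoked with a directory and a passcode.
if [ $# -eq 2 ]; then
    install_cluster "$1" "$2"
fi
```

Run it as `sh patch_cluster.sh /var/tmp/patches <passcode>` on the target system; the check_patch_dir test runs before anything is extracted so that a world-writable or non-root staging directory stops the process instead of being used as a drop point for substituted patch files.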

See Also

https://workbench.cisecurity.org/files/614