What is the best practice for patching AIX with TEM?
What is Tivoli Endpoint Manager's recommended best practice for applying Service Packs and/or Technology Levels to AIX servers?
Resolving the problem
Tivoli Endpoint Manager's (TEM) recommended best practice is to patch AIX servers with Service Packs and/or Technology Levels, using the download cacher and software distribution tools from the TEM Patches for AIX site (this process is documented at http://support.bigfix.com/product/documents/aixpatches.pdf).
TEM does identify individual vulnerabilities, in accordance with the vulnerability statements issued by IBM and by vulnerability tracking databases and organizations. However, IBM's documentation states very clearly that its service strategy is to bundle the fixes for these vulnerabilities into Service Packs or Technology Levels. IBM has made changes to Fix Central to support this strategy, as described in this document: http://www14.software.ibm.com/webapp/set2/sas/f/best/FC_changes_for_AIX.pdf.
Because of IBM's policy and website, the only way to apply individual fixes is to download the entire service pack and manually extract the individual fixes you wish to apply. These fixes would then be distributed using the AIX Package Wizard. However, IBM documentation states that installing a subset of a Technology Level (TL) in this way is not supported:
"Technology Levels must be applied as a group, using the smitty update_all or install_all_updates commands. Installing a Technology Level is an 'all or nothing' operation. Initially, the plan was to add requisites to glue the TL together, but this was not done because of the complications of circular requisites. But, installing a partial Technology Level will not be recognized from a support standpoint."