Grounded in the Cloud

4 Steps to Automate Server Patching

02-06-2014 02:21 PM - edited 12-04-2015 11:31 AM

With written contribution by Andy Mackay (HP Software Product Marketing)


For most IT organizations, patching servers can seem like a war without end, waged through a series of daily battles ad infinitum. Although it’s unquestionably necessary and vitally important, continuously plugging security vulnerabilities day after day can also be a time consuming task: carefully deploy one set of patches and you likely have at least one more waiting for you.


An entire industry has quietly built up around protecting the world’s servers. Security monitoring institutions like the National Vulnerability Database and SecPod regularly identify new vulnerabilities. In turn, most product vendors take that information and come up with ways to detect and rectify those vulnerabilities.


But at the end of the day, the rest is really up to you. How your IT organization manages the regular patching of potentially hundreds of servers and brings them into compliance is really where the rubber meets the road. Establishing the right lifecycle server management in order to deploy patches with efficient, flawless consistency goes a long way to a secure and reliable enterprise IT environment.


Make it look easy

Now just imagine delivering 18,000 patches to 500 servers with 99.9% success rate — and zero downtime. That is what one telecom provider achieved with HP Server Automation.


I have previously posted about how HP Server Automation simplifies a bare metal install, allowing you to provision the server within just four hours, with minimal hands-on configuration. But what about maintaining that newly provisioned server? Server Automation (HPSA) helps here too, by identifying vulnerable systems in a data center and remediating them based on a defined set of policies to bring them into compliance.


HPSA provides a single interface for patching diverse sets of physical and virtual servers from different vendors in a variety of environments and across geographies, and removes the hassle of learning a different tool from every vendor. It can also integrate with different scanning and patch metadata from disparate trusted sources. You have the flexibility to both control which patches get deployed in the environment as well as quickly and automatically bring new servers into compliance using vendor recommended patches.


> Sign up for a free 30-day trial of HP Server Automation Standard (Virtual Appliance), a single HPSA core packaged as a virtual machine that you can set up in under an hour.



How Server Automation Patching Works

The HPSA patching feature automates four steps: Import, Scan, Remediate and Report.


Let’s take a brief look at how each of these works in the context of HPSA.



1. Import

At the core of HPSA is a scanning engine that uses vulnerability detection logic embedded in a metadata file; as new vulnerabilities are discovered, a new metadata file is released by patching vendors. HPSA imports the metadata file into its database for delivery to the managed servers in the data center, and also converts the metadata file so that it can be added to remediation policies and compliance.


The metadata file also contains a Web URL to download the patch binary, which will resolve the vulnerability when installed. As anyone who patches servers knows, the trick is in deciding what binaries to import — if you import all the patches, you might overload the servers with unwanted files, but if you import only a select few, you might not have all the patches to perform the remediation. So how do you know? The Server Automation scan.


2. Scan

HPSA runs probes on the managed servers to look for vulnerabilities, using the scanning logic embedded in the vendors’ metadata files. The scan results provide a high-level assessment of your environment and help you download only the patches your environment actually requires.




Scan results are stored in the HPSA core and also produce a report from which a site administrator can evaluate the findings and select which vulnerabilities are to be remediated.


3. Remediate

To fix a vulnerability, HPSA uses policies, which are essentially containers for patch metadata that are attached to a server or a server group. When remediation is triggered on a server or a server group, all of its policies are evaluated to create a job.


You don’t always have to run a new scan before every remediation. Instead, a remediation job runs an immediate automated scan to evaluate the current state of the server and determine which patches are already installed, and then sends down only the needed patch binaries to the servers.


Once all the patches have been staged to the managed server, HPSA installs one patch at a time. One of the last steps it performs is to compute “patch compliance” by comparing the installed patches with the patches defined in the policies. If all patches defined in the policy are installed on the server, it is considered to be compliant.


4. Report

Once the metadata is present in the HPSA server, a site administrator can trigger a “patch compliance” scan on a single server or a group of servers to retrieve a report on the list of installed and missing patches. The scan result is stored in the HPSA database and a site administrator can review the list of patches needed in the environment.


After every remediation, HPSA runs a scan again on the managed server to detect the list of installed and uninstalled patches. This list is sent to the HPSA core server to be compared against the policies currently in effect for that server. Any patch that is found in the policy but is marked as not installed by the scanner is treated as a missing patch, and the server is considered non-compliant. The compliance report can also be aggregated up to a server group.
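The four steps above, as an added example that is not HPSA code: the patch metadata, server inventory, IDs and URLs are constructed, and the detection logic is assumed to be a simple "installed version below fixed version" check. It shows why scanning first lets you import only the binaries that some server actually needs, and how per-server compliance rolls up to a group.

```python
from dataclasses import dataclass, field

# Constructed sample metadata (hypothetical patch IDs and URLs, not real vendor data).
# Each entry carries detection logic (product + fixed version) and a download URL.
PATCH_METADATA = [
    {"id": "KB-0001", "product": "webd", "fixed_version": (2, 4, 1), "url": "https://example.invalid/KB-0001.bin"},
    {"id": "KB-0002", "product": "webd", "fixed_version": (2, 5, 0), "url": "https://example.invalid/KB-0002.bin"},
    {"id": "KB-0003", "product": "dbd", "fixed_version": (9, 2, 0), "url": "https://example.invalid/KB-0003.bin"},
]

@dataclass
class Server:
    name: str
    group: str
    software: dict                                 # product -> installed version tuple
    installed: set = field(default_factory=set)    # patch IDs already installed

def scan(server, metadata=PATCH_METADATA):
    """Return the patch IDs this server is vulnerable to, per the metadata's detection logic."""
    found = set()
    for p in metadata:
        ver = server.software.get(p["product"])
        if ver is not None and ver < p["fixed_version"] and p["id"] not in server.installed:
            found.add(p["id"])
    return found

def binaries_to_import(servers, metadata=PATCH_METADATA):
    """Import step driven by scan results: only URLs for patches some server needs."""
    needed = set().union(*(scan(s, metadata) for s in servers))
    return {p["id"]: p["url"] for p in metadata if p["id"] in needed}

def compliance(server, policy):
    """Report step: policy patches not installed are 'missing'; none missing means compliant."""
    missing = sorted(policy - server.installed)
    return {"server": server.name, "missing": missing, "compliant": not missing}

def remediate(server, policy, metadata=PATCH_METADATA):
    """Remediate step: re-check what is installed, then install missing policy patches one at a time."""
    for p in metadata:
        if p["id"] in policy and p["id"] not in server.installed:
            server.installed.add(p["id"])          # stand-in for installing the staged binary
    return compliance(server, policy)

def group_report(servers, policy):
    """Aggregate per-server compliance up to the server group."""
    reports = [compliance(s, policy) for s in servers]
    return {"compliant": all(r["compliant"] for r in reports), "servers": reports}
```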



Automate server lifecycle

Keeping even tens of thousands of servers properly patched and in compliance does not need to overwhelm an IT team. Lifecycle server management can now be efficiently automated, with only modest oversight by a server administrator, allowing organizations to scale to admin ratios of 1:300 to 1:500 servers while still maintaining a secure and reliable environment.


Experience it for yourself — HP Server Automation Standard (Virtual Appliance) is a single HP Server Automation (HPSA) core packaged as a virtual machine, and you can set it up in under an hour. Sign up for a free 30-day trial here.


About the Author


Lending 20 years of IT market expertise across 5 continents, for defining moments as an innovation adoption change agent.
