IT Operations Management (ITOM)

4 Steps to Automate Server Patching



With written contribution by Andy Mackay (HP Software Product Marketing)


For most IT organizations, patching servers can seem like a war without end, waged through a series of daily battles ad infinitum. Although it’s unquestionably necessary and vitally important, continuously plugging security vulnerabilities day after day can also be a time-consuming task: carefully deploy one set of patches and you likely have at least one more waiting for you.


An entire industry has quietly built up around protecting the world’s servers. Security monitoring institutions like the National Vulnerability Database and SecPod regularly identify new vulnerabilities. In turn, most product vendors take that information and come up with ways to detect and rectify those vulnerabilities.


But at the end of the day, the rest is really up to you. How your IT organization manages the regular patching of potentially hundreds of servers and brings them into compliance is really where the rubber meets the road. Establishing the right lifecycle server management in order to deploy patches with efficient, flawless consistency goes a long way to a secure and reliable enterprise IT environment.


Make it look easy

Now just imagine delivering 18,000 patches to 500 servers with 99.9% success rate — and zero downtime. That is what one telecom provider achieved with HP Server Automation.


I have previously posted about how HP Server Automation simplifies a bare metal install, allowing you to provision the server within just four hours, with minimal hands-on configuration. But what about maintaining that newly provisioned server? Server Automation (HPSA) helps here too, by identifying vulnerable systems in a data center and remediating them based on a defined set of policies to bring them into compliance.


HPSA provides a single interface for patching diverse sets of physical and virtual servers from different vendors in a variety of environments and across geographies, and removes the hassle of learning a different tool from every vendor. It can also integrate with different scanning and patch metadata from disparate trusted sources. You have the flexibility to both control which patches get deployed in the environment as well as quickly and automatically bring new servers into compliance using vendor recommended patches.


> Sign up for a free 30-day trial of HP Server Automation Standard (Virtual Appliance), a single HPSA core packaged as a virtual machine that you can set up in under an hour.



How Server Automation Patching Works

The HPSA patching feature automates four steps: Import, Scan, Remediate and Report.


Let’s take a brief look at how each of these works in the context of HPSA.



1. Import

At the core of HPSA is a scanning engine that uses vulnerability detection logic embedded in a metadata file; as new vulnerabilities are discovered, a new metadata file is released by patching vendors. HPSA imports the metadata file into its database for delivery to the managed servers in the data center, and also converts the metadata file so that it can be added to remediation policies and compliance.


The metadata file also contains a Web URL to download the patch binary, which will resolve the vulnerability when installed. As anyone who patches servers knows, the trick is in deciding what binaries to import — if you import all the patches, you might overload the servers with unwanted files, but if you import only a select few, you might not have all the patches to perform the remediation. So how do you know? The Server Automation scan.


2. Scan

HPSA runs probes on the managed servers to look for vulnerabilities, using the scanning logic embedded in the vendors’ metadata files. The scan results provide a high-level assessment of your environment and help you download only the patches your environment actually requires.


[Figure: HPSA patch scan flow]



Scan results are stored in the HPSA core and also generate a report from which a site administrator can evaluate the findings and select which vulnerabilities are to be remediated.


3. Remediate

To fix a vulnerability, HPSA uses policies, which are essentially containers for patch metadata that are attached to a server or a server group. When remediation is triggered on a server or a server group, all of its policies are evaluated to create a job.


You don’t always have to run a new scan before every remediation. Instead, a remediation job runs an immediate automated scan to evaluate the current state of the server and determine which patches are already installed, and then sends down only the needed patch binaries to the servers.


Once all the patches have been staged to the managed server, HPSA installs one patch at a time. One of the last steps it performs is to compute “patch compliance” by comparing the installed patches with the patches defined in the policies. If all patches defined in the policy are installed on the server, it is considered to be compliant.


4. Report

Once the metadata is present in the HPSA server, a site administrator can trigger a “patch compliance” scan on a single server or a group of servers to retrieve a report on the list of installed and missing patches. The scan result is stored in the HPSA database and a site administrator can review the list of patches needed in the environment.


After every remediation, HPSA runs a scan again on the managed server to detect the list of installed and uninstalled patches. This list is sent to the HPSA core server to be compared against the policies currently in effect for the server. Any patch that is found in the policy but is marked as not installed by the scanner is treated as a missing patch, and the server is considered non-compliant. The compliance report can also be aggregated up to a server group.
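As an added example (not HPSA’s own code or API), the compliance logic of the Remediate and Report steps worked through in Python on constructed policy and scan data: every policy attached to a server or to one of its groups is evaluated, a policy patch the scan did not find installed is treated as missing, and group compliance is aggregated from the members. The KB, bulletin and severity values are sample metadata.

```python
"""Patch compliance modelled on the Import/Scan/Remediate/Report steps above. Added example on constructed data; not HPSA code."""
from collections import namedtuple

# A patch as the imported metadata file describes it.
Patch = namedtuple("Patch", "kb bulletin severity")

# Constructed sample metadata: KB name -> (KB, bulletin, severity).
METADATA = {
    "Q3079904": Patch("Q3079904", "MS15-078", "Critical"),
    "Q3079757": Patch("Q3079757", "MS15-088", "Important"),
    "Q3078601": Patch("Q3078601", "MS15-080", "Critical"),
    "Q3078071": Patch("Q3078071", "MS15-079", "Moderate"),
}

# Policies: containers of required KBs, attached to a server or a server group.
SERVER_POLICIES = {"VM12": [{"Q3078071"}]}
GROUP_POLICIES = {"web": [{"Q3079904", "Q3079757"}, {"Q3078601"}]}
MEMBERSHIP = {"VM11": ["web"], "VM12": ["web"], "VM13": ["web"]}

# Constructed scan results: KBs the probe reported as installed on each server.
SCAN = {
    "VM11": {"Q3078601"},
    "VM12": {"Q3079904", "Q3079757"},
    "VM13": {"Q3079904", "Q3079757", "Q3078601"},
}

def required_patches(server):
    """Evaluate every policy attached to the server and to each of its groups."""
    required = set()
    for policy in SERVER_POLICIES.get(server, []):
        required |= policy
    for group in MEMBERSHIP.get(server, []):
        for policy in GROUP_POLICIES.get(group, []):
            required |= policy
    return required

def missing_patches(server, scan=SCAN):
    """A KB in the policy that the scan did not find installed is 'missing'."""
    return sorted(required_patches(server) - scan.get(server, set()))

def is_compliant(server, scan=SCAN):
    """Compliant only when every policy patch is installed."""
    return not missing_patches(server, scan)

def server_report(servers, scan=SCAN):
    """Rows of (server, KB, bulletin, severity), one per missing patch."""
    return [(s,) + METADATA[kb] for s in servers for kb in missing_patches(s, scan)]

def group_compliance(group, scan=SCAN):
    """Aggregate to the group: each member's state; all True means the group is compliant."""
    return {s: is_compliant(s, scan) for s, gs in MEMBERSHIP.items() if group in gs}
```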



Automate server lifecycle

Keeping even tens of thousands of servers properly patched and in compliance does not need to overwhelm an IT team. Lifecycle server management can now be efficiently automated, with only modest oversight by a server administrator, allowing organizations to scale to admin ratios of 1:300 to 1:500 servers while still maintaining a secure and reliable environment.


Experience it for yourself — HP Server Automation Standard (Virtual Appliance) is a single HP Server Automation (HPSA) core packaged as a virtual machine, and you can set it up in under an hour. Sign up for a free 30-day trial here.


About the Author


Lending 20 years of IT market expertise across 5 continents, for defining moments as an innovation adoption change agent.



I'm facing some issue trying to obtain a report.

At the end of the day, I would like to see a list of patches available for a group of servers.

Something like this:


Server name   Name/KB    Bulletin   Severity
VM11          Q3079904   MS15-078   Critical
VM11          Q3079757   MS15-088   Important
VM12          Q3078601   MS15-080   Critical
VM12          Q3078071   MS15-079   Moderate


And so on.

I'm able to obtain it using the menu for each device, Inventory --> Patches.

But as you can imagine, for multiple servers it is not the best solution, and honestly, having HPSA means avoiding this manual stuff.

How can I automate this report every month to obtain the final list of servers and KB/bulletins available?


Thank you.






Can you please help me get the HP SA - OO flows for patching through SA




