Create Policies, Run Compliance Audits, and Remediate with HP Server Automation
HP Server Automation provides tools that not only increase the efficiency of IT staff but also
improve both compliance and system security while requiring minimal user interaction.
Server Automation achieves this using a combination of Audits, Audit Policies, Patches and Patch
Policies, System Configuration specifications, software packages, and even OS Build Plans. This allows
IT administrators to automate significant workloads using Server Automation and eliminate incessant
problems such as forgetting to perform a specific step, confirming a system's configuration is complete,
or just trying to track down a piece of software to install. HP Server Automation (SA) alleviates these
problems and simplifies processes down to only a few clicks of the mouse to achieve what could take
hours or days to perform manually. Thus, to demonstrate some of SA's most attractive
features, the following provides a quick look into the Server Automation user interface and how to
create policies, perform audits, and even remediate non-compliant systems quickly.
Creating Policies
Server Automation includes Software Policies, Patch Policies, and Audit Policies containing as many
settings as one desires. However, a best practice is to group policies by some common factor. For instance,
creating a patch policy to deploy the Microsoft Windows Malicious Software Removal Tool along with
another patch that installs an update for a RAID controller just is not a good idea. Therefore, the
following illustrates how to create a Patch Policy in SA to install a Microsoft Windows Update.
The SA user interface provides a hierarchical view of everything, including the SA Library containing
patches, patch policies, OS build plans, or even managed or unmanaged servers, and this makes
navigating SA's library much easier. As shown above, the patch library for Windows Server 2008 x64
contains a vast collection of patches. However, upon initial installation of HP SA, most if not all
patches appear grayed out. This means the patch is not ready and available to deploy. Therefore, one must
at least right-click a specific patch and choose Import Content > From Vendor (or From File if available).
This causes SA to begin downloading the patch from the vendor automatically, and when it finishes the
patch changes from grayed out to normal. Just keep in mind this can be done for one, many or every
patch in the library, but that can take a very long time depending on the Internet connection speed.
Thus, a best practice is to only download the ones needed because it's much easier to download others
and add them to an existing patch policy later.
Another noteworthy aspect of patch policies is the patch Availability and OS. These settings determine if a
patch is Available to every managed server in SA or Limited, to prevent deployment without specifically
designating which servers to apply the patch(es) to manually during testing. After testing, the IT staff can
revisit each patch and set Availability to "Available", and still use the OS dropdown to indicate it is only
allowed to install on Windows Server 2008 R2 x64, for instance. This would prevent the patch from
deploying onto a system it has not been tested on yet. Another noteworthy tip is to remember that SA
provides no way to deploy this patch to a server from the patches list. Therefore, the next step is to
create a Patch Policy.
Creating a Patch Policy is simple because all it requires is the name of the policy (try to be as descriptive
as possible but keep it short), the Policy Items (we'll add the KB890830 update just imported from the
vendor) and the servers or Device Groups (see HP SA documentation for further details).
Choose the Policy Items on the left, choose the dropdown for what to Show (select Patches Not Added to
Policy – see below) and in the top-right search box click the dropdown, specify Availability and type
an "L" for Limited in this example to display only those patches just downloaded that have not completed
testing.
This changes the view to look similar to the screenshot below.
Select the appropriate patch, right-click it and choose Add Patch to Policy (notice it disappears because
of the option to display only those Patches Not Added to Policy specified earlier). Save and close the
Patch Policy; you can then view it in the Patch Policy list.
Change to the Device view and select All Managed Servers.
Select the servers you want to Scan for Compliance as shown below (be sure to select the Compliance
view option in the top-left corner of this pane).
From the SA main menu with at least (1) device selected, choose Scan > Patch Compliance as shown
below, and then the Scanning progress window will appear.
After the scan completes it will show a status screen similar to the screenshot below IF you have not
already closed the Patch Compliance Scan Status window. If so, you can still view the compliance status
from the main Devices screen.
At this point you can click the Remediate button, and that opens a new window to guide you through
the remediation process.
Click Start Job and the Remediation will complete on its own. Just remember you can set up schedules
in SA to completely automate this entire process on a regular basis and have it return the results to any
or as many recipients as necessary via e-mail.
You may also leave the progress window open during Remediation and it displays detailed status of each
step of the remediation job, or you can open the Jobs and Sessions part of SA and look at the results
there, but not in as much detail as shown here below.
This concludes the tutorial on Server Automation policy compliance, scanning, and remediation.