Features

SA automates Ubuntu patching by providing the following features and capabilities:

  • A central repository where packages are stored and organized in their native formats.
  • A database that stores information about every package that has been applied.
  • Dynamic Patch Policies that analyze platform vulnerabilities based on the latest metadata from the vendor.
  • Advanced search abilities that identify servers that require package updates.
  • Auditing abilities for tracking the deployment of important package updates.

Scheduling and notifications

In the SA Client, you can separately schedule when you want patches to be imported from Microsoft into Server Automation, either by a schedule or on demand, and when you want these patches to be downloaded to managed servers.

Best Practice: Schedule patch installations for a day and time that minimize disruption to your business operation.

Ubuntu patching also allows you to set up email notifications that alert you when the download and installation operations completed, succeeded, or failed. When you schedule a patch installation, you can also specify reboot preferences to adopt, override, postpone, or suppress the vendor’s reboot options.

Patch policies

To provide flexibility in how you identify and distribute packages on managed servers or groups of servers, Ubuntu patching allows you to create patch policies that define groups of packages you need to install. By creating a patch policy and attaching it to a server or a group of servers, you can manage which packages get installed, and where, in your organization.

The Patch Policy model that Ubuntu uses is based on software and packages that are imported as patches.

  • Dynamic Policies can automatically import the latest Ubuntu packages from the vendor. When new Debian binary packages are imported, the icon shows that the policy now contains the latest package content and is active.
  • Dynamic Policies are designed to remediate servers.
  • Static Patch Policies contain metadata that defines the Debian binary package updates.

Best Practice: For reliable automated updates, use the Dynamic Policies.

For more information, see Creating a patch policy .

Patch installation preview

While Patch Management allows you to react quickly to newly discovered security vulnerabilities, it also provides support for strict testing and standardization of patch installation.

After you have scanned servers and have identified packages to install, Patch Management allows you to simulate (preview) the installation before you actually install a package. Use the preview process to identify whether the servers that you selected for the patch installation already have that package installed. In some cases, a server could already have a package installed if a system administrator had manually installed it.

After this type of package installation, if a compliance scan has not been run or the installed package has not been registered, SA does not know about it. Use the preview process for an up-to-date report of the package state of servers.

The preview process also reports on package dependency and supersedence information, such as packages that require certain Ubuntu products, and packages that supersede other packages or are superseded by other packages.

Exporting patch data

To help you track the patch state of servers or groups of servers, Patch Management allows you to export this information. This information can be exported in a comma‑separated value (.csv) file and includes details about when a patch was last detected as being installed, when a patch was installed by Server Automation, the patch compliance level, what patch policy exceptions exist, and so on. You can then import this information into a spreadsheet or database to perform a variety of patch analysis tasks.