Updated on 2026-04-23 GMT+08:00

Automatic Notification Upon Scheduled OS Patch Scanning Failures

Scenarios

Scheduled OS patch scanning is crucial for enterprise IT to meet security and compliance requirements. These scans identify vulnerabilities, assess missing patches, and drive the remediation process. In practice, however, scanning tasks fail for many reasons, and relying on manual checks to notice those failures carries significant risks.

  • Expanded security exposure: A failed scan breaks the vulnerability detection chain. Critical vulnerabilities remain unidentified, leaving the system open to exploitation, which can lead to data breaches, workload disruptions, and other severe consequences.
  • Low O&M efficiency: Manually checking the status of scanning tasks across hundreds or thousands of servers is labor-intensive and inefficient. O&M teams cannot quickly locate failed nodes, leading to delayed response times.
  • Non-compliance: Compliance standards require closed-loop management of vulnerability scanning and remediation. Failure to address scanning errors in a timely manner can result in compliance audit failures and potential legal or financial penalties.
  • Difficult root cause analysis: Scanning failures can stem from various sources, such as network interruptions, insufficient permissions, tool errors, or system service faults. Without automated notifications and log aggregation, identifying the root cause is difficult, which significantly extends recovery times.

Therefore, building an automated notification mechanism for scheduled OS patch scanning failures is an important practice for enterprise security. By enabling real-time alarms, rapid root-cause analysis, and closed-loop remediation, organizations can ensure comprehensive patch management and robust O&M security.

Solutions

Core design principles:

  • Real-time: When a scanning failure is detected, the notification is sent within 1 minute.
  • Accuracy: Notifications include the name, ID, time, and type of the failed task, reducing troubleshooting costs.
  • Multiple channels: Notifications can be sent via email, SMS, WeCom, and DingTalk, so that O&M personnel actually receive them.
  • Traceability: Failure events are recorded end to end and can be queried and reviewed in the logs.

Creating a Scheduled OS Patch Scanning Task

  1. Log in to COC.
  2. In the navigation pane, choose Resource O&M > Automated O&M.
  3. In the Routine O&M area, click Scheduled O&M.
  4. On the displayed page, click Create Task.
  5. On the displayed page, enter ScheduledscanOSpatches for the task name, set Risk Level to Low, and retain the default values for other parameters.

    Figure 1 Specifying basic information

  6. Set the scheduled scanning rule by referring to Table 1. For details about the parameters, see Creating a Scheduled Task.

    Figure 2 Setting the scheduled scanning rule
    Table 1 Parameters for setting the scheduled scanning rule

    Parameter | Example Value | Description
    Time Zone | GMT+08:00 | Select the time zone in which the scheduled task will be executed from the drop-down list.
    Scheduled Type | Periodic execution | The task is executed periodically based on the configured rule until the rule expires.
    Execution Time | Cron: 0 15 3 5 * ? | Set the execution time with a time expression. For details, see Using Cron Expressions. 0 15 3 5 * ? is a six-field expression (second, minute, hour, day of month, month, day of week, where ? means no specific value); it runs the scan at 03:15 on the fifth day of each month. The first field is seconds, not minutes, so do not read it as a five-field crontab entry.
    Rule Expired | - | Set the rule expiration time. The scheduled task runs periodically based on the configured execution rule until the rule expires. After expiration the task is no longer executed at all, which the failure notification in Table 3 does not report, so review the expiration time whenever you change the schedule.

  7. Set Task Type to Jobs. Set the task by referring to Table 2.

    Figure 3 Selecting a job
    Table 2 Parameters for configuring a job task

    Parameter | Example Value | Description
    Jobs | Scan_OS_Patch | On the Public Jobs tab page, select Scan_OS_Patch.
    IAM Permission Agency | ServiceAgencyForCOC | The IAM agency defaults to ServiceAgencyForCOC so that the scheduled task does not fail because the agency lacks permissions. The user who creates the task must hold the iam:agencies:pass action permission to pass this agency to the task.
    Target Instance Mode | Consistent for all steps | All steps are executed on the target instances with the same batch policy.
    Job Execution Procedure | - | Use the default steps of the public job.
    Target Instance | Target instances | Click Add and select the target instances.
    Batch Policy | Automatic batches | Configurable only when multiple instances are selected. The target instances are automatically divided into batches based on the default rule.

  8. Disable Manual Review.

    This example only demonstrates the basic functions of scheduled O&M. For routine O&M, you are advised to configure an approval process to evaluate operation risks.

  9. Enable Send Notification and set notification rules.

    Figure 4 Setting notifications
    Table 3 Parameters for setting notification rules

    Parameter | Example Value | Description
    Notification Policy | Execution failed | Notifications are sent when the scheduled task fails to be executed.
    Recipient | Shift | Select a shift scenario and the corresponding roles from the drop-down lists. For details, see Creating a Shift Schedule.
    Notification Mode | Email | Notifications are sent to the recipients' reserved contact information. For details, see Modifying Personnel Information.

  10. Click OK. The scheduled task is created.

Verifying the Execution Result

  1. In the scheduled O&M task list, check the scheduled task created in Creating a Scheduled OS Patch Scanning Task.

    Figure 5 Checking the scheduled task

  2. When the scheduled time arrives, the system automatically runs the OS patch scan.
  3. If the scan fails, an email notification is sent to the configured recipients, who analyze the failure cause from the execution logs and rerun the scan manually once it is fixed.

    Figure 6 Sending a notification
    Figure 7 Checking the failure logs
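The "Execution failed" policy in Table 3 reports runs that started and failed; it cannot report a run that never started (an expired rule, for instance). The watchdog below is an added example, not COC code: it enumerates the fire times of the page's six-field expression 0 15 3 5 * ?, compares them with a constructed execution history, and builds a notification carrying the task name, ID, time, and type called for under Solutions. The record format (task_name, task_id, scheduled_for, status, failure_type), the task ID task-0001, the failure type text, and the 10-minute grace period are all assumptions made for this example.

```python
"""Watchdog for a scheduled OS patch scan (added example, not COC code).
Assumed, hypothetical input: execution records exported from the task's
history as dicts with task_name, task_id, scheduled_for (ISO 8601),
status ("SUCCESS"/"FAILED") and optional failure_type."""
from datetime import datetime, timedelta, timezone
from itertools import product

GMT8 = timezone(timedelta(hours=8))   # the page's time zone, GMT+08:00
GRACE = timedelta(minutes=10)         # assumption: time a run may take to report


def parse_field(spec, lo, hi):
    """Expand one cron field ('*', '?', a value, a-b, a,b,c, x/n) to a set."""
    if spec in ("*", "?"):
        return set(range(lo, hi + 1))
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = int(part)
            end = hi if step > 1 else start
        values.update(range(start, end + 1, step))
    return values


def expected_fire_times(cron, start, end):
    """Fire times in [start, end) of a six-field expression (second, minute,
    hour, day of month, month, day of week), the format of "0 15 3 5 * ?".
    Five-field crontab input is rejected rather than silently misread."""
    fields = cron.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields (seconds first), got %d" % len(fields))
    sec, minute, hour, dom, mon, dow = fields
    if dow != "?":
        raise ValueError("this example only supports '?' for day-of-week")
    seconds, minutes, hours = (sorted(parse_field(f, 0, hi))
                               for f, hi in ((sec, 59), (minute, 59), (hour, 23)))
    days, months = parse_field(dom, 1, 31), parse_field(mon, 1, 12)
    fires, day = [], start.date()
    while day <= end.date():
        if day.month in months and day.day in days:
            for h, m, s in product(hours, minutes, seconds):
                t = datetime(day.year, day.month, day.day, h, m, s, tzinfo=start.tzinfo)
                if start <= t < end:
                    fires.append(t)
        day += timedelta(days=1)
    return fires


def audit_scan_runs(task_name, task_id, cron, records, window_start, now):
    """One alert per expected fire time that has no SUCCESS record.
    A FAILED record gives 'execution_failed' (what the task's own notification
    covers); no record at all gives 'missing_execution', which it cannot."""
    by_time = {}
    for r in records:
        by_time.setdefault(datetime.fromisoformat(r["scheduled_for"]), []).append(r)
    alerts = []
    for fire in expected_fire_times(cron, window_start, now - GRACE):
        runs = by_time.get(fire, [])
        if any(r["status"] == "SUCCESS" for r in runs):
            continue
        failed = [r for r in runs if r["status"] == "FAILED"]
        alerts.append({
            "task_name": task_name, "task_id": task_id,
            "scheduled_for": fire.isoformat(),
            "type": "execution_failed" if failed else "missing_execution",
            "detail": failed[0].get("failure_type", "unknown") if failed
                      else "no execution record",
        })
    return alerts


def format_notification(alert):
    """Message body with the four fields the page asks for: name, ID, time, type."""
    return ("[OS patch scan] task=%(task_name)s id=%(task_id)s "
            "scheduled_for=%(scheduled_for)s type=%(type)s detail=%(detail)s" % alert)


# Constructed sample history: February succeeded, March failed, April never ran.
SAMPLE_RECORDS = [
    {"task_name": "ScheduledscanOSpatches", "task_id": "task-0001",
     "scheduled_for": "2026-02-05T03:15:00+08:00", "status": "SUCCESS"},
    {"task_name": "ScheduledscanOSpatches", "task_id": "task-0001",
     "scheduled_for": "2026-03-05T03:15:00+08:00", "status": "FAILED",
     "failure_type": "insufficient permissions"},   # constructed text
]
WINDOW_START = datetime(2026, 2, 1, tzinfo=GMT8)
NOW = datetime(2026, 4, 23, 10, 0, tzinfo=GMT8)

if __name__ == "__main__":
    for a in audit_scan_runs("ScheduledscanOSpatches", "task-0001", "0 15 3 5 * ?",
                             SAMPLE_RECORDS, WINDOW_START, NOW):
        print(format_notification(a))
```

Run against the sample history, the audit yields two alerts: the March run as execution_failed and the April run as missing_execution. Pointing such a check at the real execution history gives you the second signal the built-in policy lacks, and an alert body that already contains what the Accuracy principle asks the on-call engineer to see first.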