Identifying Compliance Issues Using Patch Scan on COC
Scenarios
An O&M engineer at an e-commerce company found that compliance issues with cloud resources, particularly OS compliance risks, were prominent in their daily work, and that customers were concerned about the security and compliance of the OS on the cloud. Host OS patch compliance had to be checked periodically to avoid vulnerabilities caused by missing patches, which could lead to business losses. There was no unified OS compliance management tool or closed-loop remediation process on the cloud, so compliance issues were difficult to fix and help from Huawei was hard to obtain. The goal was to automate OS patch scanning and promptly fix patch vulnerabilities so that host OS patches remain compliant.
Solutions
- Governance: COC provides automated and scheduled OS compliance inspections, with an out-of-the-box experience while retaining customer customization capabilities. This allows for the timely detection of OS compliance issues and the output of compliance reports.
- O&M: Patch repair is triggered based on compliance reports, and ensures full coverage of OS compliance through incremental iterations, closing the loop on OS compliance issues within the SLA.
- Patch management: COC offers OS patch management capabilities, supporting scanning and fixing patches for Linux OSs like Huawei Cloud EulerOS, CentOS, and EulerOS, in ECS node, CCE cluster, and BMS instance scenarios. This practice uses ECS as an example to describe how COC scans patches. COC scans host OS patches based on the rules in patch baselines and provides compliance reports. It has three common patch baselines and allows you to customize patch baselines to meet your specific needs. You can customize patch installation rules, patch compliance levels, and abnormal patches.
Patch management allows you to:
- Create patch baselines based on the OS and its corresponding patch scan baselines.
- Scan patches for resources based on scan baselines.
- Check the summary for patch scan compliance once the scan is completed.
- Repair patches on non-compliant resources in batches.
Core Advantages
- Dynamic identification: OS compliance risks
- Safe production: Automatic batching and blast radius assessment during O&M operations
- Automatic warnings: Notifications sent through email, SMS, and WeCom.
Prerequisites
You have installed UniAgent for the hosts where you want to execute automated O&M. For details about how to install UniAgent, see Installing UniAgent.
Creating a Patch Baseline
Create a patch baseline on COC.
- Log in to COC.
- In the navigation pane, choose Resource O&M > Automated O&M.
- In the Routine O&M area, click Patch Management.
- Click the Patch Baseline tab and click Create Patch Baseline.
- Fill in patch baseline information by referring to Table 1.
Table 1 Basic information parameters

| Parameter | Description | Example Value |
| --- | --- | --- |
| Baseline Name | Customize the name of the patch baseline based on the naming rule. | Test baseline |
| Scenario Type | The value can be ECS, CCE, or BMS. | ECS |
| OS | The value can be Huawei Cloud EulerOS, CentOS, or EulerOS. | Huawei Cloud EulerOS |
| Baseline Type | Select a baseline type. | Installation rule baseline |
| Product | Product for which you want to scan patches. Only the patches of the selected product are scanned and fixed. | All |
| Category | Category of patches. Only the patches of the selected category are scanned and fixed. | Bugfix |
| Severity | Severity level of patches. Only the patches of the selected severity are scanned and fixed. | All |
| Automatic Approval | Automatically approve patches that meet specified conditions. | Approve the patch after a specified number of days. |
| Specified Days | This parameter is mandatory when Automatic Approval is set to Approve the patch after a specified number of days. | 7 |
| Compliance Reporting | Level at which patches that meet the patch baseline are displayed in the compliance report. | Medium |
- Click OK.
The Patch Management page is displayed.
Creating a Patch Scan Task
Patch scan checks the patches on the target ECS instances for compliance. It scans the selected instances against the selected default baseline, following the batch execution policy, and produces a compliance report.
If an instance cannot be selected, check whether its UniAgent status is normal or whether the OS is supported by COC's patch management.
- On the Patch Management page, click the Patch Scan tab.
- Click ECS for the scenario type set in Creating a Patch Baseline and then click Create Patch Scan Task.
- Set basic parameters for patch scan.
This example describes only the mandatory parameters. Retain the preset values for other parameters.
- Set Execution Type to Single.
- Set Execution Mode to Immediately.
- Click Add and select an ECS instance.
- Set Batch Strategy to No Batch.
- Set Suspension Policy. Suspension threshold: You can set a suspension threshold to determine the execution success rate. Once the number of failed servers reaches the number calculated based on the threshold, the service ticket status will become abnormal and the patch scan will cease.
Figure 1 Suspension policy
- Click OK.
- Once the service ticket is executed, click Compliance Reporting. On the displayed page, check the ECS compliance status in the Compliance Reporting List area.
Figure 2 Service ticket details
Figure 3 Compliance report list
Viewing the Patch Compliance Report
After patch compliance scanning or remediation, you can click the compliance report summary details to view patch details on the instance.
The patch compliance report will only retain the most recent scan or remediation record.
- On the Compliance Report page, click Summary in the Operation column.
- View the patch compliance report.
Figure 4 Patch compliance report summary
Table 2 Patch status description

| Patch Status | Description |
| --- | --- |
| Compliant (installed) | The patch complies with the patch baseline and has been installed on an ECS. No update is available. |
| Compliant (non-baseline patches installed) | The patch is not included in the patch baseline, but it has been installed on the ECS. |
| Non-compliant (installed and to be restarted) | The patch has been repaired, and can take effect only after the ECS instance is restarted. |
| Non-compliant (rejected) | The rejected patch is defined in the abnormal patches of a patch baseline. This patch will not be repaired even if it is compliant with the patch baseline. |
| Non-compliant (to be repaired) | The patch complies with the baseline, but the patch version is earlier than the baseline version. |
| Non-compliant (repair failed) | A patch repair operation is performed, but the repair fails. |
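To make the Table 1 baseline parameters and the Table 2 statuses concrete, here is a small Python model, added for this guide and not COC's own code, that maps the patches scanned on one host to the statuses above. The Product/Category/Severity filters with "All" as a wildcard, the approval delay in days, and the rejected (abnormal) patch list follow Table 1; how COC applies them internally is assumed, and the class and field names and the sample patches are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
@dataclass
class Baseline:  # constructed model of the Table 1 filters; not COC's API
    product: str = "All"
    category: str = "All"
    severity: str = "All"
    approval_days: int = 0      # assumed: a patch enters scope N days after release
    rejected: set = field(default_factory=set)  # abnormal patches, never repaired

@dataclass
class Patch:  # one patch seen by the scan on a host; field names are assumed
    name: str
    product: str
    category: str
    severity: str
    released: date
    available: int            # version the baseline expects
    installed: Optional[int]  # None when the package is absent from the host
    repair_failed: bool = False
    restart_pending: bool = False

def in_baseline(b: Baseline, p: Patch, today: date) -> bool:
    """In scope when every filter matches ('All' is a wildcard) and the approval delay has elapsed."""
    filters = ((b.product, p.product), (b.category, p.category), (b.severity, p.severity))
    if not all(want in ("All", have) for want, have in filters):
        return False
    return p.released + timedelta(days=b.approval_days) <= today

def patch_status(b: Baseline, p: Patch, today: date) -> Optional[str]:
    """Map one patch to a Table 2 status; None means the report does not list it."""
    if p.name in b.rejected:
        return "Non-compliant (rejected)"          # even if it matches the baseline
    if p.repair_failed:
        return "Non-compliant (repair failed)"
    if p.restart_pending:
        return "Non-compliant (installed and to be restarted)"
    if not in_baseline(b, p, today):
        return "Compliant (non-baseline patches installed)" if p.installed is not None else None
    if p.installed is not None and p.installed >= p.available:
        return "Compliant (installed)"
    return "Non-compliant (to be repaired)"       # missing, or older than the baseline version

TODAY = date(2024, 6, 1)
SAMPLE = [  # constructed scan input for one host
    Patch("openssl", "Huawei Cloud EulerOS", "Bugfix", "Critical", date(2024, 5, 1), 3, 3),
    Patch("kernel", "Huawei Cloud EulerOS", "Bugfix", "Critical", date(2024, 5, 1), 5, 4),
    Patch("bash", "Huawei Cloud EulerOS", "Bugfix", "Important", date(2024, 5, 30), 2, 1),
]
```

With a 7-day approval delay the recently released bash patch is reported as a non-baseline patch until the delay elapses, which is why a host can show as compliant while a known fix is still outstanding.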
Repairing a Patch
The patch repair feature repairs ECS instances that a patch scan has identified as non-compliant, by upgrading or installing the non-compliant patches on those instances.
- On the Patch Management page, click the Patch Scan tab.
- Locate the target instance and click Repair in the Operation column.
- Set basic parameters for patch repair.
This example describes only the mandatory parameters. Retain the preset values for other parameters.
- Set Execution Type to Single.
- Set Execution Mode to Immediately.
- Set Batch Strategy to No Batch.
- Set whether to allow the restart. In this example, select No.
Some patches require a restart to take effect. If you choose not to restart, you will need to schedule a restart later.
- Click OK.