Managing security vulnerabilities
A security vulnerability is a report from a device vendor that advises you about the devices that have operating systems vulnerable to security threats. You can import a vendor's advisory or bulletin into BMC Network Automation by using a security vulnerability importer. The imported information is a summary of the full report. You need to consult the vendor's site for complete information. For information about security vulnerability importers, see Managing security vulnerability importers.
Importing a security vulnerability report involves mapping the reported vulnerable operating systems to the operating system version strings that BMC Network Automation uses and discovers from the live devices that it manages. After you import the security vulnerability report, you can use it to create a compliance rule that reports a violation if a managed device is running a vulnerable operating system.
BMC Network Automation is shipped with a canned set of security vulnerabilities that are derived from Cisco's Common Vulnerability Reporting Framework (CVRF) advisory repository. These vulnerabilities are a snapshot of the available CVRF files, captured prior to the product release date. All advisories published by Cisco in CVRF format are included. Because Cisco updates its advisories frequently, BMC recommends that you import the updates regularly to keep the database current. BMC Network Automation does not update security vulnerabilities during the software upgrade process. You might choose to import the shipped versions, which are included in the BNA_HOME\public\bmc\bca-networks\securityVulnerabilities directory.
BMC Network Automation is also shipped with a canned rule set, named Vulnerable OS images reported in Cisco CVRF advisories, which contains rules that enforce the canned security vulnerabilities. This rule set is disabled by default. You must enable it when you want to manage the violations that the rule set might detect. Before enabling the rule set, use the Compliance Summary report to gauge the volume of violations that it would detect. Some of the canned security vulnerabilities do not have an associated rule. This happens when an advisory is pertinent but does not report any specific operating system versions. These vulnerabilities are included for completeness, and you might want to develop your own rules to enforce them.
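The mapping step described above, from a CVRF advisory's affected products to the OS version strings discovered on managed devices, can be sketched as follows. This is an added example, not BMC Network Automation's importer or rule engine; the advisory, the device inventory, the `Cisco IOS ` name prefix, and the case-insensitive matching are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified CVRF-style advisory (not a real Cisco advisory).
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
  xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
  xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <prod:ProductTree>
    <prod:FullProductName ProductID="P-1">Cisco IOS 15.1(4)M</prod:FullProductName>
    <prod:FullProductName ProductID="P-2">Cisco IOS 15.2(1)T</prod:FullProductName>
    <prod:FullProductName ProductID="P-3">Cisco IOS 15.4(3)M</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>P-1</vuln:ProductID>
        <vuln:ProductID>P-2</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>"""

# Constructed inventory: device name -> OS version string as discovered.
DEVICES = {"edge-rtr-01": "15.1(4)M", "core-rtr-02": "15.4(3)M", "br-rtr-07": "15.2(1)t "}

def local(tag):
    """Strip the XML namespace so matching does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]

def normalize(version):
    """Assumed normalization: trim whitespace and compare case-insensitively."""
    return version.strip().upper()

def affected_versions(cvrf_xml, product_prefix="Cisco IOS "):
    """Return normalized versions of products marked 'Known Affected'."""
    names, affected_ids = {}, set()
    for el in ET.fromstring(cvrf_xml).iter():
        if local(el.tag) == "FullProductName":
            names[el.get("ProductID")] = (el.text or "").strip()
        elif local(el.tag) == "Status" and el.get("Type") == "Known Affected":
            affected_ids.update((c.text or "").strip() for c in el if local(c.tag) == "ProductID")
    # Map advisory product names to the bare version strings used by the inventory.
    return {normalize(names[i][len(product_prefix):]) for i in affected_ids
            if names.get(i, "").startswith(product_prefix)}

def violations(cvrf_xml, devices):
    """List devices whose discovered OS version appears in the advisory."""
    bad = affected_versions(cvrf_xml)
    return sorted(d for d, v in devices.items() if normalize(v) in bad)

if __name__ == "__main__":
    print(violations(SAMPLE_CVRF, DEVICES))
```

Products listed in the product tree but not under a `Known Affected` status (here `P-3`) produce no violation, which is why an advisory that names no specific versions yields nothing to match against.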
The following topics describe how to import and view security vulnerabilities and how to associate rules with them:
