Important

   

Starting with version 8.9.03, BMC Network Automation is renamed to TrueSight Network Automation. This space contains information about BMC Network Automation 8.9.02 and previous versions. For TrueSight Network Automation 8.9.03 and later releases, see the TrueSight Network Automation documentation.

Adding or editing security vulnerability importers

BMC Network Automation is shipped with one canned security vulnerability importer, named Import Cisco Advisory From CVRF XML File, which supports the import of security advisories from the Cisco Common Vulnerability Reporting Framework (CVRF) repository. Use the procedure described in this topic if you want to add or edit your own importer.

To add or edit a security vulnerability importer

  1. Open the Security Vulnerability Importers page by navigating to Admin > Network Admin > Security Vulnerability Importers.
  2. Perform one of the following actions:
    • To define a new importer, click Add.
      The Add Security Vulnerability Importer page is displayed.
    • To create a new importer by duplicating and editing an existing importer, click Copy.
    • To edit an existing importer, click Edit.
  3. Enter or update information in the following fields:

    Field: Description

    Name: Specify a unique name for the security vulnerability importer. This name appears in the list of available importers when importing a security vulnerability.

    Vendor: Specify the vendor whose security vulnerabilities this importer can process.

    Transform Input File Using: Specify how the source file from the vendor will be converted to an internal XML format for processing:

    • No Conversion Necessary: Source files are already in the internal format.
    • Stylesheet: Source files contain XML, which will be converted to the internal XML format by a stylesheet.
    • Endorsed Program: Source files contain text that can be parsed and converted by a program or a script to the internal XML format.

    Stylesheet File: If you have selected Stylesheet as the transformation mechanism, specify the stylesheet file.

    Note: The file must be named with the .xsl extension (case-insensitive). Also, the file must contain legal XSLT 2.0 syntax, which is validated when you save the importer.

    Executable Program Name: If you have selected Endorsed Program as the transformation mechanism, specify the name of the program or script, which is placed in the BCAN_DATA/endorsed directory. The program or script must exist and be executable by the web server. The program must accept one argument that specifies the name of the source file to be parsed, and must print the converted results to its standard output (stdout). The program or script must exit with a return code of 0 to indicate success, and any other value to indicate failure. The program or script is given two minutes to run to completion. If the program or script does not complete within two minutes, BMC Network Automation times out and declares it to have failed.

    OS Image Name Conversions: (Optional) Specify how to convert a raw <affectedOsVersion> value into a value that closely resembles the device OS image values that BMC Network Automation discovers while it is logged on to the managed device.

    These conversions are ordered. The output of one conversion is passed as the input to the next conversion, and every conversion that matches is executed. Use the Move Up and Move Down buttons to control the ordering. For more information, see OS Image Name Conversions.

    Applicable OS Image Pattern Generators (Applicable for versions 8.9.01 and later): (Optional) Specify how to generate the regular expressions to be used in a compliance rule and its applicable OS image name-matching patterns. These generators are ordered; only the first one that matches an affected OS version is used and subsequent ones are ignored. If none match, the default is used. Use the Move Up and Move Down buttons to control the ordering. For more information, see Applicable OS Image Name Pattern Generators.

    OS Image Subject Pattern Generators (Applicable for version 8.9.00): (Optional) Specify how to generate the regular expressions to be used in a compliance rule and its subject patterns. These generators are ordered; only the first one that matches an affected OS version is used and subsequent ones are ignored. If none match, the default is used. Use the Move Up and Move Down buttons to control the ordering. For more information, see Applicable OS Image Name Pattern Generators.
  4. Click Save.
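
A pre-deployment check for the Endorsed Program contract described in step 3 (one argument, converted output on stdout, exit code 0 on success, two-minute limit). This is an added example, not BMC code: the function names, the stand-in converter and its placeholder element names are assumptions, and the only check on the output is XML well-formedness because the internal format is not specified here.

```python
import os
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET

TIMEOUT_SECONDS = 120  # the program is given two minutes to run to completion

def check_endorsed_program(command, source_file, timeout=TIMEOUT_SECONDS):
    """Run command + [source_file]; return (ok, detail). command is an argv list."""
    try:
        proc = subprocess.run(command + [source_file],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, f"did not finish within {timeout} seconds"
    except OSError as exc:
        return False, f"could not be started: {exc}"
    if proc.returncode != 0:
        return False, f"exit code {proc.returncode} signals failure"
    try:
        root = ET.fromstring(proc.stdout)
    except ET.ParseError as exc:
        return False, f"stdout is not well-formed XML: {exc}"
    return True, f"well-formed XML, root element <{root.tag}>"

# Constructed stand-in converter: wraps each non-empty source line in an
# element. Element names are placeholders, not the product's internal schema.
SAMPLE_CONVERTER = r'''
import sys
from xml.sax.saxutils import escape
lines = [ln.strip() for ln in open(sys.argv[1]) if ln.strip()]
if not lines:
    sys.exit(2)  # nothing to convert: report failure through the exit code
print("<placeholderRoot>")
for ln in lines:
    print("<placeholderItem>" + escape(ln) + "</placeholderItem>")
print("</placeholderRoot>")
'''

def demo(source_text):
    """Run the constructed converter against constructed source text."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(source_text)
    try:
        return check_endorsed_program([sys.executable, "-c", SAMPLE_CONVERTER], f.name)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo("7.1(5)E4 & earlier\n7.0 Base\n"))
```

For a real program, pass its path as a one-element list, for example `check_endorsed_program(["/path/to/program"], "advisory.txt")`.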

OS Image Name Conversions

The fields in the OS Image Name Conversion dialog box (shown in the following figure) specify how to convert a raw <affectedOsVersion> value into a value that closely resembles a device OS image string that BMC Network Automation discovers while it is logged on to the managed device. A vendor might not report its product versions in a security advisory or bulletin in the same format as the versions BMC Network Automation discovers from a live device (which you can view in the OS image library). Because the <affectedOsVersion> values are displayed when viewing the resulting imported security vulnerability, it is desirable that those values look like the device OS image values that are displayed in the rest of BMC Network Automation. The versions are also used to generate the patterns filled into any generated compliance rule, so they need to match the device version strings closely.

The OS Image Name Conversion dialog box contains the following fields:

Field: Description

Input Match: Specify a regular expression for the affected OS version string to look for, with parentheses around capture groups for the data to be transferred into the output or result.

Output Result Format: Specify the format in which to generate the result, with regular brackets around arguments to plug in data from input capture groups.

Annotation: (Optional) Specify a description for the conversion.

For example, a source file reports IPS device versions, such as 7.1(5)E4. However, BMC Network Automation discovers versions, such as 7.1-5-E4. The conversion shown in the OS Image Name Conversion dialog box converts the parentheses in the source string into dashes.

Applicable OS Image Name Pattern Generators 

The fields in the Applicable OS Image Name Pattern Generator dialog box (shown in the following figure) specify how to convert an affected OS version (resulting from the OS image name conversions) into a regular expression that is suitable for use in the applicable OS image patterns (subject patterns in version 8.9.00) of a compliance rule. By default, an affected OS version, when copied into a rule, has its regular expression metacharacters escaped, and gets a (,[,\,.,;\-].+|$) appended to match the trailing content. However, this conversion might not be sufficient to create a pattern that matches the device OS versions discovered by BMC Network Automation. In the Applicable OS Image Name Pattern Generator dialog box fields, you can define how to further transform the affected OS version to generate a properly matching regular expression.


The Applicable OS Image Name Pattern Generator dialog box contains the following fields:

Field: Description

Input Match: Specify a regular expression for the affected OS version string to look for, with parentheses around capture groups for the data to be transferred into the output or result.

Output Result Format: Specify the format in which to generate the resulting regular expression, with regular brackets around arguments to plug in data from input capture groups.

Annotation: (Optional) Specify a description for the generator.

In the example shown in the preceding figure, the affected OS version looks like IPS-K9-7.0 Base, where the trailing word Base means any version starting with 7.0. The resulting regular expression that would appear in a generated compliance rule would be IPS-K9-7\.0(-.+|$), to account for the dash being the version delimiter in the discovered IPS version strings.
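
An offline model of the two ordering rules described above, for trying out Input Match and Output Result Format pairs before entering them: conversions chain through every match, while pattern generators stop at the first match. This is an added example, not BMC code; the `{1}` argument syntax, whole-string matching and all entries other than the two examples on this page are assumptions.

```python
import re

# Assumption: capture-group arguments are written {1}, {2}, ... in this model.
ARG = re.compile(r"\{(\d+)\}")

def fill(result_format, match):
    """Plug input capture groups into an Output Result Format string."""
    return ARG.sub(lambda a: match.group(int(a.group(1))), result_format)

def convert_name(version, conversions):
    """OS Image Name Conversions: ordered, every match runs, output chains."""
    for input_match, result_format in conversions:
        m = re.fullmatch(input_match, version)  # assumption: whole-string match
        if m:
            version = fill(result_format, m)
    return version

def generate_pattern(version, generators):
    """Pattern generators: ordered, only the first match is used.
    Returns None when none match, i.e. the product default would apply."""
    for input_match, result_format in generators:
        m = re.fullmatch(input_match, version)
        if m:
            return fill(result_format, m)
    return None

def rule_matches(pattern, discovered):
    """Test a generated pattern against a discovered OS image string."""
    return re.fullmatch(pattern, discovered) is not None

# Constructed entries. The first conversion reproduces the 7.1(5)E4 -> 7.1-5-E4
# example; the second (adding a prefix) is invented here to show chaining.
CONVERSIONS = [
    (r"(\d+\.\d+)\((\d+)\)(.+)", "{1}-{2}-{3}"),
    (r"(\d+\.\d+-\d+-.+)", "IPS-K9-{1}"),
]
# The first generator yields IPS-K9-7\.0(-.+|$); the broad second one also
# matches "IPS-K9-7.0 Base" but is never reached for that input.
GENERATORS = [
    (r"(IPS-K9)-(\d+)\.(\d+) Base", r"{1}-{2}\.{3}(-.+|$)"),
    (r"(IPS-K9)-.*", r"{1}-.*"),
]

if __name__ == "__main__":
    print(convert_name("7.1(5)E4", CONVERSIONS))
    pattern = generate_pattern("IPS-K9-7.0 Base", GENERATORS)
    for image in ("IPS-K9-7.0-4-E4", "IPS-K9-7.0", "IPS-K9-7.05"):
        print(pattern, image, rule_matches(pattern, image))
```

Reversing `CONVERSIONS` drops the prefix, because the prefix conversion no longer sees the dashed form it expects.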

Where to go from here

Importing security vulnerabilities

Related topic

Viewing the security vulnerability importers listing
