Mapping vulnerabilities to remediation content
The Vulnerabilities page lets you map vulnerabilities identified in a vulnerability scan to remediation content.
In BMC Server Automation (BSA), remediation content can be depot content, such as BLPackages, software packages, or NSH scripts. When connected to BSA, the vulnerabilities imported from a scan can include information for multiple operating systems—assuming you have permissions to manage multiple operating systems in the system where you performed the scan. In fact, a single vulnerability can apply to multiple operating systems.
For BNA, remediation content must be a rule that is used to enforce a configuration best practice.
In SCCM, remediation content can be patches, hotfixes, and other types of critical software updates from Microsoft. When connected to SCCM, the vulnerabilities imported from a scan include information relating to many versions of a software update. Remediation content can also be applications or application packages, but you must manually map these to vulnerabilities.
This page provides the following capabilities:
- Automatically mapping vulnerabilities
- Manually mapping vulnerabilities to remediation actions
- Removing mapping for a vulnerability
- Excluding a vulnerability
- Showing details about a vulnerability
- Showing details about a remediation
- Sorting data in columns
- Filtering data in columns
- Filtering by security group
- Filtering by mapping status
- Filtering by exclusion status
Automatically mapping vulnerabilities
To display the Vulnerabilities page, select SecOps Response > Vulnerabilities.
The Vulnerabilities page lets you automatically map vulnerabilities to remediation content.
Auto-mapping in BMC Server Automation
For BSA, auto-mapping attempts to match the Common Vulnerability and Exposure (CVE) number in the metadata for a vulnerability to a CVE number associated with a patch. When you create a remediation operation, SecOps Response creates a Patch Analysis operation for every patch catalog that is needed to perform remediation. If the same CVE number appears in multiple patch catalogs, the system attempts to map vulnerabilities to CVE numbers from patch catalogs that will minimize the number of required Patch Analysis operations.
For BMC Server Automation, during auto-mapping, a vulnerability can potentially be mapped to the same patch in multiple patch catalogs. When this occurs, the vulnerability may not appear in the list of Actionable Vulnerabilities on the Operator Dashboard, depending on the following conditions:
- If the same patch is included in multiple patch catalogs and each catalog is used for a different operating system, SecOps Response can infer when a mapping constitutes an Actionable Vulnerability.
- If the same patch is included in multiple patch catalogs and there are multiple patch catalogs for the same operating system (for example, one catalog for each version of the OS), then SecOps Response cannot determine what patch should be used for remediation purposes. In this situation, auto-mapping will create mappings to multiple patch catalogs, but the mappings will require additional user input. To resolve these situations, scan the list of mapped vulnerabilities to find vulnerabilities where multiple remediation content items have been mapped. Click on any entry in the Remediation column to see how target rules have been defined. Entries requiring additional input will have target rules that include the phrase Value_Required. Use the manual mapping procedure described below and modify the target rules to replace instances of Value_Required with the appropriate target information.
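The following is an added model of the BSA auto-mapping behaviour described above; it is constructed for illustration and is not SecOps Response code. It assumes one Patch Analysis operation per catalog, matches CVE numbers to patches, keeps only the catalogs needed for full coverage, and leaves the Value_Required placeholder wherever the same patch appears in several chosen catalogs for the same OS. Catalog, patch and CVE names are constructed sample values.

```python
from itertools import combinations

# Constructed sample data (not BMC data). Each catalog serves one OS and maps
# patch name -> CVEs it fixes. The two RHEL 7 catalogs (one per OS version)
# both carry patch-C: the ambiguous case that ends up as Value_Required.
CATALOGS = {
    "win2012-cat": ("Windows 2012", {"patch-A": {"CVE-0000-0001"}}),
    "win2008-cat": ("Windows 2008", {"patch-B": {"CVE-0000-0001"}}),
    "rhel7.1-cat": ("RHEL 7", {"patch-C": {"CVE-0000-0002"}, "patch-E": {"CVE-0000-0004"}}),
    "rhel7.2-cat": ("RHEL 7", {"patch-C": {"CVE-0000-0002"}, "patch-D": {"CVE-0000-0003"}}),
    "rhel7.0-cat": ("RHEL 7", {"patch-C": {"CVE-0000-0002"}}),  # covers nothing extra
}
VULNS = {  # vulnerability -> CVE numbers from the scan metadata (constructed)
    "vuln-1": {"CVE-0000-0001"}, "vuln-2": {"CVE-0000-0002"},
    "vuln-3": {"CVE-0000-0003"}, "vuln-4": {"CVE-0000-0004"},
    "vuln-5": {"CVE-0000-0099"},  # no patch anywhere: stays unmapped
}

def candidates(cves, catalogs):
    """All (catalog, os, patch) triples whose patch fixes one of the CVEs."""
    return [(cat, osname, patch) for cat, (osname, patches) in catalogs.items()
            for patch, fixed in patches.items() if fixed & cves]

def coverage(vulns, catalogs):
    """The (vuln, OS) pairs these catalogs can remediate."""
    return {(v, osname) for v, cves in vulns.items()
            for _, osname, _ in candidates(cves, catalogs)}

def minimal_catalogs(vulns, catalogs):
    """Smallest catalog set that keeps full coverage: one Patch Analysis
    operation per catalog, so fewer catalogs means fewer operations."""
    needed = coverage(vulns, catalogs)
    for n in range(1, len(catalogs) + 1):
        for chosen in combinations(catalogs, n):
            if coverage(vulns, {c: catalogs[c] for c in chosen}) == needed:
                return set(chosen)
    return set()

def auto_map(vulns, catalogs):
    """vuln -> [(catalog, patch, target_rule)]. A patch found in several chosen
    catalogs for the same OS cannot be resolved automatically, so its target
    rule is left as the Value_Required placeholder for manual mapping."""
    keep = minimal_catalogs(vulns, catalogs)
    chosen = {c: catalogs[c] for c in catalogs if c in keep}  # keep catalog order
    mapping = {}
    for v, cves in vulns.items():
        cands = candidates(cves, chosen)
        dupes = {}
        for cat, osname, patch in cands:
            dupes.setdefault((osname, patch), []).append(cat)
        mapping[v] = [(cat, patch, "Value_Required" if len(dupes[(osname, patch)]) > 1
                       else f"OS contains {osname}") for cat, osname, patch in cands]
    return mapping
```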
Auto-mapping in BNA
For BNA, auto-mapping attempts to match the CVE number in a vulnerability to a CVE number associated with a rule used to enforce configuration best practices.
Auto-mapping in SCCM
For SCCM, auto-mapping attempts to match Microsoft Bulletin IDs associated with vulnerabilities to the same Bulletin IDs associated with software updates. Because there are typically many versions of a software update, the auto-mapping process also defines target rules that specify the architecture, operating system, and OS version for each software package. These rules allow a vulnerability to be mapped to the correct executable that will be used as a remediation package. You cannot auto-map applications or application packages.
To perform auto-mapping
- If you want to completely re-map all vulnerabilities, select Update existing mappings.
If you do not select this option, an auto-map attempts to map only unmapped vulnerabilities. Selecting this option discards existing auto-mappings and attempts to auto-map all vulnerabilities except for existing manual mappings, which are not affected by this option.
A full auto-mapping can take a considerable amount of time. If you are confident that your existing mappings are accurate, BMC recommends that you do not select this option and instead perform an incremental auto-mapping.
- Click Auto-map at top right. A message tells you that mapping has occurred.
Vulnerabilities that are auto-mapped are marked with an icon in the Auto-mapped column at far left.
Auto-mapping recognizes different operating systems as well as different operating system versions. If the same content is required for multiple versions of an operating system, auto-mapping will correctly map the vulnerability for all versions of the operating system. For example, if the same CVE number is assigned to one patch in a patch catalog for Windows 2012 and another patch in a patch catalog for Windows 2008, auto-mapping will match a vulnerability to both patches.
Manually mapping vulnerabilities to remediation actions
After you perform automatic mapping, some vulnerabilities may remain unmapped. For these, you can perform a manual mapping procedure.
You can only perform manual mapping for one vulnerability at a time. If you want to map the same remediation content to multiple vulnerabilities, you must perform the following procedure for each vulnerability that requires manual mapping.
If you are mapping an OS patch to a vulnerability that applies to multiple ports on the same asset, the patch you select applies automatically to all instances of the vulnerability on that asset.
- In the list of vulnerabilities, select a vulnerability that requires mapping.
If necessary, use the filtering capability at the top of each column. For example, you might want to filter by severity level so you can map vulnerabilities with the highest severity first.
- At right, select Actions > Map.
The Map Remediation to Vulnerability page opens. Use it to search for remediation packages.
- Search for the remediation content that you want to map to the selected vulnerability: enter a text string in the Search text box and click Search.
Your text is matched against the names of any remediation content.
Results of a search return the first 100 items.
- BSA and SCCM only: Optionally, use the filters at left to refine your search. For example, a search that returns 37 results without filters produces only 2 results when filtered for BLPackages.
- Take one of the following actions:
- BSA and SCCM: Select an entry in the list of remediation content.
- BNA: Select one or more entries in the list of remediation content.
- BSA and SCCM only: If you need to map multiple remediation packages to the same vulnerability, define target rules that determine the types of targets where the package should be deployed.
Typically, target rules specify different packages for different operating systems and architectures.
When using SCCM, be aware that there are typically many versions of a software update. You can use target rules to specify the architecture, operating system, and OS version for each software package. In this way you can map a vulnerability to the correct software update. Using different target rules, you can also deploy a mix of software updates, applications, and application packages for a particular vulnerability.
- Click Use Target Rules.
A set of options appear that establish rules for deploying the package.
- In the row defining the rule, for the first field select any of the following:
- OS–For example, Windows.
- OS Platform–For example, x86_64.
- OS Version–For example, 2008 R2.
- OS Release–For example, 6.1.
- OS Vendor–For example, Microsoft.
- In the last field in the row, enter text as a criterion. Evaluation is based on whether a field contains the string you entered.
For example, if you are specifying the Windows operating system, enter a string such as win. When evaluating targets, if the OS name contains the string win, the package is deployed there.
- To add another rule, click Add Criteria. A new row appears. Use its fields to define an additional rule.
- Select the remediation package that should be deployed to targets according to the rules you have set up.
To define another set of target rules for another remediation package, click the icon for adding a set of target rules. Then, repeat the previous steps.
For example, the second set of target rules might apply to Red Hat targets (that is, OS contains RHEL).
To remove a set of target rules, click the X on the tab containing those rules.
- Click Use Target Rules.
The remediation content items you select are mapped to the vulnerability you originally selected.
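The following is an added model of how target rules select a remediation package for a target, covering the target-rule steps above and the replacement of the Value_Required placeholder left by auto-mapping; it is constructed for illustration and is not SecOps Response code. Assumptions: each criterion is a case-insensitive "contains" test on one target field, the criteria in one rule set must all match, and the mapping, hostnames, packages and target attributes are constructed sample values.

```python
VALUE_REQUIRED = "Value_Required"

# Constructed mapping for one vulnerability: each rule set pairs its criteria
# (field, text) with the package to deploy when every criterion matches.
MAPPING = [
    {"criteria": [("OS", "win"), ("OS Platform", "x86_64")], "package": "hotfix-x64"},
    {"criteria": [("OS", "win"), ("OS Platform", "x86")], "package": "hotfix-x86"},
    {"criteria": [("OS", "RHEL"), ("OS Version", VALUE_REQUIRED)], "package": "rhel-blpackage"},
]

# Constructed targets, keyed by hostname, with the fields a rule can test.
TARGETS = {
    "win-a": {"OS": "Windows Server 2008 R2", "OS Platform": "x86_64", "OS Version": "2008 R2",
              "OS Release": "6.1", "OS Vendor": "Microsoft"},
    "win-b": {"OS": "Windows Server 2012", "OS Platform": "x86", "OS Version": "2012",
              "OS Release": "6.2", "OS Vendor": "Microsoft"},
    "rhel-a": {"OS": "RHEL", "OS Platform": "x86_64", "OS Version": "7", "OS Release": "7.2",
               "OS Vendor": "Red Hat"},
}

def needs_input(mapping):
    """Packages whose rule sets still contain the Value_Required placeholder."""
    return [rs["package"] for rs in mapping
            if any(text == VALUE_REQUIRED for _, text in rs["criteria"])]

def rule_set_matches(criteria, target):
    """True when every (field, text) criterion is contained in that target field."""
    return all(text.lower() in target.get(field, "").lower() for field, text in criteria)

def resolve(mapping, package, text):
    """Copy of the mapping with the placeholder in one rule set replaced by
    real target information, as the manual mapping procedure does."""
    return [dict(rs, criteria=[(f, text if v == VALUE_REQUIRED else v) for f, v in rs["criteria"]])
            if rs["package"] == package else rs for rs in mapping]

def evaluate(mapping, targets):
    """Per target: the single package to deploy, 'no match', or 'ambiguous: ...'."""
    report = {}
    for host, target in targets.items():
        hits = [rs["package"] for rs in mapping if rule_set_matches(rs["criteria"], target)]
        if not hits:
            report[host] = "no match"
        elif len(hits) > 1:
            # "Contains" matching is the trap: "x86" is also inside "x86_64",
            # so an x86_64 host satisfies both Windows rule sets.
            report[host] = "ambiguous: " + ", ".join(hits)
        else:
            report[host] = hits[0]
    return report
```

A placeholder rule set never matches a real target, so check needs_input before trusting an evaluation, and prefer criteria that cannot be substrings of one another (x86_64 versus i386 rather than x86).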
Removing mapping for a vulnerability
Use this procedure to remove mapping after a vulnerability has been mapped to remediation content.
- Select the vulnerability that has been previously mapped.
- At right, select Actions > Remove Mapping.
Excluding a vulnerability
You can exclude a vulnerability, which means the vulnerability is not included in dashboard data, remediation operations, or any statistics on vulnerabilities.
When you exclude a vulnerability, the Vulnerabilities page continues to list the item in a gray font to distinguish it from other vulnerabilities.
- Select a vulnerability.
- At right, select Actions > Exclude. A dialog asks for confirmation.
Showing details about a vulnerability
Click the name of any vulnerability to display more information, including its severity level, CVEs that are included, a description, links to the related vendor (such as the Red Hat Network), and links to the patches that can be deployed to fix the vulnerability.
Showing details about a remediation
After remediation content has been mapped to a vulnerability, you can click the name of the remediation to display a pop-up window containing more information. If an entry provides information for multiple remediations, the pop-up window lists information for each remediation. The information includes the type of content (such as a patch or BLPackage), the path to the file (for BSA content), bulletin ID (for SCCM content), and any target rules that are defined for deploying the package.
Sorting data in columns
Sort columns of data on this page by clicking on column headers.
Filtering data in columns
Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.
Filtering by security group
If your user ID is assigned to multiple security groups, you can filter the vulnerabilities displayed by selecting an option from the Security Groups filter at the top of the page. The page shows only vulnerabilities to which that security group has access.
Filtering by mapping status
You can filter the vulnerabilities displayed with the Mapping Status filter at the top of the page. The options are Mapped, Not Mapped, or All.
Filtering by exclusion status
You can filter the vulnerabilities displayed with the Exclusion Status filter at the top of the page. When you exclude a vulnerability, it is not included in dashboard data, remediation operations, or any statistics on vulnerabilities. The filtering options are Excluded, Included, or All.
Where to go next
Use the Security Dashboard to assess security threats.
Use the Operator Dashboard to identify the highest priority vulnerabilities and then launch a remediation wizard.