Associating security vulnerabilities with compliance rules
This topic describes how to associate a rule with a security vulnerability and how to remove that association.
In this topic, references to applicable OS image patterns apply to version 8.9.01, and references to subject patterns apply to version 8.9.00.
A security vulnerability on its own does nothing, but serves as documentation. When you associate a compliance rule with a vulnerability, and include that rule in an enabled rule set, you can find devices that are running a vulnerable operating system by reviewing compliance violations.
When a rule is associated with a security vulnerability, the applicable OS image (or subject) patterns of the rule are maintained automatically to match the affected OS versions of the security vulnerability, whenever the security vulnerability is updated. You can associate one security vulnerability with many rules. However, you can associate one rule with only one security vulnerability.
You can associate a rule with a security vulnerability by using one of the following methods:
- On the Security Vulnerabilities page, use the Generate Rule option for the security vulnerability. This option enables you to create a new rule with the values initialized to detect the operating system versions that match the affected OS versions in the selected security vulnerability. For more information, see Generating compliance rules.
- On the Security Vulnerabilities page, use the Manage Rules option for the security vulnerability. This option allows you to select one or more unassociated rules to associate with the selected security vulnerability. When you save a new association, the rule is updated to contain the applicable OS image (or subject) patterns to match the affected OS versions in the selected security vulnerability. For more information, see Managing compliance rules.
- Use a rule import task to import an XML file in which the rule specifies a security vulnerability by vendor and ID. When a new association is being made at import time, the applicable OS images (or subject) of the rule are forced to be patterns that will match the affected OS versions in the security vulnerability. Any applicable OS image name patterns or minimum/maximum version range (or subject) provided with the import data is ignored if a new association is being made.
- Use the RuleService web services API and its importRules() method, where the supplied ruleDTO specifies a security vulnerability. When a new association is being made at import time, the applicable OS images (or subject) of the rule are forced to be patterns that will match the affected OS versions in the security vulnerability. Any applicable OS image name patterns or minimum/maximum version range (or subject) provided with the ruleDTO is ignored if a new association is being made.
When a new association is made that causes the applicable OS images (or subject) to be changed, TrueSight Network Automation clears all the existing violations for that rule. You must run a Refresh Device Status action for Compliance Violation Status to detect the current violations. An event is logged whenever such a new association is made, to help you determine whether a refresh is necessary.
Generating compliance rules
When you click the Generate Rule option on the Security Vulnerabilities page, the Add Rule page appears, in which most of the values are pre-populated. Notice and review the following settings:
- By default, Domain is set to OS Image Name, which means that only the image name of a device is validated when performing compliance checks.
- Applicable OS Images is set to Patterns, which contains regular expressions for matching the affected OS versions. Starting with version 8.9.01, the affected OS versions are populated into the applicable OS image version patterns (instead of into the subject).
- Subject is set to Pattern, which contains .* to match any OS version string. If the security vulnerability has specific instructions about device configuration, you can update the subject and domain to detect illegal settings in the configuration.
- Verify that the default applicable trail of Running is sufficient.
- Pay special attention to the Device Type and Applicable Model settings. By default, both these fields are set to All. However, you might want to narrow them down based on the security vulnerability. The system performance can improve by narrowing these settings down, whenever possible.
Review all the settings on the Add Rule page to ensure that the rule will perform the required checks. Also note any unenforceable versions reported in the security vulnerability. TrueSight Network Automation cannot translate these versions into a usable specific OS version, and thus cannot generate a pattern for inclusion in the applicable OS images (or subject), so no violation is reported for devices running them. To cover unenforceable versions, BMC recommends that you create and maintain your own rule and do not associate that rule with any security vulnerability.
When you save a generated rule, the rule is associated with the security vulnerability. When the security vulnerability is later updated by importing a newer version, the associated rule(s) are also updated automatically to reflect the changes to the affected OS versions. All other settings of the rule are left unchanged: only the applicable OS images (or subject) are forced to patterns containing the latest affected versions. Any manual changes you made to the applicable OS images (or subject) are overwritten.
If a security vulnerability has no affected OS versions (which might occur when the vendor provides no such specific information), you might still generate or associate a rule. When the vulnerability is updated, the applicable OS images (or subject) will not be changed in this case.
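The following added example (not TrueSight Network Automation code, and not its XML or ruleDTO format, which this page does not show) models the association behaviour described above and under the association methods: a rule bound to a vulnerability has its applicable OS image patterns forced from the affected OS versions, hand-written patterns are discarded on association, a rule may carry only one vulnerability, a vulnerability update re-syncs the patterns and clears existing violations until a refresh is run, a vulnerability with no affected versions leaves the patterns untouched, and unenforceable versions produce no pattern. The pattern shape (an escaped, word-bounded version string), the class names and the device image names are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurityVulnerability:
    """Hypothetical model of an imported vulnerability record (vendor + ID)."""
    vendor: str
    vuln_id: str
    affected_versions: List[str]
    # Free-text versions the product cannot turn into a pattern (no violation results).
    unenforceable_versions: List[str] = field(default_factory=list)


@dataclass
class Rule:
    """Hypothetical compliance rule; only the applicable OS image patterns are managed."""
    name: str
    os_image_patterns: List[str] = field(default_factory=list)
    vulnerability: Optional[SecurityVulnerability] = None
    violations: Dict[str, str] = field(default_factory=dict)  # device -> matched pattern


def version_patterns(vuln: SecurityVulnerability) -> List[str]:
    """One regex per affected version (assumed shape). Unenforceable versions yield none."""
    return [r".*\b" + re.escape(v) + r"\b.*" for v in vuln.affected_versions]


def sync_patterns(rule: Rule) -> bool:
    """Force the rule's patterns to match the vulnerability's affected versions.

    Returns True when the patterns changed, which clears stored violations and
    means a Refresh Device Status action is needed before violations reappear.
    """
    vuln = rule.vulnerability
    if vuln is None or not vuln.affected_versions:
        return False  # nothing to enforce: existing patterns are left as they are
    new = version_patterns(vuln)
    if new == rule.os_image_patterns:
        return False
    rule.os_image_patterns = new
    rule.violations.clear()
    return True


def associate(rule: Rule, vuln: SecurityVulnerability) -> bool:
    """Bind a rule to one vulnerability; any patterns supplied with the rule are ignored."""
    if rule.vulnerability is not None:
        raise ValueError(f"rule {rule.name!r} is already associated with a vulnerability")
    rule.vulnerability = vuln
    return sync_patterns(rule)


def refresh_device_status(rule: Rule, devices: Dict[str, str]) -> List[str]:
    """Re-evaluate every device's OS image name against the rule and record violations."""
    rule.violations = {}
    compiled = [re.compile(p) for p in rule.os_image_patterns]
    for device, image_name in devices.items():
        for pattern in compiled:
            if pattern.fullmatch(image_name):
                rule.violations[device] = pattern.pattern
                break
    return sorted(rule.violations)


def demo():
    # Constructed sample data: a vendor advisory and a small device inventory.
    vuln = SecurityVulnerability(
        vendor="ExampleVendor", vuln_id="EV-0001",
        affected_versions=["15.2(4)M", "15.4(3)M"],
        unenforceable_versions=["all 12.x releases"],
    )
    devices = {
        "edge-1": "IOS 15.2(4)M",
        "edge-2": "IOS 15.4(3)M",
        "core-1": "IOS 15.5(2)T",
        "lab-1": "IOS 12.4(24)T",  # only covered by unenforceable text, so never flagged
    }
    rule = Rule("Check EV-0001", os_image_patterns=[".*"])  # discarded on association
    associate(rule, vuln)
    before = refresh_device_status(rule, devices)
    # A newer import of the advisory adds an affected version; patterns re-sync.
    vuln.affected_versions.append("15.5(2)T")
    needs_refresh = sync_patterns(rule)
    cleared = dict(rule.violations)  # empty until the refresh below runs
    after = refresh_device_status(rule, devices)
    return before, needs_refresh, cleared, after


if __name__ == "__main__":
    print(demo())
```

The `demo()` return shows the sequence the page describes: two violations at first, a re-sync that clears them, and three violations after the refresh; the 12.x device is never reported because no pattern exists for it.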
When you view a rule, the associated security vulnerability is also displayed, to make you aware about the way the applicable OS images (or subject) are managed automatically.
You might want to generate more than one rule from a single vulnerability (for example, to include in different per-realm rule sets).
Managing compliance rules
Use the Manage Rules option on the Security Vulnerabilities page to create rules manually that enforce security checks and to associate and dissociate rules with security vulnerabilities. Once you dissociate a rule, its applicable OS images (or subject) are no longer updated automatically.
To make new associations, click Add, then choose a rule from the list. You can choose only those rules that you are allowed to edit and that are not already associated with another security vulnerability.
To remove an association, select the rule in the Associated Rule(s) list, and click Remove.
When you have finished adding and removing rules, click Save to save the changes. Any rule that you have added will have its applicable OS images (or subject) replaced with patterns that match the affected OS versions. You must ensure that the rest of the rule (including the domain and subject) is configured correctly. Like any rule update, you must run a Refresh Device Status action for Compliance Violation Status for violations to be detected by using the updated rule settings.