Managing security vulnerabilities
A security vulnerability is a report from a device vendor that advises you about the devices that have operating systems vulnerable to security threats. You can import a vendor's advisory or bulletin into BMCTrueSight Network Automation by using a security vulnerability importer. The imported information is a summary of the full report. You need to consult the vendor's site for complete information. For information about security vulnerability importers, see Managing security vulnerability importers.
The process of importing a security vulnerability report involves mapping of the reported vulnerable operating systems to the operating system version strings that are used by TrueSight Network Automation and discovered from the live devices that TrueSight Network Automation manages. After you import the security vulnerability, you can use it to create a compliance rule that reports a violation if a managed device is running a vulnerable operating system.
TrueSight Network Automation is shipped with a canned set of security vulnerabilities that are derived from the following repositories:
- Cisco's Common Vulnerability Reporting Framework (CVRF) advisory repository
- Cisco's National Vulnerability Database (NVD) repository
- Juniper's NVD repository
- Aruba's NVD repository
- NEW IN 8.904.001 Extreme Networks's NVD repository
- NEW IN 8.904.001 Hewlett Packard Enterprise (HPE) Aruba's NVD repository
- NEW IN 8.904.001 Palo Alto's NVD repository
These vulnerabilities are a snapshot of the available XML files that are captured prior to the product release date. Note that these device vendors update their advisories frequently. Therefore, BMC recommends that you import the updates regularly to keep the database current. TrueSight Network Automation does not update security vulnerabilities during the software upgrade process. You might choose to import the shipped versions, which are included in the BNA_HOME\public\bmc\bca-networks\securityVulnerabilities directory.
The CVRF database shipped with the product version 8.9.02 is current as of August 16, 2017, with version 8.9.01 is current as of February 7, 2017, and with version 8.9.00 is current as of August 30, 2016.
The publicly available Cisco CVRF database is currently devoid of specific operating system version information and is not suitable for generating compliance rules. For that reason, the canned database of CVRF files is frozen as of August 16, 2017, where the operating system versions are still present. Reports made by Cisco dated after August 16, 2017, and contain the necessary operating system version data can be imported from NVD instead. A new canned importer named "Import Cisco Advisories From NVD XML File, Published After 08/15/17" is provided for this purpose.
As of release 8.9.03, the canned CVRF database is no longer updated. The publicly available CVRF files from Cisco no longer contain detailed operating system version information, which renders these reports unsuitable for the purpose of rule creation and vulnerable device detection. Thus the canned database contains the last snapshot, taken on August 16, 2017, where operating system versions are still present. Reports published by Cisco after that date and containing the operating system versions are available from NVD instead.
TrueSight Network Automation is also shipped with the following canned rule sets, Vulnerable OS images reported in Cisco CVRF advisories and Vulnerable OS images reported in NVD advisories. The canned rule sets contain rules that enforce the canned security vulnerabilities which identify specific vulnerable operating system versions. These rule sets are disabled by default. You must enable them when you want to manage the violations that the rule set might detect. Use the Compliance Summary report before enabling the rule set to gauge the volume of violations to be detected. Some of the canned security vulnerabilities do not have an associated rule. This is due to the advisory not reporting any specific operating system versions. These vulnerabilities are included for completeness and you might want to develop your own rules to enforce them.
The following topics describe how to import and view security vulnerabilities and how to associate rules with them: