Risks
Risks include missing patches, vulnerabilities, and compliance violations that are identified on assets.
In the TrueSight Network Automation endpoint manager, risks includes only the vulnerabilities identified on the network devices (assets).
Missing patches
For TrueSight Server Automation endpoint manager onlyWhen patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.
Vulnerabilities
You can import scan results for vulnerabilities that are scanned by the scanning systems such as Nessus, Qualys, and Rapid7. When you import the results in Automation Console, vulnerabilities get mapped to the remediation content automatically, or you may need to map them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.
You can also import scan results on assets with the following operating systems:
- Microsoft Windows
- IBM AIX
- HP-UX
- Solaris
- CentOS
- SUSE
- Ubuntu
- Debian
- Oracle Linux ULN
For CentOS, Errata's are not supported, hence the vulnerabilities cannot be automatically mapped to the remediation content. You can create remediation operations for other OS only if the remediation content type is BLPackage and NSH script. Operations to remediate vulnerabilities can only be created if vulnerabilities are mapped to appropriate remediation content.
Auto-mapping process
When you import a scan file, if both of the following conditions are fulfilled, then the vulnerabilities get automatically mapped to the remediation content:
- Assets in the scan file are either automatically or manually mapped to endpoints in the endpoint manager.
- Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with the vulnerabilities are already imported in Automation Console.
If you import a patch catalog after importing the scan file, vulnerabilities are not automatically mapped.
By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a bulletin or errata in a catalog imported in Automation Console. During auto-mapping, if a vulnerability with a CVE ID is mapped to patch catalogs of two different operating systems, and that same vulnerability is reported on the assets of different operating systems too, then Automation Console maps the remediation content to both the assets automatically.
On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the following table to understand the scenarios for each status.
Vulnerability Status | Scenario | Action required |
---|---|---|
Auto-mapped | There is a one-to-one mapping between CVE IDs and remediation content. For example, each CVE ID is mapped to one remediation content. | None. Remediation operation can be created with no changes required in the mapping. |
Partially Mapped | Multiple CVE IDs for a vulnerability, but remediation content is mapped only for a few CVE IDs. If an operation is created, this vulnerability is partially remediated and no longer appears in the Vulnerabilities list. Such a vulnerability still appears in the next scan. | None. Remediation operation can be created. However, vulnerability is partially remediated for the CVE IDs for which the remediation content is available. |
Partially Mapped (Action Required) | One CVE ID is mapped to more than one remediation content. | Yes. Remove the current mapping and manually map the vulnerability to the appropriate remediation content. After mapping the status changes to Mapped. Now, a remediation operation can be created. |
Unmapped | Vulnerability is not mapped to any remediation content. This can happen if assets are not mapped to endpoints in the endpoint manager or patch catalogs are not imported in Automation Console. | Yes. Manually map the vulnerability to an appropriate remediation content. |
Important
In some cases, a vulnerability may be mapped to a remediation content, but the underlying assets may not be mapped because of limited target scope defined in the criteria. In such cases, even though the vulnerability status is mapped, the vulnerability asset instances' status will remain unmapped. As such, these will be listed as unmapped in Vulnerability dashboard and appear in filter results for 'Unmapped' filter.
Manual mapping process
If some of vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can manually map them to remediation content. You can perform manual mapping for only one vulnerability at a time.
When you import scans for vulnerabilities on CentOS assets, the vulnerabilities are not automatically mapped to the remediation content as only RPMs are supported, and not Erratas. You must manually map vulnerabilities with the remediation content later to perform remediation operations.
When mapping manually, the remediation content can be of the following types:
- BLPackages
- Network Shell (NSH) scripts
- Patches
- Installshield packages
- Microsoft Installer (MSI) packages
- Operating system service packs
- Red Hat packages
- Custom software
Compliance violations
For TrueSight Server Automation endpoint manager onlyWhen you create a compliance scan policy, it runs based on a predefined schedule and collates data about compliance violations on the assets in the policy on the Risks > Compliance page. The Compliance page shows the total number of compliance violations, number of assets scanned by each policy, number of rules evaluated in a policy, and the compliance posture of the scanned assets, which is the percentage of compliant, non-compliant, and indeterminate assets. Using this data, you can further create remediation operations to resolve the violations.
Where to go from here
To view missing patches and vulnerabilities, and map vulnerabilities to remediation content, see Working with risks.
Comments
Log in or register to comment.