Mapping vulnerabilities to remediation content

The Vulnerabilities page lets you map vulnerabilities identified in a vulnerability scan to the remediation content and create exceptions for vulnerabilities.

In TrueSight Server Automation, remediation content can be depot content, such as BLPackages, software packages, or NSH scripts. When connected to TrueSight Server Automation, the vulnerabilities imported from a scan can include information for multiple operating systems—assuming you have permissions to manage multiple operating systems in the system where you performed the scan. In fact, a single vulnerability can apply to multiple operating systems.

For TrueSight Network Automation, remediation content must be a rule that is used to enforce a configuration best practice.

In SCCM, remediation content can be patches, hotfixes, and other types of critical software updates from Microsoft. When connected to SCCM, the vulnerabilities imported from a scan includes information relating to many versions of a software update. Remediation content can also be applications or application packages, but you must manually map these to vulnerabilities.


Viewing vulnerabilities

To display the Vulnerabilities page, select TrueSight Vulnerability Management > Vulnerabilities.

The Vulnerabilities page lets you map vulnerabilities to remediation content.

Note: The Add Exception button is available only for 3.0.01 and later versions. The Exclusion Status filter is removed in 3.0.01 and later versions.

Auto-mapping vulnerabilities

This section describes how to auto-map vulnerabilities to remediation content.

Auto-mapping process in TrueSight Server Automation

For TrueSight Server Automation, auto-mapping attempts to match the Common Vulnerability and Exposure (CVE) number in the metadata for a vulnerability to a CVE number associated with a patch. When you create a remediation operation, TrueSight Vulnerability Management creates a Patch Analysis operation for every patch catalog that is needed to perform remediation. If the same CVE number appears in multiple patch catalogs, the system attempts to map vulnerabilities to CVE numbers from patch catalogs that will minimize the number of required Patch Analysis operations.

During auto-mapping, a vulnerability is mapped to multiple patches in multiple patch catalogs if its CVE ID exists in those patch catalogs.

  • If a vulnerability with a CVE ID is mapped to multiple patch catalogs and each catalog is for a different operating system, TrueSight Vulnerability Management can infer when a mapping constitutes an Actionable Vulnerability.
  • If a vulnerability with a CVE ID is mapped to multiple patch catalogs and these catalogs are for the same operating system (for example, one catalog for each version of the OS), then you need to reconfigure the target rules. To do this, either create an ini file, or modify the target rules and use manual mapping, as follows:
    • Perform the following steps to create the required ini file:
      1. Copy the sample patch_information.ini file (attached to this page) to <TSVM_INSTALL_DIR>/application/app/vulnerability-management-portal/data/configuration directory.
      2. Create one section for each of the patch catalogs that you want to use. For example, if the patches with the CVE ID are found and mapped to the RHEL7 and RHEL6 patch catalogs, create one section for the RHEL7 patch catalog and one for the RHEL6 patch catalog. The section name must be the same as the complete path of the patch catalog and enclosed in square brackets ([ ]). For example, [Depot/Patch Catalogs/RHEL7] and [Depot/Patch Catalogs/RHEL 6].

      3. Specify the OS, OS vendor, OS version, and platform information in the OS, OS_VENDOR, OS_VERSION, and OS_PLATFORM parameters. For example, the sections in the ini file look like the following:

        [Depot/Patch Catalogs/RHEL7]
        OS : LINUX
        OS_VENDOR : RED HAT
        OS_VERSION : Red Hat ES 7
        OS_PLATFORM : x86-64
        
        [Depot/Patch Catalogs/RHEL 6]
        OS : LINUX
        OS_VENDOR : RED HAT
        OS_VERSION : Red Hat ES 6
      4. If the vulnerabilities were auto-mapped earlier, and you want to use the catalog mentioned in the ini file, then you need to select the Update existing mappings option and then auto-map the vulnerabilities.
        Target rules are created based on the settings in the ini file.
    • If you do not want to use the ini files, modify the target rules, as follows:
      1. Go through the list of auto-mapped vulnerabilities to find the vulnerabilities that are mapped to multiple patch catalogs of the same OS.
      2. Select the vulnerability and click Actions > Map to see how target rules have been defined.
      3. Entries requiring additional input will have target rules that include the phrase Value_Required. Modify the target rules to replace instances of Value_Required with the appropriate target information.

Auto-mapping process in TrueSight Network Automation

For TrueSight Network Automation, auto-mapping attempts to match the CVE number in a vulnerability to a CVE number associated with a rule used to enforce configuration best practices.

Rules are mapped based on CVEs irrespective of the device type. The remediation process leverages TrueSight Network Automation's own intelligence: it does not need to scan a device to understand which rules apply to it, and it applies only the relevant rules to the correct devices.

Auto-mapping process in SCCM

For SCCM, auto-mapping attempts to match Microsoft Bulletin IDs associated with vulnerabilities to the same Bulletin IDs associated with software updates. Because there are typically many versions of a software update, the auto-mapping process also defines target rules that specify the architecture, operating system, and OS version for each software package. These rules allow a vulnerability to be mapped to the correct executable that will be used as a remediation package. You cannot auto-map applications or application packages.

Auto-mapping for all imported security groups (Applicable only for TrueSight Server Automation and TrueSight Network Automation)

NEW IN 3.0.01 In versions earlier than 3.0.01, when a TrueSight Vulnerability Management user belonging to any security group performs auto-mapping, vulnerabilities with CVE IDs under the security group context of the logged-in user are auto-mapped, and a notification is shown to the logged-in user on the Activity Status page.

Starting from version 3.0.01, vulnerabilities with CVE IDs under all imported security groups irrespective of the logged in user (aligned to endpoint managers) are also mapped depending upon the following factors:

  • Whether a security group has permission to access the remediation content
  • Value of a property in the application.properties file

Before you begin

Before you perform auto-mapping, ensure that the following prerequisites are met:

  • Ensure that the vulnerability scan file is well-formed and that the Vulnerabilities page shows the CVE IDs in the CVE column for each vulnerability. For more information, see Obtaining scan files eligible for import.

  • (TrueSight Server Automation only) Using the TrueSight Server Automation Console, ensure that at least one of the Update Patch Catalog job runs is successful (green) and that the patch catalogs have patches with associated CVE IDs. Vulnerabilities are mapped to the patches available from the last successful run of the Update Catalog Job. For more information about the Update Patch Catalog jobs, see Updating an existing catalog.
  • If you want to auto-map CVE IDs under all imported security groups, ensure that the following prerequisites are met:
    • Ensure that at least one user of each imported security group has logged in once to TrueSight Vulnerability Management.
    • Ensure that imported security groups have permission to access the remediation content in the endpoint.
    • Enable the auto-mapping in the application.properties file as follows:
      1. On the application server, navigate to the <TSVM_INSTALL_DIR>/application/app/vulnerability-management-portal/data/configuration directory and open the application.properties file in a text editor.
      2. Depending on the endpoint manager, set the following property to true in the file:

        Endpoint Manager               Property=value          Default
        TrueSight Server Automation    globalmap.tssa=true     globalmap.tssa=false
        TrueSight Network Automation   globalmap.tsna=true     globalmap.tsna=false
      3. Save and close the file.
      4. Restart the application using the Stack Manager tool.

To perform auto-mapping

  1. If you want to completely re-map all vulnerabilities, select Update existing mappings.
    If you do not select this option, an auto-map attempts to map only unmapped vulnerabilities. Selecting this option discards existing auto-mappings and attempts to auto-map all vulnerabilities except for existing manual mappings, which are not affected by this option.
    A full auto-mapping can take a considerable amount of time. If you are confident that your existing mappings are accurate, BMC recommends that you do not select this option and instead perform an incremental auto-mapping.
  2. Click Auto-map at top right.
    A message informs you that auto mapping has occurred. If you have enabled auto-mapping for all imported security groups, the number of vulnerabilities in the message includes the vulnerabilities that were auto-mapped for all other imported security groups apart from the security group of the logged in user. The mapping happens only if an imported security group has access to the remediation content.
    Vulnerabilities that are auto-mapped are marked with an icon in the Auto-mapped column at far left. In addition, the Activity Status page displays the vulnerabilities mapped for the security group of the logged-in user. If you have enabled auto-mapping for all imported security groups, a separate message shows the number of vulnerabilities mapped for each of the imported security groups.

    Note

    Auto-mapping recognizes different operating systems as well as different operating system versions. If the same content is required for multiple versions of an operating system, auto-mapping will correctly map the vulnerability for all versions of the operating system. For example, if the same CVE number is assigned to one patch in a patch catalog for Windows 2012 and another patch in a patch catalog for Windows 2008, auto-mapping will match a vulnerability to both patches.

Manually mapping vulnerabilities to remediation actions

After you perform automatic mapping, some vulnerabilities may remain unmapped. For these, you can perform a manual mapping procedure.

You can only perform manual mapping for one vulnerability at a time. If you want to map the same remediation content to multiple vulnerabilities, you must perform the following procedure for each vulnerability that requires manual mapping. If you are mapping an OS patch to a vulnerability that applies to multiple ports on the same asset, the patch you select applies automatically to all instances of the vulnerability on that asset.

Manual mapping for all imported security groups (Applicable only for TrueSight Server Automation and TrueSight Network Automation)

NEW IN 3.0.01 In versions earlier than 3.0.01, when a TrueSight Vulnerability Management user belonging to a security group performs manual mapping of a vulnerability, TrueSight Vulnerability Management fetches remediation content from the endpoint (for example, NSH scripts or BLPackages from TrueSight Server Automation) under the logged-in user's security group context. The user can then map the remediation content to the vulnerability. In version 3.1, a user can map vulnerabilities with CVE IDs for all imported security groups (aligned to endpoint managers) depending upon the following factors:

  • Whether a security group has permission to access the remediation content
  • Value of a property in the application.properties file

Before you begin

Before you perform manual mapping, ensure that the following prerequisites are met:

  • Ensure that the vulnerability scan file is well-formed and that the Vulnerabilities page shows the CVE IDs in the CVE column for each vulnerability. For more information, see Obtaining scan files eligible for import.
  • (TrueSight Server Automation only) Using the TrueSight Server Automation Console, ensure that at least one of the Update Patch Catalog job runs is successful (green) and that the patch catalogs have patches with associated CVE IDs. Vulnerabilities are mapped to the patches available from the last successful run of the Update Catalog Job. For more information about the Update Patch Catalog jobs, see Updating an existing catalog.
  • If you want to manually map CVE IDs under all imported security groups, ensure that the following prerequisites are met:
    • Ensure that the imported security groups have permission to access the remediation content in the endpoint.
    • Enable the manual mapping in the application.properties file as follows:
      1. On the application server, navigate to the <TSVM_INSTALL_DIR>/application/app/vulnerability-management-portal/data/configuration directory and open the application.properties file in a text editor.
      2. Depending on the endpoint manager, set the following property to true in the file:

        Endpoint Manager               Property=value          Default
        TrueSight Server Automation    globalmap.tssa=true     globalmap.tssa=false
        TrueSight Network Automation   globalmap.tsna=true     globalmap.tsna=false
      3. Save and close the file.
      4. Restart the application using the Stack Manager tool.

To perform manual mapping

  1. In the list of vulnerabilities, select the vulnerabilities that require mapping.
    If necessary, use the filtering capability at the top of each column. For example, you might want to filter by severity level so that you can map vulnerabilities with the highest severity first.
  2. At right, select Actions > Map.
    The Map Remediation to Vulnerability page opens. Use it to search for remediation packages.
  3. Search for the remediation content that you want to map to the selected vulnerabilities:

    1. Enter a text string in the Search text box and click Search.
      Your text is matched against the names of any remediation content.
      A search returns the first 100 matching items.

    2. TrueSight Server Automation and SCCM only: Optionally, use the filters at left to refine your search. In the example below, notice how the search filtered for BLPackages produces 5 results while the search shown above produces 13.
    3. Take one of the following actions:
      • TrueSight Server Automation and SCCM: Select an entry in the list of remediation content.
      • TrueSight Network Automation: Select one or more entries in the list of remediation content.

  4. TrueSight Server Automation and SCCM only: If you need to map multiple remediation packages to the same vulnerability, define target rules that determine the types of targets where the package should be deployed.
    Typically, target rules specify different packages for different operating systems and architectures.
    When using SCCM, be aware that there are typically many versions of a software update. You can use target rules to specify the architecture, operating system, and OS version for each software package. In this way you can map a vulnerability to the correct software update. Using different target rules, you can also deploy a mix of software updates, applications, and application packages for a particular vulnerability.
    1. Click Use Target Rules.
      A set of options appear that establish rules for deploying the package.
    2. In the row defining the rule, for the first field select any of the following:
      • OS–For example, Windows.
      • OS Platform–For example, x86_64.
      • OS Version–For example, 2008 R2.
      • OS Release–For example, 6.1
      • OS Vendor–For example, Microsoft.
    3. In the last field in the row, enter text as a criterion. Evaluation is based on whether the field contains the string you entered.
      For example, if you are specifying the Windows operating system, enter a string such as win. When evaluating targets, if the OS name contains the string win, the package is deployed there.
    4. To add another rule, click Add Criteria. A new row appears. Use its fields to define an additional rule.
    5. Select the remediation package that should be deployed to targets according to the rules you have set up.
    6. To define another set of target rules for another remediation package, click the button for adding a new set of target rules. Then, repeat the previous steps.
      For example, the second set of target rules might apply to Red Hat targets (that is, OS contains RHEL).

      Note

      To remove a set of target rules, click the X on the tab containing those rules.

  5. Click Save.
    The remediation content items you selected are mapped to the vulnerabilities you originally selected.
    A message confirms the mapping. The Activity Status page displays a message that the selected vulnerabilities are mapped for all imported security groups that have access to the selected remediation content.
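The ini sections described under auto-mapping and the target rules described above both reduce to the same idea: a catalog or package is chosen for a target when every rule value is contained in the corresponding target field. The following added example (not BMC's code) parses a patch_information.ini in the format shown on this page, lints it for sections that cannot disambiguate catalogs, and evaluates the derived rules against a target's OS facts. Case-insensitive containment and the target field names are assumptions, not documented product behaviour.

```python
"""Parse patch_information.ini sections and evaluate them as target rules."""
import configparser

# Constructed sample mirroring the two sections shown on this page.
SAMPLE_INI = """
[Depot/Patch Catalogs/RHEL7]
OS : LINUX
OS_VENDOR : RED HAT
OS_VERSION : Red Hat ES 7
OS_PLATFORM : x86-64

[Depot/Patch Catalogs/RHEL 6]
OS : LINUX
OS_VENDOR : RED HAT
OS_VERSION : Red Hat ES 6
"""

RULE_KEYS = ("OS", "OS_VENDOR", "OS_VERSION", "OS_PLATFORM")


def load_catalog_rules(text):
    """Return {catalog_path: {rule_key: value}} from ini text.

    The ':' delimiter and upper-case keys follow the page's sample file;
    optionxform is overridden so keys are not lower-cased by configparser."""
    parser = configparser.ConfigParser(delimiters=(":", "="), interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {section: {k: parser[section][k].strip()
                      for k in RULE_KEYS if k in parser[section]}
            for section in parser.sections()}


def lint_rules(rules):
    """Flag sections that cannot be used to tell same-OS catalogs apart."""
    problems = []
    seen = {}
    for catalog, rule in rules.items():
        if not catalog.startswith("Depot/"):
            problems.append(f"{catalog}: section name is not a full depot path")
        for key in ("OS", "OS_VENDOR", "OS_VERSION"):
            if key not in rule:
                problems.append(f"{catalog}: missing {key}")
        signature = tuple(sorted(rule.items()))
        if signature in seen:
            problems.append(f"{catalog}: same rules as {seen[signature]}")
        seen[signature] = catalog
    return problems


def matching_catalogs(rules, target):
    """Catalogs whose every rule value is contained in the target's field.

    'target' maps rule keys to the asset's OS facts (assumed field names);
    a catalog with no rules never matches, so it can never be auto-selected."""
    return [catalog for catalog, rule in rules.items()
            if rule and all(value.lower() in target.get(key, "").lower()
                            for key, value in rule.items())]
```

A target reporting Red Hat ES 6 with no platform field matches only the RHEL 6 section, because the RHEL7 section additionally requires OS_PLATFORM to contain x86-64.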

Removing mapping for a vulnerability

Use this procedure to remove mapping after a vulnerability has been mapped to remediation content.

  1. Select the vulnerability that has been previously mapped.
  2. At right, select Actions > Remove Mapping.

Excluding a vulnerability

(Applicable only for version 3.0) You can exclude a vulnerability, which means the vulnerability is not included in dashboard data, remediation operations, or any statistics on vulnerabilities.

When you exclude a vulnerability, the Vulnerabilities page continues to list the item in a gray font to distinguish it from other vulnerabilities.

  1. Select a vulnerability.
  2. At right, select Actions > Exclude. A dialog asks for confirmation.

Adding exceptions

NEW IN 3.0.01 You can create exceptions for vulnerabilities so that the vulnerabilities do not affect the assets on which they are reported. The Add Exception button enables you to create exceptions for vulnerabilities manually. This button is enabled only when For more information about exceptions, see Managing exceptions.

Showing details about a vulnerability

Click the name of any vulnerability to display more information, including its severity level, CVEs that are included, a description, links to the related vendor (such as the Red Hat Network), and links to the patches that can be deployed to fix the vulnerability.

Showing details about a remediation

After remediation content has been mapped to a vulnerability, you can click the name of the remediation to display a pop-up window containing more information. If an entry provides information for multiple remediations, the pop-up window lists information for each remediation. The information includes the type of content (such as a patch or BLPackage), the path to the file (for TrueSight Server Automation content), the bulletin ID (for SCCM content), and any target rules that are defined for deploying the package.

Sorting data in columns

Sort columns of data on this page by clicking on column headers.

Filtering data in columns

Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.

Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.

Filtering by security group

If your user ID is assigned to multiple security groups, you can filter the vulnerabilities displayed by selecting an option from the Security Groups filter at the top of the page. The page shows only vulnerabilities to which that security group has access.

Filtering by mapping status

You can filter the vulnerabilities displayed with the Mapping Status filter at the top of the page. The options are Mapped, Not Mapped, or All.

Filtering by exclusion status

(Applicable only for version 3.0) You can filter the vulnerabilities displayed with the Exclusion Status filter at the top of the page. When you exclude a vulnerability, it is not included in dashboard data, remediation operations, or any statistics on vulnerabilities. The filtering options are Excluded, Included, or All.

Where to go next

Use the Security Dashboard to assess security threats.

Use the Operator Dashboard to identify the highest priority vulnerabilities and then launch a remediation wizard.
