Creating a Remediation operation for TrueSight Server Automation
A Remediation operation uses information that a vulnerability management system gathers to create one or more corrective operations in TrueSight Server Automation. When using TrueSight Vulnerability Management, you launch a Remediation operation from the Operator-Dashboard.
For an example showing how to create a Remediation operation for TrueSight Server Automation, see Using-TrueSight-Server-Automation-to-remediate-server-issues-detected-in-a-vulnerability-scan.
This topic contains the following sections:
Overview
In TrueSight Vulnerability Management, security personnel typically use the Security-Dashboard to assess the vulnerabilities affecting their server or network environment, spot historical trends, and project days needed to close all vulnerabilities. Operations personnel use the Operator-Dashboard to identify vulnerabilities on servers or network devices and filter those vulnerabilities down to a set with the highest priority for remediation.
When you are done using the Operator Dashboard to identify a set of vulnerabilities that require remediation, you can launch the Remediation operation wizard directly from the dashboard. After you complete the wizard, TrueSight Vulnerability Management schedules one or more operations that run jobs in TrueSight Server Automation. A different job is created for each type of remediation task. If TrueSight Vulnerability Management is creating Patch Analysis Jobs, a separate job is created for each patch catalog. You can view the progress of all operations on the home page.
Using a Remediation operation, you can launch a Patch Analysis job for:
- Microsoft Windows 2008 and later
- Red Hat Linux 5 and later
- SuSE 11 and later
To create a Remediation operation
Open the Operator Dashboard by selecting
TrueSight Vulnerability Management
> Operator Dashboard.
- Use the filtering tools to identify a set of vulnerabilities that require remediation, as described here.
Launch the Remediation wizard by clicking Remediate. The wizard opens and shows the Definition page.
- Perform the following steps:
- Complete each page in the Remediation Operation wizard. The pages are listed below. Each page corresponds to one of the following sections on this page.
After you provide all required information for a page, proceed to the next page by clicking Next (at bottom) or clicking the next chevron in the ribbon at top. At any time you can click Back (at bottom) to display the previous page in the process. Do not use the browser's Back button. - When you have finished defining the operation, click Finish.
You can click Finish to save the operation, even if you have not visited all the pages in the wizard.
When you click Finish, a placeholder message appears on the home page. The placeholder states that one or more operations are being created. You can follow links in the message to check the status of any operations being created. Refreshing the page shows the updated status of the operations. When the creation of all operations is complete, you can refresh the page so the operations appear on the home page and are ready to run according to their defined schedules.
- Complete each page in the Remediation Operation wizard. The pages are listed below. Each page corresponds to one of the following sections on this page.
The following sections describe in detail each step in the Remediation Operation wizard.
Definition
The Definition page provides general information about the operation.
The Definition page includes the following options:
Option | Description |
---|---|
Name | Name of the operation. When the wizard creates operations, it uses the following schemes to generate names: <text entered in Name field>_<type of operation>_<number assigned to operation, if necessary> For example, if you name this operation PasswordSecurity and the wizard creates a Patching operation and a Deploy operation, two vulnerability management operations are created. They are called PasswordSecurity_Patching_Job_01 and PasswordSecurity_Deploy_Job_01. |
Description | Optional descriptive text for the operation. By default, descriptive text is added that lists the filters in effect and the scan files being used when you launched this wizard. |
Security Group | Specifies your current security group. If you are assigned to more than one group, this option is available. If you are assigned to only one group, this option defaults to that group and you cannot edit this option. |
The boxes at right summarize the information provided for each page in the wizard.
Remediations
The Remediations page consists of a list of vulnerabilities requiring remediation. Each row represents a separate vulnerability that has been discovered on an endpoint and mapped to remediation content.
To appear on the Remediations page, a vulnerability must appear in the Actionable Vulnerabilities list of the Operator Dashboard. You can use filters on the Operator Dashboard to control the contents of the Actionable Vulnerabilities list.
Using the Remediations page, you can remove remediations from the list of those being deployed by clearing checkmarks on each row.
If necessary, you can sort the list of remediations by clicking on header names. You can also filter the items displayed in the list using the search boxes at the top of each column. Be aware that filtering items so they do not appear in the list does not remove those items from the list of remediations to be corrected. To remove a vulnerability, you must explicitly deselect that row so it does not include a check mark.
Modifying contents of the list
To remove a target from the list, click on a row representing a server. Clicking the row again, selects the target.
To remove all targets from the list, click the deselect all option, shown below. Clicking the option again, selects all targets.
Sorting data in columns
Sort columns of data on this page by clicking on column headers.
Filtering data in columns
Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.
Operation
The Operation page lists the operations created by the Remediation operation wizard. This page lets you define a schedule and perform other types of configuration for the operations you are about to perform. If you have configured a connection to TrueSight Orchestration and set up job approval in TrueSight Server Automation, you can also use the Operation page to configure the job approval request, as described in Requesting job approvals.Specifying a job group
The first time you access the Operations page, you are prompted to select a job group where jobs that are automatically created should be stored in TrueSight Server Automation.After selecting a job group, you can modify that selection by clicking Browse next to the Job Group option. A dialog box opens. Select a job group and click OK.You do not have to define a job group if a default job group has been set up for your security group.Defining schedules
You can define a schedule that applies to all operations generated by this Remediation operation.If the wizard creates multiple operations, you can define a schedule that applies to them all, but you can also choose to modify the schedule for some or all operations.To define a global schedule
beside Run Once At.
An interface similar to a digital clock appears.To define schedules for individual operations
By default, all operations listed in the Planned Operations list use the global job schedule..
The Configuration dialog box opens. beside Run Once At.
An interface similar to a digital clock appears.Requesting job approvals
If you set up job approval and change tracking, you can request a job approval through a change management system, such as BMC Remedy IT Service Management (ITSM) and execute the Change Automation use case. By default, the approval applies to this operation and all sub-operations that are automatically generated. Alternatively, you can also request approvals for individual sub-operations, as described in the following sections. For an overview of the Change Automation use case, see Change-Automation.To request job approval for the entire operation
If you are requesting job approval for the overall job, under the Change Approval Information section, select the change template and various approval parameters, as described in Job approval options.To request job approval for individual operations
By default, all operations listed in the Planned Operations list use the same job approval. If you are requesting job approvals for individual operations in the Planned Operations list, perform the following steps:.
The Configuration dialog box opens.Job approval options
You can also create customized templates in BMC Remedy ITSM and configure the DEFAULT_TEMPLATE_MAP parameter in TrueSight Orchestration to display and use that template in Vulnerability Management. For more information about this parameter, see Configuring-the-ITSM-Automation-run-book in the TrueSight Orchestration documentation.Executing operations immediately
.
The Configuration dialog box opens.Enabling auto-remediation
Patch Analysis operations can be configured to allow for auto-remediation, which means that when the Patch Analysis operation completes, additional operations are launched automatically to deploy required patches. If you do not enable the auto-remediation, you need to launch the remediation operation manually when the Patch Analysis operation completes.You can define auto-remediation so each phase occurs sequentially, or you can schedule each phase of the auto-remediation process.Before you enable auto-remediation
To use auto-remediation, a deploy template must be specified for your security group. When you specify a deploy template, you identify a corresponding advanced BLPackage Deploy Job in TrueSight Server Automation that has settings you want to use in TrueSight Vulnerability Management.Administrators can specify deploy templates for a particular security group or they can specify deploy templates the apply across an entire site.To enable auto-remediation . The Configuration dialog box opens. It includes two tabs: Remediation Details and Remediation Setting.
Two additional tabs appear: Deploy Settings and Phase Schedules and Execution.Providing additional configuration for operations
A Remediation Operation wizard can automatically create many different types of operations. For example, it can create Deploy or NSH Script operations. In some situations, these operations may require additional configuration. Those scenarios are described below.To provide local properties for Deploy operations
If a Deploy operation is deploying a BLPackage and local properties have been defined for the BLPackage, you may need to provide values for the local properties. .
The Configuration dialog box opens. It includes a tab called Local Properties. If no properties are listed on the tab, no local property values are required. The procedure is complete.
A dialog box displays information and options about the property.To provide parameters for NSH Script operations
If an NSH Script operation is running script that requires parameter values, you may need to provide values for the parameters. .
The Configuration dialog box opens. It includes a tab called Script Properties. If no properties are listed on the tab, no parameter values are required. The procedure is complete.
A dialog box displays information and options about the parameter.
If the Network Shell script is defined so the job requires a flag for this parameter, you cannot modify the setting.
You can only modify parameters that are defined to be editable when the Network Shell script was created.
If you want to include a reference to a property in the parameter, enter a variable bracketed with double question marks (such as ??WINDIR??/rsc). Alternatively, you can click Properties to find and select the appropriate property.
If the Network Shell script is defined so the job requires a value for this parameter, this cell is set to Required and you cannot modify the setting.
If the parameter is defined so it does not accept a value, and the parameter has never had a value associated with it, you cannot modify the setting.To select deploy templates
If you are configuring a Deploy operation, you can optionally specify a deploy template, which encapsulates the deploy settings to be used for the new operation. To enable this functionality, an administrator must define one or more deploy templates for your connector or security group..
The Configuration dialog box opens. If deploy templates are enabled, a tab called Remediation Setting appears.
The Deploy job appears in the Selected Deploy Template field. To remove a Deploy template, select the Deploy job again from the list of possible Deploy jobs.
Notifications
The Notifications page defines notifications that are generated based on conditions you specify. For example, you can instruct the system to send an email when an operation fails or aborts.
This page only applies when TrueSight Vulnerability Management is connected to TrueSight Server Automation.
To add a notification
- From the Notify On drop-down list, select the operational status that generates a message:
- Success
- Failed
- Aborted
- Consistent (only available for Compliance operations)
- Inconsistent (only available for Compliance operations)
- For Notification Method, select Email or SNMP.
- In the next field, identify who gets notified about the status:
- For Email, enter one or more email addresses. Separate multiple addresses with semicolons.
- For SNMP traps, enter email addresses or names of servers.
- Click
.
To remove a notification
Find the row for the notification you want to delete and click under Remove.
Where to go next
After you have launched a remediation operation, it appears on the home page. There you can use the capabilities of TrueSight Vulnerability Management for ongoing management of operations, such as executing the operation again, deleting the operation, or viewing its results.
When you view the results of operations, the tools available to you vary, depending on the type of operation. For more information, see Using-results-of-operations.