Creating a Remediation operation for TrueSight Server Automation

A Remediation operation uses information that a vulnerability management system gathers to create one or more corrective operations in TrueSight Server Automation. When using TrueSight Vulnerability Management, you launch a Remediation operation from the Operator Dashboard.

For an example showing how to create a Remediation operation for TrueSight Server Automation, see Using TrueSight Server Automation to remediate server issues detected in a vulnerability scan.


Overview

In TrueSight Vulnerability Management, security personnel typically use the Security Dashboard to assess the vulnerabilities affecting their server or network environment, spot historical trends, and project days needed to close all vulnerabilities. Operations personnel use the Operator Dashboard to identify vulnerabilities on servers or network devices and filter those vulnerabilities down to a set with the highest priority for remediation.  

When you are done using the Operator Dashboard to identify a set of vulnerabilities that require remediation, you can launch the Remediation operation wizard directly from the dashboard. After you complete the wizard, TrueSight Vulnerability Management schedules one or more operations that run jobs in TrueSight Server Automation. A different job is created for each type of remediation task. If TrueSight Vulnerability Management is creating Patch Analysis Jobs, a separate job is created for each patch catalog. You can view the progress of all operations on the home page.

Using a Remediation operation, you can launch a Patch Analysis job for:

  • Microsoft Windows 2008 and later
  • Red Hat Linux 5 and later
  • SuSE 11 and later

To create a Remediation operation

  1. Open the Operator Dashboard by selecting TrueSight Vulnerability Management > Operator Dashboard.
  2. Use the filtering tools to identify a set of vulnerabilities that require remediation, as described in the Operator Dashboard documentation.
  3. Launch the Remediation wizard by clicking Remediate. The wizard opens and shows the Definition page.

     If the Remediate button is not enabled, the following information applies.

    The Remediate button is only enabled when a set of conditions is satisfied, as illustrated in the following flowchart.

      [Flowchart: Enable Remediate button]

    If you answer yes to all the questions in the flowchart and the Remediate button is still not enabled, contact BMC Support.

  4. Perform the following steps:

    1. Complete each page in the Remediation Operation wizard. Each wizard page corresponds to one of the sections that follow on this page.
      After you provide all required information for a page, proceed to the next page by clicking Next (at bottom) or clicking the next chevron in the ribbon at top. At any time you can click Back (at bottom) to display the previous page in the process. Do not use the browser's Back button.

    2. When you have finished defining the operation, click Finish.
      You can click Finish to save the operation, even if you have not visited all the pages in the wizard.
      When you click Finish, a placeholder message appears on the home page. The placeholder states that one or more operations are being created. You can follow links in the message to check the status of any operations being created. Refreshing the page shows the updated status of the operations. When the creation of all operations is complete, refresh the page so the operations appear on the home page, ready to run according to their defined schedules.

The following sections describe in detail each step in the Remediation Operation wizard.

Definition

The Definition page provides general information about the operation.


The Definition page includes the following options:

Name

Name of the operation.

When the wizard creates operations, it uses the following schemes to generate names:

<text entered in Name field>_<type of operation>_<number assigned to operation, if necessary>

For example, if you name this operation PasswordSecurity and the wizard creates a Patching operation and a Deploy operation, two vulnerability management operations are created. They are called PasswordSecurity_Patching_Job_01 and PasswordSecurity_Deploy_Job_01.

Description

Optional descriptive text for the operation.

By default, descriptive text is added that lists the filters in effect and the scan files being used when you launched this wizard.

Security Group

Specifies your current security group. If you are assigned to more than one group, this option is available. If you are assigned to only one group, this option defaults to that group and you cannot edit this option.

The boxes at right summarize the information provided for each page in the wizard.

Remediations

The Remediations page consists of a list of vulnerabilities requiring remediation. Each row represents a separate vulnerability that has been discovered on an endpoint and mapped to remediation content.

To appear on the Remediations page, a vulnerability must appear in the Actionable Vulnerabilities list of the Operator Dashboard. You can use filters on the Operator Dashboard to control the contents of the Actionable Vulnerabilities list.

Using the Remediations page, you can remove remediations from the list of those being deployed by clearing checkmarks on each row.

If necessary, you can sort the list of remediations by clicking on header names. You can also filter the items displayed in the list using the search boxes at the top of each column. Be aware that filtering items so they do not appear in the list does not remove those items from the list of remediations to be corrected. To remove a vulnerability, you must explicitly deselect that row so it does not include a check mark.

Modifying contents of the list

To remove a target from the list, click the row representing that server. Clicking the row again selects the target.

To remove all targets from the list, click the deselect all option at the top of the list. Clicking the option again selects all targets.

Sorting data in columns

Sort columns of data on this page by clicking on column headers.

Filtering data in columns

Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.

Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.

Operation

The Operation page lists the operations created by the Remediation operation wizard. This page lets you define a schedule and perform other types of configuration for the operations you are about to perform. If you have configured a connection to TrueSight Orchestration and set up job approval in TrueSight Server Automation, you can also use the Operation page to configure the job approval request, as described in Requesting job approvals.


Specifying a job group

The first time you access the Operation page, you are prompted to select a job group in TrueSight Server Automation where the automatically created jobs are stored.

After selecting a job group, you can modify that selection by clicking Browse next to the Job Group option. A dialog box opens. Select a job group and click OK.

You do not have to define a job group if a default job group has been set up for your security group.

Defining schedules

You can define a schedule that applies to all operations generated by this Remediation operation.

If the wizard creates multiple operations, you can define a schedule that applies to them all, but you can also choose to modify the schedule for some or all operations.

To define a global schedule

  1. Under Global Job Schedule and Approval Settings, click the clock icon beside Run Once At.
    An interface similar to a digital clock appears.
  2. Set the hour and minutes for the operation. Then click AM or PM to toggle between those choices.
  3. Select the date when the operation runs.
  4. Select a time zone for the operation.

To define schedules for individual operations

  1. Click Override Global Scheduling and/or Approval.
    By default, all operations listed in the Planned Operations list use the global job schedule.

  2. For any operation in the Planned Operations list that you want to schedule, click the configuration icon.
    The Configuration dialog box opens.

  3. Take one of the following actions:
    • Click the No Schedule tab to assign no schedule to the operation. Typically this option is used when you are defining an operation and you plan to schedule it later. You cannot use the No Schedule option if you are requiring job approval for this operation.
    • Click the Execute Now tab so the operation runs as soon as you finish the wizard. You cannot use this option if you are requiring job approval for this operation.
    • Click the With Schedule tab to define a schedule for the operation. Then take the following steps.
      1. Click the clock icon beside Run Once At.
        An interface similar to a digital clock appears.
      2. Set the hour and minutes for the operation. Then click AM or PM to toggle between those choices.
      3. Select the date when the operation runs.
      4. Select a time zone for the operation.
  4. Click OK.

Requesting job approvals

If you have set up job approval and change tracking, you can request a job approval through a change management system, such as BMC Remedy IT Service Management (ITSM), as part of the Change Automation use case. By default, the approval applies to this operation and all sub-operations that are automatically generated. Alternatively, you can request approvals for individual sub-operations, as described in the following sections. For an overview of the Change Automation use case, see Change Automation.

To request job approval for the entire operation

If you are requesting job approval for the overall job, under the Change Approval Information section, select the change template and various approval parameters, as described in Job approval options.

To request job approval for individual operations

By default, all operations listed in the Planned Operations list use the same job approval. If you are requesting job approvals for individual operations in the Planned Operations list, perform the following steps:

  1. Click Override Global Scheduling and/or Approval.
  2. For any individual operation in the Planned Operations list for which you want to request approval, click the configuration icon.
    The Configuration dialog box opens.

  3. Ensure that you have selected the With Schedule tab. You can only request job approvals for scheduled jobs. See Job approval options for a description of various parameters in the Change Approval Information section.
  4. Click OK.

Job approval options

Template

Select Default Template from the list. When you choose this option, a change request is created in BMC Remedy ITSM based on the default template.
You can also create customized templates in BMC Remedy ITSM and configure the DEFAULT_TEMPLATE_MAP parameter in TrueSight Orchestration to display and use that template in Vulnerability Management. For more information about this parameter, see Configuring the ITSM Automation run book in the TrueSight Orchestration documentation.

Urgency

Enter the urgency of the change being requested.

  • Critical—The change is immediately necessary to prevent severe business impact. Change approval is needed by the CAB or Emergency Committee (CAB/E-CAB).
  • High—The change is needed as soon as possible because of potentially damaging service impact.
  • Medium—The change will solve irritating problems or repair missing functionality. This change can be scheduled.
  • Low—The change will lead to improvements, changes in workflow, or configuration. This change can be scheduled.

Impact

Select the scope of the change being requested. For example, is the job targeted for one server or a large number of servers? The default value is Minor/Localized.

  • Extensive—There is significant business service impact because multiple customers are affected by the change. Considerable human and technical resources are needed. Management is involved in the decision process. The RFC must be discussed in the Change Advisory Board (CAB) meeting and approved by the Change Manager. The Change Manager seeks advice on change authorization and planning.
  • Significant—There is clear service impact because at least one customer is affected by the change. The RFC must be discussed in the CAB meeting and approved by the Change Manager. The Change Manager seeks advice on authorization and planning.
  • Moderate—There is little impact on current services because no customers are affected as a result of the change. The Change Manager can authorize this RFC.
  • Minor—The change can be executed without prior approval from the Change Manager because no customers are affected by the change.

ReasonForChange

Select the reason to be specified in the change request. Valid values are:

  • 1-Fix/Repair
  • 2-New Functionality
  • 3-Maintenance
  • 4-Upgrade
  • 5-Other

ChangeClass

Select the class for the change request. Valid values are:

  • Emergency
  • Expedited
  • Latent
  • Normal
  • No Impact
  • Standard

Executing operations immediately

  1. Click Override Global Scheduling and/or Approval.
  2. For any operation in the Planned Operations list, click the configuration icon.
    The Configuration dialog box opens.

  3. Select the Execute Now tab.
  4. Click OK.

Enabling auto-remediation

Patch Analysis operations can be configured to allow for auto-remediation, which means that when the Patch Analysis operation completes, additional operations are launched automatically to deploy required patches. If you do not enable the auto-remediation, you need to launch the remediation operation manually when the Patch Analysis operation completes.

You can define auto-remediation so each phase occurs sequentially, or you can schedule each phase of the auto-remediation process.

Before you enable auto-remediation

To use auto-remediation, a deploy template must be specified for your security group. When you specify a deploy template, you identify a corresponding advanced BLPackage Deploy Job in TrueSight Server Automation that has settings you want to use in TrueSight Vulnerability Management.

Administrators can specify deploy templates for a particular security group, or they can specify deploy templates that apply across an entire site.

To enable auto-remediation 

  1. For any patching operation in the Planned Operations list, click the configuration icon. The Configuration dialog box opens. It includes two tabs: Remediation Details and Remediation Setting.

  2. Using the two tabs, perform the following steps:
    1. On the Remediation Details tab, specify a job group and depot group to store jobs and depot content that are automatically generated during auto-remediation.
      1. In the navigation tree, expand Depot Group and select a sub-group for storing depot content.
      2. Expand Job Group (you may have to collapse the Depot Group first) and select a sub-group for storing jobs.
    2. Click the Remediation Setting tab.
    3. Select a deploy template and click Details.
      Two additional tabs appear: Deploy Settings and Phase Schedules and Execution.

    4. Optionally, inspect the settings of the template on the Deploy Settings tab. TrueSight Vulnerability Management lists settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.

      Note

      Many options are available for controlling a remediation job. See here for a complete list. For instructions on using TrueSight Server Automation to implement those options, see Setting deploy options for remediation jobs.

      For a patch remediation operation that uses a deploy template with the Use item defined reboot settings and reboot at end of job setting enabled, targets are rebooted at the end of the job once patches are deployed. Also, associated vulnerabilities are closed for those targets for which patches are deployed once the Data Refresh cycle is run. For more information about this setting, see DeployOptions properties for controlling autoremediation.

    5. To schedule the individual phases of auto-remediation (that is, simulate, stage, and commit), perform the following steps:
      1. Click the Phase Schedules and Execution tab.
      2. Take any of the following actions:
        • If you do not want to schedule the phases of the remediation action, select Do not execute.
        • If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone, a start date, and a time for execution.
        • If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
    6. Click OK to confirm all auto-remediation settings.

Providing additional configuration for operations

A Remediation Operation wizard can automatically create many different types of operations. For example, it can create Deploy or NSH Script operations. In some situations, these operations may require additional configuration. Those scenarios are described below.

To provide local properties for Deploy operations

If a Deploy operation is deploying a BLPackage and local properties have been defined for the BLPackage, you may need to provide values for the local properties.

  1. For a Deploy operation in the Planned Operations list, click the configuration icon.
    The Configuration dialog box opens. It includes a tab called Local Properties. If no properties are listed on the tab, no local property values are required. The procedure is complete.
  2. If local properties are listed on Local Properties tab and you want to change the value for a property, click the name of the local property. 
    A dialog box displays information and options about the property.
  3. Modify the local property value by clicking in the Value text box and entering a new value.
  4. Click OK.

To provide parameters for NSH Script operations

If an NSH Script operation is running a script that requires parameter values, you may need to provide values for the parameters.

  1. For an NSH Script operation in the Planned Operations list, click the configuration icon.
    The Configuration dialog box opens. It includes a tab called Script Properties. If no properties are listed on the tab, no parameter values are required. The procedure is complete.
  2. If parameters are listed on the Script Properties tab and you want to change the value for a parameter, click the name of the parameter.
    A dialog box displays information and options about the parameter.
  3. Modify parameter values by taking any of the following actions: 
    • To specify whether the operation should use a flag for this parameter, for Flag runtime usage, select one of the following options:
      • Use — The operation uses the parameter flag.
      • Ignore — The operation does not use the parameter flag.
        If the Network Shell script is defined so the job requires a flag for this parameter, you cannot modify the setting.
    • To modify the value of the parameter, click in the Value text box and enter a new value.
      You can only modify parameters that are defined to be editable when the Network Shell script was created. 
      If you want to include a reference to a property in the parameter, enter a variable bracketed with double question marks (such as ??WINDIR??/rsc). Alternatively, you can click Properties to find and select the appropriate property.
    • To specify whether the operation should use a value for this parameter, for Value runtime usage, select one of the following options:
      • Use — The operation uses this parameter value.
      • Ignore — The operation does not use this parameter value.
        If the Network Shell script is defined so the job requires a value for this parameter, this cell is set to Required and you cannot modify the setting. 
        If the parameter is defined so it does not accept a value, and the parameter has never had a value associated with it, you cannot modify the setting.
  4. Click OK.
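The rules above (flag and value runtime usage, locked Required cells, non-editable parameters, and ??PROPERTY?? references) determine what the job eventually passes to the Network Shell script. The following Python model is an added example written for this page; it is not TrueSight Server Automation code, and the field names (flag_usage, value_usage, editable, flag_required, accepts_value) and the property map are assumptions chosen to mirror the wizard's options. It shows how an edit from the Value text box is validated, how a ??WINDIR??/rsc style reference is expanded from server properties, and how the final argument list is assembled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ??NAME?? references, as entered in the Value text box (e.g. ??WINDIR??/rsc).
PROPERTY_REF = re.compile(r"\?\?([A-Za-z_][A-Za-z0-9_]*)\?\?")


@dataclass
class ScriptParameter:
    """Constructed model of one row on the Script Properties tab (assumed names)."""
    name: str
    flag: str                     # flag string the script expects, e.g. "-d"
    value: Optional[str] = None   # contents of the Value text box
    flag_usage: str = "Use"       # Flag runtime usage: "Use" or "Ignore"
    value_usage: str = "Use"      # Value runtime usage: "Use", "Ignore" or "Required"
    editable: bool = True         # value may be changed in the wizard
    flag_required: bool = False   # script requires the flag; usage cannot change
    accepts_value: bool = True    # parameter is defined to accept a value


class ParameterError(ValueError):
    """Raised when an edit violates the parameter's definition."""


def set_parameter_value(param: ScriptParameter, new_value: str) -> ScriptParameter:
    """Apply an edit from the Value text box, enforcing the editability rules."""
    if not param.editable:
        raise ParameterError(f"{param.name}: parameter is not editable")
    if not param.accepts_value and param.value is None:
        raise ParameterError(f"{param.name}: parameter does not accept a value")
    param.value = new_value
    return param


def set_flag_usage(param: ScriptParameter, usage: str) -> ScriptParameter:
    """Change Flag runtime usage; a required flag is locked to Use."""
    if usage not in ("Use", "Ignore"):
        raise ParameterError(f"{param.name}: invalid flag usage {usage!r}")
    if param.flag_required and usage != "Use":
        raise ParameterError(f"{param.name}: script requires this flag")
    param.flag_usage = usage
    return param


def resolve_property_refs(text: str, properties: Dict[str, str]) -> str:
    """Expand every ??NAME?? reference from the property map; unknown names fail."""
    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in properties:
            raise ParameterError(f"unknown property reference ??{name}??")
        return properties[name]
    return PROPERTY_REF.sub(replace, text)


def build_argument_list(params: List[ScriptParameter],
                        properties: Dict[str, str]) -> List[str]:
    """Assemble the arguments the job would hand to the script."""
    args: List[str] = []
    for p in params:
        if p.flag_usage == "Use":
            args.append(p.flag)
        if p.value_usage == "Required" and p.value is None:
            raise ParameterError(f"{p.name}: a value is required")
        if p.value_usage in ("Use", "Required") and p.value is not None:
            args.append(resolve_property_refs(p.value, properties))
    return args


if __name__ == "__main__":
    # Constructed sample: three parameters and a server property map.
    sample = [
        ScriptParameter("target_dir", "-d", "??WINDIR??/rsc"),
        ScriptParameter("verbose", "-v", accepts_value=False, value_usage="Ignore"),
        ScriptParameter("log", "-l", value_usage="Required", flag_required=True),
    ]
    props = {"WINDIR": "C:/Windows"}
    set_parameter_value(sample[2], "C:/Temp/remediate.log")
    print(build_argument_list(sample, props))
```

The model treats an unresolved ??NAME?? reference as an error rather than passing the literal text through, so a typo in a property name surfaces when the operation is defined instead of at run time on the target.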

To select deploy templates

If you are configuring a Deploy operation, you can optionally specify a deploy template, which encapsulates the deploy settings to be used for the new operation. To enable this functionality, an administrator must define one or more deploy templates for your connector or security group.

  1. For a Deploy operation in the Planned Operations list, click the configuration icon.
    The Configuration dialog box opens. If deploy templates are enabled, a tab called Remediation Setting appears.
  2. On the Remediation Setting tab, select a Deploy job.
    The Deploy job appears in the Selected Deploy Template field. To remove a Deploy template, select the Deploy job again from the list of possible Deploy jobs. 
  3. Optionally, inspect the settings of the template by clicking Details. A list shows settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.

    Note

    • Many options are available for controlling the behavior of a Deploy Job (that is, a deploy template) used for remediation purposes. See here for a complete list. For instructions on using TrueSight Server Automation to implement those options, see Setting deploy options for remediation jobs.

    • For a patch remediation operation that uses a deploy template with the Use item defined reboot settings and reboot at end of job setting enabled, targets are rebooted at the end of the job once patches are deployed. Also, associated vulnerabilities are closed for those targets for which patches are deployed once the Data Refresh cycle is run.

  4. If you have selected a Deploy template that is defined as an Advanced Deploy job in TrueSight Server Automation, you can schedule the individual phases of the remediation operation (that is, simulate, stage, and commit). Take the following steps:
    1. Click the Phase Schedules and Execution tab.
    2. Take any of the following actions:
      • If you do not want to schedule the phases of the remediation action, select Do not execute. 
      • If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone and a start date and time for when execution begins.
      • If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
  5. Click OK. The settings in the Deploy job that the template identifies are used to define the Deploy operation.

Notifications

The Notifications page defines notifications that are generated based on conditions you specify. For example, you can instruct the system to send an email when an operation fails or aborts.

This page only applies when TrueSight Vulnerability Management is connected to TrueSight Server Automation.

To add a notification

  1. From the Notify On drop-down list, select the operational status that generates a message:
    • Success
    • Failed
    • Aborted
    • Consistent (only available for Compliance operations)
    • Inconsistent (only available for Compliance operations)
  2. For Notification Method, select Email or SNMP.
  3. In the next field, identify who gets notified about the status:
    • For Email, enter one or more email addresses. Separate multiple addresses with semicolons.
    • For SNMP traps, enter email addresses or names of servers.
  4. Click the add icon.

To remove a notification

Find the row for the notification you want to delete and click the remove icon under Remove.

Where to go next

After you have launched a remediation operation, it appears on the home page. There you can use the capabilities of TrueSight Vulnerability Management for ongoing management of operations, such as executing the operation again, deleting the operation, or viewing its results.

When you view the results of operations, the tools available to you vary, depending on the type of operation. For more information, see Using results of operations.
