Using TrueSight Server Automation to remediate server issues detected in a vulnerability scan
This use case demonstrates how to use TrueSight Vulnerability Management to analyze and remediate the results of a vulnerability scan by running a job in TrueSight Server Automation. This topic continues the process of using TrueSight Vulnerability Management to remediate scan results. The initial steps in the process are described in Mapping vulnerability scan results to a server environment.
You can use TrueSight Vulnerability Management to analyze the results of a vulnerability scan after those results have been imported into TrueSight Vulnerability Management. You can remediate (or correct) vulnerabilities by running a Remediation operation, which in turn launches one or more TrueSight Vulnerability Management operations, such as Patching or Deploy operations.
Before you can remediate vulnerabilities, you must first import results of a vulnerability scan from a tool such as Qualys, Nessus, or Rapid7 and then map those results to servers and remediation content in TrueSight Server Automation. The process is demonstrated in Mapping vulnerability scan results to a server environment.
After those steps are complete, you can use the Security Dashboard to assess vulnerabilities from a security standpoint and the Operator Dashboard to identify and prioritize vulnerabilities that require attention. With filtering, you can limit the information presented on either dashboard. After you have refined the display to show a group of vulnerabilities that you want to correct, you can use the Operator Dashboard to launch the Remediation operation wizard, which lets you choose the specific vulnerabilities to address and configure the individual operations that are being created.
When you finish using the Remediation operation wizard, TrueSight Vulnerability Management launches one or more operations, which appear on the home page. You can manage those operations as you do any operation in TrueSight Vulnerability Management. You can also view and use those results just as you do other operations.
What do I need to get started?
- You must have a user ID that can access and use TrueSight Vulnerability Management.
- You must import vulnerability scans and map their assets and vulnerabilities to servers and content in your TrueSight Server Automation system. For a demonstration of that process, see Mapping vulnerability scan results to a server environment.
- To use auto-remediation, a deploy template must be defined for your security group, and that deploy template must be an advanced Deploy Job.
- To enable job approval, TrueSight Vulnerability Management must be connected to TrueSight Orchestration and TrueSight Server Automation must be integrated with BMC Remedy ITSM.
- To enable blind spot detection, TrueSight Vulnerability Management must be connected to BMC Discovery.
How to remediate vulnerabilities detected in a scan
Select TrueSight Vulnerability Management > Operator Dashboard.
The Operator Dashboard provides charts and filters that help you identify vulnerabilities that require attention. When you have narrowed the focus down to a set of critical vulnerabilities that require action, you can launch a remediation operation.
By default the dashboard shows data from the last 90 days.
At upper left, note the value of Unscanned, which shows the number of servers that were detected using BMC Discovery but were not included in the scan files imported into TrueSight Vulnerability Management. Unscanned servers are potential blind spots in the server environment you are scanning and thus potential security risks.
Note: You must set up a connection to BMC Discovery to display the Unscanned option.
From the Operator Dashboard you can export a list of unscanned servers so you can take further action on them, for example by adding them to the next scan's target list.
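The Unscanned count above is a set difference: discovered servers minus servers that appear in any imported scan file. Computing that difference yourself is useful when you want to sanity-check the dashboard number or reconcile an exported list against raw scanner output, and the hard part in practice is that discovery and scanners rarely name a host the same way (FQDN versus short name, mixed case, an IP literal in place of a hostname, or an address that changed between discovery and scan). The following is an added example, not TrueSight Vulnerability Management or BMC Discovery code; the inventory and scan records are constructed sample data in an assumed, simplified shape, not the product's export format, and the matching rules (match on normalized short hostname or on IP address) are an assumption you should adjust to your environment.

```python
"""Blind-spot check: which discovered servers never appeared in a vulnerability scan?

Added illustration only. The record layouts below are assumptions, not the
TrueSight Vulnerability Management or BMC Discovery export formats.
"""
import ipaddress

# Constructed sample discovery inventory (assumed shape: hostname + primary IP).
DISCOVERY_INVENTORY = [
    {"hostname": "WEB01.corp.example.com", "ip": "10.0.1.10"},
    {"hostname": "db01.corp.example.com", "ip": "10.0.1.20"},
    {"hostname": "build-agent-3", "ip": "10.0.2.15"},
    {"hostname": "legacy-erp", "ip": "10.0.3.7"},
]

# Constructed sample scan assets (assumed shape: host label as the scanner reported it + IP).
# Deliberately messy: short name only, an IP literal as the "host", and a host whose IP
# changed between discovery and scan.
SCAN_ASSETS = [
    {"host": "web01", "ip": "10.0.1.10"},
    {"host": "10.0.1.20", "ip": "10.0.1.20"},
    {"host": "build-agent-3.corp.example.com", "ip": "10.0.2.99"},
]


def is_ip_literal(value: str) -> bool:
    """True if the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot, and reduce an FQDN to its short name.

    Matching on the short name is a deliberate trade-off: it tolerates scanners
    that report short names, at the cost of treating web01.a.example and
    web01.b.example as the same machine. Tighten this if you run several domains.
    """
    return name.strip().lower().rstrip(".").split(".")[0]


def scanned_identifiers(scan_assets):
    """Build the set of short hostnames and the set of IPs seen by any scanner."""
    hosts, ips = set(), set()
    for asset in scan_assets:
        host = asset.get("host", "")
        # An IP literal in the host field is not a hostname; keep it out of the host set
        # so that "10.0.1.20" does not normalize to the bogus short name "10".
        if host and not is_ip_literal(host):
            hosts.add(normalize_host(host))
        if asset.get("ip"):
            ips.add(asset["ip"].strip())
    return hosts, ips


def find_unscanned(discovery, scan_assets):
    """Return discovered hostnames with no matching scan asset by name or by IP."""
    hosts, ips = scanned_identifiers(scan_assets)
    unscanned = []
    for server in discovery:
        if normalize_host(server["hostname"]) in hosts:
            continue
        if server.get("ip", "").strip() in ips:
            continue
        unscanned.append(server["hostname"])
    return unscanned


def coverage_report(discovery, scan_assets):
    """Summarize scan coverage the way the dashboard's Unscanned figure does."""
    unscanned = find_unscanned(discovery, scan_assets)
    return {
        "discovered": len(discovery),
        "scanned": len(discovery) - len(unscanned),
        "unscanned": unscanned,
    }


if __name__ == "__main__":
    report = coverage_report(DISCOVERY_INVENTORY, SCAN_ASSETS)
    print(f"{report['unscanned']} of {report['discovered']} discovered servers never appeared in a scan:")
    for name in report["unscanned"]:
        print("  -", name)
```

In the sample data, web01 matches on short hostname, db01 matches only on IP (the scanner reported an IP literal as the host), and build-agent-3 matches on hostname even though its address changed, so only legacy-erp is reported as a blind spot. Matching on either identifier keeps false "unscanned" alarms down, but the flip side is that a reused IP can hide a genuinely unscanned machine, which is why the exported list is worth eyeballing before you act on it.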
Use filters to limit the number of items in the Actionable Vulnerabilities list. This is the list of servers and their vulnerabilities that you can potentially remediate by running a Remediation operation.
In this example we begin with 1654 items in the Actionable Vulnerabilities list. Applying the following filters limits the Actionable Vulnerabilities to two.
After selecting filtering options, click Apply Filters to activate your choices.
The Remediation operation wizard opens.
On the Definition page of the wizard, enter a name for the operation. If your user ID is assigned to more than one security group, you also must select a security group. Then click Next.
When the wizard generates operations, it uses the name you enter and appends the type of remediation action and a number. For example, if the name you enter is Linux Fix and the wizard generates a Patch Analysis job, the operation is called Linux Fix_DareDevilLinux Patches.
On the Remediations page, review the list of remediations that the Remediation wizard will deploy. If you do not want to deploy one, clear its check mark. Then click Next.
If necessary, you can use filters to limit the number of remediations displayed. Bear in mind that filtering remediations does not remove them from the list of remediations to deploy. The only way to remove a remediation is to clear the check mark or to return to the Operator Dashboard and use filters there to control the list of remediations that you are going to remediate.
When you first open the Operation page, you are prompted to select a job group. This is a location in the TrueSight Server Automation Jobs folder where the jobs that TrueSight Vulnerability Management creates automatically are stored. Select a Jobs folder and click OK.
On the Operation page, you can set up global job approvals that apply to all operations that the wizard generates. You can also set up job approvals for each individual operation. In this example we are going to set up job approval globally.
In the Change Approval Information section, ensure that Approval Required is selected.
When you make this selection, every operation that the wizard generates must be approved before it can run.
Note: To enable job approval, you must connect to TrueSight Orchestration, and TrueSight Server Automation must be integrated with BMC Remedy ITSM.
The Operation page also lets you set up a global schedule or schedule individual operations. In this example, we're going to set a global schedule but we are going to override that schedule for one of the operations. First we set the global schedule.
Now we override the global schedule for the Patching operation. We want that operation to run during a maintenance window over the weekend.
On the Schedule & Change Approval tab, take the following actions:
We could also set up an individual value for job approval, but in this example we are accepting the global approach to job approval, which we set up earlier in this use case.
Although no more information is required in this example, some types of operations do require additional configuration. For example, you might have to provide parameter values for an NSH Script operation. If additional information is required, click the configuration icon next to that operation. Then use the dialog that appears to provide the necessary information.
In the Planned Operations list, make sure all operations have green checks, indicating they are configured so their execution can launch correctly.
Note that you can also use the Notifications page (the next page in the wizard) to set up notifications that are generated when an operation runs. For the purposes of this example, we are not setting up notifications.
Click Finish. The home page may display a message like the following while the operations you have defined are created:
When the operations have been generated, you can refresh the home page and the operations appear. If you scheduled the operations to run immediately, they begin to execute. In this example they are ready to execute according to schedule.
Wrapping it up
In this topic you used the Operator Dashboard in TrueSight Vulnerability Management to filter vulnerabilities and then launch the Remediation Operation wizard. The wizard generates two operations to correct vulnerabilities detected in the vulnerability scan.
Where to go from here
You can view the results of the operations that this procedure generates as you do any other operations in TrueSight Vulnerability Management.
If you want to learn more about using the options available in the Remediation Operation wizard, see Creating a Remediation operation for TrueSight Server Automation.