Working with scans

Vulnerability management systems, such as Qualys, Tenable.sc (Nessus), and Rapid7, scan the assets in your organization. These scans discover potential issues affecting the assets in your environment.

This topic describes the following methods for generating scans:

  • Integrate with scanner connectors to retrieve the vulnerability scan results from multiple connector instances
  • Import scan files containing information about assets and the vulnerabilities associated with those assets from various vulnerability management systems

To view vulnerability data retrieved by scanner connectors

Tenable.sc (Nessus), Qualys and Rapid7 are comprehensive vulnerability management solutions that provide complete visibility of the security risks across your IT infrastructure. You can integrate with these connectors to retrieve the vulnerability scan results from multiple connector instances and process the vulnerabilities to map the remediation content.

To view vulnerability scan results, make sure that the administrator has configured the scanner connector in your system. For more information, see the following topics:

After you configure and run the scanner connector, the scan results are displayed on the Manage > Import page.

From 23.4.01, BMC Helix Automation Console does not support TrueSight Network Automation as an endpoint manager. You will be unable to access BMC Helix Automation Console for using with TrueSight Network Automation.

Importing a scan file manually

An exported scan file collects information about assets, such as servers,​​​​​​ and the vulnerabilities associated with those assets. You can import scan files with assets belonging to the following operating systems:

  • Microsoft Windows
  • IBM
  • HP
  • Solaris 
  • Red Hat Enterprise Linux
  • SUSE Linux
  • CentOS 
  • Oracle Enterprise Linux 

Errata are not supported for CentOS, so vulnerabilities cannot be automatically mapped to the remediation content. 

When a vulnerability scan is imported into Automation Console, assets included in the scan are automatically mapped to endpoints managed by the underlying endpoint manager, TrueSight Server Automation. The automatic asset mapping process matches the Domain Name Server (DNS) and then the IP address of an asset in a vulnerability scan to an endpoint managed in TrueSight Server Automation.

You can remediate these assets against the vulnerabilities using Automation Console. Currently, you can import a scan file up to 1 GB.

Automatically importing scan files in Automation Console
You can integrate BMC Helix Automation Console with TrueSight Orchestration to automatically import scan files from the Nessus system. For details, see Automatically importing vulnerability scan files.

Prerequisites for importing scans

Before importing a scan, ensure that you have exported scan results from the vulnerability management system. 

For information about supported versions of the scanning systems, see System-requirements

The exported file must meet the following requirements:

Scan file name

Requirement

Rapid7

The scan file exported from Rapid7 must use the XML Export 2.0 format.

Qualys

The scan file exported from Qualys:

Nessus

  • The scan file exported from Nessus can be based on different types of scans (such as OS or network scans) but at a minimum, it must include the following details:
    • Server name
    • Server IP address
    • Server operating system
    • Associated plugin IDs (a plugin is a check for a vulnerability)
  • The scan file must be in XML format, and the file must end with the .nessus extension.

To import a scan file manually

On the Manage > Import page, click Import Scan, and perform the following steps:

  1. Select the vulnerability management vendor.

  2. Attach the scan file based on the selected vendor.

    Best practice

    Import files larger than 400 MB from a local area network with a latency of less than 50 milliseconds as large scans from remote networks might not succeed. You can also import a compressed file (single file only).

    Is there a file size limit for importing a scan file?

    Yes. You can import files up to 1 GB.

  3. To apply filters while importing data from a scan file, do the following:
    1. Select the operating systems.
      When you select Others, the scan file includes the scanning results for the assets of various operating systems such as AIX, HP-UX, Solaris, CentOS, SUSE, Ubuntu, Debian, and Oracle Linux ULN. If you are importing a vulnerability scan file for the TrueSight Network Automation endpoint manager, select Others.

    2. Select one or more vulnerability severity options.

      Severity levels

      Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5. Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five levels. 

    3. Specify any one of the following IP addresses in the Classless Inter-Domain Routing (CIDR) format:
      • Single IP address. Example: 168.19.13.12/24
      • Comma-separated multiple IP addresses. Example: 168.19.13.12/24,10.25.24.12/12

      • A combination of the above formats. Example: 168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12

        Important

        Data is imported from the scan file only for servers belonging to the specified IP address range. The default value is 0.0.0.0/0, which imports data for all servers from the scan file.

  4. Click Import.
    After the import is complete, a message confirms that the scan was imported and informs how many assets were automatically mapped to endpoints. To search for a scan file, enter the scan file name in the search field and the results that match the search term are displayed. 

Importing the same scan file more than once

If you need to import the same scan file more than once, perform the following steps:

    • For Qualys and Rapid7, scan files are identified by a unique <SCAN> tag within the XML file. If you are using those vulnerability management tools and you want to import the same scan more than once, you must modify the value of the <SCAN> tag.

      Change the name of each scan to avoid confusion.

    • For Nessus, you must edit the existing .nessus file and enter a new name value for the <Report> tag. For example, in a tag such as <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">, the new name value could be, name="NewProdAdmins_Linux"

      If the imported scans do not include a time zone, which time zone is considered?

      If no time zone is specified, it is browser's time zone.

To understand the scan results

  • If you have configured the Tenable.sc connector, the Import page displays the scan results that are automatically imported from the Tenable.sc instances.
  • The scan results include the vulnerability detection date. If you have configured the Tenable.sc connector, the scan results display the vulnerability detection date as follows:
    • For fresh installations, the detection date indicates when the vulnerability is first seen in Tenable.
    • For upgrades, the detection date for an existing vulnerability indicates when the vulnerability is posted in TrueSight Automation Console.
  • In a scan file, the vulnerability detection date indicates the date the scan was first conducted.
  • The scan results also include the last observed date of a vulnerability. If you have configured the Tenable.sc connector, the scan results display the last observed date of the vulnerability as follows:
    • For fresh installations, the last observed date indicates when the vulnerability instance is last seen in Tenable.
    • For upgrades, the last observed date for an existing vulnerability instance indicates when the vulnerability is first seen in Tenable.
  • In a scan file, the last observed date of a vulnerability indicates the date of the latest conducted scan.
  • When you import scan results for vulnerabilities on CentOS assets, the vulnerabilities are not automatically mapped to the remediation content. You must manually map vulnerabilities with the remediation content later to perform remediation operations. 
  • If you import multiple scan files one after another, the Scanned Assets page and Import page show all the data that you import, including the results of the most recent import. When you import a scan file, the asset and vulnerability information is added to any information that is already imported. The operating system is defined in the scan file. For example, if an AIX asset is defined as Linux in a Nessus scanning file, the asset shows Linux as the operating system. If the same asset is defined as AIX in a scan file from Qualys, then when you import the scan file, the latest data is considered.

​​​​

Considerations for reconciling assets and VATs imported from an xml scan file or a scanner connector

BMC Helix Automation Console considers a record as one asset with one VAT. For example, two assets with 10 vulnerabilities each equals 20 records. The following scenarios display some of the considerations for reconciling the VAT records in BMC Helix Automation Console:

Considerations for reconciling imported assets

  • If a scan lists multiple instances of an asset with the same Asset name but different IP Addresses, BMC Helix Automation Console counts it as one record of the violation.
  • If a scan lists multiple instances of an asset with the same Asset name and the same IP Address but different Operating Systems, BMC Helix Automation Console counts it as one record of the violation.
  • If a scan lists multiple instances of an asset with the same Asset name, the same IP Address, and the same Operating System but different vendor-assigned Asset IDs, BMC Helix Automation Console counts it as one record of the violation.

Important

When there are multiple instances of an asset in a scan, BMC Helix Automation Console selects the last recorded instance of the asset.

Considerations for reconciling imported VATs

  • If an asset has no VATs, it is not counted as a record in BMC Helix Automation Console.
  • If there are multiple instances of a VAT in the same asset, BMC Helix Automation Console counts them as one record.
  • When a VAT is recorded against a port, the nomenclature used to record the VAT is <Violation Title Max 256 character>:<VAT ID>:<Protocol>:<Port>.
    • If a scan lists multiple ports for the same VAT, BMC Helix Automation Console counts each instance as a separate record.
    • If a scan lists the same VAT for an asset, both with and without a port, BMC Helix Automation Console counts them as one record.
  • If the Auto Close option is selected for a scanner connector and any asset is duplicated in the post-processing phase, some VATs are closed automatically BMC Helix Automation Console. These VATs are not counted as records.
  • If subsequent scans include assets with VATs that have already been found, those VATs are not counted again as a record. 

Important

To manage record counts, you can reduce the scope of a scan (for example, you can only scan for vulnerabilities with severity 4 and 5) or remove unnecessary devices from the scan, such as endpoints not managed by TrueSight Server Automation.

To delete a scan file

On the Manage > Import page, click Action > Remove for a file.

If the scan file size is large, it may take some time for deletion. 

Consult the following table for the impact of deleting a scan file on each of the entities in Automation Console.

Vulnerabilities

  • All associations between the endpoints and vulnerabilities contained in the scan file are deleted unless the same association is also included in another scan file. 

Operations

  • If an operation is created, but not yet executed (scheduled), the vulnerabilities are removed from the remediation operations.
  • If you import the deleted scan file again, the same vulnerabilities are considered in the operation automatically. 

Exceptions

  • The vulnerabilities are removed from the exception created on it.
  • If an exception is created for a vulnerability on selected assets after deleting the file and importing it again, the vulnerabilities are not automatically added to the exception. You have to create new exceptions for those vulnerabilities.
  • If an exception is created for a vulnerability on all the assets, after deleting the file and importing it again, the old exception gets Active. 

To share a scan file

  1. On the Manage > Import page, click Action > Share for the file that you want to share with security groups.
  2. From the Security Groups list, select the required groups to share the scan file. You can use the search filter to quickly locate the required groups.
  3. Click Share.

The names of security groups with whom the file is shared are displayed under the Shared with Security Groups column. You can share a scan file that you have imported with one or more security groups. However, users of these security groups cannot delete or further share this scan file.

Important

If you access the Automation Console in the Helix endpoint, you can share a scan file only with the security groups that are imported there. These security groups are Helix Portal Roles.

You can use the same option to stop sharing the file or share it with different security groups.

  • To stop the sharing, click Clear in the Security Groups list and click Share.
  • To share the file with additional or different security groups, select the required groups from the Security Groups list and click Share
  • To stop sharing the file with a specific security group, click Delete for the corresponding security group.

    delete_security_group.png
    {{/confluence_layout-cell}}
    {{/confluence_layout-section}}

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*