Documentation update: To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console.

Risks


Risks include missing patches, vulnerabilities, and compliance violations that are identified on assets.

In the TrueSight Network Automation endpoint manager, risks include only the vulnerabilities identified on the network devices (assets).

Missing patches

For TrueSight Server Automation endpoint manager only.

When patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.

Vulnerabilities

You can import vulnerability scan results produced by scanning systems such as Nessus, Qualys, and Rapid7. When you import the results into Automation Console, vulnerabilities are mapped to remediation content automatically, or you may need to map them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.

You can also import scan results on assets with the following operating systems:

  • Microsoft Windows 
  • IBM AIX
  • HP-UX
  • Solaris
  • CentOS
  • SUSE
  • Ubuntu
  • Debian
  • Oracle Linux ULN

For any operating system, when the supported patch types do not include CVE IDs, you can manually map the CVE IDs to patches later by using the Patches API. For details, see Using-REST-APIs.

You can create remediation operations for these operating systems only when the following requirements are met:

  • The remediation content type is BLPackage or NSH script.
  • Vulnerabilities are mapped to the appropriate remediation content.


Auto-mapping process

When you import a scan file, if both of the following conditions are fulfilled, then the vulnerabilities get automatically mapped to the remediation content: 

  • Assets in the scan file are either automatically or manually mapped to the endpoints (managed assets) in the endpoint manager. 
  • Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with the vulnerabilities are already imported in Automation Console.
    If you import a patch catalog or map the CVE IDs to a patch after importing the scan file, vulnerabilities are not automatically mapped. You can click on Automap new to trigger Automap again.

By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a patch in a catalog imported in Automation Console. These imported patch catalogs contain multiple patches as remediation content. Assets with vulnerabilities are mapped to this remediation content based on the operating system, OS vendor, and version of the assets and the type of remediation content. Consult the following table to understand the remediation content allowed for various OS and OS Vendor combinations.

OS        OS Vendor   Remediation Content Type
Windows   Microsoft   BULLETIN
Linux     Red Hat     ERRATA
Linux     Oracle      ERRATA
Linux     SuSE        SUSE_PATCH
Linux     CentOS      RPM


During auto-mapping, the following events occur:

  • If a vulnerability with a CVE ID is mapped to patch catalogs of two different operating systems, and that same vulnerability is reported on the assets of different operating systems too, then Automation Console maps the remediation content to both the assets automatically.
  • (Only for the TrueSight Server Automation endpoint manager) If multiple patches (remediation content) from the same catalog match the operating system type, vendor, and version of an asset, all the patches are mapped with the asset. 

On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the following table to understand the scenarios for each status. 

Vulnerability Status: Auto-mapped
  Scenario: There is a one-to-one mapping between CVE IDs and remediation content. For example, each CVE ID is mapped to one remediation content.
  Action required: None. A remediation operation can be created with no changes required in the mapping.

Vulnerability Status: Partially Mapped
  Scenario: The vulnerability has multiple CVE IDs, but remediation content is mapped only for some of them. If an operation is created, this vulnerability is partially remediated and no longer appears in the Vulnerabilities list. Such a vulnerability still appears in the next scan.
  Action required: None. A remediation operation can be created. However, the vulnerability is remediated only for the CVE IDs for which remediation content is available.

Vulnerability Status: Partially Mapped (Action Required)
  Scenario: One CVE ID is mapped to more than one remediation content from different catalogs.
  Action required: Yes. Remove the current mapping and manually map the vulnerability to the appropriate remediation content. After mapping, the status changes to Mapped, and a remediation operation can then be created.

Vulnerability Status: Unmapped
  Scenario: The vulnerability is not mapped to any remediation content. This can happen if assets are not mapped to endpoints in the endpoint manager or patch catalogs are not imported in Automation Console.
  Action required: Yes. Manually map the vulnerability to an appropriate remediation content. See Manual mapping process.

Important

In some cases, vulnerability may be mapped to a remediation content, but underlying assets may not be mapped because of the limited target scope defined in the criteria. In such cases, even though the vulnerability status is mapped, the status of vulnerability asset instances remains unmapped. Therefore, these instances are listed as unmapped on the Vulnerability dashboard and appear in filter results for the Unmapped filter.
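As an added illustration (not BMC's code), the following Python models the auto-mapping rules described above and the resulting vulnerability statuses: a finding's CVE IDs are matched against patches whose OS and vendor agree with the asset's, and the status follows from how many CVE IDs found a patch and in how many catalogs. The data classes, the automap function, and the patch and CVE identifiers are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:                # one patch from an imported catalog (constructed model)
    patch_id: str
    catalog: str            # catalog the patch was imported from
    os: str                 # "Windows" or "Linux"
    vendor: str             # "Microsoft", "Red Hat", "Oracle", "SuSE", "CentOS"
    cve_ids: frozenset      # CVE IDs the patch remediates

@dataclass(frozen=True)
class ScannedVulnerability:  # one scanner finding on one asset (constructed model)
    name: str
    cve_ids: frozenset
    asset_os: str
    asset_vendor: str
    asset_mapped_to_endpoint: bool  # scan asset matched to a managed endpoint

def automap(vuln, patches):
    """Return (status, {cve_id: [patch_id, ...]}) using the documented rules:
    asset not mapped to an endpoint -> Unmapped; a patch matches a CVE only if
    OS and vendor agree with the asset; one CVE hitting several catalogs ->
    Partially Mapped (Action Required); some CVEs without a patch -> Partially
    Mapped; otherwise Auto-mapped (all same-catalog patches are kept)."""
    if not vuln.asset_mapped_to_endpoint:
        return "Unmapped", {}
    mapping, conflict = {}, False
    for cve in sorted(vuln.cve_ids):
        hits = [p for p in patches if cve in p.cve_ids
                and p.os == vuln.asset_os and p.vendor == vuln.asset_vendor]
        if hits:
            mapping[cve] = sorted(p.patch_id for p in hits)
            conflict = conflict or len({p.catalog for p in hits}) > 1
    if not mapping:
        return "Unmapped", {}
    if conflict:
        return "Partially Mapped (Action Required)", mapping
    if len(mapping) < len(vuln.cve_ids):
        return "Partially Mapped", mapping
    return "Auto-mapped", mapping

# Constructed sample catalogs; identifiers are placeholders, not real advisories.
PATCHES = [
    Patch("RHSA-EXAMPLE-1", "rhel-2024", "Linux", "Red Hat", frozenset({"CVE-0000-0001"})),
    Patch("RHSA-EXAMPLE-2", "rhel-2024", "Linux", "Red Hat", frozenset({"CVE-0000-0001"})),
    Patch("RHSA-EXAMPLE-3", "rhel-2024", "Linux", "Red Hat", frozenset({"CVE-0000-0002"})),
    Patch("RHSA-EXAMPLE-4", "rhel-2023", "Linux", "Red Hat", frozenset({"CVE-0000-0002"})),
    Patch("MS-EXAMPLE-1", "win-2024", "Windows", "Microsoft", frozenset({"CVE-0000-0003"})),
]
```

Running automap over findings with these sample catalogs reproduces each status in the table: two same-catalog patches for one CVE stay Auto-mapped, a CVE covered by two catalogs becomes Partially Mapped (Action Required), and a Windows-only patch never maps to a Linux asset.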

Manual mapping process

If some of the vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can manually map them to remediation content. You can perform manual mapping for only one vulnerability at a time. 

When mapping manually, the remediation content can be of the following types:

  • BLPackages
  • Network Shell (NSH) scripts
  • Patches
  • Installshield packages
  • Microsoft Installer (MSI) packages
  • Operating system service packs
  • Red Hat packages
  • Custom software

You can map multiple patches from the same catalog with an asset.

Compliance violations

For TrueSight Server Automation endpoint manager only.

When you create a compliance scan policy, it runs on a predefined schedule and collates data about compliance violations on the assets in the policy on the Risks > Compliance page. The Compliance page shows the total number of compliance violations, the number of assets scanned by each policy, the number of rules evaluated in a policy, and the compliance posture of the scanned assets, which is the percentage of compliant, non-compliant, and indeterminate assets. Using this data, you can create remediation operations to resolve the violations.

Where to go from here

To view missing patches and vulnerabilities, and map vulnerabilities to remediation content, see Working-with-risks.
