Risks
Risks include missing patches, vulnerabilities, and compliance violations that are identified on assets.
In the TrueSight Network Automation endpoint manager, risks includes only the vulnerabilities identified on the network devices (assets).
Missing patches
For TrueSight Server Automation endpoint manager onlyWhen patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.
Vulnerabilities
You can import scan results for vulnerabilities that are scanned by the scanning systems such as Nessus, Qualys, and Rapid7. When you import the results in Automation Console, vulnerabilities get mapped to the remediation content automatically, or you may need to map them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.
You can also import scan results on assets with the following operating systems:
- Microsoft Windows
- IBM AIX
- HP-UX
- Solaris
- CentOS
- SUSE
- Ubuntu
- Debian
- Oracle Linux ULN
For any operating system, when the supported patch types do not include CVE IDs, you can manually map the CVE IDs later to patches by using the Patches API. For details, see Using-REST-APIs.
You can create remediation operations for OS' only when the following requirements are met:
- The remediation content type is BLPackage and NSH script.
- Vulnerabilities are mapped to the appropriate remediation content.
Auto-mapping process
When you import a scan file, if both of the following conditions are fulfilled, then the vulnerabilities get automatically mapped to the remediation content:
- Assets in the scan file are either automatically or manually mapped to the endpoints (managed assets) in the endpoint manager.
- Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with the vulnerabilities are already imported in Automation Console.
If you import a patch catalog or map the CVE IDs to a patch after importing the scan file, vulnerabilities are not automatically mapped. You can click on Automap new to trigger Automap again.
By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a patch in a catalog imported in Automation Console. These imported patch catalogs contain multiple patches as remediation content. Assets with vulnerabilities are mapped to this remediation content based on the operating system, OS vendor, and version of the assets and the type of remediation content. Consult the following table to understand the remediation content allowed for various OS and OS Vendor combinations.
OS | OS Vendor | Remediation Content Type |
|---|---|---|
Windows | Microsoft | BULLETIN |
Linux | Red Hat | ERRATA |
Linux | Oracle | ERRATA |
Linux | SuSE | SUSE_PATCH |
Linux | CentOS | RPM |
During auto-mapping, the following events occur:
- If a vulnerability with a CVE ID is mapped to patch catalogs of two different operating systems, and that same vulnerability is reported on the assets of different operating systems too, then Automation Console maps the remediation content to both the assets automatically.
- (Only for the TrueSight Server Automation endpoint manager) If multiple patches (remediation content) from the same catalog match the operating system type, vendor, and version of an asset, all the patches are mapped with the asset.
On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the following table to understand the scenarios for each status.
Vulnerability Status | Scenario | Action required |
|---|---|---|
Auto-mapped | There is a one-to-one mapping between CVE IDs and remediation content. For example, each CVE ID is mapped to one remediation content. | None. Remediation operation can be created with no changes required in the mapping. |
Partially Mapped | Multiple CVE IDs for a vulnerability, but remediation content is mapped only for a few CVE IDs. If an operation is created, this vulnerability is partially remediated and no longer appears in the Vulnerabilities list. Such a vulnerability still appears in the next scan. | None. Remediation operation can be created. However, vulnerability is partially remediated for the CVE IDs for which the remediation content is available. |
Partially Mapped (Action Required) | One CVE ID is mapped to more than one remediation content from different catalogs. | Yes. Remove the current mapping and manually map the vulnerability to the appropriate remediation content. After mapping the status changes to Mapped. Now, a remediation operation can be created. |
Unmapped | Vulnerability is not mapped to any remediation content. This can happen if assets are not mapped to endpoints in the endpoint manager or patch catalogs are not imported in Automation Console. | Yes. Manually map the vulnerability to an appropriate remediation content. |
Manual mapping process
If some of the vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can manually map them to remediation content. You can perform manual mapping for only one vulnerability at a time.
When mapping manually, the remediation content can be of the following types:
- BLPackages
- Network Shell (NSH) scripts
- Patches
- Installshield packages
- Microsoft Installer (MSI) packages
- Operating system service packs
- Red Hat packages
- Custom software
You can map multiple patches from the same catalog with an asset.
Compliance violations
For TrueSight Server Automation endpoint manager onlyWhen you create a compliance scan policy, it runs based on a predefined schedule and collates data about compliance violations on the assets in the policy on the Risks > Compliance page. The Compliance page shows the total number of compliance violations, number of assets scanned by each policy, number of rules evaluated in a policy, and the compliance posture of the scanned assets, which is the percentage of compliant, non-compliant, and indeterminate assets. Using this data, you can further create remediation operations to resolve the violations.
Where to go from here
To view missing patches and vulnerabilities, and map vulnerabilities to remediation content, see Working-with-risks.