Walkthrough for Threat Director: Remediating server issues detected in a vulnerability scan

This walkthrough demonstrates how to use Threat Director to generate remediation operations for vulnerabilities detected in a vulnerability scan. This topic continues the process of integrating remediation scan results into Threat Director. The initial steps in the process are described in Walkthrough-for-Threat-Director-Mapping-vulnerability-scan-results-to-a-server-environment.

This topic includes the following sections:

The video at the right demonstrates how to use Threat Director (BladeLogic Portal 2.2) to analyze the results of a vulnerability scan that has been imported into BladeLogic Portal.

https://youtu.be/AP8k1f3cKSU

Introduction

You can use Threat Director to analyze the results of a vulnerability scan after those results have been imported into BladeLogic Portal. You can remediate (or correct) vulnerabilities by running a Remediation operation, which in turn launches one or more BladeLogic Portal operations, such as Patching or Deploy operations.

Before you can remediate vulnerabilities, you must first import results of a vulnerability scan from a tool such as Qualys, Nessus, or Rapid7 and then map those results to servers and remediation content in BMC BladeLogic Server Automation. The process is demonstrated in Walkthrough-for-Threat-Director-Mapping-vulnerability-scan-results-to-a-server-environment.

After those steps are complete, you can use the Security Dashboard to assess vulnerabilities from a security standpoint and the Operator Dashboard to identify and prioritize vulnerabilities that require attention. With filtering, you can limit the information presented on either dashboard. After you have refined the display to show a group of vulnerabilities that you want to correct, you can use the Operator Dashboard to launch the Remediation operation wizard, which lets you choose the specific vulnerabilities to address and configure the individual operations that are being created.

When you finish using the Remediation operation wizard, BladeLogic Portal launches one or more operations, which appear on the portal's home page. You can manage those operations as you do any portal operation. You can also view and use those results just as you do other operations.

What do I need to get started?

You must have a user ID that can access and use BladeLogic Portal.
The user ID must be associated with a portal security group that has the Threat Director permission. For more information, see Managing-portal-security-groups-for-BMC-Server-Automation.
You must import vulnerability scans and map their assets and vulnerabilities to servers and content in your BladeLogic system. For a demonstration of that process, see Walkthrough-for-Threat-Director-Mapping-vulnerability-scan-results-to-a-server-environment.
To enable job approval, BladeLogic Portal must be connected BMC Atrium Orchestrator (BAO) and BMC Server Automation must be integrated with BMC Remedy ITSM.
To enable blind spot detection, BladeLogic Portal must be connected to BMC Discovery.

How to remediate vulnerabilities detected in a scan

	Procedure	Example (click to enlarge)
1	Select Threat Director > Operator Dashboard. The Operator Dashboard provides charts and filters that help you identify vulnerabilities that require attention. When you have narrowed the focus down to a set of critical vulnerabilities that require action, you can launch a remediation operation. By default the dashboard shows data from the last 90 days.
2	At upper left, note the value of Unscanned, which shows the number of servers that were detected using BMC Discovery but were not included in the scan files imported into BladeLogic Portal. Unscanned servers are potential blind spots in the server environment you are scanning and thus potential security risks. Note: You must set up a connection to BMC Discovery to display the Unscanned option. From the Operator Dashboard you can export of list of unscanned servers so you can take further actions with them.
3	Use filters to limit the number of items in the Actionable Vulnerabilities list. This is the list of servers and their vulnerabilities that you can potentially remediate by running a Remediation operation. In this example we begin with 1654 items in the Actionable Vulnerabilities list. Applying the following filters limits the Actionable Vulnerabilities to two. For O/S, we select Windows, which limits vulnerabilities to those found on Windows servers. For Severity, we select 4 and 5, which excludes vulnerabilities with a severity of level 1, 2, or 3. For SLA, we choose to show information for vulnerabilities that are Approaching SLA or Exceeded SLA. For Status, we select Awaiting Attention, which excludes vulnerabilities for which remediation is already in progress. After selecting filtering options, click Apply Filters to activate your choices.
4	Click Remediate. The Remediation operation wizard opens.
5	On the Definition page of the wizard, enter a name for the operation. If your user ID is assigned to more than one portal security group, you also must select a security group. Then click Next. When the wizard generates operations, it uses the name you enter and appends the type of remediation action and a number. For example, if the name you enter is Windows fix 10-20 and the wizard generates an NSH Script job, the operation is called Windows fix 10-20_Remediation Script.
6	On the Remediations page, review the list of remediations that the Remediation wizard will deploy. If you do not want to deploy one, select the check mark to deselect it. Then click Next. If necessary, you can use filters to limit the number of remediations displayed. Bear in mind that filtering remediations does not remove them from the list of remediations to deploy. The only way to remove a remediation is to clear the check mark or to return to the Operator Dashboard and use filters there to control the list of remediations that you are going to remediate.
7	When you first launch the operations page, you are prompted to select a job group. This is a location in BMC Server Automation Jobs folder where jobs are stored when they are automatically created by the portal. Select a Jobs folder and click OK.
8	On the Operation page, you can set up global job approvals that apply to all operations that the wizard generates. You can also set up job approvals for each individual operation. In this example we are going to set up job approval globally. For Approval Type, select Change Management Automatic Approval. When you make this selection, all operations that the wizard generates will require automatic job approval. Note: To enable job approval, you must connect the portal to BMC Atrium Orchestrator (BAO), and BMC Server Automation must be integrated with BMC Remedy ITSM.
9	The Operation page also lets you set up a global schedule or schedule individual operations. In this example, we're going to set a global schedule but we are going to override that schedule for one of the operations. First we set the global schedule. Under Global Schedule and Approval Settings, select With Schedule. This indicates you are defining a global schedule. Next to Run Once At, use the clock and calendar icons to set a time and date for the operation to execute. You must set a time at least five minutes in the future. In this example, we select a time of 1 AM the next morning, which is our next maintenance window.
10	Now we override the global schedule for the Patching operation. We want that operation to run during a maintenance window over the weekend. Click Override Global Scheduling and/or Approval. Selecting this option lets us define separate schedules for each operation that will be created. On the row for the Patching operation, click the configuration icon . A dialog opens that includes the Schedule and BAO Approval tab.
11	On the Schedule and BAO Approval tab, take the following actions: Make sure the With Schedule option is selected. On the row that reads Run Once At, use the clock and calendar icons to set a time and date for the operation to execute. For this example, we change the date to the next Saturday, which is the maintenance window we prefer. Click OK to close the dialog box. We could also set up an individual value for job approval, but in this example we are accepting the global approach to job approval, which we set up earlier in this walkthrough. Although no more information is required in this example, some type of operations do require additional configuration. For example, you might have to provide parameter values for an NSH Script operation. If additional information is required, click the configuration icon next to that operation. Then use the dialog that appears to provide the necessary information.
12	In the Planned Operations list, make sure all operations have green checks, indicating they are configured so their execution can launch correctly. Note that you can also use the Notifications page (the next page in the wizard) to set up notifications that are generated when an operations run. For the purposes of this example, we are not setting up notifications.
13	Click Finish. The home page may display a message like the following while the operations you have defined are created: When the operations have been generated, you can refresh the browser page and the operations appear on the portal's home page. If you scheduled the operations to run immediately, they begin to execute. In this example they are ready to execute according to schedule.

Wrapping it up

In this topic you used Threat Director to use the Operators Dashboard to filter vulnerabilities and then launch the Remediation Operation wizard. The wizard generates two operations to correct vulnerabilities detected in the vulnerability scan.

Where to go from here

You can view the results of the operations that this procedure generates as you do any other operations in BladeLogic Portal.

If you want to learn more about using the options available in the Remediation Operation wizard, see Creating-a-Remediation-operation-Threat-Director.