Unsupported content: This version of the product has reached end of support. The documentation is available for your convenience.

Walkthrough: Remediating problems detected in a vulnerability scan


This walkthrough demonstrates how to use the results of a vulnerability scan to generate remediation operations in BladeLogic Portal. This topic continues the process of integrating remediation scan results into BladeLogic Portal. The initial steps in the process are described in Walkthrough: Mapping vulnerability scan results to your environment.


The video at right demonstrates the process described in this walkthrough. The video was created using BladeLogic Portal 2.0.00.00. If you are using a later version of BladeLogic Portal, you may detect minor differences in the user interface.

Introduction

You can use BladeLogic Portal to view and remediate the results of a vulnerability scan after those results have been imported into BladeLogic Portal. You remediate (or correct) vulnerabilities by running a Remediation operation, which in turn launches one or more BladeLogic Portal operations, such as Patching or Deploy operations.

Before you can remediate vulnerabilities, you must first import results of a vulnerability scan from a tool such as Qualys or Nessus and then map those results to servers and remediation content in BMC BladeLogic Server Automation. That process is demonstrated in Walkthrough: Mapping vulnerability scan results to your environment.

After those steps are complete, you can use the SecOps Dashboard to view summary and detailed results of the vulnerabilities that have been detected. With filtering, you can limit the information presented on the dashboard. After you have refined the display to show a group of vulnerabilities that you want to correct, you can launch the Remediation operation wizard, which lets you choose the specific vulnerabilities to address and configure the individual operations that are about to run.

When you finish using the Remediation operation wizard, BladeLogic Portal launches one or more operations, which appear on the portal's home page. You can manage those operations as you do any portal operation. You can also view and use those results just as you do other operations.

What do I need to get started?

How to remediate vulnerabilities detected in a scan

 

 


1

Select Vulnerability Manager > SecOps Dashboard.

The SecOps Dashboard appears. It shows summary and detailed information about the servers and vulnerabilities detected in a vulnerability scan and mapped to the servers and content in your BladeLogic system.

The dashboard does not show any data until you select one or more scans.


2

Under Filter By, use the Scan filter to select the scan files to be included on the dashboard. After selecting scan files, click Apply Filters to activate your choices.


3

Use filters to limit the number of items in the Mapped Asset Details list. This is the list of servers and their vulnerabilities that you can potentially remediate by running a Vulnerabilities Management operation.

In this example, we begin with 100 items in the Mapped Asset Details list. The Vulnerabilities by Severity section shows vulnerabilities of severity 1, 2, 4, and 5. (The most severe is 5.) Then we apply the following filters, which limit the total vulnerabilities to 25.

  • For Target OS, we select Windows, which limits vulnerabilities to those found on Windows servers. 
  • For Severity, we select 2, 3, 4 and 5, which excludes vulnerabilities with a severity of level 1.
  • For Server Group, we select a group named WinG1, which is the group where we want to deploy remediation content. The groups available in this filter are the groups (smart groups and static groups) defined on your BSA system.

After selecting filtering options, click Apply Filters to activate your choices.


4

Click Remediate.

The Remediation operation wizard opens.


5

On the Definition page of the wizard, enter a name for the operation. If your user ID is assigned to more than one portal security group, you also must select a security group. Then click Next.

When the wizard generates operations, it uses the name you enter and appends the type of remediation action (such as a Deploy job) and a number. For example, if the name you enter is password security and the wizard generates one Deploy job, the operation is called password security: Deploy_job_01.


6

On the Remediations page, review the list of remediations that the Remediation wizard will deploy. If you do not want to deploy a remediation, click its check mark to clear it. Then click Next.

If necessary, you can use filters to limit the number of remediations displayed. Bear in mind that filtering remediations does not remove them from the list of remediations to deploy. The only way to remove a remediation is to clear the check mark. Alternatively, you can go back to the SecOps Dashboard and use filters there to control the list of remediations that you are going to deploy.


7

When you first launch the Operation page, you are prompted to select a job group. This is a location in the BMC Server Automation Jobs folder where jobs are stored when they are automatically created by the portal. Select a Jobs folder and click OK.

 


8

On the Operation page, you can set up global job approvals that apply to all operations that the wizard generates, or you can set up job approvals for each individual operation. In this example we are going to set up job approval globally.

For Approval Type, select Change Management Automatic Approval.

When you make this selection, all operations that the wizard generates will require automatic job approval.

Note: To enable job approval, you must connect the portal to BMC Atrium Orchestrator (BAO), and BMC Server Automation must be integrated with BMC Remedy ITSM.


9

The Operation page also lets you set up a global schedule or schedule individual operations. In this example, we're going to set a global schedule but we are going to override that schedule for one of the operations. First we set the global schedule.

  1. Under Global Schedule and Approval Settings, select With Schedule. This indicates you are defining a schedule.
  2. Next to Run Once At, use the clock and calendar icons to set a time and date for the operation to execute. You must set a time at least five minutes in the future. In this example, we select a time of 1 AM of the next morning, which is our next maintenance window.


10

Now we override the global schedule for the Patching operation. We want that operation to run during a maintenance window over the weekend.

  1. Click Override Global Scheduling and/or Approval. Selecting this option lets us define separate schedules for each operation that will be created.
  2. On the row for the Patching operation, click the configuration icon. A dialog opens that includes the Schedule and BAO Approval tab.


11

On the Schedule and BAO Approval tab, take the following actions:

  1. Make sure the With Schedule option is selected.
  2. On the row that reads Run Once At, use the clock and calendar icons to set a time and date for the operation to execute. For this example, we change the date to the next Saturday, which is the maintenance window we prefer.
  3. Click OK to close the dialog box. 

We could also set up an individual value for job approval, but in this example we are accepting the global approach to job approval, which we set up earlier in this walkthrough.


12

Some types of operations require additional information. In this example, we configure parameters for an NSH Script operation.

  1. On the row for the NSH Script operation, click the configuration icon. A dialog opens that includes the Script Properties tab.
  2. Click the Script Properties tab. The tab opens and lists any parameters that may require configuration.
  3. Click the name of a parameter. A dialog box lets you configure the parameter.
  4. Provide any information that is necessary for the NSH Script to execute.
  5. Click OK to close the dialog and then click OK again to close the Configuration dialog.


13

In the Planned Operations list, make sure all operations have green checks, indicating they are configured so their execution can launch correctly.

Note that you can also use the Notifications page (the next page in the wizard) to set up notifications that are generated when an operation runs. For the purposes of this example, we are not setting up notifications.


14

Click Finish. The operations that are generated appear on the portal's home page. If you scheduled them to run immediately, they begin to execute.

 


 

Wrapping it up

In this topic, you used the Remediation Management Dashboard in BladeLogic Portal to filter vulnerabilities and then launched the Remediation Operation wizard. The wizard generates two operations to correct vulnerabilities detected in the vulnerability scan.

Where to go from here

You can view the results of the operations that this procedure generates as you do any other operations in BladeLogic Portal.

If you want to learn more about using the options available in the Remediation Operation wizard, see Creating a Remediation operation - Vulnerability Manager.
