Creating a Remediation operation - Vulnerability Manager
A Remediation operation uses information that a vulnerability management system gathers to create one or more operations that correct those vulnerabilities on servers that you manage.
This topic includes the sections listed below.
Overview
Before you can create a Remediation operation, you must go through a process (described below) of importing vulnerability information from a vulnerability management system (such as Qualys, Nessus, or Rapid7) into BladeLogic Portal and mapping that information to your BladeLogic system.
After mapping is complete, you can use the SecOps Dashboard to view summary and detailed information about target servers and their vulnerabilities. Filtering tools let you limit the vulnerabilities that must be remediated. A list at the bottom of the SecOps dashboard shows the complete list of servers and vulnerabilities to be remediated.
When you have a set of vulnerabilities that require remediation, use the SecOps Dashboard to launch the Remediation Operation wizard, which generates one or more operations to correct the vulnerabilities you have specified. If only one type of remediation task is necessary, the wizard generates one operation. If multiple types of remediation tasks are included in the list of vulnerabilities to be remediated, the wizard generates an operation for each type of task. For example, if you are only deploying patches from a single patch catalog, a single Patch Analysis operation is generated. For multiple patch catalogs, multiple operations are required.
When you finish with the wizard, all operations are scheduled. You can view their progress on the home page, just as you would for any other operation in portal.
Using a Remediation operation, you can launch a Patch Analysis job for:
- Microsoft Windows 2008 and later
- Red Hat Linux 5 and later
- SuSE 11 and later
Before you begin
Before you can run a Remediation operation, you must go through the process of importing a scan file from a vulnerability management system and mapping its contents to your BladeLogic system. Here is an outline of the process:
- After running a vulnerability scan in a vulnerability management system, such as Qualys, Nessus, or Rapid7, import the scan file into BladeLogic Portal.
- Map the assets detected in the scan to servers under BladeLogic management. While importing scan files, BladeLogic Portal automatically maps assets in the scan file to servers managed by BMC BladeLogic Server Automation. However, sometimes assets require manual mapping.
- Map the vulnerabilities detected in the scan to content in the BladeLogic depot that can be used for remediation.
- Use the SecOps Dashboard to limit the servers and vulnerabilities that need remediation.
To limit the vulnerabilities being remediated
Before you run a Remediation operation, you typically want to limit the vulnerabilities being addressed. Select scan files and use filters to limit the list of vulnerabilities in question.
- From the Vulnerability Manager drop-down list, select SecOps Dashboard.
The SecOps Dashboard opens. It provides summary and detailed information about vulnerabilities detected in a vulnerability scan.
- Under Filter By, for Scan, select one or more scans for which you want to display information on the dashboard.
- Use the other filtering options to refine the servers and vulnerabilities included in the Dashboard display.
- Click Apply Filters.
The Mapped Asset Details list at bottom shows the complete list of mapped servers and mapped vulnerabilities you have chosen to display.
To create a Remediation operation from the SecOps dashboard
This procedure describes how to use the Remediation Operation wizard to generate one or more operations to correct vulnerabilities.
Launch the Remediation wizard by clicking Remediate and perform the following steps:
- Complete each page in the Remediation Operation wizard. The pages are listed below. Each page corresponds to one of the following sections on this page.
After you provide all required information for a page, proceed to the next page by clicking Next (at bottom) or clicking the next chevron in the ribbon at top. At any time you can click Back (at bottom) to display the previous page in the process. Do not use the browser's Back button.
- When you have finished defining the operation, click Finish.
You can click Finish to save the operation, even if some pages are complete.
When you click Finish, a placeholder message appears on the home page. The placeholder states that one or more operations are being created. You can follow links in the message to check the status of any operations being created. Refreshing the page shows the updated status of the operations. When the creation of all operations completes, you can refresh the page so the operations appear on the portal's home page and are ready to run according to their defined schedules.
The following sections describe in detail each step in the Remediation Operation wizard.
Definition
The Definition page provides general information about the operation.
The boxes at right summarize the information provided for each page in the wizard.
The Definition page includes the following options:
Option | Description |
---|---|
Name | Name of the operation. When the wizard creates operations, it uses the following schemes to generate names: |
Description | Optional descriptive text for the operation. By default, descriptive text is added that lists the filters in effect when you launched this wizard. |
Security Group | The Security Group option specifies your current role in BSA or realm in BNA. If you are assigned to more than one role or realm, this option is available. If you are assigned to only one role or realm, this option defaults to that role or realm and you cannot edit this option. |
Remediations
The Remediations page lists the targets and the remediation content that will be deployed to those targets to correct vulnerabilities. Targets are servers in BMC Server Automation or network devices in BMC Network Automation.
A list on the Remediations page shows vulnerabilities on scanned targets that are mapped to servers or network devices. Each row represents a vulnerability on a target that is mapped to remediation content, such as a patch in BSA or a rule in BNA.
To appear on the Remediations page, a target must appear in the Mapped Asset Details list of the SecOps Dashboard (if you are using Vulnerability Manager) or the Actionable Vulnerabilities list of the Operator Dashboard (if you are using Threat Director). On each of those dashboards, you can use filters to control the contents of the lists.
Using the Remediations page, you can remove remediations to be deployed by clearing checkmarks on each row.
If necessary, you can sort the list of remediations by clicking on header names. You can also filter what items are displayed in the list using the search boxes at the top of each column. Be aware that filtering items so they do not appear in the list does not remove those items from the list of remediations to be corrected. To remove a vulnerability, you must explicitly deselect that row so it does not include a checkmark.
Modifying contents of the list
To remove a target from the list, click on a row representing a server. Clicking the row again selects the target.
To remove all targets from the list, click the deselect all option, shown below. Clicking the option again selects all targets.
Sorting data in columns
Sort columns of data on this page by clicking on column headers.
Filtering data in columns
Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data in that column that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.
Operation
The Operation page lets you schedule and configure the operation or operations that the wizard creates. If you have configured a connection to BMC Atrium Orchestrator and set up job approval, you can also configure the job approval request.
The Operation page lists the operations created by the Remediation operation wizard. This page lets you define a schedule and perform other types of configuration for the operations you are about to perform.
If you have configured a connection to BMC Atrium Orchestrator and set up job approval in BMC Server Automation, you can also use the Operation page to configure the job approval request.
Specifying a job group
The first time you access the Operation page, the portal prompts you to select a job group where jobs that are automatically created should be stored in BMC Server Automation.
After selecting a job group, you can modify that selection by clicking Browse next to the Job Group option. A dialog opens. Select a job group and click OK.
Defining schedules
You can define a schedule that applies to all operations generated by this Remediation operation.
If the wizard creates multiple operations, you can define a schedule that applies to them all, but you can also choose to modify the schedule for some or all operations.
To define a global schedule
- Under Global Schedule and Approval Settings, click the clock icon beside Run Once At.
An interface similar to a digital clock appears.
- Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
- Select the date when the operation runs.
- Select a time zone for the operation.
To define schedules for individual operations
- Click Override Global Scheduling and/or Approval.
By default, all operations listed in the Planned Operations list use the global schedule.
- For any operation in the Planned Operations list that you want to schedule, click the configuration icon.
The Configuration dialog box opens.
- Take one of the following actions:
  - Click the No Schedule tab to assign no schedule to the operation. Typically this option is used when you are defining an operation and you plan to schedule it later. You cannot use the No Schedule option if you are requiring job approval for this operation.
  - Click the Execute Now tab so the operation runs as soon as you finish the wizard. You cannot use this option if you are requiring job approval for this operation.
  - Click the With Schedule tab to define a schedule for the operation. Then take the following steps:
    - Click the clock icon beside Run Once At.
      An interface similar to a digital clock appears.
    - Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
    - Select the date when the operation runs.
    - Select a time zone for the operation.
- Click OK.
Requesting job approvals
If you integrate BladeLogic Portal with BMC Atrium Orchestrator, you can request a job approval through BMC Remedy ITSM Change Management. By default, the approval applies to this operation and all sub-operations that are automatically generated. Alternatively, you can also request approvals for individual sub-operations.
To request job approval for the entire operation
If you are requesting job approval for the overall job, under BAO Approval Information, for Approval Type, select a type of approval. See Job approval options for a description of the different approval types. If you want to customize the approval request, click Show Advanced Options and provide the information described in Job approval options.
To request job approval for individual operations
If you are requesting job approvals for individual operations in the Planned Operations list, perform the following steps:
- Click Override Global Scheduling and/or Approval.
By default, all operations listed in the Planned Operations list use the same job approval.
- For any individual operation in the Planned Operations list that you want to schedule, click the configuration icon.
The Configuration dialog box opens.
- Ensure that you have selected the With Schedule tab. You can only request job approvals for scheduled jobs. For Approval Type, select a type of approval.
See Job approval options for a description of the different approval types. If you want to customize the approval request, click Show Advanced Options and provide the information described in Job approval options.
- Click OK.
Job approval options
Option | Description |
---|---|
Approval Type | Manual—Use this option for jobs that require a BMC Remedy ITSM administrator to review the job details and impact level prior to approving execution. By default, this option generates a change request with a Change Timing value of Normal. Automatic—Use this option for change requests that use an Approval Process Configuration form to automatically approve the request. By default, this option generates a change request with a Change Timing value of No impact. Emergency—Use this option for jobs that need immediate attention and must be run immediately. By default, this option generates a change request with a Change Timing value of Emergency and an Urgency value of High. No Approval Required—Use this option if you are not required to enter the additional BMC Remedy ITSM parameters. If a job type requires approval and you select No approval, the approval mechanism is bypassed and the job executes either immediately or as scheduled. |
Change Type | Enter the type of change being requested. |
Impact | Select the scope of the change being requested. For example, is the job targeted for one server or a large number of servers? The default value is Minor/Localized. |
Risk Level | Select the severity of the change being requested. |
Executing operations immediately
- Click Override Global Scheduling and/or Approval.
- For any operation in the Planned Operations list, click the configuration icon.
The Configuration dialog box opens.
- Select the Execute Now tab.
- Click OK.
Enabling auto-remediation (Threat Director only)
Patch Analysis operations can be configured to allow for auto-remediation, which means that when the Patch Analysis operation completes, additional operations are launched automatically to deploy required patches.
You can define auto-remediation so each phase occurs sequentially, or you can schedule each phase of the auto-remediation process.
- For any patching operation in the Planned Operations list, click the configuration icon. The Configuration dialog box opens. It includes two tabs: Remediation Details and Remediation Setting.
- Using the two tabs, perform the following steps:
  - On the Remediation Details tab, specify a job group and depot group to store jobs and depot content that are automatically generated during auto-remediation.
    - In the navigation tree, expand Depot Group and select a sub-group for storing depot content.
    - Expand Job Group (you may have to collapse the Depot Group first) and select a sub-group for storing jobs.
  - Click the Remediation Setting tab.
  - Select a deploy template and click Details.
    Two additional tabs appear: Deploy Settings and Phase Schedules and Execution.
  - Optionally, inspect the settings of the template by clicking Details. The portal lists settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.
  - To schedule the individual phases of auto-remediation (that is, simulate, stage, and commit), perform the following steps:
    - Click the Phase Schedules and Execution tab.
    - Take any of the following actions:
      - If you do not want to schedule the phases of the remediation action, select Do not execute.
      - If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone, a start date, and a time for execution.
      - If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
  - Click OK to confirm all auto-remediation settings.
Providing additional configuration for operations
A Remediation Operation wizard can automatically create many different types of operations. For example, it can create Deploy or NSH Script operations. In some situations, these operations may require additional configuration. Those scenarios are described below.
To provide local properties for Deploy operations
If a Deploy operation is deploying a BLPackage and local properties have been defined for the BLPackage, you may need to provide values for the local properties.
- For a Deploy operation in the Planned Operations list, click the configuration icon.
The Configuration dialog box opens. It includes a tab called Local Properties. If no properties are listed on the tab, no local property values are required. The procedure is complete.
- If local properties are listed on the Local Properties tab and you want to change the value for a property, click the name of the local property.
A dialog box displays information and options about the property.
- Modify the local property value by clicking in the Value text box and entering a new value.
- Click OK.
To provide parameters for NSH Script operations
If an NSH Script operation is running a script that requires parameter values, you may need to provide values for the parameters.
- For an NSH Script operation in the Planned Operations list, click the configuration icon.
The Configuration dialog box opens. It includes a tab called Script Properties. If no properties are listed on the tab, no parameter values are required. The procedure is complete.
- If parameters are listed on the Script Properties tab and you want to change the value for a parameter, click the name of the parameter.
A dialog box displays information and options about the parameter.
- Modify parameter values by taking any of the following actions:
  - To specify whether the operation should use a flag for this parameter, for Flag runtime usage, select one of the following options:
    - Use: The operation uses the parameter flag.
    - Ignore: The operation does not use the parameter flag.
    If the Network Shell script is defined so the job requires a flag for this parameter, you cannot modify the setting.
  - To modify the value of the parameter, click in the Value text box and enter a new value.
    You can only modify parameters that are defined to be editable when the Network Shell script was created.
    If you want to include a reference to a property in the parameter, enter a variable bracketed with double question marks (such as ??WINDIR??/rsc). Alternatively, you can click Properties to find and select the appropriate property.
  - To specify whether the operation should use a value for this parameter, for Value runtime usage, select one of the following options:
    - Use: The operation uses this parameter value.
    - Ignore: The operation does not use this parameter value.
    If the Network Shell script is defined so the job requires a value for this parameter, this cell is set to Required and you cannot modify the setting.
    If the parameter is defined so it does not accept a value, and the parameter has never had a value associated with it, you cannot modify the setting.
- Click OK.
To select deploy templates
If you are configuring a Deploy operation, you can optionally specify a deploy template, which encapsulates the deploy settings to be used for the new operation. To enable this functionality, a portal administrator must define one or more deploy templates for your site or portal security group.
- For a Deploy operation in the Planned Operations list, click the configuration icon.
The Configuration dialog box opens. If deploy templates are enabled, a tab called Deploy Template appears.
- On the Deploy Template tab, select a Deploy job.
The Deploy job appears in the Selected Deploy Template field. To remove a Deploy template, select the Deploy job again from the list of possible Deploy jobs.
Optionally, inspect the settings of the template by clicking Details. The portal lists settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.
If you have selected a Deploy template that is defined as an Advanced Deploy job in BMC Server Automation, you can schedule the individual phases of the remediation operation (that is, simulate, stage, and commit). Take the following steps:
  - Click the Phase Schedules and Execution tab.
  - Take any of the following actions:
    - If you do not want to schedule the phases of the remediation action, select Do not execute.
    - If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone and a start date and time for when execution begins.
    - If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
- Click OK. The settings in the Deploy job that the template identifies are used to define the Deploy operation.
Notifications
The Notifications page defines notifications that are generated based on conditions you specify. For example, you can instruct the portal to send an email when an operation fails or aborts.
Where to go next
After you have launched a remediation operation, it appears on the portal's home page. There you can use the portal's capabilities for ongoing management of operations, such as executing the operation again, deleting the operation, or viewing its results.
When you view operation results, the tools available to you vary, depending on the type of operation. For more information, see Viewing and using results of operations.