Remediating vulnerabilities by using the Ansible Automation Platform


A vulnerability is a flaw or weakness in a system that can compromise security. Tens of thousands of vulnerabilities, many with high or critical severity, affect assets daily. As an operator in BMC Helix Automation Console, you must monitor vulnerabilities affecting assets, investigate the associated risks, and quickly prioritize remediation to restore the health of the impacted assets.

By integrating BMC Helix Automation Console with BMC Helix Intelligent Automation, you can remediate vulnerabilities by using the Ansible Automation Platform, in addition to other remediation platforms such as TrueSight Server Automation and TrueSight Network Automation. This integration also serves as a strong alternative for managing and remediating assets that are not handled by TrueSight Server Automation or TrueSight Network Automation.

BHAC_IA integration

Scenario

Sofia, an Operator at Acme, is responsible for remediating vulnerabilities imported from multiple scanners into BMC Helix Automation Console. However, due to Acme’s strict security policies, she is not permitted to perform remediation using TrueSight Server Automation. Instead, the organization prefers to remediate using Ansible job templates managed within the Ansible Automation Platform.
While creating a vulnerability remediation operation in BMC Helix Automation Console, Sofia realizes that she cannot directly access the required Ansible job templates. She escalates this limitation to her management team.
To address the gap, Acme decides to integrate BMC Helix Automation Console with BMC Helix Intelligent Automation, a platform capable of connecting with automation engines, including the Ansible Automation Platform.
Once the integration is complete, Sofia can seamlessly map vulnerabilities to specific Ansible job templates directly from BMC Helix Automation Console. When she runs a remediation operation, the system automatically executes the mapped Ansible remediation job template, ensuring that the identified vulnerabilities are addressed using Acme’s approved automation method.
This integration allows Sofia to maintain compliance with organizational security policies while streamlining and standardizing the vulnerability remediation process.

Workflow for remediating vulnerabilities in BMC Helix Automation Console by using the Ansible Automation Platform

The following table lists the tasks to implement the workflow:

Task

Action

Product

User role

Description

Reference

1.

Complete the minimum required actions to set up the Ansible Automation Platform.

For more information, see the Ansible online documentation.

Ansible Automation Platform

Automation engineer

  • Create an organization (a collection of users, teams, projects, and inventories)
  • Add the inventory (a collection of hosts)
  • Create credentials
  • Create a job template to remediate vulnerabilities
    Sample YAML script for Linux
    ---
    # Applies the package updates that dnf associates with one CVE ID.
    - name: Update packages based on a single CVE
      hosts: "{{ target_hosts }}"   # hostname parameter
      become: true

      vars:
        cve_id: "{{ cveid }}"       # CVE ID passed in as the cveid variable

      tasks:
        - name: Show CVE being applied
          ansible.builtin.debug:
            msg: "Updating packages for CVE: {{ cve_id }}"

        - name: Update packages for the CVE
          ansible.builtin.shell: >
            dnf update --cve={{ cve_id }} -y
    Important:
    • You must use target_hosts as the hostname parameter. However, you can change it for the tenant account by using the REST API.
    • Select Prompt on Launch to be prompted at launch to choose a job type: run or check.
Ansible User Guide

2.

Configure the Ansible Automation Platform connector

BMC Helix Intelligent Automation

Automation engineer

Configure the Ansible Automation Platform cloud or on-premises connector to establish a connection between BMC Helix Intelligent Automation and Ansible Automation Platform.

Important: Make sure you sync actions after configuring the Ansible Platform connector.

3.

Enable integration with BMC Helix Intelligent Automation

BMC Helix Automation Console

 

Administrator

Enable Intelligent Automation integration from the BMC Helix Automation Console UI

4.

Create a notification webhook

Ansible Automation Platform

Automation engineer

Configure a project-level notification webhook triggered on the success or failure of the Ansible job template.

To create a notification webhook in Ansible

5.

Enable notifications

Ansible Automation Platform

Automation engineer

Enable the notification webhook to notify you when a specific job succeeds or fails at the end of the job run.

6. 

Map the vulnerabilities against a vulnerability remediation script

BMC Helix Automation Console

Operator

Manually map the vulnerabilities against the vulnerability remediation script created in Task 1

7.

Create a vulnerability remediation operation

BMC Helix Automation Console

Operator

Create a vulnerability remediation operation that uses the Ansible job template to remediate vulnerabilities.
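
A hardened variant of the Task 1 sample playbook, as an added example that is not BMC's or Red Hat's own code: the sample interpolates cveid into a shell command line unchecked, so this version asserts that the value is a well-formed CVE ID and runs dnf through ansible.builtin.command with argv, which involves no shell. The dnf_result variable name and the changed_when condition (which relies on dnf's English "Nothing to do" message) are assumptions of this example.

```yaml
---
# Added example: same job as the Task 1 sample, with input validation
# and no shell parsing of the CVE ID.
- name: Update packages based on a single validated CVE
  hosts: "{{ target_hosts }}"
  become: true

  vars:
    cve_id: "{{ cveid }}"

  tasks:
    - name: Reject anything that is not a well-formed CVE ID
      ansible.builtin.assert:
        that:
          - cve_id is string
          - "cve_id is match('^CVE-[0-9]{4}-[0-9]{4,}$')"
        fail_msg: "cveid must look like CVE-YYYY-NNNN"
        quiet: true

    - name: Update packages for the CVE
      ansible.builtin.command:
        # argv passes each element to dnf as one argument, so the CVE ID
        # is never interpreted by a shell.
        argv:
          - dnf
          - update
          - "--cve={{ cve_id }}"
          - "-y"
      environment:
        LC_ALL: C   # keep dnf output in English for the check below
      register: dnf_result   # hypothetical variable name
      # Assumption: dnf prints "Nothing to do" when no package matches.
      changed_when: "'Nothing to do' not in dnf_result.stdout"

    - name: Report the outcome
      ansible.builtin.debug:
        msg: >-
          CVE {{ cve_id }}:
          {{ 'packages updated' if dnf_result is changed
             else 'no applicable updates' }}
```

With the job type set to check, the command task is skipped, so only the validation step and the report run.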

 


BMC Helix Intelligent Automation 26.1