Manage Ongoing Vulnerability Scans
Conducting one scan shows you the basics of how to detect and remediate vulnerabilities. Next, consult the strategies presented here to learn how to (1) extract just the valid vulnerabilities of real concern from your scan results, and (2) maintain the most secure stance for your servers going forward.
Execute Regularly Scheduled Scans
To maintain a high level of security, it is important to establish a schedule of regular scans of your servers. As the software on your servers changes through updates and new installations, and as new vulnerabilities are discovered and added to the NIST database, frequent automatic scanning will allow you to capture any recently added vulnerabilities.
You can conduct vulnerability scans manually or automatically. For automatic scans, decide whether and how frequently you want to conduct them. Then, from the Site Administrator menu in the Halo Portal, select Site Administration and click the Scanner Settings tab.
Under Scanner Scheduling, in the line for "Software Vulnerability Assessment", select Enable Automatic Scanning, then choose a scan frequency from once per hour to once per week. Leave Execute scan on daemon start selected if you want to run an initial scan on each server as soon as it starts up.
Under Scanner Options and Software Vulnerability Assessment, optionally enter a new value for the CVSS score threshold, depending on what score values you think should indicate critical vulnerabilities. See Adjust the Vulnerability Threshold for more information.
The next scheduled scan will occur in as little as one hour or as much as 24 hours later, depending on the frequency you have specified. All active servers, regardless of what server groups they may be in, are scanned at each automatic scan.
Adjust the Vulnerability Threshold
The Software Vulnerability Assessment Settings page lists the CVSS score threshold (default = 5.00). Any vulnerability with a CVSS score at or higher than the threshold will be marked as critical on a server's Software Scan Details page. In general, you should remediate critical events as soon as possible, whereas you might schedule remediation of non-critical events as your workload permits.
You can adjust the threshold downward if you feel that too many events of high severity (in terms of your organization's security requirements) are not being categorized as critical; likewise, you can adjust it upward if you feel that too many events of lesser severity are being unnecessarily classified as critical.
Remediate or Eliminate Vulnerabilities
Following a scan that reveals potential software vulnerabilities in your servers, your first task is usually to apply all known patches, bringing your servers up to date. Then you can take further steps to identify and remove any apparent issues that do not constitute a real threat.
Apply the Latest Patches and Re-Scan
To address the reported software-vulnerability issues in your servers, first upgrade your operating systems and critical applications to include all the latest patches. The recommended practice is to patch your gold master servers and then re-instantiate all your cloud servers from the masters. Alternatively, you could use automation tools such as Chef, Puppet, or RightScale to re-provision all your servers with the latest software.
After patching, re-scan your servers to learn what vulnerabilities remain. Then analyze them as described next, to separate the true unpatchable vulnerabilities from issues that are false positives or that may not be of concern to your particular server installation.
Delete Unnecessary Packages
Some of the software vulnerabilities detected by Halo may occur in packages that your organization does not use. For example, common administrative tools supplied with many distributions may have vulnerabilities; if you do not use those tools on the server, you should remove them.
One way to address such a vulnerability might be to define a vulnerability exception for it, so that it does not appear in future scans. But a simpler and more secure solution is to simply remove the file from your servers.
If your servers never execute such a file and have no need for it, delete it from all affected servers and from any gold-master server templates that you use for creating new server instances.
Halo may detect software vulnerabilities in certain software packages that you do not need to remediate at the present time. For example:
- You may have scheduled an upgrade or patch in the near future, but you do not wish to or cannot perform that upgrade immediately.
- You may have a compensating control, in that you have circumvented or blocked the vulnerability in another way. For example, if a vulnerability were reported in httpd, but your firewalls already disallow any HTTP traffic to or from the outside, the vulnerability is not a concern for you.
- The vulnerability may appear to be valid based on the package version number, but in reality it already has been patched with an updated package. (This situation can occur because vendors sometimes update a package without actually changing its version number.)
- You may have recently upgraded your kernel or some other package for which the installer does not remove the older, vulnerable version when it installs the newer one. Subsequent scans will continue to detect that vulnerable package, even if it is not running. You may not wish to delete the older package, but you'd prefer that it not continue to appear in your scan results.
You can keep those events from showing up in your future scans by defining a software exception for that package. The exception temporarily or permanently suppresses the reporting of that event, possibly until a time at which you expect to have remediated the issue by patching or upgrading the package.
To create an exception, click Add Exception in the line describing the event on the Software Scan Details page for a server. The Add Software Scanning Exception dialog opens.
Specify when, if ever, the exception should expire. Decide whether it should apply to just the server on which it was reported, or to all servers in its server group, or to all of your Halo-protected servers. Optionally include a reason for the exception, so you'll have a record of why the exception is justified.
All defined software exceptions are listed on the Software Exceptions page in the Halo Portal, at Policies > Software Exceptions. If you want to delete an exception before it expires on its own, click the Remove icon for that exception on the page.
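As an added illustration, not part of the Halo documentation or product code, the following Python models the triage rules described in the threshold and exception sections above: a finding is critical when its CVSS score is at or above the threshold (default 5.00), and a software exception hides a finding when its package matches, its scope (server, group or all) covers the reporting server, and it has not expired. Server names, group names, package names and CVE ids in the sample data are constructed placeholders.

```python
from collections import namedtuple
from datetime import date

DEFAULT_CVSS_THRESHOLD = 5.00  # Halo default; a score at or above it is critical

# One row on a server's Software Scan Details page (cve ids below are placeholders).
Finding = namedtuple("Finding", "server group package cve cvss")
# One row on Policies > Software Exceptions: scope is "server", "group" or "all";
# target is the server or group name (None for "all"); expires None = never expires.
SoftwareException = namedtuple("SoftwareException", "package scope target expires reason")

def exception_applies(exc, f, today):
    """True if a still-valid exception covers this finding's package on this server."""
    if exc.package != f.package or (exc.expires and today >= exc.expires):
        return False
    return (exc.scope == "all"
            or (exc.scope == "group" and exc.target == f.group)
            or (exc.scope == "server" and exc.target == f.server))

def triage(findings, exceptions, today, threshold=DEFAULT_CVSS_THRESHOLD):
    """Split findings into (critical, non_critical, suppressed) lists of CVE ids."""
    critical, non_critical, suppressed = [], [], []
    for f in findings:
        if any(exception_applies(e, f, today) for e in exceptions):
            suppressed.append(f.cve)       # hidden from this scan's report
        elif f.cvss >= threshold:
            critical.append(f.cve)         # remediate as soon as possible
        else:
            non_critical.append(f.cve)     # schedule as workload permits
    return critical, non_critical, suppressed

# Constructed sample data, not real scan output.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "web", "httpd",   "CVE-0000-0001", 7.5),
    Finding("web-02", "web", "httpd",   "CVE-0000-0001", 7.5),
    Finding("db-01",  "db",  "kernel",  "CVE-0000-0002", 4.9),
    Finding("db-01",  "db",  "openssl", "CVE-0000-0003", 5.0),
    Finding("db-01",  "db",  "sudo",    "CVE-0000-0004", 6.8),
]
SAMPLE_EXCEPTIONS = [
    # compensating control, applied to the whole "web" server group, never expires
    SoftwareException("httpd", "group", "web", None, "firewall blocks external HTTP"),
    # temporary exception for one server pending an upgrade; already expired on TODAY
    SoftwareException("sudo", "server", "db-01", date(2024, 1, 1), "upgrade was scheduled"),
]
```

Note that the expired sudo exception no longer suppresses its finding, so it returns to the critical list, and raising the threshold to 6.0 moves the 5.0 openssl finding out of the critical list.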
Address Remaining Unpatched Vulnerabilities
The purpose of software vulnerability assessment is to allow you to find and fix software vulnerabilities in your cloud servers. Halo will show you where the vulnerabilities are; once you have applied all known patches, removed vulnerable packages that you do not need, and created exceptions to hide issues that do not concern you, what remains—if anything—is some number of vulnerabilities for which no patch is currently available.
You should handle those vulnerabilities by following the recommendations in your organization's security policies. You may decide to stop using the vulnerable packages and remove them from your servers, or you may create compensating controls to protect the packages in other ways. You might even wait for a patch to become available, if you expect one soon. In any case, it is important to take steps to minimize your organization's exposure to vulnerability-related risk, both at the present time and going forward.