In my first blog post, I covered the compliance management aspects of SaltStack SecOps. In this post I will cover how vulnerability management works. The process is very similar to compliance management, except that Common Vulnerabilities and Exposures (CVE) entries are used to determine the overall vulnerability posture of the operating systems under management. Common operating systems are supported, including Windows, Red Hat, SUSE, CentOS, and Ubuntu. The CVEs are obtained directly from the vendors, and a state file is used for assessment and remediation. For part 2, I start already connected to my Salt Master, in the Vulnerability section of the product.
Resembling the Compliance part of SaltStack SecOps, a summary view is provided which shows you a snapshot of your vulnerability posture, trends, top advisories, and remediations. The policy creation process is also similar on the vulnerability side, but with fewer selection options. You only need to name the policy, choose your targets, and set an assessment schedule or trigger a run now operation. Once the assessment is complete, you will be presented with a view like what is depicted in the screenshot.
Clicking into our Web Servers policy displays a more detailed view of the discovered vulnerabilities. You can filter advisories by severity and click into an advisory for more detail on what was found in your environment. From this view, we can remediate or exempt selected advisories across all minions in the selected Target. Additionally, we provide the Common Vulnerability Scoring System (CVSS) score based on both v2.0 and v3.0. For many, v3.0’s additional severity ratings and expanded metrics allow better differentiation among vulnerabilities and thus a more accurate picture of the vulnerabilities encountered in the environment.
Selecting Minions offers specific information on individual minions. Minions can be remediated or exempted individually, based on your needs, from this view. You also have the ability to run jobs or commands directly from this interface, exactly like the compliance side.
The minions view enables each of the options mentioned previously. Clicking Remediate will initiate a remediation job against the selected minions. All listed vulnerabilities for each minion will be remediated as part of the job.
Navigating to Actions allows you to monitor job status, examine previous jobs, and view job logs to determine what was assessed or remediated.
Clicking Report displays further details about the vulnerability status for minions included in the policy. You can click Download to access a JSON version of the report for external needs.
SaltStack SecOps also includes integrations with third-party vulnerability vendors. Choosing the down arrow in the upper right opens a dropdown menu with the option to Upload Vendor Scan Data.
We support uploading and integrating vendor scan data from Tenable, Rapid7, Qualys, and Kenna Security. Once uploaded, the vulnerability assessment details update based on the third-party data to show your assessed posture in the policy.
After the remediation and post-assessment are complete, the policy details will update to show the minions are no longer vulnerable based on the CVEs used during the assessment. SaltStack has changed the configured state to address vulnerabilities identified within your operating systems.
As you can see, SaltStack SecOps offers robust vulnerability management for operating systems using regularly updated CVEs from vendor sources. Many products can claim to assess and offer some level of remediation, such as powering off VMs or taking a snapshot. Very few products offer full continuous vulnerability and comprehensive state management to the level provided by SaltStack SecOps.
For the third blog in this series, I’ll cover role-based access control and the API capabilities of the product, including how to call SecOps from a CI/CD product for DevSecOps scenarios. Thank you for reading my post!