After completing an initial assessment, you can remediate the advisories it detected. During remediation, every package update that belongs to the selected advisory is installed on the selected nodes. You can remediate all advisories at once, or you can remediate a specific advisory, a specific minion, or a set of minions as needed.

SaltStack SecOps Vulnerability always installs the latest version available from the vendor, even if the advisory was fixed by an earlier version. Plan for this when a newer package version is known to change behavior on the target nodes.

After remediating an advisory, you must run another assessment to verify that the remediation was successful.

Note: Remediating advisories on Windows nodes may require additional configuration steps. See Remediating Windows advisories for more information.

Remediating all advisories

When you run Remediate all, SaltStack SecOps Vulnerability remediates every advisory on every minion in your policy, which can take a long time. If you only need to fix part of the policy, remediate a specific advisory, a specific minion, or a set of minions instead.

Note: You can reduce long processing times by using smaller targets or by remediating a selected portion of advisories or minions at a time.

To remediate all advisories for all minions in the policy:

  1. In the Vulnerability workspace, click a policy.

    Clicking a policy opens the selected policy’s dashboard, which also includes the latest assessment results and advisories.

  2. In the upper right of the policy dashboard, click Remediate all.
  3. Click Remediate all in the confirmation dialog.

    You can track the status of your remediation in the policy’s Activity tab.

    Note: Any exempted checks or minions are not remediated when you run Remediate all. See Adding exemptions for more information.

Remediating by advisory

To remediate by specific advisories:

  1. In the Vulnerability workspace, click a policy.

    Clicking a policy opens the selected policy’s dashboard, which also includes the latest assessment results and advisories.

  2. In the policy dashboard, click the checkbox next to all advisories you want to remediate.

    You can filter the advisories by column if needed. For example, you might filter advisories by severity to choose which ones to remediate. If a column header includes a filter icon, you can filter the results by that column. Click the icon and select a filter option from the menu or type the text you want to filter by. You can remove active filters by clicking Clear Filters.

    To see more details about an advisory, such as its description and CVEs, click the double arrows icon to open a detail pane.

    See Running an assessment for more on performing a scan for advisories.

  3. Click Remediate.

Remediating by minion

To remediate a specific node:

  1. In the Vulnerability workspace, click a policy.

    Clicking a policy opens the selected policy’s dashboard, which also includes the latest assessment results and advisories.

  2. In the policy dashboard, go to the Minions tab and click a minion.
  3. Select all advisories you want to remediate for the active minion.

    You can filter the advisories by column if needed. For example, you might filter advisories by severity to choose which ones to remediate. If a column header includes a filter icon, you can filter the results by that column. Click the icon and select a filter option from the menu or type the text you want to filter by. You can remove active filters by clicking Clear Filters.

  4. Click Remediate.

Remediating by both advisory and minion

To remediate a specific advisory for a specific minion or set of minions:

  1. In the Vulnerability workspace, click a policy.

    Clicking a policy opens the selected policy’s dashboard, which also includes the latest assessment results and advisories.

  2. In the policy dashboard, click an advisory ID.

    Clicking an advisory ID opens the advisory’s detail page. The minions affected by this advisory are listed at the bottom of this page.

  3. Click the checkbox next to all the minions you want to remediate for the active advisory.

    You can filter the minions by column if needed. For example, you might filter minions by operating system or presence to choose which ones to remediate. If a column header has a filter icon, you can filter the results by that column. Click the icon and select a filter option from the menu or type the text you want to filter by. You can remove active filters by clicking Clear Filters.

  4. Click Remediate.

Remediating Windows advisories

SaltStack SecOps Vulnerability prompts Windows nodes to retrieve the latest update information from Microsoft. Windows nodes can receive these updates in one of two ways:

  • Windows Update Agent (WUA) - By default, Windows nodes connect directly to Microsoft using the WUA, which is present on every Windows node. The WUA supports automated patch delivery and installation. It scans the node to determine which security updates are not installed and then searches for and downloads the updates from Microsoft’s update websites.
  • Windows Server Update Services (WSUS) - A WSUS server acts as an intermediary between Microsoft and the minion. WSUS servers allow IT administrators to deploy updates across a network strategically to minimize downtime and disruption. See Windows Server Update Services (WSUS) in the official Microsoft documentation for more information.

Before using SaltStack SecOps Vulnerability on Windows nodes, verify which of these two methods your environment uses. If your environment uses the WSUS server method, you must:

  • Ensure that the WSUS server is enabled and running. If needed, you can configure the Windows minion to connect to a WSUS server using a Salt state file provided by SaltStack. See Enabling Windows Server Update Services (WSUS) for this state file. After running this state file, verify that your minion is successfully connecting to the WSUS server and is receiving updates.
  • Approve updates related to advisories from Microsoft on the WSUS server. When the WSUS server receives updates from Microsoft, the WSUS administrator must review and approve those updates before they can be deployed in the environment. For SaltStack SecOps Vulnerability to detect and remediate an advisory, the updates that fix that advisory must be approved on the WSUS server.

If either of these two prerequisites is not met, SaltStack SecOps Vulnerability cannot accurately scan and remediate advisories. For systems that receive Microsoft updates through a WSUS server, assessments could report that Windows minions are not affected by any CVE even though unapproved, and therefore uninstalled, updates are still outstanding. Treat such results as possible false negatives: the minion sees no applicable updates because none have been approved, not because it is fully patched.
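The following Salt state is an added example of how a Windows minion can be pointed at a WSUS server; it is not the state file that SaltStack provides for this purpose. It sets the Windows Update policy registry values that the Windows Update Agent reads (WUServer, WUStatusServer and UseWUServer, all well-known Microsoft policy values) and restarts the Windows Update service so the change takes effect. The pillar key wsus:url, the default WSUS address http://wsus.example.internal:8530 and the file name wsus_client.sls are assumptions for this example.

```yaml
{# wsus_client.sls - added example, not SaltStack's own WSUS state file.
   The pillar key wsus:url and the fallback URL below are assumed values. #}
{% set wsus_url = salt['pillar.get']('wsus:url', 'http://wsus.example.internal:8530') %}

{% if grains['kernel'] == 'Windows' %}

# Policy values read by the Windows Update Agent. WUServer is where updates
# are fetched from and WUStatusServer is where the client reports status;
# they normally point at the same WSUS host. Both are REG_SZ.
wsus_server:
  reg.present:
    - name: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    - vname: WUServer
    - vdata: '{{ wsus_url }}'
    - vtype: REG_SZ

wsus_status_server:
  reg.present:
    - name: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    - vname: WUStatusServer
    - vdata: '{{ wsus_url }}'
    - vtype: REG_SZ

# Without UseWUServer=1 the agent ignores WUServer and keeps contacting
# Microsoft directly, so an assessment would not see the WSUS catalog at all.
wsus_use_server:
  reg.present:
    - name: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    - vname: UseWUServer
    - vdata: 1
    - vtype: REG_DWORD

# Restart the Windows Update service whenever one of the values above changes,
# so the new policy is picked up without waiting for a reboot.
windows_update_service:
  service.running:
    - name: wuauserv
    - enable: True
    - watch:
      - reg: wsus_server
      - reg: wsus_status_server
      - reg: wsus_use_server

{% else %}

# Make a mis-targeted run fail loudly instead of silently doing nothing.
wsus_client_not_applicable:
  test.fail_without_changes:
    - name: wsus_client only applies to Windows minions

{% endif %}
```

Apply it with `salt -G 'kernel:Windows' state.apply wsus_client` (or the equivalent job in SaltStack Config), then verify the value landed with `salt -G 'kernel:Windows' reg.read_value HKLM 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' WUServer`. Setting the registry values only satisfies the first prerequisite above; the minion will still report no applicable updates until the WSUS administrator has approved the updates that fix the advisories you care about.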

Note: If a Windows minion is severely out of date, or if the WSUS server attempts to send updates to many minions at the same time, the WSUS server might crash. Follow best practices and consult your WSUS administrator for help troubleshooting. See Windows Server Update Services best practices in the official Microsoft documentation for more information.

After configuring a WSUS server, or confirming that the WUA is working, on all targeted Windows minions, you can use SaltStack SecOps Vulnerability to remediate Windows nodes. You remediate Windows nodes using the same process you would use for any other advisory or minion. However, some Windows remediations require a full system reboot before the patch or update takes effect. See Rebooting a minion as part of a remediation for more information.

Rebooting a minion as part of a remediation

A remediation might require a full system reboot in order for the patch or update to take effect. Occasionally, a remediation might even require a second reboot.

To determine whether an advisory or minion requires a reboot as part of a remediation, first run an assessment. Where to look depends on whether you want to check a specific advisory or a specific minion:

For an advisory: In the policy dashboard on the Advisories tab, check the Install Behavior column for the advisory’s status. This column has the following possible statuses:

  • Never requires reboot - The advisory does not require a reboot when it is remediated.
  • Always requires reboot - The advisory always requires a reboot when it is remediated.
  • Can require reboot - The advisory might require a reboot under certain conditions as part of the remediation.
  • ( – ) - No value. This status is shown for Linux minions; detecting whether a reboot is required is not currently supported for Linux minions.

For a minion: In the policy dashboard on the Minions tab, check the Needs Reboot column for the minion’s status. This column has the following possible statuses:

  • false - The minion either does not need a reboot for the remediation or has already rebooted successfully.
  • true - The status is true in three possible situations:
    • The minion needs a reboot and the reboot has not yet been started.
    • The minion is currently rebooting and has not finished.
    • The minion has rebooted but needs a second reboot to apply additional changes.

If you determine that a reboot is needed as part of a remediation, follow these steps to reboot a minion:

  1. In the policy dashboard in the Minions tab, click the checkbox next to a minion that shows true in the Needs Reboot column.
  2. Click the Run Command button.
  3. In the Function menu, select the system.reboot command.
  4. In the Arguments field, add the necessary arguments.

    For Windows nodes, the system.reboot command takes two arguments: timeout and in_seconds. Set timeout to 0 and in_seconds to true so the reboot starts immediately; without in_seconds, the timeout is interpreted in minutes. See the win_system.reboot module documentation for more information about these arguments.

    For Linux nodes, the system.reboot command takes one optional argument: at_time. See the system.reboot module documentation for more information about this argument.

  5. (Optional:) If you want to schedule the reboot for a specific time, create a job that reboots the minion and then set that job to run at a scheduled time. See SaltStack Config jobs workflow for more information.
  6. Click Run Command to run this command on the selected minion.

After initiating a reboot, the minion may take several minutes to reboot and come back online. Be aware that the Activity tab in the Vulnerability workspace only indicates whether the reboot command was issued. A status of Complete does not necessarily mean that the minion has rebooted and is back online; it only means that the command was run on the targeted minion.

To check whether the minion is back online after a reboot, refresh the Minions tab in the Vulnerability workspace and check the minion’s presence. See Minion presence for more information.

After rebooting a minion as part of a remediation, you must run another assessment to verify the remediation was successful.