Read this page for reference information about SaltStack SecOps Vulnerability supported file formats, security policy fields, activity statuses, and metrics available on the Vulnerability dashboard.

Supported file formats

The following file formats are supported when importing results from a third-party scan.

Vendor                     File type
Tenable                    Nessus
Rapid7 InsightVM Export    XML
Qualys                     XML
KennaSecurity Export       CSV

See Importing a third-party security scan for more information.

Vulnerability policies

A vulnerability policy consists of a target and an assessment schedule. The target determines which minions to include in an assessment, and the schedule determines when assessments run. The policy also stores the results of the most recent assessment in SaltStack SecOps Vulnerability, and it can include specifications for handling exemptions.

Each component of a vulnerability policy is described in more detail below.

Component

Description

Target

A target is the group of minions, across one or many Salt masters, that a job’s Salt command applies to. A Salt master can also be managed like a minion and can be a target if it is running the minion service. When you choose a target in SaltStack SecOps Vulnerability, you define the group of assets (referred to as minions) your policy will apply to. You can choose an existing target or create a new one. See Minions for more information.

Schedule

Choose the schedule frequency from Recurring, Repeat Date & Time, Once, or Cron Expression. Additional options are available, depending on the scheduled activity, and on the schedule frequency you choose.

Recurring

Set an interval for repeating the schedule, with optional fields for start or end date, splay, and maximum number of parallel jobs.

Repeat Date & Time

Choose to repeat the schedule weekly or daily, with optional fields for start or end date, and maximum number of parallel jobs.

Once

Specify a date and time to run the job.

Cron

Enter a cron expression to define a custom schedule based on Croniter syntax. See the CronTab editor for syntax guidelines. For best results, avoid scheduling jobs fewer than 60 seconds apart when defining a custom cron expression.

Note:

In the schedule editor, the terms “Job” and “Assessment” are used interchangeably. When you define a schedule for the policy, you are scheduling the assessment only, not the remediation.

Note:

When defining an assessment schedule, you can also choose the Not Scheduled (on demand) option. With this option, no schedule is defined, and you run single assessments as needed.
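The Cron row above recommends not scheduling jobs fewer than 60 seconds apart. The following Python script is an added example, not part of the SaltStack documentation, that expands a cron expression into its firing times and reports the shortest gap between two consecutive firings, so a custom expression can be checked before it is entered. It assumes croniter's convention of an optional sixth field for seconds after the day-of-week field, and it supports `*`, single values, ranges, comma lists and `/step` (month and weekday names are rejected). With only five fields every gap is at least 60 seconds, so the check mostly matters for six-field expressions; the day-of-month, month and day-of-week fields can only remove whole days, so the value reported is a lower bound on the real interval.

```python
"""Check a cron expression against the 60-second spacing guidance (added example)."""
import re

# Field order as croniter reads it; the sixth (seconds) field is optional.
FIELD_NAMES = ["minute", "hour", "day_of_month", "month", "day_of_week", "second"]
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6), (0, 59)]

SECONDS_PER_DAY = 86400


def expand_field(spec: str, low: int, high: int) -> set:
    """Expand one cron field ('*', 'a', 'a-b', comma lists, optional '/step') into its values."""
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            raise ValueError(f"unsupported cron field syntax: {part!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if base == "*":
            start, stop = low, high
        elif "-" in base:
            start, stop = (int(x) for x in base.split("-"))
        else:
            start = stop = int(base)
            if m.group(2):  # 'a/n' is treated as 'a-max/n', as most cron implementations do
                stop = high
        if step < 1 or not (low <= start <= stop <= high):
            raise ValueError(f"cron field out of range: {part!r}")
        values.update(range(start, stop + 1, step))
    return values


def parse_cron(expr: str) -> dict:
    """Parse a five-field (or six-field, trailing seconds) expression into value sets."""
    fields = expr.split()
    if len(fields) not in (5, 6):
        raise ValueError("expected 5 fields, or 6 with a trailing seconds field")
    parsed = {name: expand_field(spec, lo, hi)
              for name, spec, (lo, hi) in zip(FIELD_NAMES, fields, FIELD_RANGES)}
    parsed.setdefault("second", {0})  # five-field expressions fire at second 0
    return parsed


def min_interval_seconds(expr: str) -> int:
    """Shortest gap between two consecutive firings, in seconds.

    Only the time-of-day fields are expanded; the day fields can only drop whole
    days, so this is a lower bound on the interval the schedule can produce.
    The midnight wrap-around (last firing today to first firing tomorrow) is
    included on the assumption that two consecutive days can both match.
    """
    p = parse_cron(expr)
    times = sorted(h * 3600 + m * 60 + s
                   for h in p["hour"] for m in p["minute"] for s in p["second"])
    if len(times) == 1:
        return SECONDS_PER_DAY
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(times[0] + SECONDS_PER_DAY - times[-1])
    return min(gaps)


def check_schedule(expr: str, minimum: int = 60) -> tuple:
    """Return (shortest interval, whether it meets the recommended minimum spacing)."""
    interval = min_interval_seconds(expr)
    return interval, interval >= minimum


if __name__ == "__main__":
    for expression in ["*/15 * * * *", "0 2 * * *", "* * * * * */30"]:
        interval, ok = check_schedule(expression)
        print(f"{expression!r}: shortest interval {interval}s, {'ok' if ok else 'too tight'}")
```

Run it with the expressions you intend to enter; anything reported as too tight should be spread out before it goes into the schedule editor.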

Activity status

In your policy home page, the Activity tab shows a list of completed or in-progress assessments and remediations. It includes the following statuses.

Status

Description

Queued

The operation is ready to run, but minions have not yet picked up the task to begin the operation.

Completed

The operation has finished running.

Partial

The operation is still waiting for some minions to return, though the Salt master has reported that the operation has finished running. Minions are nodes running the minion service, which can listen to commands from a Salt master and perform the requested tasks. The Salt master is a central node used to issue commands to minions.

You can track all activity in SaltStack Config, including assessments and remediations, in the SaltStack Config main Activity workspace. See Activity.

Protect dashboard

Your Vulnerability dashboard shows an overview of your vulnerability status. It includes various metrics, as well as a list of the most common advisories within the most recent assessments across all your current vulnerability policies.

The dashboard is useful for reporting your current vulnerability status. You can share the dashboard by linking to the page URL, or by printing a PDF copy. See Viewing and printing your Vulnerability dashboard for more information.

The dashboard includes the following metrics:

Metric

Description

Vulnerability Summary

The number of assets currently affected by vulnerabilities of different severity levels, ranging from Critical to None.

Remediations

The total number of vulnerabilities remediated through SaltStack SecOps Vulnerability, sorted by severity.

Vulnerability Trend

Graph showing your vulnerability status over the last 30 days.

Top Advisories

List of the most frequently discovered vulnerabilities across your systems.

Assessment results

SaltStack SecOps Vulnerability assessment results are displayed on your policy home page. The page includes a list of advisories with the following information fields:

Note:

SaltStack SecOps Vulnerability allows you to download assessment results in JSON. See Downloading the assessment report for more information.

Field

Description

Severity

Severity rating ranging from Critical to None. The severity rating is useful for prioritizing remediations.

VPR (only in Tenable imported vulnerabilities)

Vulnerability Priority Rating is an alternative severity rating specific to Tenable. For more on VPR, see the Tenable documentation.

Advisory ID

Official ID associated with the advisory. Click the ID to view advisory details.

Advisory title

Official advisory title recognized by CVE. Click the advisory title to view its details.

CVEs

Common Vulnerabilities and Exposures, a list of common identifiers for publicly known cybersecurity vulnerabilities.

See About CVE for more information.

Packages affected

List of any system packages affected by the advisory.

CVSS v3.0

Vulnerability rating according to the Common Vulnerability Scoring System version 3. This might not display for certain advisories, because not all advisories have been scored yet.

See Common Vulnerability Scoring System SIG for more information.

CVSS v2.0

Vulnerability rating according to the Common Vulnerability Scoring System version 2.

Install Behavior

Indicates if the advisory might require a full system reboot in order for a patch or update to take effect as part of a remediation.

Minions

Lists the number of minions impacted by the advisory.
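Because assessment results can be downloaded as JSON, a short script can turn the fields listed above into the same views the Vulnerability dashboard offers. The following Python example is added here and is not part of SaltStack SecOps Vulnerability; the report layout it reads (an `advisories` list whose entries carry `advisory_id`, `title`, `severity`, `cves`, `packages`, `cvss_v3`, `cvss_v2`, `reboot_required` and `minions` keys) and the sample data are constructed for illustration, so map the key names to what your download actually contains. It computes the per-severity asset counts behind the Vulnerability Summary metric, orders advisories for remediation by severity, then CVSS v3 (advisories that have not been scored yet sort last), then the number of minions affected, and lists the advisories whose remediation may need a full reboot.

```python
"""Summarize a downloaded assessment report in JSON (added example, assumed schema)."""
import json

# Severity levels in the order the dashboard uses, most urgent first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

# Constructed sample report. The IDs and CVE numbers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"advisories": [
    {"advisory_id": "ADV-EXAMPLE-001", "title": "Example kernel update", "severity": "High",
     "cves": ["CVE-0000-0001"], "packages": ["kernel"], "cvss_v3": 8.1, "cvss_v2": 7.2,
     "reboot_required": True, "minions": ["web01"]},
    {"advisory_id": "ADV-EXAMPLE-002", "title": "Example TLS library update", "severity": "Critical",
     "cves": ["CVE-0000-0002"], "packages": ["openssl"], "cvss_v2": 7.5,  # not yet scored on v3
     "reboot_required": False, "minions": ["web01", "web02"]},
    {"advisory_id": "ADV-EXAMPLE-003", "title": "Example database update", "severity": "Critical",
     "cves": ["CVE-0000-0003"], "packages": ["postgresql"], "cvss_v3": 9.8, "cvss_v2": 10.0,
     "reboot_required": True, "minions": ["db01"]},
    {"advisory_id": "ADV-EXAMPLE-004", "title": "Example shell utility update", "severity": "Low",
     "cves": ["CVE-0000-0004"], "packages": ["bash"], "cvss_v3": 3.1, "cvss_v2": 2.1,
     "reboot_required": False, "minions": ["web02", "db01"]},
]})


def load_advisories(report_json: str) -> list:
    """Parse the report and normalise optional fields (a CVSS v3 score may be absent)."""
    advisories = json.loads(report_json)["advisories"]
    for adv in advisories:
        if adv.get("severity") not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity in {adv.get('advisory_id')}: {adv.get('severity')!r}")
        adv.setdefault("cvss_v3", None)
        adv.setdefault("reboot_required", False)
        adv.setdefault("minions", [])
    return advisories


def vulnerability_summary(advisories: list) -> dict:
    """Distinct assets affected at each severity level, as in the Vulnerability Summary."""
    affected = {sev: set() for sev in SEVERITY_ORDER}
    for adv in advisories:
        affected[adv["severity"]].update(adv["minions"])
    return {sev: len(minions) for sev, minions in affected.items()}


def prioritize(advisories: list) -> list:
    """Advisory IDs in remediation order: severity, then CVSS v3 (unscored last), then reach."""
    def key(adv):
        cvss = adv["cvss_v3"]
        return (SEVERITY_ORDER.index(adv["severity"]),
                1.0 if cvss is None else -float(cvss),  # any real score sorts before None
                -len(adv["minions"]))
    return [adv["advisory_id"] for adv in sorted(advisories, key=key)]


def reboot_required(advisories: list) -> list:
    """Advisories whose remediation may need a full reboot, so a maintenance window is planned."""
    return [adv["advisory_id"] for adv in advisories if adv["reboot_required"]]


if __name__ == "__main__":
    advs = load_advisories(SAMPLE_REPORT)
    print("Vulnerability summary:", vulnerability_summary(advs))
    print("Remediation order:", prioritize(advs))
    print("Reboot required:", reboot_required(advs))
```

Feed the script the JSON you download from the policy home page instead of `SAMPLE_REPORT`; an advisory with a severity value outside the five levels is rejected rather than silently dropped, so schema mismatches surface immediately.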

Enabling Windows Server Update Services (WSUS)

Remediating advisories on Windows nodes requires additional configuration and remediation steps. If your environment is deploying Windows patches and updates using a WSUS server, you need to ensure that the server is enabled and verify that it can receive regular updates from Microsoft. See Remediating Windows advisories for more information.

You can run the following state file to connect your minion to your WSUS server, replacing the sample IP addresses with your WSUS server’s IP address and port:

# Point Windows Update at the internal WSUS server through local group policy.
# Replace the sample 192.0.2.1:8530 with your WSUS server's address and port.
configure_windows_update:
  lgpo.set:
    - computer_policy:
        CorpWuURL:
        {# Read the policy definition on this minion and set only the elements it exposes. #}
        {% set policy_info = salt["lgpo.get_policy_info"]("CorpWuURL", "machine") %}
        {% for element in policy_info["policy_elements"] %}

          {% if element["element_id"] == "CorpWUContentHost_Name" %}
          CorpWUContentHost_Name: ""
          {% endif %}

          {% if element["element_id"] == "CorpWUFillEmptyContentUrls" %}
          CorpWUFillEmptyContentUrls: False
          {% endif %}

          {% if element["element_id"] == "CorpWUStatusURL_Name" %}
          CorpWUStatusURL_Name: "https://192.0.2.1:8530"
          {% endif %}

          {% if element["element_id"] == "CorpWUURL_Name" %}
          CorpWUURL_Name: "https://192.0.2.1:8530"
          {% endif %}

          {% if element["element_id"] == "SetProxyBehaviorForUpdateDetection" %}
          SetProxyBehaviorForUpdateDetection: Only use system proxy for detecting updates (default)
          {% endif %}

        {% endfor %}

        # Sibling of CorpWuURL: leave the automatic update behaviour policy unchanged.
        AutoUpdateCfg: Not Configured

# A separate top-level state: refresh local group policy so the WSUS settings
# apply immediately instead of waiting for the next policy refresh cycle.
update_local_policy:
  cmd.run:
    - name: "Gpupdate /Force /Target:Computer"
    - require:
      - lgpo: configure_windows_update