Generating Vulnerability Service Reports

Red Hat Insights 2020-04

Communicate the Exposure of RHEL Systems to CVE Security Vulnerabilities

Red Hat Customer Content Services

Abstract

Generate Vulnerability service reports to communicate the exposure of RHEL systems to CVE security vulnerabilities.
Providing Feedback: If you have a suggestion to improve this documentation, or find an error, submit a Bugzilla report at http://bugzilla.redhat.com. Select the Cloud Software Services (cloud.redhat.com) product and use the Documentation component.

Chapter 1. Vulnerability service reporting overview

Reporting infrastructure security status is a key aspect of vulnerability management. The ability to convey the security exposure of your infrastructure to different stakeholders needing different levels of information is vital. From your DevOps team, to the security team, to your executive team, you need to be able to provide your stakeholders the information they need.

The Vulnerability service enables you to download reporting for your systems to analyze offline or share with others. The following reporting options are currently supported:

  • Executive Reports. PDF summary and overview of your infrastructure security exposure intended for executive audiences
  • Vulnerability data export. JSON or CSV export of select CVE data, based on filters you have in place when you perform the export
Note

New reporting capabilities are coming soon.

Chapter 2. Executive reports

You can download a high-level report summarizing the security status of your infrastructure, designed for an executive audience. Executive reports are one- to two-page PDF files showing the following information:

  • Number of RHEL systems with one or more CVEs
  • Number of CVEs to which your systems are currently exposed
  • Percentage of CVEs, by severity (CVSS base score range)
  • Number of CVEs published in the past 7-, 30-, or 90-day time frame
  • Top three CVEs in your infrastructure based on highest CVSS base score range (8-10) with the greatest number of systems exposed

2.1. Downloading Vulnerability service executive reports

Use the following steps to download an executive report:

Procedure

  1. Navigate to the Vulnerability service > CVEs tab and log in if necessary.
  2. Click the Download executive report link located in the upper-right corner of the page.

  3. Click Save File and click OK.

Verification

  1. Verify that the PDF file is in your Downloads folder or other specified location.

2.2. Downloading an executive report using the Vulnerability API

You can download an executive report using the Vulnerability API.

Chapter 3. Exporting select Vulnerability data as JSON or CSV file

The Vulnerability service enables you to export and download reports showing CVEs impacting systems in your RHEL infrastructure. Prefilter CVEs by criticality or CVSS base score, for example, and export a CSV or JSON file with data for those CVEs and impacted systems. Then share that data with other stakeholders in your organization.

3.1. Exporting a Vulnerability service report

Perform the following steps to export select data from the Vulnerability service:

Procedure

  1. Navigate to the Vulnerability service > CVEs tab and log in if necessary.
  2. Apply filters and use the sorting functionality at the top of each column to locate CVEs of interest.
  3. Above the list of CVEs and to the right of the Filters menu, click the more-actions icon (three vertical dots) and select Export as JSON or Export as CSV, based on your download preferences.

  4. Select a download location and click Save.
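Added example, not part of the Red Hat documentation: a Python script that reads a CSV export like the one produced by the steps above and computes the figures the executive report in Chapter 2 presents (CVE count, percentage by CVSS base score band, CVEs published within 7, 30 and 90 days, and the top three CVEs in the 8-10 range by number of systems exposed). The column names, the CVE identifiers and the band cut-offs below 8 are constructed assumptions for this example, not the service's actual export schema; malformed rows are counted rather than silently dropped so the totals stay trustworthy.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample in the shape of a CSV export; the column names and the
# CVE identifiers are placeholders for this example, not the service's schema.
SAMPLE_CSV = """cve_id,cvss_base_score,public_date,systems_exposed
CVE-EXAMPLE-1,9.8,2020-04-20,42
CVE-EXAMPLE-2,8.1,2020-03-30,17
CVE-EXAMPLE-3,5.3,2020-02-10,60
CVE-EXAMPLE-4,9.1,2020-01-05,8
CVE-EXAMPLE-5,3.1,2020-04-25,2
CVE-EXAMPLE-6,not-a-score,2020-04-01,3
"""
# CVSS base score bands: 8-10 is the range the executive report ranks;
# the lower cut-offs are an assumption made for this example.
BANDS = (("Critical", 8.0), ("Moderate", 4.0), ("Low", 0.0))

def severity_band(score):
    """Return the band whose floor a CVSS base score (0-10) reaches."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return next(name for name, floor in BANDS if score >= floor)

def parse_export(text):
    """Return (typed rows, number of rows rejected as malformed)."""
    rows, rejected = [], 0
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({"cve_id": rec["cve_id"],
                         "score": float(rec["cvss_base_score"]),
                         "published": date.fromisoformat(rec["public_date"]),
                         "systems": int(rec["systems_exposed"])})
        except (KeyError, ValueError):
            rejected += 1  # counted rather than silently dropped
    return rows, rejected

def summarize(rows, today_iso):
    """Compute the executive-report figures as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    bands = Counter(severity_band(r["score"]) for r in rows)
    recent = {d: sum(today - r["published"] <= timedelta(days=d) for r in rows)
              for d in (7, 30, 90)}
    critical = [r for r in rows if r["score"] >= 8.0]  # the 8-10 range
    top3 = sorted(critical, key=lambda r: (-r["systems"], -r["score"]))[:3]
    return {"cve_count": len(rows),
            "pct_by_severity": {b: round(100 * n / len(rows), 1) for b, n in bands.items()},
            "published_within_days": recent,
            "top_critical": [r["cve_id"] for r in top3]}
```

Run `summarize(*parse_export(SAMPLE_CSV)[:1], "2020-04-30")` to see the summary; the sixth sample row is rejected because its score is not numeric.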

Chapter 4. Reference materials

To learn more about the Vulnerability service, or other Red Hat Insights services and capabilities, the following resources might also be of interest:

Chapter 5. Important changes with the 2020-04 release of Red Hat Insights

The 2020-04 release of Red Hat Insights includes significant changes to the application features and services.

Changes to the Red Hat Insights application

The Red Hat Insights application now includes the services that were previously bundled with the Cloud Management Services for RHEL application, and were part of the Red Hat Smart Management bundle, along with Red Hat Satellite.

The former cloud management services, plus a couple of new services, are now included in the value that Insights brings to each Red Hat Enterprise Linux (RHEL) subscription.

Insights Advisor

The tools and capabilities that constituted Red Hat Insights prior to this release are now available as the Advisor service. The rules that have always been the currency of Insights are now called Advisor Recommendations.

Insights security rules have moved

The CVE security rules that were previously curated by the Insights rules team are now included with all other Red Hat CVEs in the Vulnerability service. Security rules are high profile CVEs, some of which have been through the Customer Security Awareness Program. They are identifiable in the Vulnerability service by a security rule icon. You can also filter security rules in the Vulnerability service.

Services included with Red Hat Insights

The services included with Red Hat Insights in the 2020-04 release are:

  • Advisor. Identify and fix configuration issues that can negatively impact the availability, performance, stability, and security of RHEL systems.
  • Vulnerability. Assess and monitor the exposure of your RHEL environment to CVEs and security rules.
  • Compliance. Assess and monitor the compliance of your RHEL systems with SCAP security policies.
  • Patch. Enable consistent patch workflows for RHEL systems across the open hybrid cloud.
  • Drift. Compare system configurations of a system over time, or to other systems and baselines, to identify discrepancies in your environment and perform drift analysis.
  • Policies. Evaluate and react to system configuration changes in your environment.

The integrated tools that work with each of the services above are:

  • Inventory. Topological inventory of RHEL systems under Red Hat Insights management
  • Remediations. Repository of Ansible Playbooks that you create and manage using Red Hat Insights
  • Subscription Watch. Comprehensive, product-by-product, account-level subscription reporting service across hybrid cloud deployments

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.