Generating Vulnerability Service Reports

Red Hat Insights 2020-10

Communicate the Exposure of RHEL Systems to CVE Security Vulnerabilities

Red Hat Customer Content Services

Abstract

Generate Vulnerability service reports to communicate the exposure of RHEL systems to CVE security vulnerabilities.
Providing Feedback: If you have a suggestion to improve this documentation, or find an error, submit a Bugzilla report at http://bugzilla.redhat.com. Select the Cloud Software Services (cloud.redhat.com) product and use the Documentation component.

Chapter 1. Vulnerability service reporting overview

Reporting infrastructure security status is a key aspect of vulnerability management. The ability to convey the security exposure of your infrastructure to different stakeholders needing different levels of information is vital. From your DevOps team, to the security team, to your executive team, you need to be able to provide your stakeholders the information they need.

The Vulnerability service enables you to download reporting for your systems to analyze offline or share with others. The following reporting options are currently supported:

  • Executive Reports. PDF summary and overview of your infrastructure security exposure intended for executive audiences
  • CVE reports. PDF report of select CVEs potentially impacting your infrastructure
  • Vulnerability data export. JSON, CSV, or PDF export of select CVE data, based on filters you have in place when you perform the export, and which can be used in spreadsheets, for example.

Chapter 2. Executive reports

You can download a high-level report summarizing the security status of your infrastructure and designed for an executive audience. Executive reports are one to two-page PDF files showing the following information:

  • Number of RHEL systems with one or more CVEs
  • Number of CVEs to which your systems are currently exposed
  • Percentage of CVEs, by severity (CVSS base score range)
  • Number of CVEs published in the past 7, 30, or 90-day time frame
  • Top three CVEs in your infrastructure based on highest CVSS base score range (8-10) with the greatest number of systems exposed

2.1. Downloading an executive report

Use the following steps to download an executive report:

Procedure

  1. Navigate to the Vulnerability service > Reports tab and log in if necessary.
  2. On the Reports page, click the Download PDF link on the Executive report card.

    vuln report exec report card

  3. Click Save File and click OK.

Verification

  1. Verify that the PDF file is in your Downloads folder or other specified location.

    vuln report exec report download

2.2. Downloading an executive report using the Vulnerability API

You can download an executive report using the Vulnerability API.

Chapter 3. Reports by CVEs

You can create point-in-time PDF reports showing CVEs potentially impacting your systems. Select types of CVEs, filtered by severity or CVSS base score, for example, and present curated, focused data to specific stakeholders. Prior to creating the report, you can make the following customizations to the list of CVEs:

  • Change the default title, Insights Vulnerability CVE Report, to a title you choose.
  • Choose whether to include only CVEs with associated security rules.

    Note

    For more information about security rules, see the Security Rules section in Assessing and Monitoring Security Vulnerabilities on RHEL Systems.

  • Choose which columns to include. The following report columns are selected by default; however, you can clear any as needed, except CVE ID:

    • CVE ID (required)
    • Publish Date
    • Severity
    • CVSS base score
    • Count of exposed systems
    • Business risk
    • Status
  • You can apply the following filters to the columns:

    • Publish Date. Select a range of time.
    • Severity. Select one or more severity ratings.
    • CVSS base score. Specify a minimum score to maximum score range.
    • Business risk. Select one or more business risk ratings.
    • Status. Select the status of review and resolution.

The resulting PDF lists the CVEs and link to the respective CVE page in the Red Hat CVE database so you can learn more about each one. The list is ordered primarily by the publish date of the CVE, with the most recently published CVEs at the top of the list.

3.1. Exporting a CVE report to PDF

Use the following procedure to create a point-in-time snapshot of CVEs potentially impacting your systems.

Procedure

  1. Navigate to Vulnerability service > Reports in the Insights application. Log in if necessary.
  2. On the Report by CVEs card, click Create report.
  3. Make selections as needed in the pop-up card:

    vuln report report by cves modal

    1. Customize the report title.
    2. Choose whether to Only include CVEs with associated security rules.

      Note

      For more information about security rules, see the Security Rules section in Assessing and Monitoring Security Vulnerabilities on RHEL Systems.

    3. Select from the Columns to include options.
    4. From the Filter data by dropdown lists, select ranges for the available parameters.
    5. Add optional User notes to provide needed context for stakeholders.
  4. Click Export report and allow the application a minute to generate the report.
  5. Select to Open or Save file and click OK.

Verification

  1. Navigate to the saved PDF location and view the CVEs report.

Chapter 4. Exporting Vulnerability data as JSON, CSV, or PDF file

The Vulnerability service enables you to export data for active CVE hits on systems in your RHEL infrastructure. After applying filters in the Vulnerability UI to view a specific set of CVEs or systems, you can export data for those criteria, allowing you to filter which CVE data is shown. You can prefilter CVEs by criticality or CVSS base score, for example, and generate a report that shows only those relevant CVEs.

These reports are accessible through the UI and can be exported and downloaded as .csv, .json, or PDF files.

4.1. Exporting a Vulnerability service report

Perform the following steps to export select data from the Vulnerability service:

Procedure

  1. Navigate to the Vulnerability service > CVEs page and log in if necessary.
  2. Apply filters and use the sorting functionality at the top of each column to locate CVEs of interest.
  3. Above the list of CVEs and to the right of the Filters menu, click the Export icon, insights export icon , and select Export as JSON, Export as CSV, or Export as PDF based on your download preferences.
  4. Select a download location and click Save.

Chapter 5. Reference materials

To learn more about the Vulnerability service, or other Red Hat Insights services and capabilities, the following resources might also be of interest:

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.