About Vulnerability Policies
A Vulnerability Scan policy determines the vulnerabilities that should be included or excluded from an incident. Each vulnerability is described by the following attributes:
| Attribute | Description |
|---|---|
| CVE Severity | A vulnerability severity level (High, Medium, or Low). |
| CVE ID | The unique identifier for the CVE. |
| Feature | The entity that has the vulnerability (for example, an installed software package). |
| Namespace | The platform in which the vulnerability is found (for example, Ubuntu:18.04). |
You can enter multiple entries in the CVE ID, Feature, and Namespace fields, separated by commas. Alternatively, you can use the wildcard (*) to match a wide range of values. The CVE Severity field is a multi-option checkbox (High, Medium, or Low).
Create a Vulnerability Policy from a Policy Template
To use the preconfigured Vulnerability Template, High-Severity CVEs, use the following steps:
- Go to Policy > Policy Templates.
- Filter for Policy Type > Vulnerability.
- For High-Severity CVEs, click Create Policy.
- The High-Severity CVEs policy displays on the Policy > Vulnerabilities page.
Create a Vulnerability Policy
You can create a new Vulnerability Policy, or edit an existing policy to customize it for your requirements.
To create a policy, perform the following steps:
- Go to Policy > Vulnerabilities.
- Click Actions > Create Policy.
- Enter the policy name and click Next.
- Select the User Groups to include or exclude.
  - Include All User Groups is the default. Click Edit to edit the selected users.
  - Then click Add Exclusions to exclude User Groups, if needed.
- Click Next.
- Choose the attributes to set the rule and click Next.
- To add the response to the incident, select the Severity level, and click Next.
- Review your selections and click Save.
Create a Vulnerability Scan
Once your Vulnerability policy is created, configure a Vulnerability Scan to run and generate any possible incidents.
Deny List and Allow Lists
The most useful way to create CVE policies is with Deny Lists or Allow Lists. You can create a policy that denies or allows vulnerabilities based on their attributes, which lets you prioritize or ignore incidents with attributes specific to your needs. The attributes can be set using:
- the is operator to deny
- the is not operator to allow
Deny List Policy Rules
In this Deny List policy, you have specified that you ARE interested:
- In a particular CVE regardless of its severity.
- In the feature openssl.
- In the namespace ubuntu:18.04.
So an incident of High severity will always be created whenever these rules match. This allows you to make sure that certain Features, Namespaces, CVE Severities, and CVE IDs are never ignored.
Allow List Policy Rules
In this Allow List policy, you have specified that you ARE NOT interested:
- In a particular CVE.
- In Medium or Low severity CVEs.
- In the feature eglibc.
- In the namespace debian:9.
So any CVE that matches these rules is assigned an incident severity of Low. Under Responses, you have specified that incidents must be created only for High severities. So no incidents are created that are less than High. This allows you to ignore certain Features, Namespaces, CVE Severities, and CVE IDs.
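The following is an added example, not MVISION Cloud code, that models how the comma-separated and wildcard attribute fields described above are matched and how a Deny List or Allow List policy turns scan findings into incidents. The class and field names, the rule that every populated attribute must match (AND), the case-insensitive comparison, the Allow List downgrade to Low, and the response threshold are all assumptions drawn from this page's description, and the CVE IDs and findings are constructed placeholders.

```python
"""Model of Vulnerability Policy matching (added example; assumptions labelled)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Ordering used to compare an incident severity against the response threshold.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scan (attributes from the page's table)."""
    cve_id: str
    severity: str     # CVE Severity: High, Medium or Low
    feature: str      # e.g. an installed package
    namespace: str    # e.g. ubuntu:18.04


def parse_values(text: str) -> List[str]:
    """Split a comma-separated field into trimmed, non-empty patterns."""
    return [v.strip() for v in text.split(",") if v.strip()]


def value_matches(patterns: List[str], value: str) -> bool:
    """True if value matches any pattern; '*' is the wildcard.
    Case-insensitive comparison is an assumption (Ubuntu:18.04 vs ubuntu:18.04)."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


@dataclass
class VulnerabilityPolicy:
    name: str
    mode: str                              # "deny" (rules use 'is') or "allow" (rules use 'is not')
    cve_ids: str = "*"                     # comma-separated, wildcard allowed
    features: str = "*"
    namespaces: str = "*"
    severities: Tuple[str, ...] = ("High", "Medium", "Low")  # checkbox selections
    response_severity: str = "High"        # severity assigned to deny-list matches
    response_threshold: str = "High"       # only incidents at/above this are created (assumption)

    def rule_hits(self, f: Finding) -> bool:
        """Assumption: every populated attribute must match (AND across fields)."""
        return (value_matches(parse_values(self.cve_ids), f.cve_id)
                and value_matches(parse_values(self.features), f.feature)
                and value_matches(parse_values(self.namespaces), f.namespace)
                and f.severity in self.severities)

    def incident_severity(self, f: Finding) -> str:
        """Deny list: a match always gets the response severity (never ignored).
        Allow list: a match is downgraded to Low; non-matches keep the CVE severity."""
        if self.mode == "deny":
            return self.response_severity if self.rule_hits(f) else f.severity
        return "Low" if self.rule_hits(f) else f.severity

    def evaluate(self, findings: List[Finding]) -> Dict[str, Optional[str]]:
        """Map 'cve/feature' to the created incident's severity, or None if suppressed."""
        result: Dict[str, Optional[str]] = {}
        for f in findings:
            sev = self.incident_severity(f)
            created = SEVERITY_RANK[sev] >= SEVERITY_RANK[self.response_threshold]
            result[f"{f.cve_id}/{f.feature}"] = sev if created else None
        return result


# Constructed sample findings; the CVE IDs are placeholders, not real identifiers.
FINDINGS = [
    Finding("CVE-2021-0001", "Low", "openssl", "ubuntu:18.04"),
    Finding("CVE-2021-0002", "High", "eglibc", "debian:9"),
    Finding("CVE-2021-0003", "Medium", "curl", "alpine:3.12"),
    Finding("CVE-2021-0004", "High", "nginx", "ubuntu:20.04"),
]

# Deny list from the page: a particular CVE, feature openssl, namespace ubuntu:18.04.
DENY_POLICY = VulnerabilityPolicy("deny-openssl", "deny", cve_ids="CVE-2021-0001",
                                  features="openssl", namespaces="ubuntu:18.04")

# Allow list from the page: ignore eglibc on debian (wildcard and comma list shown).
ALLOW_POLICY = VulnerabilityPolicy("allow-eglibc", "allow",
                                   features="eglibc, glibc", namespaces="debian:*")

if __name__ == "__main__":
    for policy in (DENY_POLICY, ALLOW_POLICY):
        print(policy.name, policy.evaluate(FINDINGS))
```

Running the module shows the Low-severity openssl finding promoted to a High incident by the deny list, while the allow list suppresses the High eglibc finding on debian:9 and leaves the unrelated High nginx finding to create an incident as usual.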
Severity Filters for Scans Created before 5.0.2
Severity filters remain the same for scans created before MVISION Cloud 5.0.2. This is for backwards compatibility. However, all new scans require a policy to be attached to the scan configuration.
The easy way to migrate to the new paradigm while keeping the old behavior is to create a policy that selects only the CVE Severity.