I have a CVE console dashboard that was published on the IBM X-Force AppExchange yesterday.
Please check it out - but sorry you have to log in to download.
I created it because the QRadar integration we have is popular for managing vulnerabilities/patches via CVEs. However, QRadar is obviously needed, so this dashboard attempts to provide similar info from within BigFix without the need for QRadar.
I just realized that I have not seen any questions and issues posted on this.
Has anyone tried it with success?
I am always worried about performance, so if you have tried this in your deployment of a few thousand computers, please let me know.
Feel free to let me know of any snags that you might have run into while setting this up and running it.
@sstrain, I have seen the same error in my environment. For that system, it would fail randomly with this error.
What version of the BigFix Server are you using and on what platform (Windows or Linux)?
We have a bug filed and have not figured out the root cause.
Great tool Lee Wei - definitely brings a lot of added value for our customer who uses BigFix to integrate with their own vulnerability tracking system. Currently, the customer associates fixlet IDs to CVEs for what they call their VPR Dashboard. The one thing that would be great to see in your dashboard is the fixlet ID and/or source ID when viewing the relevant fixlets. Also, if there was a way where from that view, you could only display fixlets with applicable computers instead of just all fixlets relevant to the CVE.
Loaded this up in our lab environment yesterday and it worked great - going to test in production this week with 125k+ endpoints. Will let you know how that goes.
Using Lee Wei's approach, we have a BigFix action that downloads all XMLs from NVD, extracts all the relevant data into a master txt file, which we import back into SQL. We then join by CVE ID and present the data in our dashboard giving fixlet ID and name/CVE/CVSS/severity/release date etc. ... pretty slick. Obviously this data is for presentation outside of the console dashboard.
Sounds awesome Nick - our customer does have their own vulnerability tracking system which is linked to their primary security posture dashboard. They have unique IDs called VPRs which they want users to be able to track in BigFix. Hence the correlation of CVE IDs to Fixlet IDs. It would be nice to see Fixlet/Source IDs in Lee Wei's dashboard.
I've been having issues running the bigfix_cve_util.exe in Server 2012r2 - I keep getting "this app can't run on your PC" error and "access denied" in the terminal, tried various attempts at fixing but to no avail yet. What environment did you have it working on?
@GwyndafDavies, I don't recognize the errors. It is a .NET app and that should be the only dependency.
I personally developed it on Windows Server 2012R2.
Anyhow, glad you got it to work.
If I was able to specify a specific proxy and port, I should be able to get this to work as we have a configuration to allow some processes to access the internet through the proxy without credentials.
Great work Lee Wei. I was able to get it to work and verifying the data now. One issue that I have is with the "Show Computer" tab. When clicked nothing shows up.
Sidenote: I used a desktop to import CVEs using bigfix_cve_util.exe and specified our server. Worked like a charm.
@sstrain, engineering has been trying to reproduce the error. At this point, our guess is some resource exhaustion on the BigFix Server side causing the server to become unavailable. Can you please help make sure that the server has enough paging/swap and memory? Or increase that for the purpose of testing this for this error.
This is Awesome Lee! I successfully installed the dashboard and reviewed the data. Is there any way to have the CVSS score show on the relevant Fixlets? Also, where in the database is the CVE data stored?
@arionda - There is not an easy way for me to show CVSS score for the relevant Fixlets for 2 reasons.
The first main screen with the CVEs that you are looking at is generated and then stored in the system. It is being generated by the bigfix_cve_util.
The util does not update existing Fixlets to include the CVSS scores.
Furthermore, a Fixlet might reference multiple CVEs, so there might be more than one CVSS score. Of course arguably we should show the highest score.
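The join by CVE ID described earlier in the thread, combined with the "show the highest score" idea from this reply, as an added example that is not part of the thread and is not BigFix or dashboard code. The table names, column names and sample rows are constructed assumptions, not the BigFix database schema; the CVE IDs are placeholders.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical,
# not the BigFix database schema. CVE IDs are placeholders.
FIXLET_CVES = [  # (fixlet_id, fixlet_name, cve_id): one row per referenced CVE
    (1001, "Constructed patch A", "CVE-0000-0001"),
    (1001, "Constructed patch A", "CVE-0000-0002"),
    (1002, "Constructed patch B", "CVE-0000-0003"),
    (1003, "Constructed patch C", "CVE-0000-0004"),  # CVE absent from the NVD import
]
NVD_SCORES = [  # (cve_id, cvss) as extracted from the NVD feed
    ("CVE-0000-0001", 5.0),
    ("CVE-0000-0002", 9.8),
    ("CVE-0000-0003", 7.5),
]
APPLICABLE = [(1001, 42), (1002, 0), (1003, 3)]  # (fixlet_id, applicable computers)

def build_db():
    """Load the constructed rows into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fixlet_cve (fixlet_id INTEGER, fixlet_name TEXT, cve_id TEXT);
        CREATE TABLE nvd (cve_id TEXT PRIMARY KEY, cvss REAL);
        CREATE TABLE applicable (fixlet_id INTEGER PRIMARY KEY, computers INTEGER);
    """)
    db.executemany("INSERT INTO fixlet_cve VALUES (?, ?, ?)", FIXLET_CVES)
    db.executemany("INSERT INTO nvd VALUES (?, ?)", NVD_SCORES)
    db.executemany("INSERT INTO applicable VALUES (?, ?)", APPLICABLE)
    return db

def fixlet_report(db, only_applicable=True):
    """One row per fixlet: id, name, CVE count, highest CVSS (None if unscored), computers."""
    sql = """
        SELECT f.fixlet_id, f.fixlet_name, COUNT(f.cve_id), MAX(n.cvss), a.computers
        FROM fixlet_cve AS f
        LEFT JOIN nvd AS n ON n.cve_id = f.cve_id   -- keep fixlets whose CVE has no score
        JOIN applicable AS a ON a.fixlet_id = f.fixlet_id
        WHERE a.computers > 0 OR NOT ?              -- optionally hide fixlets with no targets
        GROUP BY f.fixlet_id, f.fixlet_name, a.computers
        ORDER BY MAX(n.cvss) IS NULL, MAX(n.cvss) DESC, f.fixlet_id
    """
    return db.execute(sql, (only_applicable,)).fetchall()

if __name__ == "__main__":
    for row in fixlet_report(build_db()):
        print(row)
```

The LEFT JOIN matters: a fixlet whose CVE is missing from the imported NVD data still appears, with no score, instead of silently dropping out of the report.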
@mmangan, the best I can determine thus far is resource (memory) constraints for Web Reports. Is the Server a VM and can we allocate more resources? The application is doing REST API calls and obviously successful most of the time until the server stops processing with 503.