1. Documentation
    2. history bug_report picture_as_pdf
×

Vulnerability reporting

You can create and download an on-demand image vulnerability report from the Vulnerability ManagementVulnerability Reporting menu in the RHACS web portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs in RHACS.

To share this report with auditors or internal stakeholders, you can schedule emails in RHACS or download the report and share it by using other methods.

Reporting vulnerabilities to teams

As organizations must constantly reassess and report on their vulnerabilities, some organizations find it helpful to have scheduled communications to key stakeholders to help in the vulnerability management process.

You can use Red Hat Advanced Cluster Security for Kubernetes to schedule these reoccurring communications through e-mail. These communications should be scoped to the most relevant information that the key stakeholders need.

For sending these communications, you must consider the following questions:

  • What schedule would have the most impact when communicating with the stakeholders?

  • Who is the audience?

  • Should you only send specific severity vulnerabilities in your report?

  • Should you only send fixable vulnerabilities in your report?

Creating vulnerability management report configurations

RHACS guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand.

Procedure

  1. In the RHACS portal, click Vulnerability ManagementVulnerability Reporting.

  2. Click Create report.

  3. Enter a name for your report configuration in the Report name field.

  4. Optional: Enter text describing the report configuration in the Report description field.

  5. In the CVE severity field, select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration.

  6. Select the CVE status. You can select Fixable, Unfixable, or both.

  7. In the Image type field, select whether you want to include CVEs from deployed images, watched images, or both.

  8. In the CVEs discovered since field, select the time period for which you want CVEs to be included in the report configuration.

  9. In the Configure collection included field, you must configure at least one collection. Complete any of the following actions:

    • Select an existing collection to include. To view the collection information, edit the collection, and get a preview of collection results, click View. When viewing the collection, entering text in the field searches for collections matching that text string.

    • Click Create collection to create a new collection.

      For more information about collections, see "Creating and using deployment collections" in the "Additional resources" section.

  10. Click Next to configure the delivery destinations and optionally set up a schedule for delivery.

Configuring delivery destinations and scheduling

Configuring destinations and delivery schedules for vulnerability reports is optional, unless on the previous page, you selected the option to include CVEs that were discovered since the last scheduled report. If you selected that option, configuring destinations and delivery schedules for vulnerability reports is required.

Procedure

  1. To configure destinations for delivery, in the Configure delivery destinations section, you can add a delivery destination and set up a schedule for reporting.

  2. To email reports, you must configure at least one email notifier. Select an existing notifier or create a new email notifier to send your report by email. For more information about creating an email notifier, see "Configuring the email plugin" in the "Additional resources" section.

    When you select a notifier, the email addresses configured in the notifier as Default recipients appear in the Distribution list field. You can add additional email addresses that are separated by a comma.

  3. A default email template is automatically applied. To edit this default template, perform the following steps:

    1. Click the edit icon and enter a customized subject and email body in the Edit tab.

    2. Click the Preview tab to see your proposed template.

    3. Click Apply to save your changes to the template.

      When reviewing the report jobs for a specific report, you can see whether the default template or a customized template was used when creating the report.

  4. In the Configure schedule section, select the frequency and day of the week for the report.

  5. Click Next to review your vulnerability report configuration and finish creating it.

Reviewing and creating the report configuration

You can review the details of your vulnerability report configuration before creating it.

Procedure

  1. In the Review and create section, you can review the report configuration parameters, delivery destination, email template that is used if you selected email delivery, delivery schedule, and report format. To make any changes, click Back to go to the previous section and edit the fields that you want to change.

  2. Click Create to create the report configuration and save it.

Vulnerability report permissions

The ability to create, view, and download reports depends on the access control settings, or roles and permission sets, for your user account.

For example, you can only view, create, and download reports for data that your user account has permission to access. In addition, the following restrictions apply:

  • You can only download reports that you have generated; you cannot download reports generated by other users.

  • Report permissions are restricted depending on the access settings for user accounts. If the access settings for your account change, old reports do not reflect the change. For example, if you are given new permissions and want to view vulnerability data that is now allowed by those permissions, you must create a new vulnerability report.

Editing vulnerability report configurations

You can edit existing vulnerability report configurations from the list of report configurations, or by selecting an individual report configuration first.

Procedure

  1. In the RHACS web portal, click Vulnerability ManagementVulnerability Reporting.

  2. To edit an existing vulnerability report configuration, complete any of the following actions:

    • Locate the report configuration that you want to edit in the list of report configurations. Click the overflow menu, kebab, and then select Edit report.

    • Click the report configuration name in the list of report configurations. Then, click Actions and select Edit report.

  3. Make changes to the report configuration and save.

Downloading vulnerability reports

You can generate an on-demand vulnerability report and then download it.

You can only download reports that you have generated; you cannot download reports generated by other users.
Procedure

  1. In the RHACS web portal, click Vulnerability ManagementVulnerability Reporting.

  2. In the list of report configurations, locate the report configuration that you want to use to create the downloadable report.

  3. Generate the vulnerability report by using one of the following methods:

    • To generate the report from the list:

      1. Click the overflow menu, kebab, and then select Generate download. The My active job status column displays the status of your report creation. After the Processing status goes away, you can download the report.

    • To generate the report from the report window:

      1. Click the report configuration name to open the configuration detail window.

      2. Click Actions and select Generate download.

  4. To download the report, if you are viewing the list of report configurations, click the report configuration name to open it.

  5. Click All report jobs from the menu on the header.

  6. If the report is completed, click the Ready for download link in the Status column. The report is in .csv format and is compressed into a .zip file for download.

Sending vulnerability reports on-demand

You can send vulnerability reports immediately, rather than waiting for the scheduled send time.

Procedure

  1. In the RHACS web portal, click Vulnerability ManagementVulnerability Reporting.

  2. In the list of report configurations, locate the report configuration for the report that you want to send.

  3. Click the overflow menu, kebab, and then select Send report now.

Cloning vulnerability report configurations

You can make copies of vulnerability report configurations by cloning them. This is useful when you want to reuse report configurations with minor changes, such as reporting vulnerabilities in different deployments or namespaces.

Procedure

  1. In the RHACS web portal, click Vulnerability ManagementVulnerability Reporting.

  2. Locate the report configuration that you want to clone in the list of report configurations.

  3. Click Clone report.

  4. Make any changes that you want to the report parameters and delivery destinations.

  5. Click Create.

Deleting vulnerability report configurations

Deleting a report configuration deletes the configuration and any reports that were previously run using this configuration.

Procedure

  1. In the RHACS web portal, click Vulnerability ManagementVulnerability Reporting.

  2. Locate the report configuration that you want to delete in the list of reports.

  3. Click the overflow menu, kebab, and then select Delete report.

Configuring vulnerability management report job retention settings

You can configure settings that determine when vulnerability report job requests expire and other retention settings for report jobs.

These settings do not affect the following vulnerability report jobs:

  • Jobs in the WAITING or PREPARING state (unfinished jobs)

  • The last successful scheduled report job

  • The last successful on-demand emailed report job

  • The last successful downloadable report job

  • Downloadable report jobs for which the report file has not been deleted by either manual deletion or by configuring the downloadable report pruning settings
Procedure

  1. In the RHACS web portal, go to Platform ConfigurationSystem Configuration. You can configure the following settings for vulnerability report jobs:

    • Vulnerability report run history retention: The number of days that a record is kept of vulnerability report jobs that have been run. This setting controls how many days that report jobs are listed in the All report jobs tab under Vulnerability ManagementVulnerability Reporting when a report configuration is selected. The entire report history after the exclusion date is deleted, with the exception of the following jobs:

      • Unfinished jobs.

      • Jobs for which prepared downloadable reports still exist in the system.

      • The last successful report job for each job type (scheduled email, on-demand email, or download). This ensures users have information about the last run job for each type.

    • Prepared downloadable vulnerability reports retention days: The number of days that prepared, on-demand downloadable vulnerability report jobs are available for download on the All report jobs tab under Vulnerability ManagementVulnerability Reporting when a report configuration is selected.

    • Prepared downloadable vulnerability reports limit: The limit, in MB, of space allocated to prepared downloadable vulnerability report jobs. After the limit is reached, the oldest report job in the download queue is removed.

  2. To change these values, click Edit, make your changes, and then click Save.

Additional resources