You can create and download an on-demand image vulnerability report from the Vulnerability Management → Vulnerability Reporting menu in the RHACS web portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs in RHACS.
To share this report with auditors or internal stakeholders, you can schedule emails in RHACS or download the report and share it by using other methods.
As organizations must constantly reassess and report on their vulnerabilities, some organizations find it helpful to have scheduled communications to key stakeholders to help in the vulnerability management process.
You can use Red Hat Advanced Cluster Security for Kubernetes to schedule these reoccurring communications through e-mail. These communications should be scoped to the most relevant information that the key stakeholders need.
For sending these communications, you must consider the following questions:
What schedule would have the most impact when communicating with the stakeholders?
Who is the audience?
Should you only send specific severity vulnerabilities in your report?
Should you only send fixable vulnerabilities in your report?
RHACS guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand.
In the RHACS portal, click Vulnerability Management → Vulnerability Reporting.
Click Create report.
In the Configure report parameters page, provide the following information:
Report name: Enter a name for your report configuration.
Report description: Enter a text describing the report configuration. This is optional.
CVE severity: Select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration.
CVE status: Select one or more CVE statuses.
The following values are associated with the CVE status:
Fixable
Unfixable
Image type: Select one or more image types.
The following values are associated with image types:
Deployed images
Watched images
CVEs discovered since: Select the time period for which you want to include the CVEs in the report configuration.
Optional: Select the Include NVD CVSS checkbox, if you want to include the NVD CVSS column in the report configuration.
Configure collection included: To configure at least one collection, do any of the following tasks:
Select an existing collection that you want to include.
To view the collection information, edit the collection, and get a preview of collection results, click View.
When viewing the collection, entering text in the field searches for collections matching that text string.
To create a new collection, click Create collection.
For more information about collections, see "Creating and using deployment collections". |
To configure the delivery destinations and optionally set up a schedule for delivery, click Next.
Configuring destinations and delivery schedules for vulnerability reports is optional, unless on the previous page, you selected the option to include CVEs that were discovered since the last scheduled report. If you selected that option, configuring destinations and delivery schedules for vulnerability reports is required.
To configure destinations for delivery, in the Configure delivery destinations section, you can add a delivery destination and set up a schedule for reporting.
To email reports, you must configure at least one email notifier. Select an existing notifier or create a new email notifier to send your report by email. For more information about creating an email notifier, see "Configuring the email plugin" in the "Additional resources" section.
When you select a notifier, the email addresses configured in the notifier as Default recipients appear in the Distribution list field. You can add additional email addresses that are separated by a comma.
A default email template is automatically applied. To edit this default template, perform the following steps:
Click the edit icon and enter a customized subject and email body in the Edit tab.
Click the Preview tab to see your proposed template.
Click Apply to save your changes to the template.
When reviewing the report jobs for a specific report, you can see whether the default template or a customized template was used when creating the report. |
In the Configure schedule section, select the frequency and day of the week for the report.
Click Next to review your vulnerability report configuration and finish creating it.
You can review the details of your vulnerability report configuration before creating it.
In the Review and create section, you can review the report configuration parameters, delivery destination, email template that is used if you selected email delivery, delivery schedule, and report format. To make any changes, click Back to go to the previous section and edit the fields that you want to change.
Click Create to create the report configuration and save it.
The ability to create, view, and download reports depends on the access control settings, or roles and permission sets, for your user account.
For example, you can only view, create, and download reports for data that your user account has permission to access. In addition, the following restrictions apply:
You can only download reports that you have generated; you cannot download reports generated by other users.
Report permissions are restricted depending on the access settings for user accounts. If the access settings for your account change, old reports do not reflect the change. For example, if you are given new permissions and want to view vulnerability data that is now allowed by those permissions, you must create a new vulnerability report.
You can edit existing vulnerability report configurations from the list of report configurations, or by selecting an individual report configuration first.
In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
To edit an existing vulnerability report configuration, complete any of the following actions:
Locate the report configuration that you want to edit in the list of report configurations. Click the overflow menu, , and then select Edit report.
Click the report configuration name in the list of report configurations. Then, click Actions and select Edit report.
Make changes to the report configuration and save.
You can generate an on-demand vulnerability report and then download it.
You can only download reports that you have generated; you cannot download reports generated by other users. |
In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
In the list of report configurations, locate the report configuration that you want to use to create the downloadable report.
Generate the vulnerability report by using one of the following methods:
To generate the report from the list:
Click the overflow menu, , and then select Generate download. The My active job status column displays the status of your report creation. After the Processing status goes away, you can download the report.
To generate the report from the report window:
Click the report configuration name to open the configuration detail window.
Click Actions and select Generate download.
To download the report, if you are viewing the list of report configurations, click the report configuration name to open it.
Click All report jobs from the menu on the header.
If the report is completed, click the Ready for download link in the Status column. The report is in .csv
format and is compressed into a .zip
file for download.
You can send vulnerability reports immediately, rather than waiting for the scheduled send time.
In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
In the list of report configurations, locate the report configuration for the report that you want to send.
Click the overflow menu, , and then select Send report now.
You can make copies of vulnerability report configurations by cloning them. This is useful when you want to reuse report configurations with minor changes, such as reporting vulnerabilities in different deployments or namespaces.
In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
Locate the report configuration that you want to clone in the list of report configurations.
Click Clone report.
Make any changes that you want to the report parameters and delivery destinations.
Click Create.
Deleting a report configuration deletes the configuration and any reports that were previously run using this configuration.
In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
Locate the report configuration that you want to delete in the list of reports.
Click the overflow menu, , and then select Delete report.
You can configure settings that determine when vulnerability report job requests expire and other retention settings for report jobs.
These settings do not affect the following vulnerability report jobs:
|
In the RHACS web portal, go to Platform Configuration → System Configuration. You can configure the following settings for vulnerability report jobs:
Vulnerability report run history retention: The number of days that a record is kept of vulnerability report jobs that have been run. This setting controls how many days that report jobs are listed in the All report jobs tab under Vulnerability Management → Vulnerability Reporting when a report configuration is selected. The entire report history after the exclusion date is deleted, with the exception of the following jobs:
Unfinished jobs.
Jobs for which prepared downloadable reports still exist in the system.
The last successful report job for each job type (scheduled email, on-demand email, or download). This ensures users have information about the last run job for each type.
Prepared downloadable vulnerability reports retention days: The number of days that prepared, on-demand downloadable vulnerability report jobs are available for download on the All report jobs tab under Vulnerability Management → Vulnerability Reporting when a report configuration is selected.
Prepared downloadable vulnerability reports limit: The limit, in MB, of space allocated to prepared downloadable vulnerability report jobs. After the limit is reached, the oldest report job in the download queue is removed.
To change these values, click Edit, make your changes, and then click Save.