I am currently reviewing ticketing options in MVM for remediation, and I'm pondering the best way to handle vulnerabilities that are known, and that have temporary exceptions in place.
They obviously aren't false positives, and ignoring isn't the best solution either. I am considering using the "Export" function. Export in the documentation has the following info:
"Future scans that find this vulnerability on this host will see that this ticket was exported, and will not generate another ticket for it."
So if I export the ticket (presumably into our Exception tracking system), it will not create additional tickets, but it will show up on a scan as a discovered vulnerability - is this correct?
Also, once it has been exported and "solved" in that external system (or if it were to go into a separate reporting system like Remedy) - is there any way to then create additional tickets on this vulnerability in the future? Once it is "solved" in the external system, can I go back into MVM, then mark it as solved so it will reopen that ticket if the issue is rediscovered?
Example - Bob has an SMTP open relay and a ticket is created in September for it. The ticket is exported and in that external exported system it is marked as "fixed". Bob, however, is a lazy individual who claimed it is now fixed, but didn't do anything. It SHOULD be resolved, but in November it is still an open relay. I would like a new ticket after that (since it is now an issue again).
If there are better solutions for my issue, please provide suggestions, I am all ears.
You're right, and exporting the ticket will still flag the target as Vulnerable (but not generate a new Ticket for it), until the ticket is managed/closed (Marked "Complete", then "Acknowledged" by an administrator).
For example... you find Vulnerability "Bad Stuff" on your Weekly Scan "Boo" on May 3rd. Ticket 123 is generated.
On May 5th you export Ticket 123.
Boo runs on May 10th, and you still see Bad Stuff, but you don't get a new Ticket.
Bob the Lazy network dude tells the Administrator that he's solved the Bad Stuff on May 11th, and Administrator (being on top of it) marks the ticket as "Complete" / "Acknowledged" that same day.
But the scan runs again on the 17th, only to notice that Bob lied = so he gets a new ticket to deal with!!
If Admin was lazy too, and left the ticket as complete but not Acknowledged - no new ticket would have been generated on the 17th. The "Acknowledged" is the key here.
I hope that helps!
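The May timeline from the reply above, replayed as a small state model. This is an added example, not code from the thread or from MVM. The state label `open`, the host name `host-a`, and the rule that any ticket short of Acknowledged suppresses a new one are assumptions drawn from the reply's description. It also lists findings left Complete but not Acknowledged, where a regression would raise no ticket.

```python
from dataclasses import dataclass, field

# State names follow the reply; "open" is an assumed label for a fresh ticket.
OPEN, EXPORTED, COMPLETE, ACKNOWLEDGED = "open", "exported", "complete", "acknowledged"

@dataclass
class TicketModel:
    """Toy model of the ticket rule described in the reply, not MVM's own logic."""
    last_state: dict = field(default_factory=dict)  # (host, vuln) -> latest ticket state

    def scan_finds(self, host, vuln):
        """A scan finds vuln on host; return True if a new ticket is raised."""
        state = self.last_state.get((host, vuln))
        # Assumption: any existing ticket that is not Acknowledged suppresses a new one.
        if state is None or state == ACKNOWLEDGED:
            self.last_state[(host, vuln)] = OPEN
            return True
        return False

    def blind_spots(self):
        """Findings whose ticket is Complete but not Acknowledged."""
        return sorted(k for k, s in self.last_state.items() if s == COMPLETE)

def replay(events, host="host-a", vuln="Bad Stuff"):
    """Replay (date, action) events; return (dates a ticket was raised, blind spots)."""
    model, raised = TicketModel(), []
    for date, action in events:
        if action == "scan":
            if model.scan_finds(host, vuln):
                raised.append(date)
        else:
            # Any other action is a manual state change on the latest ticket.
            model.last_state[(host, vuln)] = action
    return raised, model.blind_spots()

# Constructed timelines mirroring the May example in the reply.
COMMON = [("May 3", "scan"), ("May 5", EXPORTED), ("May 10", "scan"), ("May 11", COMPLETE)]
ACKED = COMMON + [("May 11", ACKNOWLEDGED), ("May 17", "scan")]
NOT_ACKED = COMMON + [("May 17", "scan")]

if __name__ == "__main__":
    print(replay(ACKED))      # new ticket on May 17
    print(replay(NOT_ACKED))  # no new ticket; finding reported as a blind spot
```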