Configuring QRadar Vulnerability Manager to send vulnerability data to BigFix
Procedure
- Log in to the QRadar Console as the root user.
- Configure the BigFix adapter setup:
  - Go to the /opt/qvm/adaptor/config directory and run the setup script: ./setup-adaptor.sh
  - Enter a new password to create the truststore that stores the BigFix server certificate.
    The truststore is created in /opt/qvm/adaptor/truststore.jks
    The following property files are created in the /opt/qvm/adaptor/config directory:
    - adaptor.properties
    - adaptor-bigfix.properties
    - plugin-bigfix.properties
  - Verify that the plugin-bigfix.properties file has a TLS entry, for example, TLSv1.2 or a comma-separated TLS list such as TLSv1.2,TLSv1.1,SSLv1.3. The first entry in the list is used to create the security context: bes.rest.allowed.protocols=TLSv1.2
  - At the prompts, provide details for the BigFix REST API server by entering the host name or IP address, user name, and password for the BigFix server.
    The user name and password that you enter are the same credentials that are used for the BigFix REST API. The REST API is used to send vulnerability data to BigFix.
  - Restart the asset profiler by typing the following command:
    /opt/qradar/init/assetprofiler restart
    To ensure optimum performance, don't restart the asset profiler when QRadar Vulnerability Manager scans are running, or when you are expecting vulnerability imports from a third-party scanner.
    The adaptor.properties file is created. This file contains the configuration parameters for the vulnerability data that is sent to BigFix.
- Verify that the setup process completed successfully:
  - In the /opt/qvm/adaptor/config/adaptor.properties file, verify that these properties are set:
    qvm.adaptor.listener.enabled=true
    qvm.adaptor.process.daemon=false
  - Set the risk score and asset update granularity in the adaptor.properties file by editing the following properties:

  Table 1. Adaptor properties and descriptions

  | Property name (API) | Description |
  |---|---|
  | qvm.adaptor.minimum.vuln.riskscore=n | Defines the threshold for each vulnerability risk score. Vulnerabilities with a risk score equal to or above the set value are sent to BigFix. For example, if you set the value to 5, only vulnerabilities with risk scores of 5 or above are sent to BigFix. |
  | qvm.adaptor.minimum.asset.riskscore=n | Defines the threshold for the cumulative risk score of all the vulnerabilities on an asset. Vulnerabilities on assets whose cumulative score is less than this value are not sent to BigFix, unless the asset has vulnerabilities with a score equal to or above the value of minimum.vuln.riskscore. Note: minimum.vuln.riskscore overrides minimum.asset.riskscore. If minimum.vuln.riskscore is set to 0, all vulnerabilities are sent to BigFix, regardless of the minimum.asset.riskscore value. Use minimum.asset.riskscore to capture vulnerabilities on assets that have multiple low-risk vulnerabilities with a high cumulative risk score. When you set this value, be aware of the effect of the minimum.vuln.riskscore value on this setting. |
  | qvm.adaptor.assetupdate.limit=n | Defines how the BigFix dashboard data resource is split. A split does not occur until all CVE IDs are populated for the last asset. For example, with qvm.adaptor.assetupdate.limit=20, asset 1 has 19 CVE IDs and asset 2 has 30 CVE IDs: one data resource is generated that contains both assets, with a total of 49 CVE IDs. With qvm.adaptor.assetupdate.limit=19 and the same two assets, two data resources are generated, each containing one asset. |
  | qvm.adaptor.source.data.delay=n | Defines how often data is sent to BigFix. For example, when n=15, vulnerability data is sent to BigFix every 15 minutes, provided that there is vulnerability data available to send. |

  By editing the adaptor.properties file, you filter the vulnerability data that is sent to BigFix.
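The threshold and batching rules in Table 1 decide what leaves the console, so it is worth being able to predict them before changing a value. The following Python model is an added example written for this page; it is not the adaptor's own code. The class and function names, the sample properties text and the CVE-EXAMPLE-* identifiers are all constructed, and the filter implements one reading of the table's wording: a vulnerability is sent when its own score reaches minimum.vuln.riskscore, or when its asset's cumulative score reaches minimum.asset.riskscore. The batching function reproduces the two worked examples from the table (limit 20 versus limit 19 for assets with 19 and 30 CVE IDs).

```python
"""Model of the Table 1 filtering and batching rules (added example, not product code)."""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    cve_id: str        # constructed placeholder identifier, one CVE ID per vulnerability
    risk_score: float  # QRadar risk score of this vulnerability


@dataclass
class Asset:
    name: str
    vulns: list

    def cumulative_risk(self) -> float:
        """Sum of all vulnerability risk scores on this asset."""
        return sum(v.risk_score for v in self.vulns)


def parse_properties(text: str) -> dict:
    """Parse key=value lines of a Java-style .properties file ('#' and '!' lines are comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def select_for_bigfix(assets, props):
    """Return copies of the assets holding only the vulnerabilities that would be sent.

    risk_score >= minimum.vuln.riskscore       -> sent (this rule overrides the asset rule)
    otherwise sent only if cumulative_risk() >= minimum.asset.riskscore
    minimum.vuln.riskscore=0 therefore sends everything; assets with nothing to send are dropped.
    """
    vuln_min = float(props.get("qvm.adaptor.minimum.vuln.riskscore", 0))
    asset_min = float(props.get("qvm.adaptor.minimum.asset.riskscore", 0))
    selected = []
    for asset in assets:
        whole_asset = asset.cumulative_risk() >= asset_min
        keep = [v for v in asset.vulns if v.risk_score >= vuln_min or whole_asset]
        if keep:
            selected.append(Asset(asset.name, keep))
    return selected


def batch_into_resources(assets, limit):
    """Group assets into BigFix data resources per qvm.adaptor.assetupdate.limit.

    An asset is never split: the current resource is closed only once the CVE IDs of the
    asset just added bring the running total to the limit or beyond.
    """
    resources, current, cve_count = [], [], 0
    for asset in assets:
        current.append(asset)
        cve_count += len(asset.vulns)
        if cve_count >= limit:
            resources.append(current)
            current, cve_count = [], 0
    if current:
        resources.append(current)
    return resources


# Constructed sample adaptor.properties content; the values are chosen for the example.
SAMPLE_PROPERTIES = """\
# thresholds used by the adaptor
qvm.adaptor.minimum.vuln.riskscore=5
qvm.adaptor.minimum.asset.riskscore=12
qvm.adaptor.assetupdate.limit=20
qvm.adaptor.source.data.delay=15
"""

# Constructed sample assets with placeholder CVE identifiers (not real advisories).
SAMPLE_ASSETS = [
    Asset("web01", [Vulnerability("CVE-EXAMPLE-0001", 7.5), Vulnerability("CVE-EXAMPLE-0002", 2.0)]),
    Asset("db01", [Vulnerability("CVE-EXAMPLE-0003", 3.0), Vulnerability("CVE-EXAMPLE-0004", 4.0),
                   Vulnerability("CVE-EXAMPLE-0005", 4.5), Vulnerability("CVE-EXAMPLE-0006", 2.5)]),
    Asset("kiosk01", [Vulnerability("CVE-EXAMPLE-0007", 1.0)]),
]


def page_example(limit):
    """Table 1's worked example: asset 1 with 19 CVE IDs and asset 2 with 30, batched at `limit`."""
    a1 = Asset("asset1", [Vulnerability(f"CVE-EXAMPLE-1{i:03d}", 9.0) for i in range(19)])
    a2 = Asset("asset2", [Vulnerability(f"CVE-EXAMPLE-2{i:03d}", 9.0) for i in range(30)])
    return batch_into_resources([a1, a2], limit)


if __name__ == "__main__":
    sent = select_for_bigfix(SAMPLE_ASSETS, parse_properties(SAMPLE_PROPERTIES))
    for asset in sent:
        print(asset.name, [v.cve_id for v in asset.vulns])
    for limit in (20, 19):
        print(f"limit={limit}: {[len(r) for r in page_example(limit)]} asset(s) per resource")
```

With the sample values, web01 (cumulative 9.5) contributes only its 7.5 vulnerability, db01 (cumulative 14.0) contributes all four low-scoring ones, and kiosk01 is dropped entirely; the batching calls return one resource for limit 20 and two for limit 19, matching the table.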
  - Verify that the BigFix plugin configuration creates the following directories:
    - /store/qvm/adaptor/data
    - /store/qvm/adaptor/bigfix
  - Verify that logging is enabled in the /opt/qvm/adaptor/log4j.xml file.
    Log files are /var/log/qvm-integration-adaptor.log and /var/log/qvm-adaptor-cron.log.
    Note: If you don't download the certificate because the BigFix server is unreachable, the setup does not fail. You can download the certificate later by running the following command:
    ./install-cert.sh <truststore_location> <truststore_password> <truststore_IP_address:port>
    For example, use the following command format:
    ./install-cert.sh /opt/qvm/adaptor/truststore.jks <abc3password> <192.0.2.0>:<63455>
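The verification steps above are a checklist that is easy to get partly wrong after a restart or an upgrade, so here is the same checklist as a script. It is an added example for this page, not part of the QRadar product: the file paths are the ones the page names, while the function names, the `verify_setup` entry point and the sample file contents are constructed. On a QRadar Console it reads the real files; anywhere else it falls back to the constructed sample so it still runs.

```python
"""Re-check the BigFix adaptor setup items listed on this page (added example, not product code)."""
import os

ADAPTOR_PROPERTIES = "/opt/qvm/adaptor/config/adaptor.properties"
PLUGIN_PROPERTIES = "/opt/qvm/adaptor/config/plugin-bigfix.properties"
TRUSTSTORE = "/opt/qvm/adaptor/truststore.jks"
DATA_DIRS = ("/store/qvm/adaptor/data", "/store/qvm/adaptor/bigfix")
LOG_FILES = ("/var/log/qvm-integration-adaptor.log", "/var/log/qvm-adaptor-cron.log")

# Flags the page says to confirm in adaptor.properties after setup.
REQUIRED_ADAPTOR = {"qvm.adaptor.listener.enabled": "true",
                    "qvm.adaptor.process.daemon": "false"}
# Only the first entry of bes.rest.allowed.protocols creates the security context,
# so that entry is the one checked; TLS 1.2 or 1.3 is what a current deployment should use.
MODERN_TLS = ("TLSv1.2", "TLSv1.3")


def load_properties(text):
    """Minimal key=value reader for a Java .properties file ('#' lines are comments)."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#") and "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def check_adaptor_properties(props):
    """Report required adaptor.properties flags that are missing or set to another value."""
    return [f"{key} should be {want}, found {props.get(key, '<missing>')}"
            for key, want in REQUIRED_ADAPTOR.items()
            if props.get(key, "").lower() != want]


def check_tls_entry(props):
    """Return (protocol that will create the security context, findings)."""
    raw = props.get("bes.rest.allowed.protocols", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return None, ["bes.rest.allowed.protocols is missing from plugin-bigfix.properties"]
    first = entries[0]
    findings = [] if first in MODERN_TLS else [
        f"security context will use {first}; expected one of {MODERN_TLS}"]
    return first, findings


def check_paths(exists=os.path.exists):
    """Confirm the truststore, plugin data directories and log files exist.

    `exists` is injectable so the check can be exercised without the real file system.
    """
    return [f"missing: {p}" for p in (TRUSTSTORE, *DATA_DIRS, *LOG_FILES) if not exists(p)]


def verify_setup(adaptor_text, plugin_text, exists=os.path.exists):
    """Run every check; a dict whose lists are all empty means the setup looks complete."""
    _first, tls_findings = check_tls_entry(load_properties(plugin_text))
    return {
        "adaptor.properties": check_adaptor_properties(load_properties(adaptor_text)),
        "tls": tls_findings,
        "paths": check_paths(exists),
    }


# Constructed sample contents standing in for the two files after a good setup ...
GOOD_ADAPTOR = ("qvm.adaptor.listener.enabled=true\n"
                "qvm.adaptor.process.daemon=false\n"
                "qvm.adaptor.source.data.delay=15\n")
GOOD_PLUGIN = "bes.rest.allowed.protocols=TLSv1.2,TLSv1.1\n"
# ... and for a setup where the daemon flag was left on and the list starts with TLSv1.1.
BAD_ADAPTOR = "qvm.adaptor.listener.enabled=true\nqvm.adaptor.process.daemon=true\n"
BAD_PLUGIN = "bes.rest.allowed.protocols=TLSv1.1,TLSv1.2\n"


def read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    try:
        report = verify_setup(read(ADAPTOR_PROPERTIES), read(PLUGIN_PROPERTIES))
    except OSError:  # not on a QRadar Console: use the constructed sample instead
        report = verify_setup(GOOD_ADAPTOR, GOOD_PLUGIN, exists=lambda p: True)
    for area, findings in report.items():
        print(area, "OK" if not findings else findings)
```

Run it after the asset profiler restart; an empty findings list for every area corresponds to the checks in the procedure passing, and each non-empty entry names the file or path to fix. The `exists` parameter exists only so the path check can be driven with a stand-in on a machine that is not a QRadar Console.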