I built a closed-loop vulnerability management cycle that schedules OpenVAS scans, prioritizes findings by CVSS 3.1 and business context, opens Jira tickets via API, and remediates with Ansible. The pipeline cut the critical-vulnerability exposure window from 7 days to 4 hours across 15+ Linux nodes.

Context & Standards Alignment

The workflow implements the NIST SP 800-40 patch management lifecycle and CIS Control 7 (Continuous Vulnerability Management), turning ad-hoc scanning into a measurable, auditable process.

  • T1190 Exploit Public-Facing Application – prioritized remediation of internet-reachable CVEs.
  • T1203 Exploitation for Client Execution – endpoint patch orchestration via Ansible.

Environment & Prerequisites

  • OpenVAS/GVM 22.4 scanner with daily feed sync; Nessus Professional for cross-validation.
  • Ansible control node with inventory of 15+ RHEL 9 / Ubuntu 22.04 hosts.
  • Jira Cloud project + API token; Grafana dashboard fed from a PostgreSQL results store.

Step-by-Step Execution

1. Launch an authenticated scan via the GVM CLI [PRIVILEGED]

gvm-cli --gmp-username admin socket --xml "<start_task task_id='UUID'/>"

2. Export and prioritize by CVSS 3.1

gvm-script --gmp-username admin socket get_results.py --severity 9.0 | tee critical.csv
CVE-2024-3094  10.0  CRITICAL  xz-utils backdoor      host=192.168.20.31
CVE-2023-4911  7.8   HIGH      glibc CVE-2023-4911    host=192.168.20.18

3. Remediate with Ansible

ansible-playbook -i inventory patch-critical.yml --limit critical_hosts
PLAY RECAP
192.168.20.31 : ok=6 changed=3 unreachable=0 failed=0
192.168.20.18 : ok=6 changed=2 unreachable=0 failed=0

Validation & Testing

Trigger an automated rescan of the patched hosts and confirm the previously critical CVEs no longer appear. The Grafana dashboard should show the open-critical count drop to zero (alt text: Grafana panel trending open critical CVEs to zero after Ansible remediation).

Advanced: Troubleshooting
  • Authenticated scan returns few results: verify SSH credentials and that the scan target uses a credentialed config.
  • Feed out of date: run greenbone-feed-sync and check /var/log/gvm/.
  • Ansible patch reboot loops: gate reboots behind a reboot_required fact check.

Key Results

  • Orchestrated patching across 15+ Linux servers with a 99.2% success rate.
  • Prioritized 200+ CVEs by CVSS 3.1 and business criticality each cycle.
  • Reduced the critical-vulnerability exposure window from 7 days to 4 hours.
  • Automated Jira ticket creation for 100% of high/critical findings.