Cingulara / openrmf-docs

Documentation on the OpenRMF application, including scripts to run the whole stack as well as just infrastructure with documentation on using the tool.
https://www.openrmf.io/
GNU General Public License v3.0

[BUG] Nessus scap result is always labeled Not Reviewed #291

Closed dj4n60 closed 2 years ago

dj4n60 commented 2 years ago

Describe the bug: I am trying to upload the Nessus SCAP result, but all the checklists that I upload are labeled as "Not Reviewed". Furthermore, Nessus on its dashboard shows the results.

To Reproduce: Steps to reproduce the behavior:

  1. Go to Upload
  2. Click on Choose Files and upload the nessus result ( SCAP XML Results xccdf-res.xml )
  3. Wait to upload and for the success message
  4. Go to the system and find that it is not the same as in Nessus

Expected behavior: Having the same result as Nessus

Screenshots: [screenshot attached]

Desktop (please complete the following information):

Cingulara commented 2 years ago

The Tenable XCCDF XML file looks something like this below at the top of the file. The https://github.com/Cingulara/openrmf-api-read/blob/develop/src/Classes/SCAPScanResultLoader.cs file looks for the xccdf: for Nessus and then just pdf: for DISA SCAP. OpenSCAP does not add XML tags at all. But they all are SCAP "compliant". So the file there looks for that.

<xccdf:TestResult  id="xccdf_mil.disa.stig_testresult_Windows_2012_MS_STIG" test-system="cpe:/a:tenable:nessus" 
    start-time="2019-12-03T15:34:19.000-00:00" end-time="2019-12-03T15:36:54.000-00:00" 
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd" version="1.0">
    <xccdf:benchmark href="U_MS_Windows_2012_and_2012_R2_MS_V2R17_STIG_SCAP_1-2_Benchmark.xml"
             id="xccdf_mil.disa.stig_benchmark_Windows_2012_MS_STIG"/>

If your XCCDF XML file looks different from the above, it may possibly not match correctly. The results look like this below, with "pass" or "fail" to show Not a Finding or Open. By default all are Not Reviewed:


    <xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-53010r3_rule" version="WN12-GE-000019" weight="10.0" severity="medium" role="full" >
        <xccdf:result>pass</xccdf:result>
        <xccdf:ident system="http://iase.disa.mil/cci">CCI-000366</xccdf:ident>
        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
            <xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:5160"/>
        </xccdf:check>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-52894r1_rule" version="WN12-SO-000068" weight="10.0" severity="medium" role="full" >
        <xccdf:result>pass</xccdf:result>
        <xccdf:ident system="http://cce.mitre.org">CCE-25245-2</xccdf:ident>
        <xccdf:ident system="http://iase.disa.mil/cci">CCI-000366</xccdf:ident>
        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
            <xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:4594"/>
        </xccdf:check>
    </xccdf:rule-result>

(An example is attached here as a TXT file; just rename it to .XML.)

1-2_windows-4-xccdf-res-cleaned.xml.txt

So we need to see why yours are not parsing right. There are a few questions that pop to the top of my mind below that may help:

I do not want to ask you to share sensitive company information. However, if there is a sanitized version you can email, that is a possibility to test locally and trap in code; we can go that route as well.
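An added example (not OpenRMF's own code and not from this thread) of parsing a TestResult the way the comment above describes: tags are matched by local name so both the prefixed Nessus/DISA form (xccdf:result) and the unprefixed OpenSCAP form (result) are handled, pass and fail map to Not a Finding and Open, and anything else stays Not Reviewed. The samples are constructed from the fragments quoted in this thread; the OpenSCAP ids and the "title" derivation from the benchmark href are assumptions.

```python
# Added example (not OpenRMF's own code): parse an XCCDF TestResult matching
# tags by local name, so "xccdf:result" (Nessus/DISA) and "result" (OpenSCAP)
# both work; pass/fail map to checklist status, anything else is Not Reviewed.
import xml.etree.ElementTree as ET

STATUS = {"pass": "Not a Finding", "fail": "Open"}

# Constructed samples shaped like the files quoted in this thread (trimmed).
NESSUS_STYLE = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:TestResult id="xccdf_mil.disa.stig_testresult_Windows_10_STIG" test-system="cpe:/a:tenable:nessus"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" version="1.0">
  <xccdf:benchmark href="U_MS_Windows_10_V2R3_STIG_SCAP_1-2_Benchmark.xml" id="xccdf_mil.disa.stig_benchmark_Windows_10_STIG"/>
  <xccdf:target>Desktop</xccdf:target>
  <xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-220829r569187_rule" version="WN10-CC-000190" severity="high"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE_rule" version="WN10-EXAMPLE-1" severity="low"><xccdf:result>notchecked</xccdf:result></xccdf:rule-result>
</xccdf:TestResult>"""

OPENSCAP_STYLE = """<TestResult id="xccdf_org.example_testresult" xmlns="http://checklists.nist.gov/xccdf/1.2">
  <benchmark href="example-ds.xml" id="xccdf_org.example_benchmark"/>
  <target>example-host</target>
  <rule-result idref="xccdf_org.example_rule_1"><result>pass</result></rule-result>
</TestResult>"""


def local_name(tag: str) -> str:
    """Drop the '{namespace}' ElementTree prepends, so prefixed and default-namespace tags compare equal."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    return next((c for c in elem if local_name(c.tag) == name), None)


def load_scap_result(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != "TestResult":
        raise ValueError("not an XCCDF TestResult, root is %r" % root.tag)
    bench = child(root, "benchmark")
    href = bench.get("href", "") if bench is not None else ""
    target = child(root, "target")
    findings = {}
    for rr in root:
        if local_name(rr.tag) != "rule-result":
            continue
        res = child(rr, "result")
        text = (res.text or "").strip().lower() if res is not None else ""
        findings[rr.get("version") or rr.get("idref", "")] = STATUS.get(text, "Not Reviewed")
    return {
        "title": href.split("_STIG")[0],  # assumed template lookup key taken from the benchmark href
        "hostname": (target.text or "").strip() if target is not None else "",
        "findings": findings,
    }
```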

dj4n60 commented 2 years ago

First of all, thank you for the response. Starting from the Nessus version: currently I am using 10.1.2 LINUX.

The XML is very similar. I have used both the "save as" method when it opens in the browser, and I have tried to download it with the wget command; maybe the download method is wrong because, in general, I cannot download the XML on a Windows-based workstation. This is the result:

<?xml version="1.0" encoding="UTF-8"?>
<xccdf:TestResult  id="xccdf_mil.disa.stig_testresult_Windows_10_STIG" test-system="cpe:/a:tenable:nessus" start-time="2022-05-19T07:39:16.000-00:00" end-time="2022-05-19T07:40:14.000-00:00" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd" version="1.0">
    <xccdf:benchmark href="U_MS_Windows_10_V2R3_STIG_SCAP_1-2_Benchmark.xml" id="xccdf_mil.disa.stig_benchmark_Windows_10_STIG"/>
    <xccdf:identity authenticated="1" privileged="1">user</xccdf:identity>
    <xccdf:profile idref="xccdf_mil.disa.stig_profile_MAC-1_Classified"/>
    <xccdf:target>Desktop</xccdf:target>
    <xccdf:target-address>x.x.x.x</xccdf:target-address>
    <xccdf:target-facts>
        <xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:host_name">Desktop</xccdf:fact>
        <xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:mac">x.x.x.x</xccdf:fact>
        <xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:ipv4">x.x.x.x</xccdf:fact>
    </xccdf:target-facts>

Also, here is an example of the result:

    <xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-220829r569187_rule" version="WN10-CC-000190" weight="10.0" severity="high" role="full" >
        <xccdf:result>fail</xccdf:result>
        <xccdf:ident system="http://cyber.mil/legacy">V-63673</xccdf:ident>
        <xccdf:ident system="http://cyber.mil/legacy">SV-78163</xccdf:ident>
        <xccdf:ident system="http://cyber.mil/cci">CCI-001764</xccdf:ident>
        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
            <xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:4044"/>
        </xccdf:check>
    </xccdf:rule-result>

The SCAP I am using is this one: "Microsoft Windows 10 STIG Benchmark - Ver 2, Rel 3"

Also, the version of the SCAP is 1.2.

Finally, I want to mention that I found a workaround: first I add the result to STIG Viewer, then I export the checklist, and then I add the checklist to OpenRMF.

Cingulara commented 2 years ago

OK, for the one I sent you, the title it searches for in the templates is "U_MS_Windows_2012_and_2012_R2_MS_V2R17", based on the benchmark entry <xccdf:benchmark href="U_MS_Windows_2012_and_2012_R2_MS_V2R17_STIG_SCAP_1-2_Benchmark.xml".

The one you sent would search for "U_MS_Windows_10_V2R3" based on that benchmark entry, I think. I will have to pull down that benchmark and then run that in my Nessus Pro SCAP scanner 1.2 and see what results I get on a local Win10 VM.

Cingulara commented 2 years ago

I d/l that ZIP file and I am running this scan with 1.2, the data stream ID I found, the SCAP benchmark ID I found, and the MAC-3 sensitive profile. With proper credentials, blah blah blah, as below.

[screenshot of the scan configuration]

I will test and see what I get in the next day or so.

Cingulara commented 2 years ago

The test we did late last night had 2 issues with the Nessus XCCDF XML file it exported.

  1. It had a bunch of extra text at the top before the test result, not proper XML
  2. It did not have the normal <?xml version="1.0" encoding="UTF-8"?> at the top like all other XML files

We need to see why the one exported did not have all that in there. I am going to test this in a few spots and step through the latest 1.8 code to see what works.

The one we exported: [screenshot]

Cleaned up data: [screenshot]
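An added example (not OpenRMF's own code and not from this thread) of a pre-upload check for the two export defects listed above: text ahead of the XML root and a missing XML declaration. It assumes the root element is TestResult, prefixed or not, and returns the problems it found plus a cleaned copy; the sample export is constructed.

```python
# Added example (not OpenRMF's own code): detect extra text before the root
# element and a missing <?xml ...?> declaration in an exported XCCDF result,
# then return a cleaned copy that starts with a declaration and the root tag.
import re

ROOT_RE = re.compile(r"<(?:\w+:)?TestResult\b")  # <xccdf:TestResult or <TestResult
DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def check_xccdf_export(text: str) -> dict:
    text = text.lstrip("\ufeff")  # a UTF-8 byte-order mark is not "extra text"
    m = ROOT_RE.search(text)
    if m is None:
        return {"ok": False, "problems": ["no TestResult root element found"], "cleaned": None}
    head = text[:m.start()]
    problems = []
    if not DECL_RE.match(head):
        problems.append("XML declaration missing or not at the start of the file")
    # Whatever is left before the root once the declaration is removed is junk.
    junk = DECL_RE.sub("", head, count=1).strip()
    if junk:
        problems.append("%d characters of extra text before the root element" % len(junk))
    # Cleaned copy: a fresh declaration, then the document from the root tag on.
    return {"ok": not problems, "problems": problems, "cleaned": DECL + text[m.start():]}


# Constructed sample: banner lines ahead of the root and no declaration at all.
BAD_EXPORT = ("Nessus SCAP export\nsome banner line\n"
              '<xccdf:TestResult id="t" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"></xccdf:TestResult>')
```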

Cingulara commented 2 years ago

@dj4n60 you won't believe this... after removing the extra information from the XML file, adding the starting XML tag (check to see if you have the same issue, may be a stylesheet thing on my end), I tested it and it failed...

Because in this code section below I was missing the ":". It took me a little bit as it was not finding the hostname, vulnerabilities, pass/fail, etc. so I figured parsing was incorrect. And it was...

[screenshot of the code section]

Now with that local fix in I can at least get proper data from this Nessus SCAP we just ran last night, my DISA SCAP examples, and my OpenSCAP examples. [screenshot]

It even puts in the finding details as it is supposed to. [screenshot]

Cingulara commented 2 years ago

https://github.com/Cingulara/openrmf-api-read/blob/develop/src/Classes/SCAPScanResultLoader.cs is the issue in question. I will fix, test, package up 1.8.1 a day after we released 1.8.0, and we can release this update.

Cingulara commented 2 years ago

https://github.com/Cingulara/openrmf-docs/releases/tag/v1.8.1

This is the latest and has that fix in there, plus a problem I found with the scoring engine. D/L this one and try it. If you are upgrading from 1.7.2 or earlier, please see the note about updating the MongoDB compatibility.

dj4n60 commented 2 years ago

Nice. That is amazing, thank you for your fast reaction. So now I am closing the Issue/Bug.

Cingulara commented 2 years ago

Does it work for you now? I put info on our Slack also.

On Fri, May 20, 2022 at 2:55 PM Elias K @.***> wrote:

Closed #291 https://github.com/Cingulara/openrmf-docs/issues/291 as completed.

