Closed dj4n60 closed 2 years ago
The Tenable XCCDF XML file looks something like this at the top of the file. The https://github.com/Cingulara/openrmf-api-read/blob/develop/src/Classes/SCAPScanResultLoader.cs file looks for the xccdf: for Nessus and then just pdf: for DISA SCAP. OpenSCAP does not add XML tags at all. But they all are SCAP "compliant". So the file there looks for that.
<xccdf:TestResult id="xccdf_mil.disa.stig_testresult_Windows_2012_MS_STIG" test-system="cpe:/a:tenable:nessus"
start-time="2019-12-03T15:34:19.000-00:00" end-time="2019-12-03T15:36:54.000-00:00"
xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd" version="1.0">
<xccdf:benchmark href="U_MS_Windows_2012_and_2012_R2_MS_V2R17_STIG_SCAP_1-2_Benchmark.xml"
id="xccdf_mil.disa.stig_benchmark_Windows_2012_MS_STIG"/>
If your XCCDF XML file looks different from the above, it may not match correctly. The results look like this below, with the "pass" or "fail" to show Not a Finding or Open. By default all are Not Reviewed:
<xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-53010r3_rule" version="WN12-GE-000019" weight="10.0" severity="medium" role="full" >
<xccdf:result>pass</xccdf:result>
<xccdf:ident system="http://iase.disa.mil/cci">CCI-000366</xccdf:ident>
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
<xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:5160"/>
</xccdf:check>
</xccdf:rule-result>
<xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-52894r1_rule" version="WN12-SO-000068" weight="10.0" severity="medium" role="full" >
<xccdf:result>pass</xccdf:result>
<xccdf:ident system="http://cce.mitre.org">CCE-25245-2</xccdf:ident>
<xccdf:ident system="http://iase.disa.mil/cci">CCI-000366</xccdf:ident>
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
<xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:4594"/>
</xccdf:check>
</xccdf:rule-result>
(An example is here as a TXT file; just rename it to .XML.)
1-2_windows-4-xccdf-res-cleaned.xml.txt
So we need to see why yours are not parsing right. There are a few questions that pop to the top of my mind below that may help:
I do not want to ask you to share sensitive company information. However, if there is a sanitized version you can email to test locally and trap in code, we can go that route as well.
First of all, thank you for the response. Starting with the Nessus version: currently I am using 10.1.2 LINUX.
The XML is very similar. I have used the "save as" method when it opens in the browser, and I have also tried to download it with the wget command. Maybe the download method is wrong, because in general I cannot download the XML on a Windows-based workstation. This is the result:
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:TestResult id="xccdf_mil.disa.stig_testresult_Windows_10_STIG" test-system="cpe:/a:tenable:nessus" start-time="2022-05-19T07:39:16.000-00:00" end-time="2022-05-19T07:40:14.000-00:00" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd" version="1.0">
<xccdf:benchmark href="U_MS_Windows_10_V2R3_STIG_SCAP_1-2_Benchmark.xml" id="xccdf_mil.disa.stig_benchmark_Windows_10_STIG"/>
<xccdf:identity authenticated="1" privileged="1">user</xccdf:identity>
<xccdf:profile idref="xccdf_mil.disa.stig_profile_MAC-1_Classified"/>
<xccdf:target>Desktop</xccdf:target>
<xccdf:target-address>x.x.x.x</xccdf:target-address>
<xccdf:target-facts>
<xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:host_name">Desktop</xccdf:fact>
<xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:mac">x.x.x.x</xccdf:fact>
<xccdf:fact type="string" name="urn:xccdf:fact:asset:identifier:ipv4">x.x.x.x</xccdf:fact>
</xccdf:target-facts>
Also, here is an example of the result:
<xccdf:rule-result idref="xccdf_mil.disa.stig_rule_SV-220829r569187_rule" version="WN10-CC-000190" weight="10.0" severity="high" role="full" >
<xccdf:result>fail</xccdf:result>
<xccdf:ident system="http://cyber.mil/legacy">V-63673</xccdf:ident>
<xccdf:ident system="http://cyber.mil/legacy">SV-78163</xccdf:ident>
<xccdf:ident system="http://cyber.mil/cci">CCI-001764</xccdf:ident>
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false">
<xccdf:check-content-ref href="#oval1" name="oval:mil.disa.fso.windows:def:4044"/>
</xccdf:check>
</xccdf:rule-result>
The SCAP I am using is this one: "Microsoft Windows 10 STIG Benchmark - Ver 2, Rel 3".
Also, the version of the SCAP is 1.2.
Finally, I want to mention that I found a workaround: first I add the result to STIG Viewer, then I export the checklist, and then I add the checklist to OpenRMF.
OK, for the one I sent you, the title it searches for in the templates is "U_MS_Windows_2012_and_2012_R2_MS_V2R17", based on the benchmark entry <xccdf:benchmark href="U_MS_Windows_2012_and_2012_R2_MS_V2R17_STIG_SCAP_1-2_Benchmark.xml".
The one you sent would search for "U_MS_Windows_10_V2R3" based on that benchmark entry, I think. I will have to pull down that benchmark and then run that in my Nessus Pro SCAP scanner 1.2 and see what results I get on a local Win10 VM.
I d/l that ZIP file and I am running this scan with 1.2, data stream ID I found, SCAP benchmark ID I found and the MAC-3 sensitive profile. With proper credentials, blah blah blah as below.
I will test and see what I get in the next day or so.
The test we did late last night had 2 issues with the Nessus XCCDF XML file it exported.
We need to see why the one exported did not have all that in there. I am going to test this in a few spots and step through the latest 1.8 code to see what works.
The one we exported:
Cleaned Up Data
@dj4n60 you won't believe this... after removing the extra information from the XML file, adding the starting XML tag (check to see if you have the same issue, may be a stylesheet thing on my end), I tested it and it failed...
Because in this code section below I was missing the ":".
Now with that local fix in I can at least get proper data from this Nessus SCAP we just ran last night, my DISA SCAP examples, and my OpenSCAP examples.
It even puts in the finding details as it is supposed to.
https://github.com/Cingulara/openrmf-api-read/blob/develop/src/Classes/SCAPScanResultLoader.cs is the issue in question. I will fix, test, package up 1.8.1 a day after we released 1.8.0, and we can release this update.
https://github.com/Cingulara/openrmf-docs/releases/tag/v1.8.1
This is the latest and has that fix in there and a problem I found with the scoring engine. D/L this one and try it. If you are upgrading from 1.7.2 or earlier, please see the note about updating the MongoDB compatibility.
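Added example, not part of the thread and not OpenRMF's code: one way to read XCCDF rule results by element local name, so the same loader handles the `xccdf:` prefix, another prefix, or no prefix at all, and maps "pass"/"fail" to Not a Finding/Open with Not Reviewed as the default. The sample document, rule versions and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Mapping described in the thread: "pass" -> Not a Finding, "fail" -> Open.
# Any other XCCDF result value keeps the default, Not Reviewed.
STATUS = {"pass": "Not a Finding", "fail": "Open"}


def local(tag):
    """Drop the '{namespace-uri}' part ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def load_results(xml_text):
    """Return (benchmark href, {rule version: status}) for an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    benchmark, results = None, {}
    for elem in root.iter():
        name = local(elem.tag)
        if name == "benchmark" and benchmark is None:
            benchmark = elem.get("href")
        elif name == "rule-result":
            verdict = next(
                (c.text or "" for c in elem if local(c.tag) == "result"), "")
            key = elem.get("version") or elem.get("idref")
            results[key] = STATUS.get(verdict.strip().lower(), "Not Reviewed")
    return benchmark, results


# Constructed sample: one TestResult, serialized with whatever prefix is asked for.
BODY = """<{p}TestResult {x}="http://checklists.nist.gov/xccdf/1.2" id="constructed">
  <{p}benchmark href="U_Example_V1R1_STIG_SCAP_1-2_Benchmark.xml"/>
  <{p}rule-result idref="example_rule_1" version="EX-00-000001" severity="medium">
    <{p}result>pass</{p}result>
  </{p}rule-result>
  <{p}rule-result idref="example_rule_2" version="EX-00-000002" severity="high">
    <{p}result>fail</{p}result>
  </{p}rule-result>
  <{p}rule-result idref="example_rule_3" version="EX-00-000003" severity="low">
    <{p}result>notchecked</{p}result>
  </{p}rule-result>
</{p}TestResult>"""


def sample(prefix):
    """Build the constructed document with the given prefix ('' = default namespace)."""
    p = prefix + ":" if prefix else ""
    x = "xmlns:" + prefix if prefix else "xmlns"
    return BODY.format(p=p, x=x)
```

Because the match is on the local name after namespace resolution, a scanner that changes or drops the prefix still yields the same statuses.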
Nice. That is amazing, thank you for your fast reaction. So now I am closing the Issue/Bug.
Does it work for you now? I put info on our Slack also.
On Fri, May 20, 2022 at 2:55 PM Elias K @.***> wrote:
Closed #291 https://github.com/Cingulara/openrmf-docs/issues/291 as completed.
-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001
Describe the bug
I am trying to upload the Nessus SCAP result, but every checklist that I upload is labeled as "Not Reviewed". Furthermore, Nessus shows the results on its dashboard.
To Reproduce Steps to reproduce the behavior:
Expected behavior
Having the same result as Nessus.