In order for us to update the JAB on our compliance in a consistent way, we need to deliver a Continuous Monitoring report on 2023-01-02. (our standard due date is the 2nd of the month. If these dates fall on a weekend or federal holiday, adjust to the last business day before the date.)
Depending on scan results, we sometimes also have to do these tasks:
For any items that require a monthly checkin with a vendor, Cloud Operations needs to make the appropriate support request to the vendor.
Write Deviation Requests for operational requirements, risk adjustments, and false positives.
Update our boards with current info about vulnerabilities and open POAM items and any necessary followup stories about compliance work and related technical work to prepare for the next month's report.
Set up Google FileStream - Use from GSA SelfService, the upstream version doesn't seem to work for GSA.
Have cg-scripts in your $PATH
PIP install nessus-file-reader
I keep everything in ~/Documents/ConMon, so
cd ~/Documents
git clone file:///Volumes/GoogleDrive/My Drive/cloud.gov/Security and Compliance/Compliance/conmon_project.git ConMon
cd ConMon
source conmon.sh
That sets up a bunch of shell functions that we run, then copy/paste if they look correct.
setup_dirs YYYY MM DD - Set up the correct names and places for our copies of the scan
Open the new target folders and ZAP and Nessus results folders
Drag scans from /Volumes/GoogleDrive/My Drive/18F_ISSO/FedRAMP JAB - cloud.gov - 3PAO Access/ZAP and Nessus results the
ZAP both XML and HTML
RDS *.nessus into the RDS folders
Compliance and Vuln *.nessus scans into folders. End result
Run nessus_log4j. This generates a table something like this:
------- Log4J REPORT ------
Log4j plugin: 155999
Log4J violations on Diego cells on phantom paths (safe): 0
Log4J violations on Diego cells in customer path (safe): 6
Log4J violations on Logstash nodes at known path (safe): 27
Log4J violations of unknown origins found (UNSAFE) : 0
Immediately assign to CloudOps and discuss with them
Run nessus_daemons
Review any findings, if they're legitimate daemon, open an issue in cg-scripts to patch parse-nessus-xml.py.
Link to the issue, or PR, in the comments below
If they're suspicious, follow our IR processes.
Run prep_nessus function
This generates MM.nessus_summary and MM.nessus_work - This month's summary is compared, using comm to last month's summary.
Review MM.nessus_summary, and Git add/commit it if it's OK.
The file MM.nessus_work looks like this:
LAST MONTH (fixed)
THIS MONTH (new)
BOTH (persisting)
147163, Risk: Medium, Plugin Name: Apache Tomcat 7.0.0 < 7.0.108 RCE, https://www.tenable.com/plugins/nessus/147163
..hostnames or number of impacted hosts
The items left-aligned are ones that we're in last months' report but are now fixed, the next indent are those that are new (present now, absent last month), and the third indent are present in both months' scans (persisting issues)
Move the fixed items to Done in the vulnerability tracker, updating the status date
Add the new items
run function (from conmon.sh) nessus_csv
paste CSV output into vulnerability tracker, then use the Data menu to convert to Split Text to Columns
fix up the entry
copy down the formula for Column M, "Scheduled Completion Date", to generate the due date based on severity
Use the prep_zap function for ZAP scan consolidation
Likewise, work through the MM.zap_work file
Mostly ignore the Low findings
Move fixed issues from Open to Closed tabs. Be sure to
Update the Status Date
Update the Supporting Documents, unless routine stemcell patch covered by the scan output
Be sure to
Review the RDS scans:
cd to the directory with the RDS compliance scans,
In order for us to update the JAB on our compliance in a consistent way, we need to deliver a Continuous Monitoring report on 2023-01-02. (our standard due date is the 2nd of the month. If these dates fall on a weekend or federal holiday, adjust to the last business day before the date.)
For context, see our Continuous Monitoring Strategy, including the monthly reporting summary explanation.
We need to process our scan results and prepare documentation for any updated or new items, including updating the vulnerability tracker and POA&M.
We always have to do these tasks:
Depending on scan results, we sometimes also have to do these tasks:
Rough notes on Peter's hacky tracking
cg-scripts
in your$PATH
nessus-file-reader
I keep everything in
~/Documents/ConMon
, soThat sets up a bunch of shell functions that we run, then copy/paste if they look correct.
setup_dirs YYYY MM DD
- Set up the correct names and places for our copies of the scanZAP and Nessus results
folders/Volumes/GoogleDrive/My Drive/18F_ISSO/FedRAMP JAB - cloud.gov - 3PAO Access/ZAP and Nessus results
thenessus_log4j
. This generates a table something like this:nessus_daemons
parse-nessus-xml.py
.prep_nessus
functionMM.nessus_summary
andMM.nessus_work
- This month's summary is compared, usingcomm
to last month's summary.MM.nessus_summary
, and Git add/commit it if it's OK.MM.nessus_work
looks like this:The items left-aligned are ones that we're in last months' report but are now fixed, the next indent are those that are new (present now, absent last month), and the third indent are present in both months' scans (persisting issues)
conmon.sh
)nessus_csv
Data
menu to convert toSplit Text to Columns
prep_zap
function for ZAP scan consolidationMM.zap_work
fileBe sure to
Review the RDS scans:
../../../parse-rds.sh
Review the Compliance scans:
Address all gravely late POA&Ms
Manage the container scans:
Review the Inventory
Acceptance criteria