Vulnerator
Parsing ACAS SCAP Scans Generated as *.nessus Files
Prerequisites
Before submitting a new issue, please ensure you have completed the following (replace the space in the box with an "x" to denote that it has been completed)
- [x] I have ensured that I am running the latest release
- [x] The issue is repeatable
- [x] The issue has not already been reported
Category
Please select a category for the item being created
- [ ] Bug
- [ ] Enhancement
- [x] Assistance Request
Description
Please provide a brief synopsis of the feature request or issue; if the item being created is due to a bug, please complete the "Expected Outcome", "Actual Outcome", and "Reproduction Steps" sections as well, otherwise, check the boxes to show that it doesn't apply
Synopsis
When importing a .nessus file into Vulnerator, only one plugin (Plugin ID: 66756) is populated 263 times in the Excel document. If I open the .nessus file using a text editor, it contains all the STIG output, so I'm not sure what's happening. The machine I'm running Vulnerator on is not hardened and I'm using admin rights.
Expected Outcome
- [ ] N/A (Non-Bug Issue)
The "ACAS Output and Review" tab should have all STIG findings.
Actual Outcome
- [ ] N/A (Non-Bug Issue)
Only one finding was found in the ACAS output tab (plugin id: 66756)
Reproduction Steps
- [ ] N/A (Non-Bug Issue)
Run SCAP scan with ACAS on target system, download scap zip, extract .nessus file, import .nessus file into Vulnerator, execute.
Attachments
Please provide any relevant attachments, as you see fit (e.g. screenshots); if supplying vulnerability data (e.g. CKL/Nessus files or reports), please ensure that they are sanitized of IP addresses and host names and email them to [email protected] - DO NOT POST VULNERABILITY FILES HERE
- [x] Vulnerator Log (Required for bugs):

2017-08-07 15:24:06,234 INFO 0 Initializing application.
2017-08-07 15:24:06,254 INFO 0 Initializing DIACAP to RMF conversion dictionaries.
2017-08-07 15:24:06,256 INFO 0 DIACAP to RMF conversion dictionaries initialize successfully.
2017-08-07 15:24:06,261 INFO 0 Verifying XML configuration file is current.
2017-08-07 15:24:06,263 INFO 0 XML configuration file created successfully.
2017-08-07 15:24:06,264 INFO 0 Creating settings dictionary.
2017-08-07 15:25:52,939 INFO 0 Refreshing findings database.
2017-08-07 15:25:53,114 INFO 0 Findings database refeshed successfully.
2017-08-07 15:25:53,114 INFO 0 Begin processing of R_7_SCAP_C
2017-08-07 15:25:53,217 INFO 0 R_7_SCAP_C successfully processed; Elapsed time: 00:00:00.1030655
2017-08-07 15:25:55,977 INFO 0 Begin creation of C:\Users\XXXX\vuln.xlsx
2017-08-07 15:25:55,978 INFO 0 Creating workbook framework.
2017-08-07 15:25:56,066 INFO 0 Creating ACAS Output tab.
2017-08-07 15:25:56,093 INFO 0 Creating STIG Details tab.
2017-08-07 15:25:56,097 INFO 0 Finalizing workbook.
2017-08-07 15:25:56,124 INFO 0 C:\Users\XXXX\vuln.xlsx created successfully; Elapsed time: 00:00:00.1463428
2017-08-07 15:25:56,143 INFO 0 Processing complete; Excel report created successfully; PDF report not required; Elapsed time: 00:00:06.5067829
@akajeremy I haven't properly written the application to import *.nessus scan files for compliance checks - try exporting the compliance output as a SCAP output, then ingest that into the application.
I will leave this open for now, as it may be something I consider incorporating into a later release. However, I am also considering dropping ACAS SCAP support, as the output is not very verbose. I wish there was a way to poll the user base effectively to see how many people are running their SCAP scans this way...
@Vulnerator/user-reps any thoughts on the above?
I know that at NSWC DD (Dahlgren) we basically never use ACAS for SCAP. We only use SCC for SCAP. That’s almost by direction from command (they won’t officially say that but they also won’t accept a package for review without SCC generated SCAP files).
-----Original Message----- From: Alex Kuchta [mailto:[email protected]] Sent: Wednesday, August 09, 2017 9:41 AM To: Vulnerator/Vulnerator Cc: Subscribed Subject: [Non-DoD Source] Re: [Vulnerator/Vulnerator] .nessus file output (#124)
@akajeremy https://github.com/akajeremy I haven't properly written the application to import *.nessus scan files for compliance checks - try exporting the compliance output as a SCAP output, then ingest that into the application.
I will leave this open for now, as it may be something I consider incorporating into a later release. However, I am also considering dropping ACAS SCAP support, as the output is not very verbose. I wish there was a way to poll the user base effectively to see how many people are running their SCAP scans this way...
@Vulnerator/user-reps https://github.com/orgs/Vulnerator/teams/user-reps any thoughts on the above?
@CyberSecDef
We only use SCC for SCAP. That’s almost by direction from command
Same here. Nobody wants to see SCAP results from ACAS or HBSS... only from SCC.
@amkuchta
haven't properly written the application to import *.nessus scan files for compliance checks
Huh? I've been importing *.nessus files for a while. Is there something I'm losing or isn't correct?
Thanks for everyone's input! Yeah, this ACAS SCAP business is new to me too, but they've just started requesting it in addition to the SCC results.. so now I'm in an interesting predicament.
@amkuchta I'll try your suggestion! Thank you for taking the time to respond.
I have heard the Navy SCA will not accept SCAP scan results from ACAS for RMF testing. Also some of the SCAP benchmarks on the IASE site state they are only supported with SCC, e.g. MS Office products.
The Navy Testing Guidance says, "The NQV must import XCCDF results of an SCC scan into the STIG Viewer for integration with the complete STIG." So I don't think there's a lot of value in importing any SCAP STIG results directly into Vulnerator.
Bruce
-----Original Message----- From: Robert Weber [mailto:[email protected]] Sent: Wednesday, August 09, 2017 4:02 AM To: Vulnerator/Vulnerator Cc: Jones, Bruce R CTR NCTAMS PAC, N00SM33; Team mention Subject: [Non-DoD Source] Re: [Vulnerator/Vulnerator] Parsing ACAS SCAP Scans Generated as *.nessus Files (#124)
I know that at NSWC DD (Dahlgren) we basically never use ACAS for SCAP. We only use SCC for SCAP. That’s almost by direction from command (they won’t officially say that but they also won’t accept a package for review without SCC generated SCAP files).
I think the applicable word in Alex's comment was 'compliance'....as in XCCDF/SCAP compliance.
-----Original Message----- From: Jeff Vanerwegen [mailto:[email protected]] Sent: Wednesday, August 09, 2017 11:24 AM To: Vulnerator/Vulnerator Cc: Weber, Robert Jr CTR NSWCDD, B0I; Mention Subject: [Non-DoD Source] Re: [Vulnerator/Vulnerator] Parsing ACAS SCAP Scans Generated as *.nessus Files (#124)
@amkuchta https://github.com/amkuchta
haven't properly written the application to import *.nessus scan files for compliance checks
Huh? I've been importing *.nessus files for a while. Is there something I'm losing or isn't correct?
@brjones3 The upside to ingesting the SCAP files into Vulnerator directly is that Vulnerator allows you to do a discrepancies comparison between what SCC says ("Ongoing", "Completed") vs. what the SA / person completing the manual STIG says ("Ongoing", "Completed"). DISA STIG Viewer simply overwrites whatever the analyst put in the manual check, which doesn't give a lot of insight into mitigations, etc.
@vanerj1996 I completely looked over your comment - sorry! As @CyberSecDef stated, the operative word is "compliance"; while *.nessus files parse fine, if the *.nessus is an export of ran SCAP content, it is going to parse like a *.nessus, not a SCAP file, which means that data is not going to be where users may expect it to be.
@amkuchta Now I'm confused! haha. Vulnerator does work with .nessus files? Because when I try to vulnerate my .nessus file of an ACAS-SCAP scan, it only gives me one finding repeated ~260 times. Does this make sense? The screenshot I added above should provide some clarity as to what the vulnerated .nessus file looks like. I'm guessing the client wants this type of scan done in order to cross-check our work?.. Even though we can just alter the vulnerated output .. Thanks for your time
@akajeremy *.nessus files can be generated for two types of scans within ACAS:
- Vulnerability Scans: These are the scans that contain non-compliance plugins and provide feedback as to a system's patch currency (e.g. if there are any outstanding IAVMs, missing OS or application level patches, etc.)
- Compliance Scans: These scans enumerate the results of a scan conducted using a XCCDF file input. In addition to being exported as a *.nessus file, these results can also be exported to a SCAP file.
Vulnerator natively supports parsing of *.nessus outputs for both types of scans, as the file structure is the same, but only the first one will provide any meaningful data (affected plugin ID, plugin title, output, etc.). The second type of *.nessus file can be imported, but because of how compliance scans are run and reported in ACAS, the output is basically useless. For an XCCDF scan (the second type), it is more beneficial to export the results to a SCAP-based output than a *.nessus file.
I hope this helps clarify any confusion!
There is a 3rd way to run STIG scans with ACAS though...and that is using the Nessus Audit files. We have been doing that here and started to test Vulnerator for PO&AM generation but importing the .nessus files with Audit-based compliance checks does not produce any compliance results in the output. Any idea why that may be?
I don't agree with "Nobody wants to see SCAP results from ACAS or HBSS... only from SCC." I think the "only from SCC" general statement is because Vulnerator is unable to parse Compliance from Nessus (ACAS) ".nessus" output.
I can't code this but, from my limited (under educated) understanding of .nessus output, xml and parsing. A modification to AcasNessusReader.cs could be... If pluginFamily="Policy Compliance" in the .nessus file Then the VulnTitle is "cm:compliance-check-name" and the description may be better served by "cm:compliance-info"
It is exasperating to use a Second tool when you know the First tool contains the information you need.
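To illustrate the two *.nessus scan types described earlier in the thread and the `pluginFamily="Policy Compliance"` suggestion in the comment above, here is an added Python example; it is not Vulnerator code and not part of any comment. The sample XML is constructed, and the `cm` namespace URI, the `cm:compliance-result` and `plugin_output` element names, and the function names `parse_findings` and `rows_per` are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

CM = "{http://www.nessus.org/cm}"  # assumption: namespace URI bound to the cm: prefix

# Constructed sample (not from a real scan): one vulnerability item and two
# compliance items that share plugin ID 66756, as in the report above.
SAMPLE = """<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Report name="constructed"><ReportHost name="host-a">
<ReportItem pluginID="10001" pluginName="Constructed missing patch" pluginFamily="Windows">
<plugin_output>constructed output</plugin_output></ReportItem>
<ReportItem pluginID="66756" pluginName="Constructed compliance plugin" pluginFamily="Policy Compliance">
<cm:compliance-check-name>Constructed rule A</cm:compliance-check-name>
<cm:compliance-result>FAILED</cm:compliance-result>
<cm:compliance-info>Constructed description A</cm:compliance-info></ReportItem>
<ReportItem pluginID="66756" pluginName="Constructed compliance plugin" pluginFamily="Policy Compliance">
<cm:compliance-check-name>Constructed rule B</cm:compliance-check-name>
<cm:compliance-result>PASSED</cm:compliance-result>
<cm:compliance-info>Constructed description B</cm:compliance-info></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def parse_findings(xml_text):
    """Return one dict per ReportItem, titling compliance items by check name."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            compliance = item.get("pluginFamily") == "Policy Compliance"
            check = item.findtext(CM + "compliance-check-name")
            findings.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                # Fall back to the plugin name if a compliance item lacks a check name.
                "title": check if compliance and check else item.get("pluginName"),
                "status": item.findtext(CM + "compliance-result") if compliance else None,
                "description": item.findtext(
                    CM + "compliance-info" if compliance else "plugin_output"),
            })
    return findings


def rows_per(findings, key):
    """Count report rows per value of `key` (e.g. 'plugin_id' or 'title')."""
    return Counter(f[key] for f in findings)


if __name__ == "__main__":
    rows = parse_findings(SAMPLE)
    print(rows_per(rows, "plugin_id"))  # compliance rows collapse onto one ID
    print(rows_per(rows, "title"))      # check names keep them distinct
```

Counting rows by `plugin_id` shows every compliance check landing on the same ID, while counting by `title` keeps one row per check.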
We have been told by SCA representatives that they will accept SCAP from ACAS now. One issue we are running into is pulling the html summary report that you can get with the SCC tool. We would still import the SCAP results into a checklist before importing the results into Vulnerator, but it would be nice if you could import SCAP directly to Vulnerator if you needed to generate a quick report of the automated results.
You should be able to import the SCAP XCCDF files. There is an option for that.
V/R, John F Myers, CISSP, CCFE, C|EH, MCITP Phone: 214-918-9238 E-mail: [email protected]
On Tue, Apr 30, 2019 at 1:48 PM DaBrownClown [email protected] wrote:
We have been told by SCA representatives that they will accept SCAP from ACAS now. One issue we are running into is pulling the html summary report that you can get with the SCC tool. We would still import the SCAP results into a checklist before importing the results into Vulnerator, but it would be nice if you could import SCAP directly to Vulnerator if you needed to generate a quick report of the automated results.
I can’t speak to Vulnerator’s internal processing specifically, but I do know the ACAS version of the XCCDF file is formatted in a completely different way than the SCAP scanner….so there might be some issues importing the ACAS SCAP results.
From: John Myers [email protected] Sent: Tuesday, April 30, 2019 8:23 PM To: Vulnerator/Vulnerator [email protected] Cc: Weber, Robert F Jr CIV NSWCDD, B0I [email protected]; Mention [email protected] Subject: [Non-DoD Source] Re: [Vulnerator/Vulnerator] Parsing ACAS SCAP Scans Generated as *.nessus Files (#124)
You should be able to import the SCAP XCCDF files. There is an option for that.
V/R, John F Myers, CISSP, CCFE, C|EH, MCITP Phone: 214-918-9238 E-mail: [email protected]
@amkuchta Version 6.1.9 export of ACAS XCCDF's are failing. Error log here:

2019-10-03 09:48:02,356 INFO 0 Begin processing of 6-2_windows-0-xccdf-res
2019-10-03 09:48:02,861 ERROR 0 Unable to parse ACAS XCCDF.
2019-10-03 09:48:02,933 ERROR 0 Unable to parse XCCDF using XML reader.
2019-10-03 09:48:02,946 ERROR 0 Unable to process XCCDF file.
2019-10-03 09:48:02,957 ERROR 0 6-2_windows-0-xccdf-res processing failed; Elapsed time: 00:00:00.6006907
I've been digging for a solution/change within ACAS that could allow us to properly export (even using maybe the OVAL or .nessus) unsuccessfully. Am I missing a potential update post of something similar?
@Zeluha please take a look at #172 - I think that the comment that I just posted should answer your question!