cybersecdef / scans2reports
An ACAS/SCAP/CKL scan parser and report generator
License: GNU Lesser General Public License v3.0
change status "Open" to "Ongoing"
change the word "SELECT" to "IMPORT"
change "Skip Informationals" to "Skip CAT IV (Informational)"
"Prefill SCD" to "Prefill (whatever that abbreviation is written out) (SCD)"
Add "(enter 0 to disable)" on the 30 day widget
add tooltips
Filter has two entries for a given hostname if CKL and ACAS are both ingested.
Scan type CKL: Hostname = HOSTNAME
Scan type ACAS: Hostname = hostname.fqdn.mil
Recommend to grab FQDN instead of hostname from CKL file, so hostname filter returns 1 host with both scan types. Also force to lower case?
CAT I, CAT II, etc. don't sum correctly for CKL.
Change "Score" and "Credentialed" to say "N/A" if scan type is "CKL"
Ensure the gui doesn't lockup while processing parse functions and report functions
With the cursor in the "Command" field, tabbing skips the rest of the text inputs and goes to the "Selected Scan Files" table.
Once in the table, tabbing is trapped to the table columns. Since these aren't modifiable, suggest changing tab behavior to cycle through all of the major inputs/action buttons in order.
Add Extra line break after title, family and description
Add missing text (description stops after first line break)
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="128416" pluginName="McAfee DLPe Agent 11.x < 11.1.210.32 / 11.2.x / 11.3.x < 11.3.2.8 Multiple Vulnerabilities (SB10295)" pluginFamily="Windows">
<cpe>cpe:/a:mcafee:data_loss_prevention_endpoint</cpe>
<cve>CVE-2019-3633</cve>
<cve>CVE-2019-3634</cve>
<cvss3_base_score>5.5</cvss3_base_score>
<cvss3_temporal_score>4.8</cvss3_temporal_score>
<cvss3_temporal_vector>CVSS:3.0/E:U/RL:O/RC:C</cvss3_temporal_vector>
<cvss3_vector>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</cvss3_vector>
<cvss_base_score>4.9</cvss_base_score>
<cvss_score_source>CVE-2019-3633</cvss_score_source>
<cvss_temporal_score>3.6</cvss_temporal_score>
<cvss_temporal_vector>CVSS2#E:U/RL:OF/RC:C</cvss_temporal_vector>
<cvss_vector>CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C</cvss_vector>
<description>The version of the McAfee Data Loss Prevention Endpoint (DLPe) Agent installed on the remote Windows host is 11.x prior to 11.1.210.32, 11.2.x, or 11.3.x prior to 11.3.2.8. It is, therefore, affected by multiple vulnerabilities:

Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via a carefully constructed message sent to DLPe which bypasses DLPe internal checks and results in DLPe reading unallocated memory. (CVE-2019-3633)

Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via an encrypted message sent to DLPe which when decrypted results in DLPe reading unallocated memory. (CVE-2019-3634)</description>
<exploitability_ease>No known exploits are available</exploitability_ease>
<fname>mcafee_dlpe_SB10295.nasl</fname>
<iava>2019-A-0308</iava>
<mcafee-sb>SB10295</mcafee-sb>
<patch_publication_date>2019/08/21</patch_publication_date>
<plugin_modification_date>2019/10/17</plugin_modification_date>
<plugin_name>McAfee DLPe Agent 11.x < 11.1.210.32 / 11.2.x / 11.3.x < 11.3.2.8 Multiple Vulnerabilities (SB10295)</plugin_name>
<plugin_publication_date>2019/08/30</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>Medium</risk_factor>
<script_version>1.3</script_version>
<see_also>https://kc.mcafee.com/corporate/index?page=content&id=SB10295</see_also>
<solution>Upgrade to McAfee DLPe 11.1.210.32 or 11.3.2.8 or later.</solution>
<stig_severity>I</stig_severity>
<synopsis>The remote host is affected by multiple vulnerabilities.</synopsis>
<vuln_publication_date>2019/08/21</vuln_publication_date>
<xref>MCAFEE-SB:SB10295</xref>
<xref>IAVA:2019-A-0308</xref>
<plugin_output>
Path : C:\Program Files\McAfee\DLP\Agent
Installed version : 11.3.0.17
Fixed version : 11.3.2.8
</plugin_output>
</ReportItem>
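As an added example (not code from the scans2reports project), here is a parser for a ReportItem like the one above that keeps the multi-paragraph description intact and lower-cases the host key, which is what the missing-text and duplicate-hostname-filter items above ask for. The sample document is constructed: the ReportItem is the one quoted above, trimmed to the fields read here, with the < in pluginName escaped as &lt; so the XML is well-formed; the host-fqdn, hostname and Credentialed_Scan tags are assumed values written in the HostProperties form a .nessus file uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ReportItem quoted above, trimmed to the fields the
# parser reads and wrapped in a minimal ReportHost (assumed HostProperties
# values). The description keeps the blank lines a real .nessus file carries
# between paragraphs, which is the text the POAM was losing after the first
# line break.
SAMPLE_NESSUS = r"""<NessusClientData_v2>
<Report name="constructed">
<ReportHost name="WKS01.Example.MIL">
<HostProperties>
<tag name="host-fqdn">WKS01.Example.MIL</tag>
<tag name="hostname">WKS01</tag>
<tag name="Credentialed_Scan">false</tag>
</HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="128416" pluginName="McAfee DLPe Agent 11.x &lt; 11.1.210.32 / 11.2.x / 11.3.x &lt; 11.3.2.8 Multiple Vulnerabilities (SB10295)" pluginFamily="Windows">
<cve>CVE-2019-3633</cve>
<cve>CVE-2019-3634</cve>
<description>The version of the McAfee Data Loss Prevention Endpoint (DLPe) Agent installed on the remote Windows host is 11.x prior to 11.1.210.32, 11.2.x, or 11.3.x prior to 11.3.2.8. It is, therefore, affected by multiple vulnerabilities:

Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via a carefully constructed message sent to DLPe which bypasses DLPe internal checks and results in DLPe reading unallocated memory. (CVE-2019-3633)

Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via an encrypted message sent to DLPe which when decrypted results in DLPe reading unallocated memory. (CVE-2019-3634)</description>
<risk_factor>Medium</risk_factor>
<solution>Upgrade to McAfee DLPe 11.1.210.32 or 11.3.2.8 or later.</solution>
<stig_severity>I</stig_severity>
<plugin_output>
Path : C:\Program Files\McAfee\DLP\Agent
Installed version : 11.3.0.17
Fixed version : 11.3.2.8
</plugin_output>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def _text(element, tag: str) -> str:
    """Text of a child element, or '' when the plugin did not emit it."""
    child = element.find(tag)
    return (child.text or "") if child is not None else ""


def parse_report_item(item) -> dict:
    """One finding. ElementTree returns the whole text node, blank lines
    included, so only the outer whitespace is stripped and the paragraph
    breaks inside the description survive into the report."""
    description = _text(item, "description").strip()
    return {
        "plugin_id": item.get("pluginID"),
        "plugin_name": item.get("pluginName"),
        "severity": int(item.get("severity", "0")),
        "cves": [c.text for c in item.findall("cve")],
        "description": description,
        "paragraphs": [p.strip() for p in description.split("\n\n") if p.strip()],
        "risk_factor": _text(item, "risk_factor").strip(),
        "stig_severity": _text(item, "stig_severity").strip(),
        "solution": _text(item, "solution").strip(),
        "plugin_output": _text(item, "plugin_output").strip(),
    }


def parse_report_hosts(nessus_xml: str) -> list:
    """One record per ReportHost. The host key is the lower-cased FQDN so an
    ACAS row and a CKL row for the same machine share one filter entry."""
    root = ET.fromstring(nessus_xml)
    hosts = []
    for rh in root.iter("ReportHost"):
        props = rh.find("HostProperties")
        tags = {} if props is None else {t.get("name"): (t.text or "") for t in props.findall("tag")}
        fqdn = (tags.get("host-fqdn") or rh.get("name") or "").strip().lower()
        hostname = (tags.get("hostname") or fqdn.split(".")[0]).strip().lower()
        hosts.append({
            "fqdn": fqdn,
            "hostname": hostname,
            # Read the flag as a real boolean instead of treating any value as true.
            "credentialed": tags.get("Credentialed_Scan", "").strip().lower() == "true",
            "findings": [parse_report_item(ri) for ri in rh.findall("ReportItem")],
        })
    return hosts


if __name__ == "__main__":
    for host in parse_report_hosts(SAMPLE_NESSUS):
        print(host["fqdn"], "credentialed:", host["credentialed"])
        for finding in host["findings"]:
            print(" ", finding["plugin_id"], finding["plugin_name"])
            print(" ", "\n\n  ".join(finding["paragraphs"]))
```

The paragraphs list is what a report writer should join with a blank line when filling the POAM cell; writing only description.split("\n")[0] is the shortcut that drops everything after the first break.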
After parsing the scans for a large data set, the application crashed while populating the scan summary table.
Issue is on line 93 of the ui_addons.py file.
KeyError: 'filename'
Recommend adding a catch to ensure the for loop only executes when the data is confirmed valid.
table doesn't extend to Resources (blank) and comments fields, so there is no drop down auto filter
The fix Id column is blank when parsing only CKLs
Optimize the RAR/POAM/RAW reports to make them more efficient for large loads.
if you haven't yet, write yourself a verbose python logger.dictConfig
https://stackoverflow.com/questions/7507825/where-is-a-complete-example-of-logging-config-dictconfig
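An added example of the verbose dictConfig suggested above (not the project's own code): console output at INFO, or DEBUG when a verbose flag is set, plus a rotating log file that always carries full detail. The "scans2reports" logger name, the log path default and the rotation sizes are assumptions chosen for the example.

```python
import logging
import logging.config
import tempfile
from pathlib import Path

# Assumed logger name for the example; the project's modules would use
# logging.getLogger("scans2reports.<module>") so they inherit this config.
LOGGER_NAME = "scans2reports"


def logging_config(log_file, verbose: bool = False) -> dict:
    """dictConfig schema: terse console lines, full detail (pid, thread,
    function and line) to a rotating file so a crash on a large load leaves
    evidence even when the GUI hides the console."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
            "console": {
                "format": "%(asctime)s %(levelname)-8s %(name)s: %(message)s",
                "datefmt": "%H:%M:%S",
            },
            "file": {
                "format": ("%(asctime)s %(levelname)-8s pid=%(process)d %(threadName)s "
                           "%(name)s %(funcName)s:%(lineno)d %(message)s"),
            },
        },
        "handlers": {
            "console": {
                "class": "logging.StreamHandler",
                "level": "DEBUG" if verbose else "INFO",
                "formatter": "console",
                "stream": "ext://sys.stderr",
            },
            "file": {
                "class": "logging.handlers.RotatingFileHandler",
                "level": "DEBUG",
                "formatter": "file",
                "filename": str(log_file),
                "maxBytes": 5 * 1024 * 1024,   # assumed rotation size
                "backupCount": 3,
                "encoding": "utf-8",
            },
        },
        "loggers": {
            LOGGER_NAME: {"level": "DEBUG", "handlers": ["console", "file"], "propagate": False},
        },
        "root": {"level": "WARNING", "handlers": ["console"]},
    }


def configure_logging(log_file=None, verbose: bool = False) -> logging.Logger:
    """Apply the config and return the application logger. The default log
    path (system temp dir) is an assumption for the example."""
    if log_file is None:
        log_file = Path(tempfile.gettempdir()) / "scans2reports.log"
    logging.config.dictConfig(logging_config(log_file, verbose))
    return logging.getLogger(LOGGER_NAME)


def handler_classes(logger: logging.Logger) -> set:
    """Names of the handler classes attached to a logger (for checking setup)."""
    return {h.__class__.__name__ for h in logger.handlers}


if __name__ == "__main__":
    log = configure_logging(verbose=True)
    log.info("parsing started")
    log.debug("detail only reaches the console with --verbose; always reaches the file")
```

Because propagate is False on the application logger, the console line for each event appears once rather than twice (once from the app logger and once from root).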
add detailed ACAS version data to "Source Identifying Vulnerability"
Assured Compliance Assessment Solution (ACAS) Nessus Scanner :: 7.2.2.201910032130
Add a column that will show the number of requirements per CKL that have blank entries for the Finding Details and Comments fields.
The tweaks to improve the gui functionality have removed the logging capability from the console mode of operation.
Top - justify text on POAM tab.
All tables should be sortable by column
Change "raw severity value" to "raw severity"
scans2reports on disconnected system it failed because it can't reach cyber.trackr (check STIG Tab)
Scans must be run within 5 days of the plugin feed date. The plugin feed and scan dates are already on the "Automated Scan Info" tab, please add another column which calculates the number of days between the two. Could be combined with conditional formatting to highlight problematic scans.
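An added example (not the project's own code) of the requested "days between" column: it reads the plugin feed id (the YYYYMMDDHHMM value that appears as 201910032130 in the scanner version string above) and each host's HOST_START, and flags scans older than the 5-day rule. The .nessus sample is constructed; the plugin_set server preference and the HOST_START tag are the places a .nessus file carries those two values, and the date formats used are assumptions based on that layout.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

MAX_FEED_AGE_DAYS = 5   # scans must run within 5 days of the plugin feed date

# Constructed sample: two hosts scanned against the same feed build.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Policy><Preferences><ServerPreferences>
<preference><name>plugin_set</name><value>201910032130</value></preference>
</ServerPreferences></Preferences></Policy>
<Report name="constructed">
<ReportHost name="WKS01.example.mil"><HostProperties>
<tag name="HOST_START">Sat Oct  5 10:15:43 2019</tag>
</HostProperties></ReportHost>
<ReportHost name="srv02.example.mil"><HostProperties>
<tag name="HOST_START">Sat Oct 12 09:00:00 2019</tag>
</HostProperties></ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_plugin_set(plugin_set: str) -> datetime:
    """The feed id is YYYYMMDDHHMM (the 201910032130 in the scanner string)."""
    return datetime.strptime(plugin_set.strip(), "%Y%m%d%H%M")


def parse_host_start(host_start: str) -> datetime:
    """HOST_START looks like 'Sat Oct  5 10:15:43 2019' (day padded with a space);
    strptime treats whitespace in the format as one-or-more, so the padding is fine."""
    return datetime.strptime(host_start.strip(), "%a %b %d %H:%M:%S %Y")


def feed_age_days(plugin_set: str, host_start: str) -> int:
    """Whole days from the feed build to the start of the host scan."""
    return (parse_host_start(host_start) - parse_plugin_set(plugin_set)).days


def feed_age_rows(nessus_xml: str) -> list:
    """One row per host for the Automated Scan Info tab, with the computed age
    and a 'stale' flag that conditional formatting can key on."""
    root = ET.fromstring(nessus_xml)
    plugin_set = None
    for pref in root.iter("preference"):
        if pref.findtext("name") == "plugin_set":
            plugin_set = pref.findtext("value")
    if plugin_set is None:
        raise ValueError("no plugin_set preference: cannot judge feed freshness")
    rows = []
    for rh in root.iter("ReportHost"):
        start = rh.findtext("HostProperties/tag[@name='HOST_START']")
        age = feed_age_days(plugin_set, start)
        rows.append({
            "host": rh.get("name", "").strip().lower(),
            "plugin_set": plugin_set,
            "host_start": start.strip(),
            "feed_age_days": age,
            "stale": age > MAX_FEED_AGE_DAYS,
        })
    return rows


if __name__ == "__main__":
    for row in feed_age_rows(SAMPLE_NESSUS):
        print(row)
```

A negative age (scan start earlier than the feed build) would point at a clock problem on the scanner and is worth highlighting as well, since .days floors it rather than raising.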
Create a GUI based auxiliary option that will take a single nessus scan and split it into multiple per host scans named: hostname_scandate_scantime.nessus
Create a GUI based auxiliary option that will take a multiple nessus scans and merge them into a single that only takes the most recent scan results per host. (Deduplication)
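An added example covering both auxiliary options above (split one scan into hostname_scandate_scantime.nessus files, and merge several scans keeping only the most recent result per host); it is not the project's code and has no GUI, only the two operations. Scans are constructed by a small helper; the host key is the lower-cased host-fqdn tag with the ReportHost name as fallback, and the HOST_START date format is an assumption based on the .nessus layout.

```python
import copy
from datetime import datetime
import xml.etree.ElementTree as ET

HOST_START_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. 'Sat Oct  5 10:15:43 2019'


def host_key(rh) -> str:
    """Lower-cased FQDN (falls back to the ReportHost name) so the same
    machine matches whatever case the scanner recorded it in."""
    fqdn = rh.findtext("HostProperties/tag[@name='host-fqdn']") or rh.get("name", "")
    return fqdn.strip().lower()


def host_started(rh) -> datetime:
    start = rh.findtext("HostProperties/tag[@name='HOST_START']")
    return datetime.strptime(start.strip(), HOST_START_FMT)


def per_host_filename(rh) -> str:
    """hostname_scandate_scantime.nessus, as proposed above."""
    started = host_started(rh)
    return f"{host_key(rh)}_{started:%Y%m%d}_{started:%H%M%S}.nessus"


def split_per_host(nessus_xml: str) -> dict:
    """Map filename -> a .nessus document holding the policy and just one host."""
    root = ET.fromstring(nessus_xml)
    report = root.find("Report")
    out = {}
    for rh in report.findall("ReportHost"):
        single = ET.Element(root.tag)
        policy = root.find("Policy")
        if policy is not None:
            single.append(copy.deepcopy(policy))   # keep scan settings with each host
        ET.SubElement(single, "Report", name=report.get("name", "split")).append(copy.deepcopy(rh))
        out[per_host_filename(rh)] = ET.tostring(single, encoding="unicode")
    return out


def merge_latest(nessus_docs) -> str:
    """Keep only the most recent ReportHost per host across all input scans."""
    latest = {}   # host key -> (HOST_START, ReportHost element)
    for doc in nessus_docs:
        for rh in ET.fromstring(doc).iter("ReportHost"):
            key, started = host_key(rh), host_started(rh)
            if key not in latest or started > latest[key][0]:
                latest[key] = (started, rh)
    merged = ET.Element("NessusClientData_v2")
    report = ET.SubElement(merged, "Report", name="merged")
    for key in sorted(latest):
        report.append(copy.deepcopy(latest[key][1]))
    return ET.tostring(merged, encoding="unicode")


def summarize(nessus_xml: str) -> list:
    """[(host key, [pluginIDs])] per ReportHost; handy for checking a merge."""
    return [(host_key(rh), [ri.get("pluginID") for ri in rh.findall("ReportItem")])
            for rh in ET.fromstring(nessus_xml).iter("ReportHost")]


def sample_scan(hosts) -> str:
    """Constructed minimal .nessus text; hosts = [(name, HOST_START, pluginID)]."""
    body = "".join(
        f'<ReportHost name="{name}"><HostProperties>'
        f'<tag name="host-fqdn">{name}</tag><tag name="HOST_START">{start}</tag>'
        f'</HostProperties><ReportItem port="0" svc_name="general" protocol="tcp" '
        f'severity="0" pluginID="{plugin}" pluginName="constructed" pluginFamily="General"/>'
        f"</ReportHost>" for name, start, plugin in hosts)
    return f'<NessusClientData_v2><Policy/><Report name="constructed">{body}</Report></NessusClientData_v2>'


# Two constructed scans a week apart; wks01 appears in both with different case.
SCAN_OCT05 = sample_scan([("WKS01.Example.MIL", "Sat Oct  5 10:15:43 2019", "11111"),
                          ("srv02.example.mil", "Sat Oct  5 11:02:00 2019", "22222")])
SCAN_OCT12 = sample_scan([("wks01.example.mil", "Sat Oct 12 09:00:00 2019", "33333")])


if __name__ == "__main__":
    print(summarize(merge_latest([SCAN_OCT05, SCAN_OCT12])))
    print(sorted(split_per_host(SCAN_OCT05)))
```

Choosing the newest host by HOST_START rather than by file modification time matters for traceability: the scan date in the XML is what the POAM and the duplicate-scan tab will report, so the merge should agree with it.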
The scan policy name is included in the Automated Scan Info tab but doesn't enumerate the port range that was configured in the scan policy. Useful for validation.
<plugin_modification_date>2019/12/03</plugin_modification_date>
<plugin_publication_date>2019/10/18</plugin_publication_date>
Maybe the option in report generation to exclude Plugins Published X Days ago and Plugins Modified X Days ago.
Plugins observed within 30 days of their published/modified (not sure which) date don't need to be included on the POAM.
report.py#lines~269-295 could be merged somewhat?
Like, when I see 3x loops in a row with a similar signature (i.e. for scan_file in filter(lambda x: x['type'] == 'ACAS', self.scan_results):), my gut tells me those might should be combined.
create a tab that shows where scans are duplicated or overlapping for hosts.
Each relevant scan should only be executed once on each host. If a host shows up more than once in an ACAS scan or in a specific platform for CKL/SCAP, there might be a scan traceability issue.
The button to select the scan files says "Select Scan Fiiles"
All parsed hostnames and fqdns should be lowercased.
The application appears to crash when a path (surrounded with quotes) is used that contains spaces.
.\scans2reports.exe --input-folder "C:/path to scan files/" --scd --lower-risk
ends with
OSError: [WinError 123] The filename, directory name, or volume label syntax is incorrect: 'C:\Users\595415\Documents\Work\testing data\all test files" --scd --lower-risk'
[16460] Failed to execute script scans2reports
Traceback has errors on scans2reports.py lines 499 and 329
Make all cells vertically aligned to the top instead of the bottom for POAM and RAR
Don't output CAT IV's.
The description field is just not showing up in the POAM.....completely unrelated to any merge or split process
The applet tends to crash when it is parsing and reporting on thousands of files.
extract Test Results history from eMASS Export XML files
TRextract.v8.txt
Change Severity to "Raw Severity" on report
Change values to just say the number, not CAT I
All technical findings should be "relevance of threat" = high
Add an option to ignore CAT IV and Information findings for large loads.
add new feature in between "parse" and "generate report" to "Import Mitigation Statements from Previous POAM". Select existing POAM, find matching V-IDs and copy mitigation statements into new POAM report.
Add option to allow merge to group nessus files by file size:
1mb
5mb
15mb
25mb
50mb
worksheet.set_column('A:A', 50)
worksheet.set_column('B:B', 25)
worksheet.set_column('C:C', 25)
worksheet.set_column('D:D', 50)
worksheet.set_column('E:E', 15)
...
to
for col, width in {'A': 50, 'B': 25, ...}.items():
    worksheet.set_column(f'{col}:{col}', width)
Credentialed Checks seems to always return true, even when the scan was not credentialed and the scan user is NONE.
int(str(scap['version']))
type(scap['version'])
etc.
minimize these as much as possible.
Create a way to deduplicate the 'hosts' parsed on the OS tab. Similar to the hardware list tab.
Create a robust logging platform for script execution.
Create a way to automatically create 10,000+ scans to run through for testing purposes.
When publicationDate doesn't exist the poam report crashes