heimdall_tools 1.3.25 → 1.3.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4df7bca9817498eb093beeb713b5d421e5b9be3f2bbc3660acfedf8cf2ebc1c
-  data.tar.gz: 6425078310c5715719e97aa14986d68f660193ecb9b4a62e06cedd8883b72ee6
+  metadata.gz: 9f56dbda2e34eb3d1f7377fe8cd0c496fc954c16396462f968cbf701fef4b11c
+  data.tar.gz: 0ea42e897e8917ac936ff1fc1772913bf5f1784e61525957dfda400345e527c3
 SHA512:
-  metadata.gz: 58f8e947227ffe8f7140e4c02c35a451c92009c83bd1df4a2cdde6f08ec8ae746515301ffa3eb625bffbf460fa814f1d6517360e7a77dea12a30abf81a560cee
-  data.tar.gz: fb20d39c219c61bc045c5480eb6dab99a53609a993757f3c78f57993559fdc1d2642bd1166ce1df397664c1d97dfb2b342b3617767c1b9a26fbfa7acbc5b40fd
+  metadata.gz: 52ee2ddabcc9e2856e1170970267f07ca74c8eb99ab1ea5d2a6533eb7cb13cd7fc0ad32ae0e0d3dee1fd95bc95f08801cc68afa5541c60958977606cf7d36d30
+  data.tar.gz: e7b5ed794eb99fb31c07615c5aca117538cc636fa221d540fc21a509f59f669d98a819a762815fd26c574d3236d9dafe3e8eaaa9b6c48eeccde4622a058c02a4

data/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 ## [Unreleased](https://github.com/mitre/heimdall_tools/tree/HEAD)
 
-[Full Changelog](https://github.com/mitre/heimdall_tools/compare/v1.3.24...HEAD)
+[Full Changelog](https://github.com/mitre/heimdall_tools/compare/v1.3.25...HEAD)
+
+**Implemented enhancements:**
+
+- Converter: Nessus Transform for Audit results and vulnerability scan results  [\#29](https://github.com/mitre/heimdall_tools/issues/29)
+
+**Merged pull requests:**
+
+- Nessus Mapper  [\#45](https://github.com/mitre/heimdall_tools/pull/45) ([rx294](https://github.com/rx294))
+
+## [v1.3.25](https://github.com/mitre/heimdall_tools/tree/v1.3.25) (2020-04-16)
+
+[Full Changelog](https://github.com/mitre/heimdall_tools/compare/v1.3.24...v1.3.25)
 
 **Closed issues:**
 

data/README.md

@@ -113,13 +113,32 @@ burpsuite_mapper translates an BurpSuite Pro exported XML results file into HDF
 USAGE: heimdall_tools burpsuite_mapper [OPTIONS] -x <burpsuite-xml> -o <scan-results.json>
 
 FLAGS:
-    -x --json <zap-json>             : path to BurpSuitePro exported XML results file.
+    -x <burpsuite_xml>               : path to BurpSuitePro exported XML results file.
     -o --output <scan-results>       : path to output scan-results json.
     -V --verbose                     : verbose run [optional].
 
 example: heimdall_tools burpsuite_mapper -x burpsuite_results.xml -o scan_results.json
 ```
 
+## nessus_mapper
+
+nessus_mapper translates an Nessus exported XML results file into HDF format json to be viewable in Heimdall
+
+The current iteration maps all plugin families except 'Policy Compliance'
+
+A separate HDF JSON is generated for each host reported in the Nessus Report.
+
+```
+USAGE: heimdall_tools nessus_mapper [OPTIONS] -x <nessus-results-xml> -o <hdf-file-prefix>
+
+FLAGS:
+    -x <nessus-results-xml>          : path to BurpSuitePro exported XML results file.
+    -o --output_prefix <prefix>      : path to output scan-results json.
+    -V --verbose                     : verbose run [optional].
+
+example: heimdall_tools nessus_mapper -x nessus-results.xml -o test-env
+```
+
 ## version  
 
 Prints out the gem version

data/lib/data/nessus-plugins-nist-mapping.csv

@@ -0,0 +1,108 @@
+pluginFamily,pluginID,NIST-ID,Rev
+AIX Local Security Checks,*,SI-2|RA-5,4
+Amazon Linux Local Security Checks,*,SI-2|RA-5,4
+CentOS Local Security Checks,*,SI-2|RA-5,4
+Debian Local Security Checks,*,SI-2|RA-5,4
+F5 Networks Local Security Checks,*,SI-2|RA-5,4
+Fedora Local Security Checks,*,SI-2|RA-5,4
+FreeBSD Local Security Checks,*,SI-2|RA-5,4
+Gentoo Local Security Checks,*,SI-2|RA-5,4
+HP-UX Local Security Checks,*,SI-2|RA-5,4
+Huawei Local Security Checks,*,SI-2|RA-5,4
+Junos Local Security Checks,*,SI-2|RA-5,4
+MacOS X Local Security Checks,*,SI-2|RA-5,4
+Mandriva Local Security Checks,*,SI-2|RA-5,4
+NewStart CGSL Local Security Checks,*,SI-2|RA-5,4
+Oracle Linux Local Security Checks,*,SI-2|RA-5,4
+OracleVM Local Security Checks,*,SI-2|RA-5,4
+Palo Alto Local Security Checks,*,SI-2|RA-5,4
+PhotonOS Local Security Checks,*,SI-2|RA-5,4
+Red Hat Local Security Checks,*,SI-2|RA-5,4
+Scientific Linux Local Security Checks,*,SI-2|RA-5,4
+Slackware Local Security Checks,*,SI-2|RA-5,4
+Solaris Local Security Checks,*,SI-2|RA-5,4
+SuSE Local Security Checks,*,SI-2|RA-5,4
+Ubuntu Local Security Checks,*,SI-2|RA-5,4
+VMware ESX Local Security Checks,*,SI-2|RA-5,4
+Virtuozzo Local Security Checks,*,SI-2|RA-5,4
+Backdoors,,,
+Brute force attacks,,,
+CGI abuses,,,
+CGI abuses : XSS,,,
+CISCO,,,
+DNS,,,
+Databases,,,
+Default Unix Accounts,,,
+Denial of Service,,,
+FTP,,,
+Firewalls,56310,SC-7,4
+Gain a shell remotely,,,
+General,133964,AC-3(4),4
+General,117530,UM-1,4
+General,110483,CM-7,4
+General,95928,AC-2,4
+General,90191,CM-8,4
+General,86420,CM-8,4
+General,70544,AC-17(2)|SC-13,4
+General,66334,SI-2|RA-5,4
+General,64582,CM-8,4
+General,57582,SC-12,4
+General,57041,AC-17(2)|SC-13,4
+General,56984,AC-17(2)|SC-13,4
+General,56468,CM-8,4
+General,55472,CM-8,4
+General,54615,CM-8,4
+General,51192,SC-12,4
+General,45590,CM-8,4
+General,45432,CM-8,4
+General,45410,SC-12,4
+General,39520,SI-2|RA-5,4
+General,35351,CM-8,4
+General,34098,CM-8,4
+General,33276,CM-8,4
+General,25220,SC-8,4
+General,25203,CM-8,4
+General,25202,CM-8,4
+General,22869,CM-8,4
+General,21643,AC-17(2)|SC-13,4
+General,12053,CM-8,4
+General,11936,CM-8,4
+General,10881,AC-17(2)|SC-13,4
+General,10863,SC-12,4
+General,10287,CM-8,4
+General,10114,CM-6,4
+Misc.,118237,CM-8,4
+Misc.,97993,CM-8,4
+Misc.,90707,CM-8,4
+Misc.,84821,AC-17(2)|SC-13,4
+Misc.,83875,AC-17(2)|SC-13,4
+Misc.,70657,AC-17(2)|SC-13,4
+Misc.,58651,AC-17,4
+Mobile Devices,,,
+Netware,,,
+Peer-To-Peer File Sharing,,,
+Policy Compliance,,,
+Port scanners,14272,CM-8,4
+RPC,53335,CM-8,4
+RPC,10223,CM-8,4
+SCADA,,,
+SMTP problems,,,
+SNMP,,,
+Service detection,121010,AC-17(2)|SC-13,4
+Service detection,104743,AC-17(2)|SC-13,4
+Service detection,25221,CM-8,4
+Service detection,22964,CM-8,4
+Service detection,11111,CM-8,4
+Service detection,10884,AU-8(1),4
+Service detection,10267,AC-17(2),4
+Settings,117887,UM-1,4
+Settings,110095,UM-1,4
+Settings,19506,UM-1,4
+Web Servers,85805,SC-8|SC-13,4
+Web Servers,84502,AC-17(2)|SC-13,4
+Web Servers,43111,CM-8,4
+Web Servers,24260,CM-8,4
+Web Servers,10107,CM-8,4
+Windows,,,
+Windows : Microsoft Bulletins,,,
+Windows : User management,,,

data/lib/heimdall_tools/cli.rb

@@ -45,6 +45,21 @@ module HeimdallTools
       File.write(options[:output], hdf)
     end
 
+    desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:nessus_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output_prefix, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def nessus_mapper
+      hdfs = HeimdallTools::NessusMapper.new(File.read(options[:xml])).to_hdf
+
+      hdfs.keys.each do | host |
+        File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
+        puts "HDF Generated: #{options[:output_prefix]}-#{host}.json"
+      end
+      
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/hdf.rb

@@ -28,12 +28,14 @@ module HeimdallTools
                    depends: NA_ARRAY,
                    groups: NA_ARRAY,
                    status: 'loaded',
-                   controls: NA_TAG)
+                   controls: NA_TAG,
+                   target_id: NA_TAG)
 
       @results_json = {}
       @results_json['platform'] = {}
       @results_json['platform']['name'] = 'Heimdall Tools'
       @results_json['platform']['release'] = HeimdallTools::VERSION
+      @results_json['platform']['target_id'] = target_id.to_s
       @results_json['version'] = HeimdallTools::VERSION
 
       @results_json['statistics'] = {}

data/lib/heimdall_tools/help/nessus_mapper.md

@@ -0,0 +1,9 @@
+  nessus_mapper translates an Nessus exported XML results file into HDF format json to be viewable in Heimdall
+
+  The current iteration maps all plugin families except 'Policy Compliance'
+  
+  A separate HDF JSON is generated for each host reported in the Nessus Report.
+
+Examples:
+
+  heimdall_tools nessus_mapper -x nessus_results.xml -o file-prefix

data/lib/heimdall_tools/nessus_mapper.rb

@@ -0,0 +1,176 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+NESSUS_PLUGINS_NIST_MAPPING_FILE =   File.join(RESOURCE_DIR, 'nessus-plugins-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+  Info: 0.0,
+  Low: 0.3,
+  Medium: 0.5,
+  High: 0.7,
+  Critical: 0.9,
+}.freeze
+
+DEFAULT_NIST_TAG = ["unmapped"].freeze
+
+NA_PLUGIN_OUTPUT = "This Nessus Plugin does not provide output message.".freeze
+
+# rubocop:disable Metrics/AbcSize
+
+module HeimdallTools
+  class NessusMapper
+    def initialize(nessus_xml, verbose = false)
+      @nessus_xml = nessus_xml
+      @verbose = verbose
+
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @data = xml_to_hash(nessus_xml)
+
+        @reports = extract_report
+        @scaninfo = extract_scaninfo
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+
+    end
+
+    def extract_report
+      begin
+        # When there are multiple hosts in the nessus report ReportHost field is an array
+        # When there is only one host in the nessus report ReportHost field is a hash
+        # Array() converts ReportHost to array in case there is only one host
+        reports = @data['NessusClientData_v2']['Report']['ReportHost']
+        reports.kind_of?(Array) ? reports : [reports]
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def extract_scaninfo
+      begin
+        policy = @data['NessusClientData_v2']['Policy']
+        info = {}
+
+        info['policyName'] = policy['policyName']
+        info['version'] = policy['Preferences']['ServerPreferences']['preference'].select {|x| x['name'].eql? 'sc_version'}.first['value']
+        info
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def extract_timestamp(report)
+      begin
+        timestamp = report['HostProperties']['tag'].select {|x| x['name'].eql? 'HOST_START'}.first['text']
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def format_desc(issue)
+      desc = ''
+      desc += "Plugin Family: #{issue['pluginFamily']}; "
+      desc += "Port: #{issue['port']}; "
+      desc += "Protocol: #{issue['protocol']};"
+      desc
+    end
+
+    def finding(issue, timestamp)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      finding['run_time'] = NA_FLOAT
+      finding['start_time'] = timestamp
+      [finding]
+    end
+
+    def nist_tag(pluginfamily, pluginid)
+      entries = @cwe_nist_mapping.select { |x| (x[:pluginfamily].eql?(pluginfamily) && (x[:pluginid].eql?('*') || x[:pluginid].eql?(pluginid.to_i)) ) }
+      tags = entries.map { |x| [x[:nistid].split('|'), "Rev_#{x[:rev]}"] }
+      tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+
+    def impact(severity)
+      case severity
+      when "0"
+        IMPACT_MAPPING[:Info]
+      when "1"
+        IMPACT_MAPPING[:Low]
+      when "2"
+        IMPACT_MAPPING[:Medium]
+      when "3"
+        IMPACT_MAPPING[:High]
+      when "4"
+        IMPACT_MAPPING[:Critical]
+      else
+        -1
+      end
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(NESSUS_PLUGINS_NIST_MAPPING_FILE, { encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def desc_tags(data, label)
+      { "data": data || NA_STRING, "label": label || NA_STRING }
+    end
+
+    # Nessus report could have multiple issue entries for multiple findings of same issue type.
+    # The meta data is identical across entries 
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+
+    def to_hdf
+      host_results = {}
+      @reports.each do | report|
+        # Under current version of the converter `Policy Compliance` items are ignored
+        report_items = report['ReportItem'].select {|x| !x['pluginFamily'].eql? 'Policy Compliance'}
+
+        controls = []
+        report_items.each do | item |
+          @item = {}
+          @item['id']                 = item['pluginID'].to_s
+          @item['title']              = item['pluginName'].to_s
+          @item['desc']               = format_desc(item).to_s
+          @item['impact']             = impact(item['severity'])
+          @item['tags']               = {}
+          @item['descriptions']       = []
+          @item['refs']               = NA_ARRAY
+          @item['source_location']    = NA_HASH
+          @item['tags']['nist']       = nist_tag(item['pluginFamily'],item['pluginID'])
+          @item['code']               = ''
+          @item['results']            = finding(item, extract_timestamp(report))
+          controls << @item
+        end
+        controls = collapse_duplicates(controls)
+        results = HeimdallDataFormat.new(profile_name: "Nessus #{@scaninfo['policyName']}",
+                                         version: @scaninfo['version'],
+                                         title: "Nessus #{@scaninfo['policyName']}",
+                                         summary: "Nessus #{@scaninfo['policyName']}",
+                                         controls: controls,
+                                         target_id: report['name'])
+        host_results[report['name']] = results.to_hdf
+      end
+      host_results
+    end
+  end
+end

data/lib/heimdall_tools.rb

@@ -9,4 +9,5 @@ module HeimdallTools
   autoload :ZapMapper, 'heimdall_tools/zap_mapper'
   autoload :SonarQubeMapper, 'heimdall_tools/sonarqube_mapper'
   autoload :BurpSuiteMapper, 'heimdall_tools/burpsuite_mapper'
+  autoload :NessusMapper, 'heimdall_tools/nessus_mapper'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_tools
 version: !ruby/object:Gem::Version
-  version: 1.3.25
+  version: 1.3.26
 platform: ruby
 authors:
 - Robert Thew
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-04-28 00:00:00.000000000 Z
+date: 2020-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -211,6 +211,7 @@ files:
 - exe/heimdall_tools
 - lib/data/cwe-nist-mapping.csv
 - lib/data/gitkeep
+- lib/data/nessus-plugins-nist-mapping.csv
 - lib/data/owasp-nist-mapping.csv
 - lib/heimdall_tools.rb
 - lib/heimdall_tools/burpsuite_mapper.rb
@@ -221,8 +222,10 @@ files:
 - lib/heimdall_tools/help.rb
 - lib/heimdall_tools/help/burpsuite_mapper.md
 - lib/heimdall_tools/help/fortify_mapper.md
+- lib/heimdall_tools/help/nessus_mapper.md
 - lib/heimdall_tools/help/sonarqube_mapper.md
 - lib/heimdall_tools/help/zap_mapper.md
+- lib/heimdall_tools/nessus_mapper.rb
 - lib/heimdall_tools/sonarqube_mapper.rb
 - lib/heimdall_tools/version.rb
 - lib/heimdall_tools/zap_mapper.rb