heimdall_tools 1.3.25 → 1.3.30

data/lib/data/nessus-plugins-nist-mapping.csv

@@ -0,0 +1,108 @@
+pluginFamily,pluginID,NIST-ID,Rev
+AIX Local Security Checks,*,SI-2|RA-5,4
+Amazon Linux Local Security Checks,*,SI-2|RA-5,4
+CentOS Local Security Checks,*,SI-2|RA-5,4
+Debian Local Security Checks,*,SI-2|RA-5,4
+F5 Networks Local Security Checks,*,SI-2|RA-5,4
+Fedora Local Security Checks,*,SI-2|RA-5,4
+FreeBSD Local Security Checks,*,SI-2|RA-5,4
+Gentoo Local Security Checks,*,SI-2|RA-5,4
+HP-UX Local Security Checks,*,SI-2|RA-5,4
+Huawei Local Security Checks,*,SI-2|RA-5,4
+Junos Local Security Checks,*,SI-2|RA-5,4
+MacOS X Local Security Checks,*,SI-2|RA-5,4
+Mandriva Local Security Checks,*,SI-2|RA-5,4
+NewStart CGSL Local Security Checks,*,SI-2|RA-5,4
+Oracle Linux Local Security Checks,*,SI-2|RA-5,4
+OracleVM Local Security Checks,*,SI-2|RA-5,4
+Palo Alto Local Security Checks,*,SI-2|RA-5,4
+PhotonOS Local Security Checks,*,SI-2|RA-5,4
+Red Hat Local Security Checks,*,SI-2|RA-5,4
+Scientific Linux Local Security Checks,*,SI-2|RA-5,4
+Slackware Local Security Checks,*,SI-2|RA-5,4
+Solaris Local Security Checks,*,SI-2|RA-5,4
+SuSE Local Security Checks,*,SI-2|RA-5,4
+Ubuntu Local Security Checks,*,SI-2|RA-5,4
+VMware ESX Local Security Checks,*,SI-2|RA-5,4
+Virtuozzo Local Security Checks,*,SI-2|RA-5,4
+Backdoors,,,
+Brute force attacks,,,
+CGI abuses,,,
+CGI abuses : XSS,,,
+CISCO,,,
+DNS,,,
+Databases,,,
+Default Unix Accounts,,,
+Denial of Service,,,
+FTP,,,
+Firewalls,56310,SC-7,4
+Gain a shell remotely,,,
+General,133964,AC-3(4),4
+General,117530,UM-1,4
+General,110483,CM-7,4
+General,95928,AC-2,4
+General,90191,CM-8,4
+General,86420,CM-8,4
+General,70544,AC-17(2)|SC-13,4
+General,66334,SI-2|RA-5,4
+General,64582,CM-8,4
+General,57582,SC-12,4
+General,57041,AC-17(2)|SC-13,4
+General,56984,AC-17(2)|SC-13,4
+General,56468,CM-8,4
+General,55472,CM-8,4
+General,54615,CM-8,4
+General,51192,SC-12,4
+General,45590,CM-8,4
+General,45432,CM-8,4
+General,45410,SC-12,4
+General,39520,SI-2|RA-5,4
+General,35351,CM-8,4
+General,34098,CM-8,4
+General,33276,CM-8,4
+General,25220,SC-8,4
+General,25203,CM-8,4
+General,25202,CM-8,4
+General,22869,CM-8,4
+General,21643,AC-17(2)|SC-13,4
+General,12053,CM-8,4
+General,11936,CM-8,4
+General,10881,AC-17(2)|SC-13,4
+General,10863,SC-12,4
+General,10287,CM-8,4
+General,10114,CM-6,4
+Misc.,118237,CM-8,4
+Misc.,97993,CM-8,4
+Misc.,90707,CM-8,4
+Misc.,84821,AC-17(2)|SC-13,4
+Misc.,83875,AC-17(2)|SC-13,4
+Misc.,70657,AC-17(2)|SC-13,4
+Misc.,58651,AC-17,4
+Mobile Devices,,,
+Netware,,,
+Peer-To-Peer File Sharing,,,
+Policy Compliance,,,
+Port scanners,14272,CM-8,4
+RPC,53335,CM-8,4
+RPC,10223,CM-8,4
+SCADA,,,
+SMTP problems,,,
+SNMP,,,
+Service detection,121010,AC-17(2)|SC-13,4
+Service detection,104743,AC-17(2)|SC-13,4
+Service detection,25221,CM-8,4
+Service detection,22964,CM-8,4
+Service detection,11111,CM-8,4
+Service detection,10884,AU-8(1),4
+Service detection,10267,AC-17(2),4
+Settings,117887,UM-1,4
+Settings,110095,UM-1,4
+Settings,19506,UM-1,4
+Web Servers,85805,SC-8|SC-13,4
+Web Servers,84502,AC-17(2)|SC-13,4
+Web Servers,43111,CM-8,4
+Web Servers,24260,CM-8,4
+Web Servers,10107,CM-8,4
+Windows,,,
+Windows : Microsoft Bulletins,,,
+Windows : User management,,,

data/lib/heimdall_tools.rb

@@ -9,4 +9,5 @@ module HeimdallTools
   autoload :ZapMapper, 'heimdall_tools/zap_mapper'
   autoload :SonarQubeMapper, 'heimdall_tools/sonarqube_mapper'
   autoload :BurpSuiteMapper, 'heimdall_tools/burpsuite_mapper'
+  autoload :NessusMapper, 'heimdall_tools/nessus_mapper'
 end

data/lib/heimdall_tools/cli.rb

@@ -45,6 +45,22 @@ module HeimdallTools
       File.write(options[:output], hdf)
     end
 
+    desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:nessus_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output_prefix, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def nessus_mapper
+      hdfs = HeimdallTools::NessusMapper.new(File.read(options[:xml])).to_hdf
+
+      puts "\nHDF Generated:"
+      hdfs.keys.each do | host |
+        File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
+        puts "#{options[:output_prefix]}-#{host}.json"
+      end
+      
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/hdf.rb

@@ -28,12 +28,14 @@ module HeimdallTools
                    depends: NA_ARRAY,
                    groups: NA_ARRAY,
                    status: 'loaded',
-                   controls: NA_TAG)
+                   controls: NA_TAG,
+                   target_id: NA_TAG)
 
       @results_json = {}
       @results_json['platform'] = {}
       @results_json['platform']['name'] = 'Heimdall Tools'
       @results_json['platform']['release'] = HeimdallTools::VERSION
+      @results_json['platform']['target_id'] = target_id.to_s
       @results_json['version'] = HeimdallTools::VERSION
 
       @results_json['statistics'] = {}

data/lib/heimdall_tools/help/nessus_mapper.md

@@ -0,0 +1,9 @@
+  nessus_mapper translates an Nessus exported XML results file into HDF format json to be viewable in Heimdall
+
+  The current iteration maps all plugin families except 'Policy Compliance'
+  
+  A separate HDF JSON is generated for each host reported in the Nessus Report.
+
+Examples:
+
+  heimdall_tools nessus_mapper -x nessus_results.xml -o file-prefix

data/lib/heimdall_tools/nessus_mapper.rb

@@ -0,0 +1,258 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+require 'nokogiri'
+require 'pp'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+NESSUS_PLUGINS_NIST_MAPPING_FILE =   File.join(RESOURCE_DIR, 'nessus-plugins-nist-mapping.csv')
+U_CCI_LIST =   File.join(RESOURCE_DIR, 'U_CCI_List.xml')
+
+IMPACT_MAPPING = {
+  Info: 0.0,
+  Low: 0.3,
+  Medium: 0.5,
+  High: 0.7,
+  Critical: 0.9,
+}.freeze
+
+DEFAULT_NIST_TAG = ["unmapped"].freeze
+
+# Nessus results file 800-53 refs does not contain Nist rev version. Using this default
+# version in that case
+DEFAULT_NIST_REV = 'Rev_4'.freeze
+
+NA_PLUGIN_OUTPUT = "This Nessus Plugin does not provide output message.".freeze
+
+# rubocop:disable Metrics/AbcSize
+
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+
+module HeimdallTools
+  class NessusMapper
+    def initialize(nessus_xml, verbose = false)
+      @nessus_xml = nessus_xml
+      @verbose = verbose
+      read_cci_xml
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @data = xml_to_hash(nessus_xml)
+        @reports = extract_report
+        @scaninfo = extract_scaninfo
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+
+    end
+
+    def extract_report
+      begin
+        # When there are multiple hosts in the nessus report ReportHost field is an array
+        # When there is only one host in the nessus report ReportHost field is a hash
+        # Array() converts ReportHost to array in case there is only one host
+        reports = @data['NessusClientData_v2']['Report']['ReportHost']
+        reports.kind_of?(Array) ? reports : [reports]
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def parse_refs(refs, key)
+      refs.split(',').map { |x| x.split('|')[1] if x.include?(key) }.compact
+    end
+
+    def extract_scaninfo
+      begin
+        policy = @data['NessusClientData_v2']['Policy']
+        info = {}
+
+        info['policyName'] = policy['policyName']
+        info['version'] = policy['Preferences']['ServerPreferences']['preference'].select {|x| x['name'].eql? 'sc_version'}.first['value']
+        info
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def extract_timestamp(report)
+      begin
+        timestamp = report['HostProperties']['tag'].select {|x| x['name'].eql? 'HOST_START'}.first['text']
+      rescue StandardError => e
+        raise "Invalid Nessus XML file provided Exception: #{e}"
+      end
+    end
+
+    def format_desc(issue)
+      desc = ''
+      desc += "Plugin Family: #{issue['pluginFamily']}; "
+      desc += "Port: #{issue['port']}; "
+      desc += "Protocol: #{issue['protocol']};"
+      desc
+    end
+
+    def finding(issue, timestamp)
+      finding = {}
+      # if compliance-result field, this is a policy compliance result entry
+      # nessus policy compliance result provides a pass/fail data
+      # For non policy compliance  results are defaulted to failed
+      if issue['compliance-result']
+        finding['status'] = issue['compliance-result'].eql?('PASSED') ? 'passed' : 'failed'
+      else
+        finding['status'] = 'failed'
+      end
+
+      if issue['description']
+        finding['code_desc'] = issue['description'].to_s || NA_PLUGIN_OUTPUT
+      else
+        finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      end
+      finding['run_time'] = NA_FLOAT
+      finding['start_time'] = timestamp
+      [finding]
+    end
+
+    def read_cci_xml
+      cci_list_path = File.join(File.dirname(__FILE__), '../data/U_CCI_List.xml')
+      @cci_xml = Nokogiri::XML(File.open(cci_list_path))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+
+    def cci_nist_tag(cci_refs)
+      nist_tags = []
+      cci_refs.each do | cci_ref |
+        item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_ref}']")[0] unless @cci_xml.nil?
+        unless item_node.nil?
+          nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+          nist_ver = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@version').text
+        end
+        nist_tags << nist_ref
+        nist_tags << "Rev_#{nist_ver}"
+      end
+      nist_tags
+    end
+
+    def plugin_nist_tag(pluginfamily, pluginid)
+      entries = @cwe_nist_mapping.select { |x| (x[:pluginfamily].eql?(pluginfamily) && (x[:pluginid].eql?('*') || x[:pluginid].eql?(pluginid.to_i)) ) }
+      tags = entries.map { |x| [x[:nistid].split('|'), "Rev_#{x[:rev]}"] }
+      tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+
+    def impact(severity)
+      # Map CAT levels and Plugin severity to HDF impact levels
+      case severity
+      when "0"
+        IMPACT_MAPPING[:Info]
+      when "1","III"
+        IMPACT_MAPPING[:Low]
+      when "2","II"
+        IMPACT_MAPPING[:Medium]
+      when "3","I"
+        IMPACT_MAPPING[:High]
+      when "4"
+        IMPACT_MAPPING[:Critical]
+      else
+        -1
+      end
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(NESSUS_PLUGINS_NIST_MAPPING_FILE, { encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def desc_tags(data, label)
+      { "data": data || NA_STRING, "label": label || NA_STRING }
+    end
+
+    # Nessus report could have multiple issue entries for multiple findings of same issue type.
+    # The meta data is identical across entries 
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+
+    def to_hdf
+      host_results = {}
+      @reports.each do | report|
+        controls = []
+        report['ReportItem'].each do | item |
+          printf("\rProcessing: %s", $spinner.next)
+          @item = {}
+          @item['tags']               = {}
+          @item['descriptions']       = []
+          @item['refs']               = NA_ARRAY
+          @item['source_location']    = NA_HASH
+
+          # Nessus results field set are different for 'Policy Compliance' plug-in family vs other plug-in families
+          # Following if conditions capture compliance* if it exists else it will default to plugin* fields
+          # Current version covers STIG based 'Policy Compliance' results
+          # TODO Cover cases for 'Policy Compliance' results based on CIS
+          if item['compliance-reference']
+            @item['id']                 = parse_refs(item['compliance-reference'],'Vuln-ID').join.to_s
+          else
+            @item['id']                 = item['pluginID'].to_s
+          end
+          if item['compliance-check-name']
+            @item['title']              = item['compliance-check-name'].to_s
+          else
+            @item['title']              = item['pluginName'].to_s
+          end
+          if item['compliance-info']
+            @item['desc']              = item['compliance-info'].to_s
+          else
+            @item['desc']              = format_desc(item).to_s
+          end
+          if item['compliance-reference']
+            @item['impact']            = impact(parse_refs(item['compliance-reference'],'CAT').join.to_s)
+          else
+            @item['impact']            = impact(item['severity']) 
+          end
+          if item['compliance-reference']
+            @item['tags']['nist']     = cci_nist_tag(parse_refs(item['compliance-reference'],'CCI'))
+          else
+            @item['tags']['nist']     = plugin_nist_tag(item['pluginFamily'],item['pluginID'])
+          end
+          if item['compliance-solution']
+            @item['descriptions']       <<  desc_tags(item['compliance-solution'], 'check')
+          end
+
+          @item['code']               = ''
+          @item['results']            = finding(item, extract_timestamp(report))
+          controls << @item
+        end
+        controls = collapse_duplicates(controls)
+        results = HeimdallDataFormat.new(profile_name: "Nessus #{@scaninfo['policyName']}",
+                                         version: @scaninfo['version'],
+                                         title: "Nessus #{@scaninfo['policyName']}",
+                                         summary: "Nessus #{@scaninfo['policyName']}",
+                                         controls: controls,
+                                         target_id: report['name'])
+        host_results[report['name']] = results.to_hdf
+      end
+      host_results
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_tools
 version: !ruby/object:Gem::Version
-  version: 1.3.25
+  version: 1.3.30
 platform: ruby
 authors:
 - Robert Thew
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-04-28 00:00:00.000000000 Z
+date: 2020-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -116,14 +116,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: 0.17.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: 0.17.2
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -209,8 +209,9 @@ files:
 - README.md
 - Rakefile
 - exe/heimdall_tools
+- lib/data/U_CCI_List.xml
 - lib/data/cwe-nist-mapping.csv
-- lib/data/gitkeep
+- lib/data/nessus-plugins-nist-mapping.csv
 - lib/data/owasp-nist-mapping.csv
 - lib/heimdall_tools.rb
 - lib/heimdall_tools/burpsuite_mapper.rb
@@ -221,8 +222,10 @@ files:
 - lib/heimdall_tools/help.rb
 - lib/heimdall_tools/help/burpsuite_mapper.md
 - lib/heimdall_tools/help/fortify_mapper.md
+- lib/heimdall_tools/help/nessus_mapper.md
 - lib/heimdall_tools/help/sonarqube_mapper.md
 - lib/heimdall_tools/help/zap_mapper.md
+- lib/heimdall_tools/nessus_mapper.rb
 - lib/heimdall_tools/sonarqube_mapper.rb
 - lib/heimdall_tools/version.rb
 - lib/heimdall_tools/zap_mapper.rb