nfr scan --plugin-severity is counting all compliance checks as "High"/failed for Postgres (plugin 148944)

[awilmo8]

👋 I am using nfr to automate some STIG compliance checks, and I've run into an issue with using it with our RDS scans. When trying to parse the plugin output for Postgres (plugin 148944), nfr marks all 49 compliance checks as "High" or as Failed regardless of their actual status. All of the other compliance plugins parse properly. Nessus File Analyzer, your GUI tool, parses them correctly. I am using the current version through pypi, version 0.7.1.

The query I am using is this:

nfr scan --plugin-severity rds-scan.nessus -f "[?PID == '148944']"

I've attached the sanitized output from that command. I can parse out specific fields from the .nessus file and sanitize them to give you, if you can point me to what data you need. If you need a full Nessus scan, that'll take a while as I'll need to coordinate with our SRE teams to setup a dummy RDS DB and get our STIGs applied to it.

nfr-rds-compliance-results.txt

Additionally, nfr seems to ignore "Error" results and only count "Failed" and "Warning" results. "Failed" maps to "High", and "Warning" maps to "Medium"; it would be great to have "Error" map to "low". This is consistent across all of the compliance checks.

[damian-krawczyk]

Hi @awilmo8, thank you for using LimberDuck tools! I hope they help make your work easier and faster.

1. Can you find in your .nessus file for Compliance Plugin ID which works fine and for Compliance Plugin ID 148944 these two lines below and share it?

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">

About 20 lines below, you should also see this:

<risk_factor>None</risk_factor>

2. Can you also attach similar output from nfr scan --plugin-severity for Compliance Plugin which returns correct severity?

3. When you say that NFA parses them correctly, do you mean
   A) Severity and Risk Factor in Vulnerabilities tab are correct?
   B) Risk Factor in Noncompliance tab is correct?

4. If you mean that nfr scan --plugin-severity ignores Error take into account that this function was created for plugins severity which plugins detect vulnerabilities, not for particular compliance tests returned within a compliance plugin. As far as I remember Errors in compliance plugins do not return information in the same format. If you would like me to check if this could also cover compliance plugins/checks I will need dummy scan results with compliance results for compliance plugin which work fine and for 148944. You can share it with me via e-mail . In a meantime try to base on NFA, Scan section gives you sum-up for (ALL compliance, Passed compliance, Failed compliance, Warning compliance), Host section as well (ALL compliance, Passed compliance, Failed compliance, Warning compliance) and finally Noncompliance section will give you all details for compliance plugins.

[awilmo8]

👋 @damian-krawczyk As requested:

.nessus file with pluginID 148944 that NFR Fails to output correctly

<ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="148944" pluginName="PostgreSQL DB Compliance Checks" pluginFamily="Policy Compliance">

<risk_factor>None</risk_factor>

.nessus file with pluginID 21157 that NFR outputs correctly

<ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="21157" pluginName="Unix Compliance Checks" pluginFamily="Policy Compliance">

<risk_factor>None</risk_factor>

2. Here's the NFR output that correctly returns results (pluginID 21157) - nfr-passing-scan-sanitized.txt

   1. The command I used was nfr scan --plugin-severity passing-scan.nessus -f "[?PID == '21157']"

3. Yes to both A) and B). In particular, NFA parses the Risk Factor for pluginId 148944 correctly in the Noncompliance tab of its outputted file.

4. Understood, I will drop that ask for the time being. Counting Errors in the NFR output is a "nice to have" but not necessary for my needs since NFA covers it. If I have the opportunity to run dummy scans on test infrastructure I will send those your way.