Hi Joris,
I face the same challenge as you do, as my stakeholders regularly ask
me for delta reports which can highlight the efforts made to solve
vulnerabilities. People will simply stop fixing vulnerabilities if the
work done to solve previous ones is not recognized.
So I completely agree with your statement below.
Alas, it seems to be of no interest to the OpenVAS developers. I have raised
this topic on this mailing list already, and never received any
positive answers.
I tried the official way to report deltas (because officially, yes, this
is supposed to work! Look at the command "get_reports": you have the
arguments @delta_report_id and @delta_states).
Typically, if I run the following command to get the deltas in a CSV
file:
    omp -h 127.0.0.1 -u admin -w xxx -iX '<get_reports
      report_id="MyLastReportID" levels="hm"
      format_id="c1645568-627a-11e3-a660-406186ea4fc5"
      delta_report_id="MySecondLastReportID"
      delta_states="cgns" />' |
      xmlstarlet sel -t -v get_reports_response/report/text\(\) |
      base64 -i -d > deltareport.csv
Then my deltareport.csv won't highlight any delta. Do the same with
format_id=1a60a67e-97d0-4cbf-bc77-f71b08e7043d (PDF) and you'll get the
deltas you are looking for.
But obviously, when you are doing vulnerability management programs on
a somewhat large scale, PDF reporting is completely useless....
So in a nutshell: it is supposed to work but it doesn't. :-(
Best,

On Thu, 2017-12-07 at 10:12 +0100, Joris wrote:
> Thanks Thijs!
>
> You made me think about past results and not having to care about it:
> It is true that the tickets will be only generated on current
> results. On the other hand, does that mean that you create multiple
> tickets for the same issue if it appears in 2 consecutive scans?
>
> We're interested in differential for 2 other reasons:
> - from a security culture perspective, it would be interesting to
> report on reduction on vulnerabilities and create some noise about
> who is doing well and who is not.
> - some systems will have issues which cannot be remediated per se. By
> differential reporting, we can look at new stuff and the report would
> not be cluttered by old stuff we already knew about / ticketed.
>
> Best regards
> Joris
>
>
> On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman wrote:
> > You can schedule the scans to repeat them.
> >
> > Personally I wasn’t happy with the built in scheduler and automated
> > one myself using python talking to the gvm-tools API.
> > (https://github.com/Thijssss/openvas_scheduler which might help you
> > automate things yourself, gvm-tools also has example scripts:
> > https://bitbucket.org/greenbone/gvm-tools)
> >
> > I am not going for differences really; any finding with a CVSS
> > score of > 4 will trigger an alert which sends an email to our
> > ticketing system.
> > Once a month I start my scheduler which will start any job that
> > hasn’t run for 3 weeks or so. (I could leave it running in a screen
> > forever but I still supervise and time it all, when it is not
> > running I got time to update scan systems)
> >
> > If you go to tasks and click on the Reports > Total number you can
> > see an overview of all the reports and quickly see if things
> > improved or not.
> > There is a compare button (underneath Actions, next to ‘delete’ so
> > be careful), click on two and you’ll get a comparison overview.
> >
> > Still, why care about past results; it’s the latest scan result
> > that counts in my book.
> >
> > Thijs Stuurman
> > Security Operations Center | KPN Internedservices B.V.
> > [email protected] | [email protected]
> > T: +31(0)299476185 | M: +31(0)624366778
> > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> >
> > W: https://www.internedservices.nl | L:
> > https://nl.linkedin.com/in/thijsstuurman
> >
> > From: Openvas-discuss [mailto:[email protected]
> > n.org] On Behalf Of Joris
> > Sent: Thursday, 7 December 2017 09:51
> > To: [email protected]
> > Subject: [Openvas-discuss] Reporting on delta's between scans on
> > same host
> >
> > Hello list,
> >
> > Using the scanner here and are pretty impressed with the results
> > and the web GUI.
> >
> > Our next move is basically to identify differences between
> > consecutive scans on hosts (was a vulnerability patched? was a new
> > vulnerability introduced on the system?)
> >
> > Based on my understanding, the system does not support this
> > natively but I can be wrong. How do others solve this issue? Do you
> > build automation around it ?
> >
> > Best regards
> > Joris
> >
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
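
One way to get the delta as CSV without relying on the report format, as an added example that is not part of the original thread or of OpenVAS: export both reports as plain CSV and compare them, labelling rows with the same letters as delta_states (c=changed, g=gone, n=new, s=same). The column names, the use of CVSS as the "changed" criterion, and the sample rows are assumptions.

```python
import csv
import io

# Assumed column names for the CSV export header; adjust to match your files.
KEY = ("IP", "Port", "Port Protocol", "NVT OID")   # identifies one finding
COMPARE = ("CVSS",)                                # a difference here means "changed"

def load(csv_text):
    """Index a CSV report: finding identity -> full row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {tuple(row[k] for k in KEY): row for row in reader}

def delta(previous, latest, states="cgns"):
    """Return sorted (state, key, row); state is c=changed, g=gone, n=new, s=same."""
    out = []
    for key in previous.keys() | latest.keys():
        old, new = previous.get(key), latest.get(key)
        if old is None:
            state = "n"
        elif new is None:
            state = "g"
        else:
            state = "c" if any(old[c] != new[c] for c in COMPARE) else "s"
        if state in states:
            out.append((state, key, new or old))  # gone rows keep the old data
    return sorted(out, key=lambda t: (t[0], t[1]))

def write_csv(rows, fieldnames):
    """Render the delta as CSV text with a leading Delta column."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["Delta", *fieldnames], extrasaction="ignore")
    w.writeheader()
    for state, _, row in rows:
        w.writerow({"Delta": state, **row})
    return buf.getvalue()

# Constructed sample reports (not real scan output).
HEADER = "IP,Port,Port Protocol,CVSS,NVT Name,NVT OID\n"
PREVIOUS = HEADER + (
    "192.0.2.10,443,tcp,7.5,Example TLS issue,1.3.6.1.4.1.25623.1.0.999001\n"
    "192.0.2.10,22,tcp,5.0,Example SSH issue,1.3.6.1.4.1.25623.1.0.999002\n"
    "192.0.2.11,80,tcp,6.4,Example HTTP issue,1.3.6.1.4.1.25623.1.0.999003\n")
LATEST = HEADER + (
    "192.0.2.10,22,tcp,4.3,Example SSH issue,1.3.6.1.4.1.25623.1.0.999002\n"
    "192.0.2.11,80,tcp,6.4,Example HTTP issue,1.3.6.1.4.1.25623.1.0.999003\n"
    "192.0.2.11,8080,tcp,9.8,Example proxy issue,1.3.6.1.4.1.25623.1.0.999004\n")

if __name__ == "__main__":
    rows = delta(load(PREVIOUS), load(LATEST), states="cgn")
    print(write_csv(rows, HEADER.strip().split(",")), end="")
```

Leaving "s" out of `states` gives a report with only what moved since the previous scan, which keeps known, already ticketed findings out of the output.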