Re: [Openvas-discuss] Reporting on delta's between scans on same host
What would be the settings to trigger an alert which sends out an email on any finding with a specific CVSS score?

Thanks,
Helmut

"Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org> wrote on 07.12.2017 10:05:16:

> From: Thijs Stuurman <thijs.stuur...@internedservices.nl>
> To: "openvas-discuss@wald.intevation.org" disc...@wald.intevation.org>,
> Date: 07.12.2017 10:05
> Subject: Re: [Openvas-discuss] Reporting on delta's between scans on same host
> Sent by: "Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org>
>
> You can schedule the scans to repeat them.
>
> Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API. (https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)
>
> I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
> Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)
>
> If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
> There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.
>
> Still, why care about past results; it’s the latest scan result that counts in my book.
>
> Thijs Stuurman
> Security Operations Center | KPN Internedservices B.V.
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> T: +31(0)299476185 | M: +31(0)624366778
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>
> W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
>
> From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On behalf of Joris
> Sent: Thursday 7 December 2017 09:51
> To: openvas-discuss@wald.intevation.org
> Subject: [Openvas-discuss] Reporting on delta's between scans on same host
>
> Hello list,
>
> Using the scanner here and are pretty impressed with the results and the web GUI.
>
> Our next move is basically to identify differences between consecutive scans on hosts (was a vulnerability patched? was a new vulnerability introduced on the system?)
>
> Based on my understanding, the system does not support this natively but I can be wrong. How do others solve this issue? Do you build automation around it ?
>
> Best regards
> Joris

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Reporting on delta's between scans on same host
On Fri, 2017-12-15 at 11:14 +0100, Christian Fischer wrote:
> Hi,
>
> On 15.12.2017 10:58, tatooin wrote:
> > Hi
> > On Thu, 2017-12-14 at 19:05 +0100, Christian Fischer wrote:
> > > Hi,
> > >
> > > On 14.12.2017 18:36, tatooin wrote:
> > > > However, that still doesn't explain why such an important native feature of OpenVAS just don't work.
> > >
> > > have you considered that an explanation for this could be that there might be no support for delta reports implemented for CSV reports?
> > >
> > > So it might be just a "is not supported/implemented" rather than a "don't work".
> >
> > That's possible, indeed. But the documentation doesn't mention any exclusion; I would assume that if this feature is documented without any exclusion, then it's supposed to work whatever format natively supported by OpenVAS.
> > Now if delta reports isn't supported by csv then discussion is closed; this should just be highlighted in the documentation to avoid bothering the openvas community uselessly.
>
> a documentation about the "Delta" feature is available at:
>
> http://docs.greenbone.net/GSM-Manual/gos-4/en/reports.html#delta-reports
>
> which explicitly states the following:
>
> > Subsequently you will receive the delta report. As usual, it can be displayed in different formats and exported as PDF.

Thanks Christian. I saw that part as well, but I did not understand that as "the only format supported is PDF". The sentence upon is highly confusing. Still, is there any plan to support csv exporting in the future ?

Thanks for the clarification.

> > Thanks !
> >
> > > Regards,
>
> Regards,
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi,

On 15.12.2017 10:58, tatooin wrote:
> Hi
> On Thu, 2017-12-14 at 19:05 +0100, Christian Fischer wrote:
>> Hi,
>>
>> On 14.12.2017 18:36, tatooin wrote:
>>> However, that still doesn't explain why such an important native feature of OpenVAS just don't work.
>>
>> have you considered that an explanation for this could be that there might be no support for delta reports implemented for CSV reports?
>>
>> So it might be just a "is not supported/implemented" rather than a "don't work".
>
> That's possible, indeed. But the documentation doesn't mention any exclusion; I would assume that if this feature is documented without any exclusion, then it's supposed to work whatever format natively supported by OpenVAS.
> Now if delta reports isn't supported by csv then discussion is closed; this should just be highlighted in the documentation to avoid bothering the openvas community uselessly.

a documentation about the "Delta" feature is available at:

http://docs.greenbone.net/GSM-Manual/gos-4/en/reports.html#delta-reports

which explicitly states the following:

> Subsequently you will receive the delta report. As usual, it can be displayed in different formats and exported as PDF.

> Thanks !
>
>> Regards,

Regards,

--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi

On Thu, 2017-12-14 at 19:05 +0100, Christian Fischer wrote:
> Hi,
>
> On 14.12.2017 18:36, tatooin wrote:
> > However, that still doesn't explain why such an important native feature of OpenVAS just don't work.
>
> have you considered that an explanation for this could be that there might be no support for delta reports implemented for CSV reports?
>
> So it might be just a "is not supported/implemented" rather than a "don't work".

That's possible, indeed. But the documentation doesn't mention any exclusion; I would assume that if this feature is documented without any exclusion, then it's supposed to work whatever format natively supported by OpenVAS.
Now if delta reports isn't supported by csv then discussion is closed; this should just be highlighted in the documentation to avoid bothering the openvas community uselessly.

Thanks !

> Regards,
>
> --
>
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | http://greenbone.net
>
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi,

On 14.12.2017 18:36, tatooin wrote:
> However, that still doesn't explain why such an important native feature of OpenVAS just don't work.

have you considered that an explanation for this could be that there might be no support for delta reports implemented for CSV reports?

So it might be just a "is not supported/implemented" rather than a "don't work".

Regards,

--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Reporting on delta's between scans on same host
(jumping in with a blatant ad)

Try Seccubus! https://www.seccubus.com/
It's specifically designed to handle vulnerability state changes over time.

On Thu, Dec 14, 2017 at 11:31 AM, Joris <djm...@gmail.com> wrote:

> Hi Tatooin,
>
> Thanks for the detailed information, I will test it out. No comments yet :)
>
> best regards
> joris
>
> On Tue, Dec 12, 2017 at 9:58 PM, tatooin <tato...@free.fr> wrote:
>
>> Hi Joris,
>>
>> No comments on this ?
>>
>> Regards,
>>
>> On Fri, 2017-12-08 at 22:00 +0100, tatooin wrote:
>>
>> Hi Joris,
>>
>> I face the same challenge than you do; as my stakeholders regularly ask me for delta reports which can highlight the efforts made to solve vulnerabilities. People will simply stop fixing vulnerabilities if the work done to solve previous ones is not recognized.
>> So I completely agree with your statement below.
>>
>> Alas, it seems out of interest of OpenVAS developers. I have raised this topic on this mailing list already, and never received any positive answers.
>>
>> I tried the official way to report delta (because officially, yes, this is supposed to work ! Look at command "get_reports", you have the arguments @delta_report_id and @delta_states)
>>
>> Typically, if I do the following command to get the deltas in a csv file:
>>
>> omp -h 127.0.0.1 -u admin -w xxx -iX '<get_reports report_id="MyLastReportID" levels="hm" format_id="c1645568-627a-11e3-a660-406186ea4fc5" delta_report_id="MySecondLastReportID" delta_states="cgns" />' | xmlstarlet sel -t -v get_reports_response/report/text\(\) | base64 -i -d > deltareport.csv
>>
>> Then my deltareport.csv won't highlight any delta. Do the same with format_id=1a60a67e-97d0-4cbf-bc77-f71b08e7043d (PDF) you'll get the deltas you are looking at.
>>
>> But obviously, when you are doing vulnerability management programs on a somewhat large scale, PDF reporting is completely useless
>>
>> So in a nutshell; it is supposed to work but it doesn't. :-(
>>
>> Best,
>>
>> On Thu, 2017-12-07 at 10:12 +0100, Joris wrote:
>>
>> Thanks Thijs!
>>
>> You made me think about past results and not having to care about it: It is true that the tickets will be only generated on current results. On the other hand, does that mean that you create multiple tickets for the same issue if it appears in 2 consecutive scans?
>>
>> We're interested in differential for 2 other reasons:
>> - from a security culture perspective, it would be interesting to report on reduction on vulnerabilities and create some noise about who is doing well and who is not.
>> - some systems will have issues which cannot be remediated per se. By differential reporting, we can look at new stuff and the report would not be cluttered by old stuff we already knew about / ticketed.
>>
>> Best regards
>> Joris
>>
>> On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman <thijs.stuur...@internedservices.nl> wrote:
>>
>> You can schedule the scans to repeat them.
>>
>> Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API.
>> (https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)
>>
>> I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
>> Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)
>>
>> If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
>> There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.
>>
>> Still, why care about past results; it’s the latest scan result that counts in my book.
>>
>> Thijs Stuurman
>> Security Operations Center | KPN Internedservices B.V.
>> th
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi Tatooin,

Thanks for the detailed information, I will test it out. No comments yet :)

best regards
joris

On Tue, Dec 12, 2017 at 9:58 PM, tatooin <tato...@free.fr> wrote:

> Hi Joris,
>
> No comments on this ?
>
> Regards,
>
> On Fri, 2017-12-08 at 22:00 +0100, tatooin wrote:
>
> Hi Joris,
>
> I face the same challenge than you do; as my stakeholders regularly ask me for delta reports which can highlight the efforts made to solve vulnerabilities. People will simply stop fixing vulnerabilities if the work done to solve previous ones is not recognized.
> So I completely agree with your statement below.
>
> Alas, it seems out of interest of OpenVAS developers. I have raised this topic on this mailing list already, and never received any positive answers.
>
> I tried the official way to report delta (because officially, yes, this is supposed to work ! Look at command "get_reports", you have the arguments @delta_report_id and @delta_states)
>
> Typically, if I do the following command to get the deltas in a csv file:
>
> omp -h 127.0.0.1 -u admin -w xxx -iX '<get_reports report_id="MyLastReportID" levels="hm" format_id="c1645568-627a-11e3-a660-406186ea4fc5" delta_report_id="MySecondLastReportID" delta_states="cgns" />' | xmlstarlet sel -t -v get_reports_response/report/text\(\) | base64 -i -d > deltareport.csv
>
> Then my deltareport.csv won't highlight any delta. Do the same with format_id=1a60a67e-97d0-4cbf-bc77-f71b08e7043d (PDF) you'll get the deltas you are looking at.
>
> But obviously, when you are doing vulnerability management programs on a somewhat large scale, PDF reporting is completely useless
>
> So in a nutshell; it is supposed to work but it doesn't. :-(
>
> Best,
>
> On Thu, 2017-12-07 at 10:12 +0100, Joris wrote:
>
> Thanks Thijs!
>
> You made me think about past results and not having to care about it: It is true that the tickets will be only generated on current results. On the other hand, does that mean that you create multiple tickets for the same issue if it appears in 2 consecutive scans?
>
> We're interested in differential for 2 other reasons:
> - from a security culture perspective, it would be interesting to report on reduction on vulnerabilities and create some noise about who is doing well and who is not.
> - some systems will have issues which cannot be remediated per se. By differential reporting, we can look at new stuff and the report would not be cluttered by old stuff we already knew about / ticketed.
>
> Best regards
> Joris
>
> On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman <Thijs.Stuurman@internedservices.nl> wrote:
>
> You can schedule the scans to repeat them.
>
> Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API.
> (https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)
>
> I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
> Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)
>
> If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
> There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.
>
> Still, why care about past results; it’s the latest scan result that counts in my book.
>
> Thijs Stuurman
> Security Operations Center | KPN Internedservices B.V.
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> T: +31(0)299476185 | M: +31(0)624366778
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>
> W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
>
> From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On behalf of Joris
> Sent: Thursday 7 December 2017 09:51
> To: openvas-discuss@wald.intevation.org
> Subject: [Openvas-discuss] Reporting on delta's betwee
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi Joris,

No comments on this ?

Regards,

On Fri, 2017-12-08 at 22:00 +0100, tatooin wrote:
> Hi Joris,
>
> I face the same challenge than you do; as my stakeholders regularly ask me for delta reports which can highlight the efforts made to solve vulnerabilities. People will simply stop fixing vulnerabilities if the work done to solve previous ones is not recognized.
> So I completely agree with your statement below.
>
> Alas, it seems out of interest of OpenVAS developers. I have raised this topic on this mailing list already, and never received any positive answers.
>
> I tried the official way to report delta (because officially, yes, this is supposed to work ! Look at command "get_reports", you have the arguments @delta_report_id and @delta_states)
>
> Typically, if I do the following command to get the deltas in a csv file:
>
> omp -h 127.0.0.1 -u admin -w xxx -iX '<get_reports report_id="MyLastReportID" levels="hm" format_id="c1645568-627a-11e3-a660-406186ea4fc5" delta_report_id="MySecondLastReportID" delta_states="cgns" />' | xmlstarlet sel -t -v get_reports_response/report/text\(\) | base64 -i -d > deltareport.csv
>
> Then my deltareport.csv won't highlight any delta. Do the same with format_id=1a60a67e-97d0-4cbf-bc77-f71b08e7043d (PDF) you'll get the deltas you are looking at.
>
> But obviously, when you are doing vulnerability management programs on a somewhat large scale, PDF reporting is completely useless
>
> So in a nutshell; it is supposed to work but it doesn't. :-(
>
> Best,
>
> On Thu, 2017-12-07 at 10:12 +0100, Joris wrote:
> > Thanks Thijs!
> >
> > You made me think about past results and not having to care about it: It is true that the tickets will be only generated on current results. On the other hand, does that mean that you create multiple tickets for the same issue if it appears in 2 consecutive scans?
> >
> > We're interested in differential for 2 other reasons:
> > - from a security culture perspective, it would be interesting to report on reduction on vulnerabilities and create some noise about who is doing well and who is not.
> > - some systems will have issues which cannot be remediated per se. By differential reporting, we can look at new stuff and the report would not be cluttered by old stuff we already knew about / ticketed.
> >
> > Best regards
> > Joris
> >
> > On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman
> > ernedservices.nl> wrote:
> > > You can schedule the scans to repeat them.
> > >
> > > Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API.
> > > (https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)
> > >
> > > I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
> > > Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)
> > >
> > > If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
> > > There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.
> > >
> > > Still, why care about past results; it’s the latest scan result that counts in my book.
> > >
> > > Thijs Stuurman
> > > Security Operations Center | KPN Internedservices B.V.
> > > thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> > > T: +31(0)299476185 | M: +31(0)624366778
> > > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> > > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> > >
> > > W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
> > >
> > > From: Openvas-discuss [mailto:openvas-discuss-bounces@wald.intevation.org] On behalf of Joris
> > > Sent: Thursday 7 December 2017 09:
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Hi Joris,

I face the same challenge than you do; as my stakeholders regularly ask me for delta reports which can highlight the efforts made to solve vulnerabilities. People will simply stop fixing vulnerabilities if the work done to solve previous ones is not recognized.
So I completely agree with your statement below.

Alas, it seems out of interest of OpenVAS developers. I have raised this topic on this mailing list already, and never received any positive answers.

I tried the official way to report delta (because officially, yes, this is supposed to work ! Look at command "get_reports", you have the arguments @delta_report_id and @delta_states)

Typically, if I do the following command to get the deltas in a csv file:

omp -h 127.0.0.1 -u admin -w xxx -iX '<get_reports report_id="MyLastReportID" levels="hm" format_id="c1645568-627a-11e3-a660-406186ea4fc5" delta_report_id="MySecondLastReportID" delta_states="cgns" />' | xmlstarlet sel -t -v get_reports_response/report/text\(\) | base64 -i -d > deltareport.csv

Then my deltareport.csv won't highlight any delta. Do the same with format_id=1a60a67e-97d0-4cbf-bc77-f71b08e7043d (PDF) you'll get the deltas you are looking at.

But obviously, when you are doing vulnerability management programs on a somewhat large scale, PDF reporting is completely useless

So in a nutshell; it is supposed to work but it doesn't. :-(

Best,

On Thu, 2017-12-07 at 10:12 +0100, Joris wrote:
> Thanks Thijs!
>
> You made me think about past results and not having to care about it: It is true that the tickets will be only generated on current results. On the other hand, does that mean that you create multiple tickets for the same issue if it appears in 2 consecutive scans?
>
> We're interested in differential for 2 other reasons:
> - from a security culture perspective, it would be interesting to report on reduction on vulnerabilities and create some noise about who is doing well and who is not.
> - some systems will have issues which cannot be remediated per se. By differential reporting, we can look at new stuff and the report would not be cluttered by old stuff we already knew about / ticketed.
>
> Best regards
> Joris
>
> On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman
> nedservices.nl> wrote:
> > You can schedule the scans to repeat them.
> >
> > Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API.
> > (https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)
> >
> > I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
> > Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)
> >
> > If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
> > There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.
> >
> > Still, why care about past results; it’s the latest scan result that counts in my book.
> >
> > Thijs Stuurman
> > Security Operations Center | KPN Internedservices B.V.
> > thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> > T: +31(0)299476185 | M: +31(0)624366778
> > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> >
> > W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
> >
> > From: Openvas-discuss [mailto:openvas-discuss-bounces@wald.intevation.org] On behalf of Joris
> > Sent: Thursday 7 December 2017 09:51
> > To: openvas-discuss@wald.intevation.org
> > Subject: [Openvas-discuss] Reporting on delta's between scans on same host
> >
> > Hello list,
> >
> > Using the scanner here and are pretty impressed with the results and the web GUI.
> >
> > Our next move is basically to identify differences between consecutive scans on hosts (was a vulnerability patched? was a new vulnerability introduced on the system?)
> >
> > Based on my understanding, the system does not support this natively but I can be wrong. How do others solve this issue? Do you build automation around it ?
> >
> > Best regards
> > Joris
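
Added example, not part of the thread and not OpenVAS or gvm-tools code: because the CSV export in the message above carries no delta information, one workaround is to export the two reports as ordinary CSV and compare them offline, which also answers the duplicate-ticket question by flagging only findings that newly cross the "CVSS > 4" threshold mentioned in the thread. The column names, the sample rows and the rule that "changed" means a different CVSS score are assumptions of this example.

```python
import csv
import io

# Assumed column names; match them to the header row of your own CSV export.
KEY_COLUMNS = ("IP", "Port", "Port Protocol", "NVT OID")
SCORE_COLUMN = "CVSS"

# Constructed sample exports (documentation addresses, made-up OIDs and names).
PREVIOUS_CSV = """IP,Port,Port Protocol,CVSS,NVT Name,NVT OID
192.0.2.10,443,tcp,7.5,Example TLS issue,1.3.6.1.4.1.25623.1.0.900001
192.0.2.10,22,tcp,4.3,Example SSH issue,1.3.6.1.4.1.25623.1.0.900002
192.0.2.11,80,tcp,5.0,Example HTTP issue,1.3.6.1.4.1.25623.1.0.900003
"""
LATEST_CSV = """IP,Port,Port Protocol,CVSS,NVT Name,NVT OID
192.0.2.10,22,tcp,4.3,Example SSH issue,1.3.6.1.4.1.25623.1.0.900002
192.0.2.11,80,tcp,3.5,Example HTTP issue,1.3.6.1.4.1.25623.1.0.900003
192.0.2.11,8080,tcp,6.8,Example proxy issue,1.3.6.1.4.1.25623.1.0.900004
192.0.2.12,21,tcp,2.6,Example FTP banner,1.3.6.1.4.1.25623.1.0.900005
"""


def load_findings(csv_text):
    """Return {(ip, port, protocol, oid): highest CVSS score seen for that key}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple((row.get(col) or "").strip() for col in KEY_COLUMNS)
        try:
            score = float(row.get(SCORE_COLUMN) or 0.0)
        except ValueError:
            score = 0.0  # an unparsable score is treated as informational
        findings[key] = max(score, findings.get(key, 0.0))
    return findings


def delta(previous, latest):
    """Sort findings into changed/gone/new/same (the c, g, n, s of delta_states)."""
    states = {"changed": [], "gone": [], "new": [], "same": []}
    for key in sorted(previous.keys() | latest.keys()):
        if key not in latest:
            states["gone"].append(key)      # fixed, or host/port no longer scanned
        elif key not in previous:
            states["new"].append(key)
        elif previous[key] != latest[key]:
            states["changed"].append(key)   # assumption: changed = score differs
        else:
            states["same"].append(key)
    return states


def tickets_to_open(previous, latest, threshold=4.0):
    """Findings above the threshold now that were not above it in the previous scan."""
    return [key for key, score in sorted(latest.items())
            if score > threshold and previous.get(key, 0.0) <= threshold]


if __name__ == "__main__":
    prev, last = load_findings(PREVIOUS_CSV), load_findings(LATEST_CSV)
    for state, keys in delta(prev, last).items():
        for key in keys:
            print(state, *key)
    for key in tickets_to_open(prev, last):
        print("ticket", *key, last[key])
```

A finding that stays above the threshold in both scans is reported as "same" and raises no second ticket; whether that is wanted is the policy question discussed in the thread.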
Re: [Openvas-discuss] Reporting on delta's between scans on same host [PUBLIC]
On the post at http://lists.wald.intevation.org/pipermail/openvas-discuss/2017-September/011460.html, some of the XML to do what you want is shown.

j

This message was classified PUBLIC by CAMPBELL Jeremy on Friday, December 8, 2017 at 11:02:07 AM.

From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On Behalf Of Shekhar Aryan
Sent: Thursday, December 7, 2017 4:12 AM
To: openvas-discuss@wald.intevation.org
Subject: Re: [Openvas-discuss] Reporting on delta's between scans on same host

Perhaps a random question, has anyone in here been able to run scans using openvas cli please? If so please could you guide us? And like me has anyone found using CLI version very cumbersome..?

On 7 Dec 2017, at 09:05, Thijs Stuurman <thijs.stuur...@internedservices.nl> wrote:

You can schedule the scans to repeat them.

Personally I wasn’t happy with the built in scheduler and automated one myself using python talking to the gvm-tools API.
(https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)

I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)

If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.

Still, why care about past results; it’s the latest scan result that counts in my book.

Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman

From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On behalf of Joris
Sent: Thursday 7 December 2017 09:51
To: openvas-discuss@wald.intevation.org
Subject: [Openvas-discuss] Reporting on delta's between scans on same host

Hello list,

Using the scanner here and are pretty impressed with the results and the web GUI.

Our next move is basically to identify differences between consecutive scans on hosts (was a vulnerability patched? was a new vulnerability introduced on the system?)

Based on my understanding, the system does not support this natively but I can be wrong. How do others solve this issue? Do you build automation around it ?

Best regards
Joris
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Joris,

Yes, multiple tickets for the same issue will then sit in the queue. (or not if they closed or moved the ticket; it’ll come right back on the next scan)
Their tickets are not my responsibility so I do not interfere with what they do with the tickets.

If something cannot be fixed, you (or they) can say so using a note on the result in question and override the result. (accepting the situation or explaining why it is a false positive or something).
You can configure the override to be valid for all future scans of the particular task (or all tasks) (and for some time etc.) which avoids new tickets being created.

I doubt you can or even want to keep track of their tickets. Strange things happen to tickets, some even get set to resolved while the issue is clearly not…
I understand you do not want to clutter the ticketing system but it only gets that way (which should make alarm bells ring somewhere) if they don’t do their job.
When you do not report a finding because the same finding was there last month and someone threw that ticket away… you’ll get nowhere.
(Don’t you have anything written down about how long a certain CVSS score vulnerability may exist when found?)

For reporting we make reports manually based on some filters to group certain systems and the result counts. (yes, we put the numbers in Excel and make a nice graph)
We have too many systems to report on every task separately. Even general reports are not very helpful because systems and vulnerabilities (or non-compliances) come and go.
(We named tasks according to groups to filter ’em out, for example the name would be “domain Linux – system xyz”; you cannot (easily) filter on the comments but we use those to quickly identify if it’s a private or public system and usually we have the target IP in there as well)
We can show which groups have the most issues and where improvements are clearly visible.
Usually we manually point out the big improvements and not so much do any shaming; the numbers, graph(s) and tickets do enough.
From my experience, shaming doesn’t improve much and can be quite devastating in the long run.

If you have so many results that it would fill queues instantly and bury people under work (let’s face it, this happens a lot in large organizations when you first start scanning), do not automatically make tickets. (or perhaps only for very high CVSS scores)
Make some tickets manually for the major issues which require a resolution asap.
Fix the others using a separate (dedicated) security issue team and enforce a baseline to avoid such findings on new systems.
Then later when the organization is more in control you can automate the tickets.

You can also ease your organization into it all by not starting to scan everything but make them onboard their systems, get admins involved.
Besides the obvious vulnerability it also helps them for example check their firewall and encryption configurations.
Tickets and onboarding are not your responsibility, allow their manager to do his or her job.

Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Thanks Thijs!

You made me think about past results and not having to care about it: It is true that the tickets will be only generated on current results.
On the other hand, does that mean that you create multiple tickets for the same issue if it appears in 2 consecutive scans?

We're interested in differential for 2 other reasons:
- from a security culture perspective, it would be interesting to report on reduction in vulnerabilities and create some noise about who is doing well and who is not.
- some systems will have issues which cannot be remediated per se. By differential reporting, we can look at new stuff and the report would not be cluttered by old stuff we already knew about / ticketed.

Best regards
Joris
Re: [Openvas-discuss] Reporting on delta's between scans on same host
Perhaps a random question, has anyone in here been able to run scans using openvas cli please? If so please could you guide us? And like me has anyone found using CLI version very cumbersome..?
Re: [Openvas-discuss] Reporting on delta's between scans on same host
You can schedule the scans to repeat them.

Personally I wasn’t happy with the built-in scheduler and automated one myself using python talking to the gvm-tools API.
(https://github.com/Thij/openvas_scheduler which might help you automate things yourself, gvm-tools also has example scripts: https://bitbucket.org/greenbone/gvm-tools)

I am not going for differences really; any finding with a CVSS score of > 4 will trigger an alert which sends an email to our ticketing system.
Once a month I start my scheduler which will start any job that hasn’t run for 3 weeks or so. (I could leave it running in a screen forever but I still supervise and time it all, when it is not running I got time to update scan systems)

If you go to tasks and click on the Reports > Total number you can see an overview of all the reports and quickly see if things improved or not.
There is a compare button (underneath Actions, next to ‘delete’ so be careful), click on two and you’ll get a comparison overview.

Still, why care about past results; it’s the latest scan result that counts in my book.

Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
[Openvas-discuss] Reporting on delta's between scans on same host
Hello list,

Using the scanner here and are pretty impressed with the results and the web GUI.

Our next move is basically to identify differences between consecutive scans on hosts (was a vulnerability patched? was a new vulnerability introduced on the system?)

Based on my understanding, the system does not support this natively but I can be wrong. How do others solve this issue? Do you build automation around it?

Best regards
Joris
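The delta asked about in this thread, combined with the "CVSS score of > 4" alert threshold and the overrides mentioned in the replies, as an added example that is not code from any poster or from OpenVAS. It assumes the report element names (result, host, port, nvt oid, severity) follow the OpenVAS XML export; the sample reports, addresses, OIDs and the `accepted` set (a stand-in for overrides) are constructed.

```python
import xml.etree.ElementTree as ET

THRESHOLD = 4.0  # from the thread: a finding with a CVSS score > 4 raises an alert

def load_findings(report_xml):
    """Map (host, port, NVT OID) -> severity for every result in one report."""
    findings = {}
    for result in ET.fromstring(report_xml).iter("result"):
        host = (result.findtext("host") or "").strip()
        port = (result.findtext("port") or "").strip()
        nvt = result.find("nvt")
        try:
            severity = float(result.findtext("severity") or "")
        except ValueError:
            continue  # result without a usable score
        if host and nvt is not None:
            key = (host, port, nvt.get("oid", ""))
            findings[key] = max(severity, findings.get(key, 0.0))
    return findings

def scan_delta(previous_xml, current_xml, accepted=frozenset(), threshold=THRESHOLD):
    """Compare two reports; a finding is "fixed" only if its host has current results."""
    prev, curr = load_findings(previous_xml), load_findings(current_xml)
    hosts_scanned = {host for host, _, _ in curr}
    def actionable(findings):
        return {k for k, sev in findings.items() if sev > threshold and k not in accepted}
    old, new = actionable(prev), actionable(curr)
    gone = old - new
    return {
        "new": sorted(new - old),
        "persisting": sorted(new & old),
        "fixed": sorted(k for k in gone if k[0] in hosts_scanned),
        "unverified": sorted(k for k in gone if k[0] not in hosts_scanned),
    }

def sample_report(rows):
    """Constructed report XML; element names assume the OpenVAS XML export layout."""
    body = "".join(
        f'<result><host>{h}</host><port>{p}</port><nvt oid="{o}"><name>constructed</name>'
        f"</nvt><severity>{s}</severity></result>" for h, p, o, s in rows)
    return f"<report><results>{body}</results></report>"

# Constructed data: documentation addresses and placeholder OIDs, not real scan output.
PREVIOUS = sample_report([("192.0.2.10", "443/tcp", "oid-tls", 5.0),
                          ("192.0.2.10", "22/tcp", "oid-ssh", 7.5),
                          ("192.0.2.11", "80/tcp", "oid-listing", 6.4),
                          ("192.0.2.12", "21/tcp", "oid-ftp", 9.0),
                          ("192.0.2.10", "general/tcp", "oid-info", 2.6)])
CURRENT = sample_report([("192.0.2.10", "443/tcp", "oid-tls", 5.0),
                         ("192.0.2.10", "8080/tcp", "oid-proxy", 9.8),
                         ("192.0.2.11", "80/tcp", "oid-listing", 6.4),
                         ("192.0.2.10", "general/tcp", "oid-info", 2.6)])
ACCEPTED = {("192.0.2.11", "80/tcp", "oid-listing")}  # stands in for an override
if __name__ == "__main__":
    print(scan_delta(PREVIOUS, CURRENT, ACCEPTED))
```

A finding that disappears together with its whole host lands in "unverified" rather than "fixed", since a host that produced no results in the later scan says nothing about whether the issue was patched.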