Graphical User Interface

Robert Weber edited this page May 5, 2020 · 18 revisions

The user interface is broken into several distinct and logical sections. Each section serves a distinct purpose and the overall application flow is from top to bottom.

Main Menu

  • File

    • Select Scans - Used to select multiple scan files. Can be used multiple times to select scan files in different locations. Duplicated by the Blue 'Scan Drop' region of the application.
    • Parse Scans - Parses the selected scan file. Can be used multiple times if needed as updated scans are imported. Duplicated by the Green 'Selected Scan Files' region of the application.
    • Execute - Generates the report based off the parsed scan. Duplicated by the Red 'Scan Summary' section.  
  • Scans

    • Merge Nessus - This will let you select multiple .nessus files and merge them all into a singular file based off of scan policies. This allows you to consolidate hundreds of scans into a single file upload for eMASS artifacts. If file size is an issue, you can choose to merge the files in chunks of between 5 and 50 hosts per file. The scan files can also be used in the Asset Manager section of eMASS.

    • Split Nessus - This is the inverse of the Merge Nessus function. This will take a single .nessus file and split it into multiple .nessus files, one per host. This makes it easy to remove 'bad' hosts in a scan and replace those scans with 'good' host scans.

    • Update CKL - This will let you select an old CKL file and copy all of the statuses, comments and finding details to a new CKL file. This comes in handy when updating from one release (V1R2) to the next (V1R2). The key used for the translation between CKL files is the vulnerability ID (V-12345), so changes between versions are likely not to yield great results.

    • Open Results Folder - This will open the 'results' folder the application uses to store the resulting reports using whatever platform option is available (Windows File Explorer, Nautilus, etc.).

  • Help

    • Help - Shows a basic overview of the steps to use the application.
    • About - Shows the current version and release information.  
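The Split Nessus and Merge Nessus behaviour described above, sketched as an added Python example (not Scans2Reports' own code). It assumes the usual `NessusClientData_v2` layout with `Policy`, `Report` and `ReportHost` elements; the function names, the `exclude` parameter, the "later file wins" rule and the sample document are hypothetical.

```python
import xml.etree.ElementTree as ET
from copy import deepcopy

# Constructed sample: minimal NessusClientData_v2 document with three hosts.
SAMPLE = """<NessusClientData_v2>
  <Policy><policyName>Constructed Policy</policyName></Policy>
  <Report name="constructed-scan">
    <ReportHost name="host-a"><ReportItem pluginID="10399" severity="0"/></ReportHost>
    <ReportHost name="host-b"><ReportItem pluginID="22869" severity="0"/></ReportHost>
    <ReportHost name="host-c"><ReportItem pluginID="19506" severity="0"/></ReportHost>
  </Report>
</NessusClientData_v2>"""


def split_hosts(nessus_xml):
    """Return {host name: xml string}, one single-host document per ReportHost."""
    root = ET.fromstring(nessus_xml)
    out = {}
    for host in root.iter("ReportHost"):
        doc = deepcopy(root)                      # keeps Policy and Report name
        report = doc.find("Report")
        for other in report.findall("ReportHost"):
            if other.get("name") != host.get("name"):
                report.remove(other)
        out[host.get("name")] = ET.tostring(doc, encoding="unicode")
    return out


def merge_hosts(docs, chunk_size=50, exclude=()):
    """Group hosts by policy name, then emit files of at most chunk_size hosts."""
    if not 5 <= chunk_size <= 50:
        raise ValueError("chunk size must be between 5 and 50 hosts")
    groups = {}  # policy name -> (template root, {host name: ReportHost})
    for root in map(ET.fromstring, docs):
        _, hosts = groups.setdefault(root.findtext("Policy/policyName"), (root, {}))
        for host in root.iter("ReportHost"):
            if host.get("name") not in exclude:   # drop known 'bad' hosts
                hosts[host.get("name")] = host    # assumed: later file wins
    merged = []
    for policy, (template, hosts) in groups.items():
        names = sorted(hosts)
        for i in range(0, len(names), chunk_size):
            doc = deepcopy(template)
            report = doc.find("Report")
            for old in report.findall("ReportHost"):
                report.remove(old)
            report.extend([deepcopy(hosts[n]) for n in names[i:i + chunk_size]])
            merged.append((policy, ET.tostring(doc, encoding="unicode")))
    return merged
```

Splitting first and then merging with `exclude` set to the 'bad' host names gives the replace-a-host workflow the Split Nessus item describes.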

Report Options (Yellow Region)

This region of the application allows you to enter information to be outputted on the POAM/RAR tabs of the report. The data fields that accept user input are:

  • Organization Name

    The name of the over-arching command or organization the package belongs to. This could be a base, a tenant, a company, etc. When utilizing the command line version of the application, this can be specified using the "-c" or "--command" arguments (e.g. scans2reports.exe --command "Cyber Trackr Live").

  • POC Name

    The name for the main point of contact for the package. When utilizing the command line version of the application, this can be specified using the "-n" or "--name" arguments (e.g. scans2reports.exe --name "Robert Weber").

  • POC Phone Number

    The phone number for that POC. When utilizing the command line version of the application, this can be specified using the "-p" or "--phone" arguments (e.g. scans2reports.exe --phone "800-555-1212").

  • POC Email

    The email address for that POC. When utilizing the command line version of the application, this can be specified using the "-e" or "--email" arguments (e.g. scans2reports.exe --email "[email protected]").

  • Report Execution

    This region also allows you to select/deselect the various tabs that will be generated in the resulting Excel file. The check boxes are automatically checked/unchecked based on the scan files that are parsed, but you can update the selections as you need once the parsing is completed. The report details are listed in the 'Generating Reports' section of this document.  

Generator Options (Teal Region)

This region allows you to change some of the inner workings of the application to suit your needs as a package developer. The details for those options are listed below.

  • Exclude ACAS Plugins Published Less Than X Days Ago

    For most eMASS packages, ACAS plugins that are brand new do not have to be included in the final report sent to eMASS. This field allows you to select the number of days allowed in that grace period. This field defaults to 30 days, meaning a plugin that was released by Tenable 20 days ago would not show up on the POAM tab.

    When utilizing the command line version of the application, this can be specified using the "-x" or "--exclude-plugins" arguments (e.g. scans2reports.exe -x 25)

  • Skip CAT IV (Informational)

    This setting ensures any non-necessary CAT IV findings are not parsed, so they won't impact any of the report tabs. There are certain CAT IV plugins that are required for various functions in this application, such as 10399 which enumerates local users or 22869 which enumerates installed software. The CAT IV plugins that are used to determine those data sets will always be parsed, but any plugins outside this list of requirements will be skipped. This helps ensure the POAM/RAR tabs are not littered with hundreds of rows of unimportant findings.

    When utilizing the command line version of the application, this can be specified using the "-i" or "--skip-info" arguments (e.g. scans2reports.exe --skip-info)

  • Automatically Lower Risk

    This setting will automatically lower the risk of the open findings one step. For instance, all CAT I findings will be downgraded to CAT II automatically. This option is in place under the assumption a valid mitigation statement will either be imported or created for each open finding.

    When utilizing the command line version of the application, this can be specified using the "-l" or "--lower-risk" arguments (e.g. scans2reports.exe --lower-risk)

  • Prefill Scheduled Completion Data

    This will automatically fill in the Scheduled Completion Data on the POAM tabs based on the residual risk for each finding. The finding timelines are 3 years for CAT IV findings, 1 year for CAT III findings, 90 days for CAT II findings and 30 days for CAT I findings.

    When utilizing the command line version of the application, this can be specified using the "-s" or "--scd" arguments (e.g. scans2reports.exe --scd)

  • Include Finding Details

    This toggle will populate the RAR and POAM comments column with each finding's "Details" (CKL, SCAP and ACAS). The information will show up at the bottom of the comments cell with the 'Finding Details' header. Some package chains require this information while others don't, so the toggle is available to support as many users as possible.

    When utilizing the command line version of the application, this can be specified using the "-fd" or "--finding-details" arguments (e.g. scans2reports.exe -fd)

  • Show Host Details

    This will populate additional scan level details for all affected devices for each finding on the POAM and RAR table. If this is unchecked, only the hostname will be displayed in this cell. If this is checked, each host will show up as "hostname [CKL - Ver: 1, Rel/Feed: 10]" or "hostname [ACAS - V6.1.2, Rel/Feed: 20200601120000]".

    When utilizing the command line version of the application, this can be specified using the "-hd" or "--host-details" arguments (e.g. scans2reports.exe -hd)

  • Test Result Action

    If an eMASS export Test Result file is imported along with the scan files, this drop-down menu's action becomes relevant. If "Add All Findings" is selected, all parsed findings will be processed for the various reports. If "Mark As Closed" is selected, findings related to RMF Security Controls that are not part of the package will be automatically marked as closed, with the applicable comment automatically added to the comment column. If "Convert to CM-6.5" is selected, any findings that are not part of the package controls will be added as Open with a comment stating CM-6.5 was selected as the finding security control.

    When utilizing the command line version of the application, this can be specified using the "--test-results" argument followed by either 'add', 'convert', or 'close' (e.g. scans2reports.exe --test-results convert).

  • Processing Intensity

    This drop-down menu selects how intensively the parsing and report generation functions should run on your system. There are three options available in the user interface. You can select "Normal Load", "Light Load", or "Make My CPU Bleed".

    From the command line interface, you can set this with the -t or --threads argument, followed by a number from 1 to 3 (e.g. scans2reports.exe --threads 2)  

  • Mitigation Statements

    This drop-down menu is used to select how the mitigation statement column on the POAM/RAR tabs will be populated. The possible options are:

    • Leave Blank - will leave the cell blank for each finding.
    • Existing POAM or Answer File CSV - will populate the mitigation statement as it is entered in the applicable file.
    • CKL Comments - will populate the cell based on the comments field in the applicable CKL file.
    • POAM/CSV, then CKL (Prefer Existing POAM/CSV) - This will populate the mitigation statement first by previously submitted POAMs or CSV Answer files. If there are no applicable mitigation statements in those files, the comments field from the CKL file will be used. If that is also blank, then a blank cell will be used.

    When utilizing the command line version of the application, this can be specified using the "--mitigation-statements" argument followed by either 'blank', 'poam', 'ckl', or 'both' (e.g. scans2reports.exe --mitigation-statements poam)

  • Predisposing Conditions

    This text area allows you to enter a paragraph or two of text that will pre-populate in the predisposing conditions field of the RAR/POAM tabs. This will be added to every finding populated on those two sheets.

    When utilizing the command line version of the application, this can be specified using the "--predisposing-conditions" argument followed by a quoted string of text (e.g. scans2reports.exe --predisposing-conditions "this is a paragraph of text")  
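How the grace period, risk lowering, scheduled completion and mitigation statement options above interact, as an added Python example (not Scans2Reports' own code). The function names, field names and sample findings are hypothetical; it assumes CAT IV stays at CAT IV when lowered and treats a year as 365 days.

```python
from datetime import date, timedelta

ORDER = ["I", "II", "III", "IV"]
# Timelines from this page; a year is approximated as 365 days (assumption).
SCD_DAYS = {"I": 30, "II": 90, "III": 365, "IV": 3 * 365}
TODAY = date(2020, 5, 5)  # fixed so the sample is reproducible

# Constructed open findings. "published" is the plugin publication date
# (None for CKL/SCAP findings, which have no plugin date).
FINDINGS = [
    {"id": "sample-acas-1", "cat": "II", "published": date(2020, 4, 15), "poam": "", "ckl": ""},
    {"id": "sample-acas-2", "cat": "I", "published": date(2019, 1, 1), "poam": "", "ckl": "ACL limits access"},
    {"id": "sample-ckl-1", "cat": "IV", "published": None, "poam": "Accepted by AO", "ckl": "n/a"},
]


def lower_one_step(cat):
    """CAT I -> II -> III -> IV; CAT IV is assumed to stay at CAT IV."""
    return ORDER[min(ORDER.index(cat) + 1, len(ORDER) - 1)]


def mitigation(finding, mode):
    """Modes mirror --mitigation-statements: blank, poam, ckl, both."""
    if mode == "poam":
        return finding["poam"]
    if mode == "ckl":
        return finding["ckl"]
    if mode == "both":
        return finding["poam"] or finding["ckl"]  # prefer existing POAM/CSV
    return ""


def build_rows(findings, exclude_days=30, lower_risk=False, scd=False, mode="blank"):
    rows = []
    for f in findings:
        age = (TODAY - f["published"]).days if f["published"] else None
        if age is not None and age < exclude_days:
            continue  # plugin is still inside the grace period
        residual = lower_one_step(f["cat"]) if lower_risk else f["cat"]
        due = TODAY + timedelta(days=SCD_DAYS[residual]) if scd else None
        rows.append({"id": f["id"], "raw": f["cat"], "residual": residual,
                     "scd": due, "mitigation": mitigation(f, mode)})
    return rows


if __name__ == "__main__":
    for row in build_rows(FINDINGS, lower_risk=True, scd=True, mode="both"):
        print(row)
```

Because the completion date follows the residual category, enabling risk lowering moves the sample CAT I finding from a 30-day to a 90-day deadline, which is why the page ties that option to a valid mitigation statement.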

Scan Drop (Blue Region)

This region is where you can drag and drop your scan files and other artifacts onto the application. As you drop them, they will populate in the "Selected Scan Files" below. You can also click the Blue "Import" button to open a file selection dialog to do the same. Any non-supported files will be ignored.

Point to note - Dropping thousands of files on this Blue region can cause the application to freeze for a few seconds. If that happens, just wait until the application unfreezes.

Selected Scan Files (Green Region)

This table populates with scan file data for all the selected scan files. The table is sortable by clicking on the column headers. Individual scan results can be deleted by clicking on the "DEL" button in the specific file's row. To clear the entire table of scan files, click on the "CLEAR" button to the left of the table. After reviewing all the selected files populated in this table, click on the Green "Parse" button to begin processing each file.

As the scan files are parsed, the Yellow "Report Options" section will pre-select the applicable report types based on the scans read. For instance, the POAM and RAR check boxes will automatically check for any CKL, ACAS or SCAP files read in. The ACAS Unique IAVM check box will automatically check once an ACAS file is read in. The only report that won't automatically check is the SCAP/CKL Issues report as this report will take an extensive amount of time to render when large numbers of files are submitted.

Depending on the speed of your computer and the "Processing Intensity" selected above, this parsing process can take a while to complete. The overall status and progress will be displayed at the bottom of the application along with an ETA for completion.  

Scan Summary (Red Region)

Once all the files are parsed, the applicable scan information will be populated in this table. This summary will show a brief list of details for each host per scan file, including information like the number of findings per category and the credential status for each scan. To clear this information, click on the "CLEAR" button to the left of the table. Once you are satisfied with the review of this table, click on the Red "Report" button to begin generating the report file.

This process will also take a fair amount of time to finish, mainly depending on the number of scans selected. The current report being rendered and the overall status will be displayed in the status bar area at the bottom of the application.

Status Bar/Progress

This section displays the current status of the application, as well as the overall progress completed.