Compliance Data Export Plugins
Note: This functionality is not available in Tenable Security Center. If you use Tenable Security Center, you can run scans directly from managed Tenable Nessus scanners to obtain the modified output attachments.
This document describes plugins you can use to format compliance results into data formats that both Tenable and third-party tools can use for integrations.
Available Formats
-
Plugin ID: 174791
-
Plugin Name: Compliance Export Gold Image Audit
This plugin creates a Gold Image Audit file of compliance scanning results.
The Gold Image Audit
The Gold Image Audit uses a known_good feature in the Tenable Audit Language syntax that allows a prior known good value to evaluate as a compliance result, even if the original audit would have failed the check.
Some things to consider:
-
Actual values tend not to be applied to checks that are within the conditional sections of audit if/then/else structures. This was done to maintain consistency with the conditional logic.
-
Any checks that use custom commands, such as CMD_EXEC or SQL_POLICY, may have inconsistent or unsupported output. SQL statements may return values in different orders if not sorted or system commands may output Unicode characters in their output. If you are developing checks, consider sorting the output where possible into a consistent order and sanitizing any non-ASCII characters from the output.
-
Checks that use static report items to post a WARNING or FAILED are not modified by known_good values.
Interpreting the Results
The theory behind the gold image scanning is that if you scan a target that is considered a “gold image," run this script with that audit and results, and rescan the target with the new audit, every item should be a PASSED/info result. But there are a number of factors that do not allow 100% passes on most audits.
Some of the factors include:
-
Some checks in the audit are a direct report of a certain result, most notably with WARNING/medium. If the audit item is a report WARNING, it cannot change in the gold image audit. If the audit is a Tenable-published audit, these items can be identified by having a “NOTE:” in the description that the check was not run. The code inside the audit has an opening tag similar to <report type:"WARNING">.
-
Audits can contain conditional logic that provides results based on a setting on the target being scanned. When rescanning the “gold image” system with a gold image audit, the same conditional logic works, and the results become a PASSED/info. But, when scanning other hosts, they may take a different conditional path that can provide results that were not present in the original “gold image” results.
-
If the output of an audit check includes dynamic data, such as timestamps, a known good value of a gold image does not work. Since the value of a time stamp changes with every execution of the scan, matches against the static known good fail.
-
When creating a gold image audit, the original range or regular expression is abandoned and an absolute value is used in its place. An example would be a benchmark that accepted a password length of greater than 8 characters; the “gold image” had 7 characters set. The new gold image audit fails on anything that is not exactly 7 characters. You can adjust this by adding more known good values, but the end result is always an audit looking for absolute values.
Custom Audit Content
When creating a custom audit for use as a gold image, use the following tips to get quality results:
-
Make the audit relatively flat and use few to no conditionals. Conditionals may change the results presented on different targets.
-
Use items that provide computed results and not static reports. Static reports never change results.
-
Create results that do not contain time-based output. If a time stamp shows in the results, it is impossible to create a known good value.
-
If creating a custom audit item using a command (CMD_EXEC, AUDIT_POWERSHELL), make sure the output is consistently generated. This means that all outputs should be sorted. If the output comes out in a random order, the gold image does not have a consistent known good to compare with.
How To Enable Gold Image Audit
By default, Gold Image audit for Policy Configuration Auditing is disabled. To enable the Gold Image audit feature.
-
Select the Policy Compliance Auditing scan template.
-
From the Settings tab, select Advanced and then Custom from the Scan Type drop-down menu.
-
Select General.
-
Under Compliance Output Settings, select the checkbox next to Generate Gold Image Audit file.
The option is also available for any scan template that allows the selection of audit files and generation of audit results, including the Advanced Scan template.
How to Access Gold Image Audit
The data is provided as attached files to the plugin output. The attached files are named as gold_<host_address>_<audit_file>.json. Each audit used generates a different results file. To retrieve the data, navigate to the scan vulnerabilities, find the Compliance Export Gold Image Audit plugin, and find the file attachments. Click to download the attachments.
Notes:
-
Enabling this plugin increases the storage and size of your scan results.
-
The plugin only runs once per audit per scan.
-
If known good values exist in an audit used to create the Gold Image Audit, no new values are added.
Compliance Export JSON Results
Plugin ID: 174790
Plugin Name: Compliance Export JSON
This plugin creates a JSON-formatted data file of compliance scanning results. The JSON data produced by this plugin represents the same results that would be exported using the “.nessus” XML data format.
The JSON Format
The JSON file contains properties for the following items:
-
audit - Information on the audit file that is used.
-
host - Information on the target that is being audited.
-
results - The compliance results.
-
scan - Information on the scanner in use and the start and stop times of the scan.
Each result contains the following data:
-
check_name - The name of the recommendation that was audited.
-
result - The result that is posted to the Tenable product ("PASSED," "WARNING," "FAILED," or "ERROR").
-
actual_value - The value that the audit check produced.
-
policy_value - A representation to identify the policy used in checking the recommendation.
-
audit_file - The audit file that is in use, as reported by the scanner.
-
benchmark_name - The benchmark name identified by the audit.
-
benchmark_version - Then benchmark version identified by the audit.
-
see_also - Link to source benchmark guidance.
Additional data points may be included based on what audit file is in use.
How To Enable JSON Audit Results
By default, JSON results for Policy Configuration Auditing is disabled. To enable the JSON results feature:
-
Select the Policy Compliance Auditing scan template.
-
From the Settings tab, select Advanced and then Custom from the Scan Type drop-down menu.
-
Select General.
-
Under Compliance Output Settings, select the checkbox next to Generate JSON result file.
The option is also available for any scan template that allows the selection of audit files and generation of audit results, including the Advanced Scan template.
How to Access JSON Audit Results
The data is provided as attached files to the plugin output. The attached files are named as results_<host_address>_<audit_file>.json. Each audit used generates a different results file.
To retrieve the data, navigate to the scan vulnerabilities, find the Compliance Export JSON plugin, and find the file attachments. Click to download the attachments.
Notes:
-
The JSON results may contain additional results that were used in conditional evaluation of audit checks.
-
Enabling this plugin increases the storage and size of your scan results.
Compliance Export XCCDF Results
-
Plugin ID: 174792
-
Plugin Name: Compliance Export XCCDF
A feature available within Tenable Policy Compliance Auditing is the capability of downloading XCCDF results after an audit scan has completed. This feature has always been capable within SCAP and OVAL Auditing but is now available within our Policy Compliance Auditing. The feature is only available with use of our DISA STIG audits.
XCCDF Standard
XCCDF (Extensible Configuration Checklist Description Format) is a standards component that is found within the SCAP (Security Content Automation Protocol) standards family. The XCCDF standard is a language that is used to describe security checklists. The XCCDF standard provides a standardized reporting format for expressing and storing results. The XCCDF XML results file can contain information such as target details, the results of each security check, the XCCDF default score and more. You can import these results with other tools, such as the DISA STIG viewer, where the results can be viewed and modified based on the user’s preferences.
How To Enable XCCDF Audit Results
By default, XCCDF results for Policy Configuration Auditing is disabled (enabled by default with SCAP scanning). To enable the XCCDF results feature:
-
Select the Policy Compliance Auditing scan template.
-
From the Settings tab, select Advanced and then Custom from the Scan Type drop-down menu.
-
Select General.
-
Under Compliance Output Settings, select the checkbox next to Generate XCCDF result file.
The option is also available for any scan template that allows the selection of audit files and generation of audit results, including the Advanced Scan template.
How to Access XCCDF Audit Results
The data is provided as attached files to the plugin output. The attached files are named as xccdf_<host_address>_<audit_file>.json. Each audit used generates a different results file.
To retrieve the data, navigate to the scan vulnerabilities, find the Compliance Export XCCDF plugin, and find the file attachments. Click to download the attachments.
Notes:
-
This capability is only available when scanning using a DISA STIG audit.
-
Enabling this plugin increases the storage and size of your scan results.