Nexpose: Exceptions by asset group [Chris Brown]

I wrote a quick, menu-driven Ruby gem that can request exceptions on an entire asset group. The 2nd one is to approve all pending requests - be careful with that one...make sure you know what's in there first. These work for when you are applying an exception for all instances on a specific asset (or group). If looking to except a specific instance, you'll need to add in the port and/or key.

Submit exception requests:

```ruby
require 'nexpose'
require 'yaml'
include Nexpose

# settings.yml supplies the console host under :nexpose / :host
$settings = YAML::load_file 'settings.yml'
NexposeIP = $settings[:nexpose][:host]

# Prompt for credentials; terminal echo is switched off while the password is typed
begin
  puts "Enter your Nexpose username"
  NexposeUser = gets.chomp
  puts "Enter your Nexpose password"
  system 'stty -echo'
  NexposePW = $stdin.gets.chomp
  system 'stty echo'
rescue NoMethodError, Interrupt
  system 'stty echo'
  exit
end

nsc = Connection.new(NexposeIP, NexposeUser, NexposePW)
begin
  nsc.login
rescue StandardError => e
  # Stop here instead of carrying on without a session
  abort "Login failed: #{e.message}"
end

puts "Would you like to get a list of all asset groups and IDs? If you already know the ID, skip this step."
puts "Enter 1 for list, 0 to skip: "
do_list = gets.chomp.to_i

if do_list == 1
  groups = nsc.list_asset_groups
  groups.sort_by!(&:name)
  format = "%-10s\t%-60s\t%-30s\t%-30s\n"
  printf(format, "Asset Group ID", "Asset Group Name", "Number of assets", "Risk Score")
  printf(format, "-------------", "---------------", "----------------", "----------")
  groups.each do |x|
    group = AssetGroup.load(nsc, x.id)
    printf(format, x.id, x.name, group.assets.count, x.risk_score)
  end
end

puts "Enter the ID for the asset group for scope: "
ag = gets.chomp.to_i

# Get vulnerability ID from clicking the vulnerability under an asset in the UI.
# Copy and paste that as the response.
puts "----------"
puts "Enter the Vulnerability ID: "
vuln = gets.chomp

puts "____________"
puts "1 - False Positive"
puts "2 - Compensating Control"
puts "3 - Acceptable Use"
puts "4 - Acceptable Risk"
puts "5 - Other"
puts "Select a reason for exception (1-5):"
rsn = gets.chomp
case rsn
when "1"
  rsn = "False Positive"
when "2"
  rsn = "Compensating Control"
when "3"
  rsn = "Acceptable Use"
when "4"
  rsn = "Acceptable Risk"
else
  rsn = "Other"
end

puts "------------"
puts "Enter a comment/justification for exception"
reporter_comments = gets.chomp

# One exception request per asset in the group, scoped to all instances on that asset
assets = nsc.group_assets(ag)
assets.each do |asset|
  exc = VulnException.new(vuln, VulnException::Scope::ALL_INSTANCES_ON_A_SPECIFIC_ASSET, rsn)
  exc.asset_id = asset.id
  exc.save(nsc, reporter_comments)
end

puts "Exceptions for #{vuln} in asset group ID: #{ag} submitted for approval."
logout_success = nsc.logout
```

And to approve ALL that are pending:

```ruby
require 'nexpose'
require 'yaml'
require 'date'
include Nexpose

# settings.yml supplies the console host under :nexpose / :host
$settings = YAML::load_file 'settings.yml'
NexposeIP = $settings[:nexpose][:host]

# Prompt for credentials; terminal echo is switched off while the password is typed
begin
  puts "Enter your Nexpose username"
  NexposeUser = gets.chomp
  puts "Enter your Nexpose password"
  system 'stty -echo'
  NexposePW = $stdin.gets.chomp
  system 'stty echo'
rescue NoMethodError, Interrupt
  system 'stty echo'
  exit
end

nsc = Connection.new(NexposeIP, NexposeUser, NexposePW)
begin
  nsc.login
rescue StandardError => e
  # Stop here instead of carrying on without a session
  abort "Login failed: #{e.message}"
end

# Every request currently waiting for review
exceptions = nsc.list_vuln_exceptions(VulnException::Status::UNDER_REVIEW)

puts "How many days is this exception valid?"
duration = gets.chomp.to_i
d = Date.today
expiration_date = d + duration

puts "----------"
puts "Enter a comment for approval:"
approver_comment = gets.chomp

x = exceptions.count
if x == 0
  puts "There are no exceptions pending approval."
else
  puts "Approving #{x} pending exceptions with expiration date of #{expiration_date}..."
end

# Approve each request, then set its expiration; prints a countdown
exceptions.each do |ex|
  ex.approve(nsc, approver_comment)
  ex.update_expiration_date(nsc, expiration_date)
  puts "#{x}..."
  x -= 1
end

logout_success = nsc.logout
```

I just copy/paste the Vulnerability ID from the Vulnerability Information "Overview" table -> "Vulnerability ID" column instead of trying to find it with the script.

Posted by Edward Sheehy about a year ago
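
The "make sure you know what's in there first" step from the post above, as an added example that is not part of the original post: it groups the pending queue so each distinct request is read once, then narrows the set to approve. `PendingException`, `blank_comment?`, `summarize_pending`, `approvable` and the sample data are hypothetical; the attribute names are assumed to mirror the gem's `VulnException`.

```ruby
# Added example. PendingException is a constructed stand-in for the objects
# returned by nsc.list_vuln_exceptions; its attribute names are assumed to
# mirror the gem's VulnException.
PendingException = Struct.new(:id, :vuln_id, :reason, :submitter,
                              :asset_id, :submitter_comment)

# True when the requester gave no justification text.
def blank_comment?(exc)
  exc.submitter_comment.to_s.strip.empty?
end

# Collapse the queue to one row per (vulnerability, reason, submitter) so each
# distinct request is read once, largest asset count first.
def summarize_pending(exceptions)
  rows = exceptions.group_by { |e| [e.vuln_id, e.reason, e.submitter] }
                   .map do |(vuln, reason, who), items|
    { vuln_id: vuln, reason: reason, submitter: who,
      assets: items.map(&:asset_id).uniq.size,
      missing_comment: items.count { |e| blank_comment?(e) } }
  end
  rows.sort_by { |r| [-r[:assets], r[:vuln_id]] }
end

# Narrow the queue to requests the reviewer has read and allowed by
# vulnerability ID, skipping any that carry no justification.
def approvable(exceptions, allowed_vuln_ids)
  exceptions.select do |e|
    allowed_vuln_ids.include?(e.vuln_id) && !blank_comment?(e)
  end
end

# Constructed sample queue (placeholder vulnerability IDs and users).
SAMPLE_QUEUE = [
  PendingException.new(1, 'constructed-vuln-a', 'False Positive', 'alice', 10, 'Patched; banner is stale'),
  PendingException.new(2, 'constructed-vuln-a', 'False Positive', 'alice', 11, 'Patched; banner is stale'),
  PendingException.new(3, 'constructed-vuln-a', 'False Positive', 'alice', 12, 'Patched; banner is stale'),
  PendingException.new(4, 'constructed-vuln-b', 'Acceptable Risk', 'bob', 10, ''),
  PendingException.new(5, 'constructed-vuln-c', 'Other', 'bob', 20, 'Vendor appliance, fix scheduled')
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize_pending(SAMPLE_QUEUE).each do |r|
    puts format('%-20s %-18s %-8s assets=%d no_comment=%d',
                r[:vuln_id], r[:reason], r[:submitter], r[:assets], r[:missing_comment])
  end
  keep = approvable(SAMPLE_QUEUE, %w[constructed-vuln-a constructed-vuln-b])
  puts "Would approve exception IDs: #{keep.map(&:id).join(', ')}"
end
```

In the approval script, the same filter would sit in front of `exceptions.each`, with the allowed IDs entered by the reviewer after reading the summary.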