add policy configurator and OL7 builder + util scripts

Author: explodeo

.gitignore

@@ -36,5 +36,8 @@
 # only keep setup notes
 # !./src/Notes/setup.md
 
+# ignore system-specific SCAP data
+**/SCAP/*
+
 # only keep the example config JSON
 !**example-config.json

install/utils/build_tenablecore.sh

@@ -22,6 +22,8 @@ function install_rpms(){
     rpm -i "$INSTALL_TEMPDIR/install/rpms/acas/CM307352_Nessus-10.7.3-el8.x86_64.rpm" || true
     rpm -i "$INSTALL_TEMPDIR/install/rpms/acas/dialog-1.3-32.20210117.el9.x86_64.rpm" || true
     rpm -i "$INSTALL_TEMPDIR/install/rpms/acas/CM306733_acas_configure-24.03-4.noarch.rpm" || true
+    # install rpm extras
+    rpm -ivh "$INSTALL_TEMPDIR/install/rpms/jdk-11/*.rpm" || true
 }
 
 function configure_nessus(){
@@ -60,9 +62,7 @@ function configure_networking(){
     # install networkctl
     cp "$INSTALL_TEMPDIR/TenableCore/NetworkManager/networkctl.sh" /opt
     chmod 755 /opt/networkctl.sh
-    systemctl restart NetworkManager || true
-    
-    ln -s /opt/networkctl.sh /usr/bin/networkctl || true
+    systemctl restart NetworkManager || true    
 }
 
 function install_notes(){
@@ -84,14 +84,21 @@ function install_api(){
     # cd /opt/NessusAPI/src
     # pyinstaller --onefile --distpath /opt/NessusAPI/bin --workpath /tmp --specpath /tmp
     # cd -
-
     # ln -s /opt/NessusAPI/bin/nessus-configure /usr/bin/nessus-configure
+
     ln -s /opt/NessusAPI/src/nessus-configure.py /usr/bin/nessus-configure || true
+    ln -s /opt/NessusAPI/src/nessus-update-policy.py /usr/bin/nessus-update-policy || true
 }
 
-function install_scap_tools(){
-    # TODO
-    echo "TODO: Install SCAP Automation Tools"
+function install_utility_scripts(){
+    cp -r "$INSTALL_TEMPDIR"/TenableCore/scripts /opt/
+    # force ownership and permissions
+    chmod 755 /opt/scripts/*
+    chown -R root:root /opt/scripts/*
+    # symlink only bins so all users can see it
+    ln -s /opt/scripts/bin/* /usr/bin/
+    # other scripts get stored here
+
 }
 
 ####################### Main #######################
@@ -137,7 +144,6 @@ configure_nessus
 configure_networking
 install_notes
 install_api
-install_scap_tools
 
 echo "Nessus Install Completed"
 

install/vm/.gitkeep

@@ -0,0 +1 @@
+put the VDI here with the TenableCore.sh installer script

src/NessusAPI/nessus-configure.py

@@ -2,28 +2,110 @@
 
 import code
 import argparse
+from argparse import ArgumentError
 import os
+from getpass import getpass
 from nessusapi import NessusAPI
 
-if __name__ == "__main__":
+def interact(nessus: NessusAPI) -> None:
+    n = nessus.Nessus
+    code.interact(local=locals())
+
+def parse_args() -> None:
     parser = argparse.ArgumentParser(description="A command-line interface for nessus. Used to initialize/export a nessus instance or interact with the API.")
-    parser.add_argument('config', metavar="CONFIG")
-    group = parser.add_mutually_exclusive_group(required=True)
-    group.add_argument('-i', "--initialize", action='store_true', help="Initialize Nessus Scans/Policies.")
-    group.add_argument('-e', "--export", nargs='*', metavar=("OUTDIR", "SCANFOLDER"), help="Export all complete scans to this directory. Can limit scans based on folder.")
-    group.add_argument('--interactive', action='store_true', help="Interact directly with the Nessus API. (Use locals() to see vars)")
+    parser.add_argument('-v', '--verbose', help='Add Verbosity')
+    login_group = parser.add_argument_group("Connection Info")
+    login_group.add_argument('-c', '--config', metavar="CONFIG", help='JSON Nessus Credential/Policy/Scan configuration file')
+    login_group.add_argument('-U', '--user', metavar="USERNAME", help='User to authenticate to Nessus')
+    login_group.add_argument('-H', '--host', metavar="HOST", help='IP/hostname of the Nessus instance')
+    login_group.add_argument('-p', '--port', metavar="PORT", help='Port to connect to Nessus')
+
+    subparser = parser.add_subparsers(title='Commands', dest='command')
+
+    export_parser = subparser.add_parser('export', description="Export Nessus Scans to Directory")
+    export_parser.add_argument('-o', '--outdir', metavar="OUTPUT_DIR", help='Directory to export scan results to')
+    export_parser.add_argument('-f', '--format', metavar="FMT", nargs='*', default=['nessus'], required=False, help='Formats for scan exports: nessus, pdf, csv, html (default=nessus)')
+    export_parser.add_argument('--scan_folder', metavar="FOLDER", required=False, help='Export all scans from a folder in Nessus')
+
+    init_parser = subparser.add_parser('init', description='Initialize Nessus Policies/Credentials and Scans')
+    init_parser.add_argument('-e', '--exec', action='store_true', help="Inits Nessus and executes all scans from the config")
+
+    exec_parser = subparser.add_parser('exec', description='Use Python to interact with Nessus')
+    exec_parser.add_argument('-f', '--folder', metavar="SCAN_FOLDER", help='Execute all scans in this folder')
+    exec_parser.add_argument('-s', '--scan', metavar="SCAN_NAME", nargs='*', help='Execute one or more scans with this name')
+
+    subparser.add_parser('interact', description='Use Python to interact with Nessus')
+    
     args = parser.parse_args()
 
-    if not os.path.exists(args.config):
-        raise ValueError("ERROR: Config file does not Exist")
+    if args.verbose:
+        print(args)
+
+    # login error checking
+    if not ((args.user and args.host and args.port) or args.config):
+        raise ArgumentError(message="Must specify either a config file and/or a user with a host/port")
+
+    # check config existence        
+    if args.config:
+        if not os.path.exists(args.config):
+            raise FileNotFoundError("ERROR: Config file does not Exist")
+
+    return args
 
-    nessus = NessusAPI(file=args.config, initialize=args.initialize)
-    if args.export:
-        nessus.export_all_scans(outdir=args.export)
-    if args.interactive:
-        from pprint import pprint
-        printvars = lambda obj: pprint(vars(obj))
-        n = nessus.Nessus
-        code.interact(local=locals())
+def init() -> NessusAPI:
+    args = parse_args()
 
-    nessus.logout()
+    nessus = None
+    if args.config:
+        if args.user:
+            nessus = NessusAPI(file=args.config, initialize=(args.command == 'init'),
+                                host=args.host, port=args.port,
+                                credentials={
+                                    "type": "password",
+                                    "username": args.user,
+                                    "password": getpass("Nessus Password: ")
+                                })
+        else:
+            nessus = NessusAPI(file=args.config, initialize=(args.command == 'init'))
+
+    elif args.host and args.user:
+        if args.command == 'initialize':
+            raise ArgumentError("Cannot initialize Nessus scans/policies without a config file.")
+        if not args.port: 
+            args.port = 8834
+        nessus = NessusAPI(host=args.host,
+                            port=args.port,
+                            credentials={
+                                "type": "password",
+                                "username": "acasuser",
+                                "password": getpass("Nessus Password: ")
+                            })
+    else:
+        pass # this error (lack of connection info) was checked earlier
+
+    if args.command == "init":
+        if args.exec:
+            raise NotImplementedError("Auto execution of scans after init is not implemented")
+    elif args.command == "exec":
+        raise NotImplementedError("CLI execution of nessus scans is not implemented")
+
+    elif args.command == "export":
+        nessus.export_all_scans(outdir=args.outdir, export_formats=[f.lower() for f in args.format], scan_folder=args.scan_folder)
+
+    elif args.command == 'interact':
+        interact(nessus)
+
+    else:
+        raise ArgumentError("Unsupported Command") # control never reaches here
+
+    return nessus
+
+
+if __name__ == "__main__":
+    nessus = None
+    try:
+        nessus = init()
+    except Exception as e:
+        print(e)
+        if nessus:
+            nessus.logout()

src/NessusAPI/nessus-policy-update.py

@@ -0,0 +1,156 @@
+#!/usr/bin/env python3
+
+import argparse
+from argparse import ArgumentError
+import json
+import os
+from getpass import getpass
+from sys import argv
+import textwrap
+import re
+
+def _split_args(argv: list[str], delimiters: list[str]) -> tuple[list, list]:
+    parseable_args = []
+    remaining_args = []
+    for x, arg in enumerate(argv):
+        if arg not in delimiters:
+            parseable_args.append(arg)
+        else:
+            remaining_args = argv[x:]
+            break
+    return parseable_args, remaining_args
+
+def parse_args(argv: list[str]) -> dict:
+    commands = {
+        'setpasswords': None,
+        'configureserver': None,
+        'setscanpolicy': None
+    }
+
+    args = {}
+    parser = argparse.ArgumentParser(
+        description="Update a NessusAPI JSON configuration's core settings.",
+        usage="USAGE: ./nessus-policy-update.py [-vh] CONFIG {-o OUTFILE | --overwrite} COMMAND ...",
+        epilog=textwrap.dedent('''\
+            Commands:
+                setpasswords: Set credentials for a scan policy
+                configureserver: Set server connection settings
+                setscanpolicy: Set path to the Nessus scan policy XML 
+        ''') 
+    )
+    parser.add_argument("config", required=True, metavar="CONFIG", help="NessusAPI Policy JSON config")
+    output_group = parser.add_mutually_exclusive_group(required=True)
+    output_group.add_argument("--overwrite", action="store_true", help="Overwrite the existing config file.")
+    output_group.add_argument("-o", "--outfile", metavar="OUTFILE", help="Path to write the new config to")
+    
+    setpasswords_parser = argparse.ArgumentParser(description="Replace all passwords in a NessusAPI JSON configuration with real system passwords")
+    setpasswords_parser.add_argument("--password_placeholder", required=False, metavar="STRING", default='*', help="Scan config for a custom password placeholder string.")
+
+    configureserver_parser = argparse.ArgumentParser(description="Configure Nessus connection in a NessusAPI JSON configuration with real system passwords")
+    configureserver_parser.add_argument('-H', '--host', metavar="HOST", help='IP or hostname to connect to Nessus')
+    configureserver_parser.add_argument('-P', '--port', metavar="PORT", default=8834, help='Port to connect to Nessus (default=8834)')
+    auth_group = configureserver_parser.add_mutually_exclusive_group()
+    auth_group.add_argument('-p', '--usepassword', required=True, action='store_true', help='Prompt for user/password to authenticate to Nessus')
+    auth_group.add_argument('-k', '--usekeys', required=True, action='store_true', help='Prompt for authentication keys to authenticate to Nessus')
+ 
+    setscanpolicy_parser = argparse.ArgumentParser(description="Update path to the scan policy to use")
+    setscanpolicy_parser.add_argument('policy', metavar="POLICY", required=True, help='Path to the scan policy XML')
+
+    # Parse global args
+    remaining_args = argv
+    while len(remaining_args) > 0:
+        parseable_args, remaining_args = _split_args(argv, commands)
+        if len(parseable_args) == 0:
+            raise ArgumentError(f'Unknown argument: "{remaining_args[0]}"')
+        if parseable_args[0] not in commands:
+            args += vars(parser.parse_args(parseable_args))
+        else:
+            command = parseable_args.pop(0)
+            if args.get(command):
+                raise ArgumentError(f'Duplicate command found: "{command}"')
+            args[command] = vars(parser.parse_args(parseable_args))
+
+    return args
+
+def replace_passwords(dictionary: dict, path: list[str], placeholder_string: str = '*') -> None:
+    current_path = path
+    for key, value in dictionary.items():
+        current_path = path + [key]
+        if 'password' in key.lower(): 
+            if isinstance(value, str) and (placeholder_string == '*' or value == placeholder_string):
+                passwd, confirm_passwd = '', ''
+                while not passwd or passwd != confirm_passwd:
+                    print("Update Password Configuration:")
+                    # print configuration using password (omit nested items)
+                    print('.'.join(current_path), '= {') 
+                    for k,v in dictionary:
+                        if isinstance(k, str) and isinstance(v, str):
+                            print(f"  {k}: {v}")
+                    print('}')
+                    # actually change the password
+                    if (user := dictionary.get('username')):
+                        passwd = getpass(f'New Password for "{user}": ')
+                    else:
+                        passwd = getpass(f'New Password": ')
+                    passwd = passwd.strip()
+                    confirm_passwd = getpass(f'Confirm Password": ')
+                    print('\n') # clear the screen a bit
+                dictionary[key] = passwd
+            elif isinstance(value, dict):
+                replace_passwords(value, current_path, placeholder_string=placeholder_string)
+            elif isinstance(value, list):
+                for x, nested_list in enumerate(value):
+                    replace_passwords(value, current_path + [f'[{x}]'], placeholder_string=placeholder_string)
+
+def is_username_valid(username: str) -> bool:
+    if (3 <= len(username) <= 20) and re.match(r'^[a-zA-Z][a-zA-Z0-9-_]*[a-zA-Z]'):
+        return True
+    return False
+
+if __name__ == '__main__':
+    args = parse_args(argv)
+
+    if not os.path.exists(args['config']):
+        raise OSError("Config file does not exist")
+    
+    config = json.loads(open(args['config'], 'rb').read())
+    
+    if command := args.get('setpasswords'):
+        placeholder_string = command.get('password_placeholder', '*')
+        replace_passwords(config['policies']['credentials'], [], placeholder_string='*')
+
+    elif command := args.get('configureserver'):
+        if command.get('usepassword'):
+            username = ''
+            while not is_username_valid(username):
+                username = input('Server Username: ')
+            passwd, _passwd = None, None
+            while not passwd:
+                passwd = getpass("Server Password: ")
+                _passwd = getpass("Server Password [Confirm]: ")
+                if passwd != _passwd:
+                    passwd = None
+                    print("Error: Passwords do not match!")
+                
+            config['server']['credentials'] = {
+                "type": "password",
+                "username": username,
+                "password": passwd
+            }
+        elif command.get('usekeys'):
+            raise NotImplementedError()
+
+    elif command := args.get('setscanpolicy'):
+        if not os.path.exists(command['policy']):
+            print(f'Cannot find policy file: '{command['policy']}'')
+            confirm = input("Update anyways? [Y/n]: ")
+            if confirm.lower() in ['y', 'yes']:
+                config['policies']['file']= command['policy']
+            else:
+                print('Policy not updated.')
+
+    outfile_name = args.config if args.get('overwrite') else args['outfile']
+    with open(outfile_name, 'w', encoding='ascii') as outfile:
+        outfile.write(json.dumps(config, indent=4))
+
+    print('Config updated successfully.')

src/NessusAPI/nessusapi.py

@@ -179,7 +179,7 @@ def export_all_scans(self, outdir: str, scan_folder: str = None, export_formats:
         if not os.path.exists(outdir):
             os.mkdir(outdir, mode=755)
         if not  os.path.isdir(outdir):
-            raise OSError(f"Cannot use '{outdir}' to store scans")
+            raise FileExistsError(f"Cannot use '{outdir}' to store scans")
 
         for scan in self.list_scans(scan_folder):
             if scan['status'] in "completed imported":