10. Reports and Vulnerability Management

The results of a scan are summarized in a report. Reports can be displayed on the web interface and downloaded in different formats.

The GSM saves all reports of all scans in a local database. Not only the last report of a scan is saved, but all reports of all scans ever run. This allows access to information from the past. The reports contain the vulnerabilities discovered by a scan and further information about the scan.

Once a scan has been started, the report of the results found so far can be viewed. When a scan is completed, the status changes to Done and no more results will be added.

10.1. Managing Report Formats

Report plug-ins define the formats in which a report is created from the scan results. This ranges from PDF documents following a corporate identity to interactive reports like the Greenbone Security Explorer. The plug-ins can be used to export report information into other document formats so it can be processed by third party applications (connectors).

The name of the exported report is configurable in the user settings (see section Changing the User Settings). Greenbone Networks supports the creation of additional plug-ins. Requests, suggestions and concrete templates are welcome.

The report plug-in framework has the following properties:

Simple import/export:
A report plug-in is always a single XML file. The import can be performed easily.
Parameterized:
Plug-ins can contain parameters that can be customized to specific requirements in the graphical interface.
Content type:
For every plug-in the type of its result is defined. The well-known HTTP content type descriptors are used, for example application/pdf, graphics/png or text/plain. Depending on the content type, the plug-ins are offered in the matching context; for example, plug-ins of the types text/* are offered for sending a report inline by e-mail.
Signature support:
The Greenbone Security Feed provides signatures for trusted plug-ins. This allows checking that an imported plug-in is one that has been verified by Greenbone Networks.

By default, the following report formats are available:

Anonymous XML
This is the anonymous version of the XML format. IP addresses are replaced by random IP addresses.
ARF: Asset Reporting Format v1.0.0
This format creates a report that represents the NIST Asset Reporting Format.
CPE – Common Enumeration CSV Table
This report selects all CPE tables and creates a single comma-separated file.
CSV hosts
This report creates a comma-separated file containing the systems discovered.
CSV Results
This report creates a comma-separated file with the results of a scan.
GSR HTML – Greenbone Security Report (recommended)
This is the complete Greenbone Security Report with all vulnerabilities and results. It can be opened with any web browser and contains dynamically sortable lists as known from the web interface. The language of the report is English.
GSR PDF – Greenbone Security Report (recommended)
This is the complete Greenbone Security report with all vulnerabilities in graphical format as a PDF file. The topology graph is not included when more than 100 hosts are covered in the report. The language of the report is English.
GXR PDF – Greenbone Executive Report (recommended)
This is a shortened report with all vulnerabilities in graphical format as a PDF file for management. The topology graph is not included when more than 100 hosts are covered in the report. The language of the report is English.
HTML
This report is in HTML format and can be opened in a web browser. It is a detailed listing containing the complete description of the vulnerabilities including notes and overrides with all references and cross-references. It is a neutral document without any further references to Greenbone Networks or the Greenbone Security Manager. The report can also be used offline and the language is English.
ITG – IT-Grundschutz catalog
This report is guided by the BSI IT-Grundschutz catalog. It provides an overview of the discovered results in tabular view in CSV format. The language of the report is German.
LaTeX
This report is offered as LaTeX source text. The language of the report is English.
NBE
This is the old OpenVAS/Nessus report format. It does not have support for notes, overrides and some additional information.
PDF
This is a complete report in PDF. Like the HTML format it is neutral. The language of the report is English.
Topology SVG
This presents the results in an SVG picture.
TXT
This creates a text file. This format is especially useful when being sent by e-mail. The language of the report is English.
Verinice ISM
Creates an import file for the ISMS tool Verinice.
Verinice ITG
Creates an import file for the ISMS tool Verinice.
XML
The report is exported in the native XML format. Unlike the other formats, this format contains all results and does not format them at all.

The report plug-ins define the format of the reports to be exported. Many report plug-ins reduce the available data in order to display it in a meaningful way. However, the native GSM XML format contains all data and can be used to import exported reports on another GSM. To do so, use the Container Task (see also section Creating a Container Task).

The available report formats can be displayed by selecting Configuration > Report Formats in the menu bar.

Figure: Page Report Formats displaying all available report formats

The overview (see figure Page Report Formats displaying all available report formats) shows additional details of the report plug-ins. For every plug-in the following information is displayed:

Extension:
The file name of the downloaded report consists of the UUID (unique internal ID of the report) and this extension. The extension also helps the browser start a compatible application in case the specified content type is not recognized.
Content Type:
The content type specifies the format in use and is transmitted when the report is downloaded. This allows the browser to launch a compatible application directly.

Additionally, the content type is important internally: it is used to offer suitable plug-ins within their context. For example, when sending a report via e-mail all plug-ins of the type text/* are offered as they can be embedded in an e-mail in a human-readable way.

Trust:
Some plug-ins only consist of a data transformation while others execute more complex operations and use support programs as well. To avoid misuse the plug-ins are signed digitally. If the signature is authentic and the publisher is trusted, it is ensured that the plug-in is exactly as certified by the publisher. The verification is done by clicking verify. The date of the verification is saved automatically. Verification is not required for the supplied default plug-ins.
Active:
The plug-ins are only available in the respective selection menus if they are activated. Newly imported plug-ins are always deactivated at first.

Note

Greenbone Networks offers the following additional report format plug-ins:

Note

The report format plug-ins for the verinice connector are already shipped with GOS. They do not need to be manually imported.

A new report format can be imported as follows:

  1. Download the report format plug-in from one of the links mentioned above.

    Important

    External links to the Greenbone download website are case-sensitive.

    Upper-case letters, lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Select Configuration > Report Formats in the menu bar.

  3. Click new.

  4. Click Browse... and select the previously downloaded report format plug-in (see figure Importing a report format plug-in).

  5. Click Create.

    → The imported report format is displayed on the page Report Formats.

    Figure: Importing a report format plug-in

    Note

    The report format plug-in has to be verified and activated before it can be used.

  6. Verify the signature of the report format by clicking verify.

    → The result of the verification is displayed in the column Trust (Last Verified).

  7. In the row of the report format click edit.

  8. For Active select the radio button Yes (see figure Activating a new report format plug-in).

  9. Click Save.

    Figure: Activating a new report format plug-in

10.2. Reading a Report

The report of a scan can be displayed as follows:

  1. Select Scans > Reports in the menu bar.

  2. Click on the date of a report to show the results.

  3. Move the mouse over Report: Results.

    → A drop-down-list is opened (see figure Opening the page Report: Summary and Download).

  4. Click Report: Summary and Download.

    Figure: Opening the page Report: Summary and Download

The page Report: Summary and Download gives a quick overview of the current state. It shows the name of the corresponding task as well as the start and end time of the scan. The table below it lists the vulnerabilities found.

Figure: Page Report: Summary and Download with overview of found vulnerabilities

The report contains a list of all the vulnerabilities detected by the GSM (see figure Page Report: Results showing a list of discovered vulnerabilities). The results can be displayed as follows:

  1. Select Scans > Reports in the menu bar.

  2. Click on the date of the report.

    or

  1. When another Report page is opened (e.g. Report: Summary and Download), move the mouse over the page heading and select Report: Results in the drop-down-list.

    → The page Report: Results is opened.

Figure: Page Report: Results showing a list of discovered vulnerabilities

Column Vulnerability

The column Vulnerability shows the found vulnerabilities. Clicking unfold shows the details of a vulnerability (see figure Detailed information about the vulnerability and solution options). The details are hidden by clicking fold. Vulnerabilities with an attached note are marked with note.

Note

If the column of the respective vulnerability still appears empty the respective NVT has not been updated yet.

Figure: Detailed information about the vulnerability and solution options

Note

Even though the alerts contain a lot of information, external references are always listed in the details.

These refer to web sites on which the vulnerability was already discussed.

Additional background information is available such as who discovered the vulnerability, what effects it could have and how it can be remediated.

Column Solution type solution_type

To simplify the elimination of vulnerabilities, every alert offers a solution. In most cases this refers to the latest vendor software package. In some cases a configuration change is mentioned. The column Solution type shows whether a solution exists. The following solution types are possible:

  • st_vendorfix A vendor patch is available.
  • st_workaround A workaround is available.
  • st_mitigation A mitigation by configuration is available.
  • st_willnotfix No fix is available and none will be provided.
  • st_nonavailable No solution exists.
Column Severity

The column Severity shows the severity of the vulnerability. To support the administrator with the analysis of the results, the severity of a vulnerability (CVSS, see also section CVSS) is displayed as a bar.

By clicking overrides_enabled overrides are enabled (see Chapter Overrides and False Positives). By clicking overrides_disabled overrides are disabled.

Column QoD
QoD is short for Quality of Detection. The column QoD shows how reliable the detection of a vulnerability is. QoD was introduced with OpenVAS 8. Results created with earlier versions are assigned a QoD of 75 % during migration. By default, only results with a QoD of 70 % or higher are displayed. This lowers the likelihood of false positives.
Column Host
The column Host shows the host for which the result was found.
Column Location
The column Location shows the location of the vulnerability.
Column Actions
Notes (see Chapter Using Notes) and overrides (see Chapter Overrides and False Positives) can be added.

To interpret the results note the following information:

  • False Positives false_positives

    A false positive is a finding that describes a problem that does not really exist. Vulnerability scanners often find evidence that points to a vulnerability, but a final judgment cannot be made. There are two options available:

    • Reporting of a potentially nonexistent vulnerability (false positive).
    • Ignoring reporting of a potentially existing vulnerability (false negative).

    Since a user can identify, manage and thus deal with false positives, but not with false negatives, the GSM Vulnerability Scanner reports all potentially existing vulnerabilities. If the user knows that false positives exist, an override can be configured (see section Overrides and False Positives). The AutoFP function (see section Automatic False Positives) can be used as well.

  • Multiple findings can have the same cause.

    If an especially old software package is installed, often multiple vulnerabilities exist. Each of these vulnerabilities is tested by an individual NVT and causes an alert. The installation of a current package will remove a lot of vulnerabilities at once.

  • High high and Medium medium

    Findings of the severity levels High and Medium are most important and should be addressed with priority. High level findings should be addressed before medium level findings. This approach should be deviated from only in exceptional cases, e.g. when it is known that the high alerts are less relevant because the service cannot be reached through the firewall.

  • Low low and Log log

    Findings of the severity levels Low and Log are mostly of interest for a detailed understanding. These findings are filtered out by default but can hold very interesting information. Considering them will increase the security of the network and the systems. Often a deeper knowledge of the application is required to understand them. A typical alert of the level Log is a service exposing a banner with its name and version number. This could be useful for an attacker if that version has a known vulnerability.

10.3. Filtering a Report

Since a report often contains a lot of findings, the complete report as well as only filtered results can be displayed and downloaded. By default, only vulnerabilities with severity High or Medium are shown. This can be changed as follows:

  1. Click edit in the filter bar.
  2. For Severity (Class) select the checkboxes of the desired severity categories (see figure Adjusting the filter for the report).
  3. Click Update.

Figure: Adjusting the filter for the report
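As an added example (not code from the manual or from the GSM itself), the following Python script reads a constructed report in the general layout of the native XML export described in section Managing Report Formats and applies the default report filter discussed above: the severity classes High and Medium and a QoD of at least 70 %. The element names used (result, host, port, nvt with an oid attribute, severity, qod/value), the severity class thresholds (Log 0.0, Low up to 3.9, Medium up to 6.9, High from 7.0) and the fallback of 75 % for a result without a QoD value are assumptions of this example; the hosts are documentation addresses and the OIDs are placeholders.

```python
"""Parse a constructed GSM-style XML report and apply the default filter
(severity classes High and Medium, QoD >= 70 %).

Added example, not code from the Greenbone manual or product. Element names,
class thresholds and the missing-QoD fallback are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample report: RFC 5737 documentation addresses, placeholder OIDs.
SAMPLE_REPORT = """<report id="CONSTRUCTED-REPORT-ID">
  <results>
    <result id="r1"><host>192.0.2.10</host><port>443/tcp</port>
      <nvt oid="PLACEHOLDER-OID-1"><name>Finding A</name></nvt>
      <severity>7.5</severity><qod><value>80</value></qod></result>
    <result id="r2"><host>192.0.2.10</host><port>22/tcp</port>
      <nvt oid="PLACEHOLDER-OID-2"><name>Finding B</name></nvt>
      <severity>5.0</severity><qod><value>97</value></qod></result>
    <result id="r3"><host>192.0.2.11</host><port>80/tcp</port>
      <nvt oid="PLACEHOLDER-OID-3"><name>Finding C</name></nvt>
      <severity>2.6</severity><qod><value>80</value></qod></result>
    <result id="r4"><host>192.0.2.11</host><port>80/tcp</port>
      <nvt oid="PLACEHOLDER-OID-4"><name>Service banner</name></nvt>
      <severity>0.0</severity><qod><value>80</value></qod></result>
    <result id="r5"><host>192.0.2.12</host><port>445/tcp</port>
      <nvt oid="PLACEHOLDER-OID-5"><name>Finding E</name></nvt>
      <severity>9.3</severity><qod><value>30</value></qod></result>
    <result id="r6"><host>192.0.2.12</host><port>general/tcp</port>
      <nvt oid="PLACEHOLDER-OID-6"><name>Migrated finding</name></nvt>
      <severity>4.3</severity></result>
  </results>
</report>"""

# The manual states that results migrated from pre-QoD versions carry 75 %;
# this example uses that value when a <qod> element is absent (assumption).
MIGRATED_QOD = 75


def severity_class(score):
    """Map a CVSS score to a GSM severity class (thresholds assumed here)."""
    if score <= 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def parse_results(xml_text):
    """Flatten every <result> of the report into a dict."""
    root = ET.fromstring(xml_text)
    results = []
    for r in root.iter("result"):
        qod = r.find("qod/value")
        nvt = r.find("nvt")
        results.append({
            "id": r.get("id"),
            "host": r.findtext("host"),
            "port": r.findtext("port"),
            "oid": nvt.get("oid") if nvt is not None else None,
            "name": r.findtext("nvt/name"),
            "severity": float(r.findtext("severity", "0")),
            "qod": int(qod.text) if qod is not None else MIGRATED_QOD,
        })
    return results


def filter_results(results, classes=("High", "Medium"), min_qod=70):
    """Default report filter: selected severity classes and QoD >= min_qod."""
    return [r for r in results
            if severity_class(r["severity"]) in classes and r["qod"] >= min_qod]


def summarize(results):
    """Count results per severity class, like the overview table."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Log": 0}
    for r in results:
        counts[severity_class(r["severity"])] += 1
    return counts


if __name__ == "__main__":
    everything = parse_results(SAMPLE_REPORT)
    print("all results:", summarize(everything))
    for r in filter_results(everything):
        print(r["host"], r["port"], severity_class(r["severity"]), f'{r["qod"]} %', r["name"])
```

Note that r5 is a High finding that the default filter hides because its QoD is only 30 %, while r6 is kept although it has no QoD element at all; when reviewing a report, lowering min_qod (or widening the classes) is how such hidden results are brought back.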

10.4. Exporting a Report

For supported formats for downloading see Chapter Managing Report Formats.

A report can be downloaded as follows:

  1. Select Scans > Reports in the menu bar.

  2. Click on the date of a report to show the results.

  3. Move the mouse over Report: Results.

    → A drop-down-list is opened.

  4. Click Report: Summary and Download.

  5. In the row of the desired report, select the desired export format in the drop-down-list.

  6. In the row of the desired report, click download.

A report can also be downloaded on any other Report page as follows:

  1. Select Scans > Reports in the menu bar.

  2. Click on the date of a report to show the results.

  3. Move the mouse over Report: Results.

    → A drop-down-list is opened.

  4. Select the desired presentation of the report.

  5. In the upper left corner of the page, select the desired export format in the drop-down-list.

  6. Click download.

10.5. Displaying the Total Number of Reports for the same Task

If a task has been run multiple times the total number of reports is displayed on the page Tasks.

To get there select Scans > Tasks in the menu bar.

From this page the reports of a specific task can be accessed.

The first number in the column Reports/Total is the number of all completed reports. The second number (in brackets) is the number of all reports, including the ones not completed yet (see figure Amount of reports saved in total and date of the last report). By clicking on one of the numbers, a list with the respective reports is opened.

By clicking on the date in the column Reports/Last the latest report is displayed.

Figure: Amount of reports saved in total and date of the last report

10.6. Trend of a Vulnerability

If a task has been run multiple times the trend of discovered vulnerabilities is displayed on the page Tasks (see figure Task with trend).

To get there select Scans > Tasks in the menu bar.

The trend describes the change of vulnerabilities between the newest and the second newest report.

Figure: Task with trend

The following trends are possible:

  • trend_up In the newest report the highest severity is higher than the highest severity in the second newest report.
  • trend_more The highest severity is the same for both reports. However, the newest report contains more security issues of this severity than the second newest report.
  • trend_nochange The highest severity and the amount of security issues are the same for both reports.
  • trend_less The highest severity is the same for both reports. However, the newest report contains fewer security issues of this severity than the second newest report.
  • trend_down In the newest report the highest severity is lower than the highest severity in the second newest report.

10.7. Creating a Delta Report

If more than one report of a single task is available (see Chapter Displaying the Total Number of Reports for the same Task) a delta report can be created as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Click on the total number of reports in the column Reports/Total.

    Note

    The number in brackets is the total amount of all scans, including the ones not completed yet.

    → The page Reports is opened and shows all reports belonging to the selected task.

  3. Select the first report by clicking delta in the column Actions of the respective report (see figure Selecting the first report).

    → The icon delta is grayed out for the selected report.

    Figure: Selecting the first report

  4. Select the second report by clicking delta_double in the column Actions of the respective report (see figure Selecting the second report).

    → The delta report with the delta results is displayed and can be exported (see figure Delta results).

Figure: Selecting the second report

Figure: Delta results

There are four types of delta results:

  • Gone
    The result exists in the first report but not in the second report (according to order of selection).
  • New
    The result exists in the second report but not in the first report (according to order of selection).
  • Same
    The result exists in both reports and is equal.
  • Changed
    The result exists in both reports but is different.

Tip

The term delta_states= can be entered into the filter bar to show only a specific type of delta results (see Chapter Filtering the Page Content).

  • delta_states=g show all results of the type Gone.
  • delta_states=n show all results of the type New.
  • delta_states=s show all results of the type Same.
  • delta_states=c show all results of the type Changed.

Multiple types can be displayed at the same time, e.g. delta_states=gs shows all results of the type Gone and Same.
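The following Python module is an added example (not code from the manual or from the GSM) that reproduces, for two constructed result lists of the same task, both the trend states of section Trend of a Vulnerability and the four delta result types with the delta_states filter term described above. Two assumptions are made that the manual does not spell out: results are matched across the two reports by (host, port, NVT OID), and a matched result counts as Changed when its severity or description differs. Hosts are documentation addresses and the OIDs are placeholders.

```python
"""Trend and delta between two reports of one task.

Added example, not code from the Greenbone manual or product. Matching key
and the definition of "Changed" are assumptions of this example."""


def make(host, port, oid, severity, description):
    return {"host": host, "port": port, "oid": oid,
            "severity": severity, "description": description}


# Constructed sample reports; REPORT_1 is the older one.
REPORT_1 = [
    make("192.0.2.10", "443/tcp", "PLACEHOLDER-OID-1", 7.5, "TLS issue"),
    make("192.0.2.10", "22/tcp", "PLACEHOLDER-OID-2", 5.0, "old SSH build"),
    make("192.0.2.11", "80/tcp", "PLACEHOLDER-OID-3", 2.6, "verbose banner"),
]
REPORT_2 = [
    make("192.0.2.10", "443/tcp", "PLACEHOLDER-OID-1", 7.5, "TLS issue"),     # Same
    make("192.0.2.10", "22/tcp", "PLACEHOLDER-OID-2", 6.4, "old SSH build"),  # Changed
    make("192.0.2.12", "445/tcp", "PLACEHOLDER-OID-4", 9.3, "SMB issue"),     # New
]   # PLACEHOLDER-OID-3 on 192.0.2.11 is Gone


def _key(r):
    return (r["host"], r["port"], r["oid"])


def trend(older, newer):
    """Compare the highest severity of both reports, then the number of
    results at that severity, yielding one of the five trend states."""
    old_max = max((r["severity"] for r in older), default=0.0)
    new_max = max((r["severity"] for r in newer), default=0.0)
    if new_max > old_max:
        return "trend_up"
    if new_max < old_max:
        return "trend_down"
    old_n = sum(1 for r in older if r["severity"] == old_max)
    new_n = sum(1 for r in newer if r["severity"] == new_max)
    if new_n > old_n:
        return "trend_more"
    if new_n < old_n:
        return "trend_less"
    return "trend_nochange"


def delta(first, second):
    """Classify every result as Gone, New, Same or Changed; 'first' and
    'second' follow the order of selection, as in the manual."""
    a = {_key(r): r for r in first}
    b = {_key(r): r for r in second}
    out = []
    for k in a.keys() | b.keys():
        if k not in b:
            state = "Gone"
        elif k not in a:
            state = "New"
        elif (a[k]["severity"], a[k]["description"]) == (b[k]["severity"], b[k]["description"]):
            state = "Same"
        else:
            state = "Changed"
        out.append((state, k))
    return sorted(out)


DELTA_STATES = {"g": "Gone", "n": "New", "s": "Same", "c": "Changed"}


def parse_delta_states(spec):
    """Turn a filter term such as delta_states=gs into the set of states;
    an unknown letter is rejected rather than silently matching nothing."""
    value = spec.split("=", 1)[1] if spec.startswith("delta_states=") else spec
    try:
        return {DELTA_STATES[ch] for ch in value}
    except KeyError as e:
        raise ValueError(f"unknown delta state letter {e.args[0]!r}") from None


def filter_delta(delta_results, spec):
    wanted = parse_delta_states(spec)
    return [(s, k) for s, k in delta_results if s in wanted]


if __name__ == "__main__":
    print("trend:", trend(REPORT_1, REPORT_2))
    for state, key in filter_delta(delta(REPORT_1, REPORT_2), "delta_states=gn"):
        print(state, *key)
```

Running it reports trend_up (the newest report introduces a 9.3 result where the older one topped out at 7.5) and lists the Gone and New results; swapping the two reports turns the trend into trend_down and exchanges Gone and New, which is why the order of selection matters when reading a delta report.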

10.8. Displaying Results

While the reports only contain the results of one single run of a task, all results are saved in the internal database and can be viewed by selecting Scans > Results in the menu bar.

By default, the view is sorted by the creation time of the results (see figure Page Results showing all results of all scans). The results can be sorted by all other columns as well.

Additionally, powerfilters (see section Filtering the Page Content) can be used to display only interesting results.

Figure: Page Results showing all results of all scans

10.9. Using Notes

Notes allow adding comments to an NVT and are displayed in the reports as well. A note can be added to a specific result, a specific task, a risk level, port or host and as such will only appear in specific reports. A note can be generalized as well so that it will be displayed in all reports.

10.9.1. Creating a Note

To create a new note, select the finding in the report to which the note should be added and click new. Alternatively a note can be created without relation to a finding. However, the GSM cannot suggest any meaningful values for the different fields in the following dialog in that case.

A new window opens in which exactly those criteria of the selected vulnerability are pre-set.

Figure: Creating a new note

Individual values can be selected and unselected to generalize the note even further or to make it more specific. Additionally, the note can be activated for a specific period of time. This allows adding the information to a note that a security update will be installed within the next seven days. For the next seven days the note will be displayed in the report, indicating that the vulnerability is being worked on.

Figure: Report containing a note

10.9.2. Generalizing Notes

Any note can be generalized. In this example a quite extensive generalization is configured, matching any target host, port and task.

Figure: Generalizing a note

From this moment on the note is always shown in the results view if this NVT matches.

This applies for all previously created scan reports and for all future scan reports until the note is deleted.

10.9.3. Managing Notes

All created notes can be displayed by selecting Scans > Notes in the menu bar.

Figure: Managing notes

New notes can be added by clicking new.

The list of notes shows whether each note is currently active.

For all notes the following actions are available:

  • trashcan Delete the note.
  • edit Edit the note.
  • clone Clone the note.
  • download Download the note as an XML file.

Note

By clicking trashcan or download below the list of notes more than one note can be deleted or exported at a time. The drop-down-list is used to select which notes are deleted or exported.

10.10. Overrides and False Positives

The severity of a result can be modified. This is called an override.

Overrides are especially useful to manage results that are detected as a false positive and that have been given a critical severity but should be given a different severity in the future.

The same applies to results that only have been given the severity Log but should be assigned a higher severity locally. This can be managed with an override as well.

Overrides are also used to manage acceptable risks.

10.10.1. Creating an Override

Overrides can be created in different ways. The simplest way is through the respective scan result in a report:

  1. Select Scans > Reports in the menu bar.

  2. Click on the date of the report to show the results.

  3. In the row of a result click new_override.

  4. Define the override. Select the new severity in the drop-down-list New Severity (see figure Creating a new override).

    Tip

    It is possible to enter ranges of IP addresses and CIDR blocks into the input box Hosts. In that way, overrides for entire subnets can be created without having to specify every host in a comma-separated list.

    Figure: Creating a new override

  5. Click Create.

Note

If several overrides apply to the same NVT in the same report the most recent override is used and applied.
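As an added example (not code from the manual or from the GSM), the following Python module applies overrides to a constructed list of results the way this section describes them: an override is bound to an NVT and optionally to hosts, a port and a task, the Hosts field accepts a single address, a CIDR block or an address range (the dash syntax for ranges is assumed), the most recent override wins when several match, and the whole set can be switched off as with overrides_disabled. The override fields, the timestamp used to decide recency and the matching rules are assumptions of this example; hosts are documentation addresses and OIDs are placeholders.

```python
"""Apply overrides to scan results.

Added example, not code from the Greenbone manual or product. Field names,
the range syntax and the recency rule are assumptions of this example."""
import ipaddress


def host_matches(spec, host):
    """spec: empty (any host), a single address, a CIDR block such as
    192.0.2.0/24, or an assumed dash range such as 192.0.2.10-192.0.2.20."""
    if not spec:
        return True
    addr = ipaddress.ip_address(host)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    # strict=False lets a single address be treated as a /32 network
    return addr in ipaddress.ip_network(spec, strict=False)


def override_applies(ov, result):
    """An override applies when the NVT matches and every restriction
    that was set (hosts, port, task) matches as well."""
    return (ov["oid"] == result["oid"]
            and host_matches(ov.get("hosts", ""), result["host"])
            and ov.get("port") in (None, result["port"])
            and ov.get("task") in (None, result["task"]))


def apply_overrides(results, overrides, enabled=True):
    """Return copies of the results with the effective severity set.
    enabled=False mirrors the overrides_disabled toggle on the results page."""
    out = []
    for r in results:
        eff = dict(r)
        if enabled:
            matching = [o for o in overrides if override_applies(o, r)]
            if matching:
                newest = max(matching, key=lambda o: o["created"])  # most recent wins
                eff["severity"] = newest["new_severity"]
                eff["override_id"] = newest["id"]
        out.append(eff)
    return out


# Constructed sample data; "created" is a monotonically increasing
# creation stamp used only to decide which override is the most recent.
RESULTS = [
    {"task": "DMZ weekly", "host": "192.0.2.10", "port": "443/tcp", "oid": "PLACEHOLDER-OID-1", "severity": 7.5},
    {"task": "DMZ weekly", "host": "192.0.2.77", "port": "443/tcp", "oid": "PLACEHOLDER-OID-1", "severity": 7.5},
    {"task": "DMZ weekly", "host": "198.51.100.5", "port": "443/tcp", "oid": "PLACEHOLDER-OID-1", "severity": 7.5},
    {"task": "DMZ weekly", "host": "192.0.2.10", "port": "22/tcp", "oid": "PLACEHOLDER-OID-2", "severity": 0.0},
]
OVERRIDES = [
    # Finding confirmed as a false positive for the whole subnet.
    {"id": "ov-1", "oid": "PLACEHOLDER-OID-1", "hosts": "192.0.2.0/24", "new_severity": 0.0, "created": 1},
    # Later, narrower override for one host and port rates it Medium again.
    {"id": "ov-2", "oid": "PLACEHOLDER-OID-1", "hosts": "192.0.2.10", "port": "443/tcp", "new_severity": 5.0, "created": 2},
    # A Log result that local policy rates High, limited to one task.
    {"id": "ov-3", "oid": "PLACEHOLDER-OID-2", "hosts": "", "task": "DMZ weekly", "new_severity": 7.0, "created": 3},
]

if __name__ == "__main__":
    for before, after in zip(RESULTS, apply_overrides(RESULTS, OVERRIDES)):
        print(before["host"], before["port"], before["severity"], "->",
              after["severity"], after.get("override_id", "no override"))
```

The subnet override ov-1 silences the finding on 192.0.2.77 but not on 198.51.100.5, which lies outside the block, and on 192.0.2.10:443 the later ov-2 takes precedence over ov-1 even though it was created for a narrower scope; ordering by creation time, not by specificity, is what the manual's note describes.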

10.10.2. Disabling and Enabling Overrides

Since overrides change the display of the results, they can be enabled or disabled. This is done by clicking overrides_enabled in the column Severity on the results page (see figure Disabling and enabling overrides).

Figure: Disabling and enabling overrides

10.10.3. Automatic False Positives

The GSM is able to detect false positives and assign an override automatically. However, the target system must be analyzed internally and externally with an authenticated scan.

An authenticated scan can identify vulnerabilities in locally installed software. It can identify vulnerabilities that can be exploited by local users or that are available to an attacker who has already gained local access as an unprivileged user. In many cases an attack occurs in different phases and an attacker exploits multiple vulnerabilities to increase his privileges.

An authenticated scan offers a second, more powerful function that justifies running it. When a system is scanned only externally, it often cannot be determined reliably whether a vulnerability really exists. The Greenbone Security Manager reports all potential vulnerabilities. With the authenticated scan many potential vulnerabilities can be recognized and filtered as false positives.

Automatic false positives are enabled when filtering a report (see Chapter Filtering a Report). The best results are obtained when using Partial CVE match.