Scan Post-Processing Using Python 3

Published 25 October, 2017

False Positives. We have all been there when scanning a system. The scanner tells you something is wrong, but you go to the offending computer and manually check the finding only to find that it is either set correctly or set even more stringent than the benchmark you are comparing against. Unfortunately, that is a lot of time wasted only to find out the system was configured correctly.

The Xylok Scanner has two benefits to help you minimize the time spent verifying false positives.

Access to raw results

The first capability that Xylok Scanner provides is the raw results from the commands that are run to verify a benchmark check. You see the results as if you were still sitting at the computer, which means quicker data collection and better insight into the system. No longer do you get only a binary answer that you might have to go back and verify manually. All the information you need is right in front of you and available for analysis in Xylok Scanner, without having to sit in front of the actual mission system or be connected to it over the network.

Post-processing

The second capability that Xylok Scanner provides is post-processing those results into something more useful and easier to interpret. This means less specialized skills are needed to analyze a system for benchmark compliance. Usually, if you need to manually check a machine for compliance, the person doing the checking needs to have some level of understanding of the operating system or software they are checking. With Xylok Scanner’s post-processing, you can write a simple Python script to display only the relevant data from the raw results.

If the benchmark check says that the shadow file should be owned by root, the command the benchmark asks you to run might look like the following.

# ls -la /etc/shadow

This command produces the following output (the “raw results”):

-rw-r--r-- 1 root wheel 223 Oct 22 20:17 /etc/shadow

Now that we have the raw results, we can decide which pieces are critical to answer the benchmark check. The ls command with the -l option provides permissions, links, owner, group, size, time, and file name. But the benchmark check only asks you to verify the owner. We can use Xylok Scanner's post-processing to provide only that data.

This simple Python script can post-process the raw results:

holder = raw_output.split()      # raw_output is supplied by Xylok: the stdout of the command above
print("File Name:", holder[8])   # ninth whitespace-separated field of `ls -l` output is the file name
print("Owner:", holder[2])       # third field is the owning user

This script can be saved directly within Xylok alongside the command being run and the benchmark check information. When Xylok imports results, it runs the script against the data collected on your system and saves whatever the script prints. For the example ls output above, Xylok would produce the following post-processed view of the data.

File Name: /etc/shadow
Owner: root

No more extraneous information to analyze. The post-processed results can also easily be analyzed by someone who does not have knowledge of Linux permissions. For more complex commands and output, the benefit of post-processing grows with the complexity of the output you would otherwise have to read by hand.

Auto-analysis

As you can see, the raw results contain the date and the size of the file. Both of those items can change over time, causing the Xylok Scanner auto-analysis system to report differences between scans. But the post-processed results have been narrowed down to only the information needed to answer the benchmark check about who owns the /etc/shadow file. The post-processed results are easily compared during auto-analysis and will only change if the owner of the file changes.
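The following is an added example, not Xylok's own script, that carries the ls post-processing above a step further and shows why the result stays stable for auto-analysis: it parses each `ls -l` line into named fields, keeps only the file name and owner, adds a pass/fail verdict against the expected owner, and skips the "total" header and any "ls: cannot access" error line. It assumes Xylok hands the command output to the script in a variable named raw_output and that ls uses its default "Mon DD HH:MM" date format; the two scan lines are constructed sample data.

```python
"""Post-processor for `ls -l` raw results (the /etc/shadow ownership check).

Assumptions: Xylok exposes the command's stdout as `raw_output`; ls prints its
default date format, giving nine whitespace-separated fields per file line.
"""

FIELDS = ("mode", "links", "owner", "group", "size", "month", "day", "time", "name")

# Constructed sample raw results from two scans of the same host. Only the
# size and modification time differ between them; the owner is unchanged.
SCAN_1 = "-rw-r--r-- 1 root wheel 223 Oct 22 20:17 /etc/shadow\n"
SCAN_2 = "-rw-r--r-- 1 root wheel 231 Nov  3 08:02 /etc/shadow\n"


def parse_ls_line(line):
    """Split one `ls -l` line into its nine fields.

    maxsplit=8 keeps a file name containing spaces in one piece, and an SELinux
    "." suffix on the mode (e.g. -rw-r--r--.) stays inside the mode field.
    """
    fields = line.split(None, 8)
    if len(fields) != len(FIELDS):
        raise ValueError(f"unexpected ls -l line: {line!r}")
    return dict(zip(FIELDS, fields))


def post_process(raw_output, expected_owner="root"):
    """Reduce raw ls output to the fields the benchmark check asks about.

    Returns one "File Name / Owner / Status" block per file. Size and
    timestamp are dropped, so the result only changes when the owner does,
    which is what makes it stable for scan-to-scan auto-analysis.
    """
    blocks = []
    for line in raw_output.splitlines():
        line = line.strip()
        if not line or line.startswith("total "):  # `ls -la` on a directory prints a header
            continue
        if line.startswith("ls:"):                 # e.g. "ls: cannot access ...": file missing
            blocks.append(f"Error: {line}")
            continue
        info = parse_ls_line(line)
        status = "PASS" if info["owner"] == expected_owner else "FAIL"
        blocks.append(f"File Name: {info['name']}\nOwner: {info['owner']}\nStatus: {status}")
    return "\n".join(blocks)


if __name__ == "__main__":
    # Inside Xylok this would be print(post_process(raw_output)).
    print(post_process(SCAN_1))
```

Because the two sample scans post-process to identical text, auto-analysis sees no change even though the file's size and timestamp moved between scans.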

This is a huge bonus when comparing scans over time to ensure the system stays in compliance. With Xylok Scanner post-processing, you now have the ability to modify the raw results to simplify analysis and enable auto-analysis of all future scans.

If you have questions or want to learn more, please contact me at kevin@xylok.io.