Overview
Compliance findings use the same data model as every other finding type in Nucleus; the difference is that they record the result of a compliance or configuration check rather than a vulnerability. A CSPM misconfiguration such as a default password, for example, can be imported as a compliance finding instead of as a traditional vulnerability finding.
Differences from Vulnerability Findings
All findings share a single data model in Nucleus, but compliance findings differ from vulnerability findings in two ways:
Pass/Fail: A compliance finding carries a pass or fail result. This supports recurring compliance reporting: to have a check appear on the Compliance Findings page in the console, and in reports and filters, upload it as an Active compliance finding with a Passed result rather than omitting it once it passes.
Map to compliance frameworks: Each compliance finding can be mapped to one or more compliance frameworks, so you can filter and report on pass/fail results per framework.
A CIS benchmark control is a typical example: you can upload a Critical-severity compliance finding recording that an asset failed a CIS benchmark assessment check.
Compliance Finding Specific Fields
| Field Name | Description | Allowed Values |
|---|---|---|
| finding_result | Specify whether the finding instance passed or failed the compliance check run by the scanning tool. | PASSED/WARNING/FAILED |
| finding_references | Used to specify the compliance frameworks this finding was assessed against. See the examples below for usage. | JSON |
Examples
Example JSON
{
"nucleus_import_version": "1",
"scan_tool": "ComplianceScannerTool",
"scan_type": "Host",
"scan_date": "2021-01-01 00:00:00",
"assets": [
{
"host_name": "my.secret.server.com",
"findings": [
{
"finding_type": "Compliance",
"finding_number": "CMPL-RDP",
"finding_name": "RDP is disabled",
"finding_severity": "Critical",
"finding_description": "This checks that RDP is disabled on this server. Failed indicates that RDP is enabled.",
"finding_recommendation": "Ensure that RDP is disabled.",
"finding_references": {
"Compliance References": [
{
"policy": "ACME System Security Policy",
"ref": "7.2.4 RDP is disabled"
}
]
},
"finding_sub_type": "Prohibited Services",
"finding_result": "Failed",
"finding_output": "When port 3389 was probed, the following banner was returned:\nExample Banner",
"finding_port": "3389",
"finding_service": "rdp"
}
]
}
]
}
Finding References
To map a finding to compliance frameworks, set finding_references to a "Compliance References" object containing an array of objects, each with the keys "policy" and "ref".
"policy" is the framework and "ref" is the control ID within that framework. For example:
{
"policy": "NIST 800-53",
"ref": "1.2.4"
}
Example XML
<nucleusCustomScan>
<nucleus_import_version>1</nucleus_import_version>
<scan_tool>ComplianceScannerTool</scan_tool>
<scan_type>Host</scan_type>
<scan_date>2021-01-01 00:00:00</scan_date>
<assets>
<asset>
<host_name>my.secret.server.com</host_name>
<findings>
<finding>
<finding_type>Compliance</finding_type>
<finding_number>CMPL-RDP</finding_number>
<finding_name>RDP is disabled</finding_name>
<finding_severity>Critical</finding_severity>
<finding_description>This checks that RDP is disabled on this server. Failed indicates that RDP is enabled.</finding_description>
<finding_recommendation>Ensure that RDP is disabled.</finding_recommendation>
<finding_sub_type>Prohibited Services</finding_sub_type>
<finding_result>Failed</finding_result>
<finding_output>When port 3389 was probed, the following banner was returned:
Example Banner</finding_output>
<finding_port>3389</finding_port>
<finding_service>rdp</finding_service>
</finding>
</findings>
</asset>
</assets>
</nucleusCustomScan>
Example CSV
nucleus_import_version,scan_tool,scan_type,scan_date,host_name,finding_type,finding_number,finding_name,finding_severity,finding_description,finding_recommendation,finding_sub_type,finding_result,finding_output,finding_port,finding_service
"1","ComplianceScannerTool","Host","2021-01-01 00:00:00","my.secret.server.com","Compliance","CMPL-RDP","RDP is disabled","Critical","This checks that RDP is disabled on this server. Failed indicates that RDP is enabled.","Ensure that RDP is disabled.","Prohibited Services","Failed","When port 3389 was probed, the following banner was returned:
Example Banner","3389","rdp"