
Documentation on the OpenRMF application, including scripts to run the whole stack as well as just infrastructure with documentation on using the tool.

OpenRMF® Documentation (v 1.10)

OpenRMF® is an open source application for managing, viewing, and reporting on your DoD STIG checklists, SCAP scans, and Nessus patch scans in one web-based interface, using your browser. It also generates a compliance listing of all your checklists across a whole system, based on NIST 800-53, for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and lets you structure your data in a clean interface, all in one location, for your group or program.

You can export your checklists as CKL files and your test plan and POAM as MS Excel properly formatted files as well.

If you need more than the OSS version, check out OpenRMF® Professional.

  • custom checklist templates
  • CIS scans
  • Parsing patch vulnerabilities for hardware, software, PPSM
  • history and trends
  • deeper level of security on system packages
  • live POAM
  • bulk editing and locking vulnerabilities and checklists
  • Compliance down to the subcontrol level, overlays, tailoring, compliance statements
  • Generate SSP, SAR, RAR, CCRI documents
  • add in tracking of other vulnerabilities (software, container, infrastructure-as-code, etc.)
  • and more...

TL;DR Description

The OpenRMF® OSS application is a highly advanced alternative to the DISA STIGViewer.jar and the MS Excel hell we go through for DoD STIG checklist files, SCAP scans, Nessus ACAS scans, RMF process information, and the like. Capturing and reporting on this information is necessary; please do not mistake what I say for disagreeing with securing services. However, the DISA Java tool itself is horribly designed and not conducive to today's environment and use, and it is only part of the story. Their Java tool has been like this for a very long time, and I have wanted to make something better (IMO) for almost as long. So this tool is the start!

It is a way (currently) to view, report on, dive into, manage, and export your STIG checklists, no matter which STIG a given checklist covers. All .CKL files share a common XML format, and this tool reads, displays, and manages that format in a web front end built on .NET Core APIs, MongoDB, and NATS messaging. View the history of this tool on our website.

OpenRMF® OSS is also a single pane of glass for your DISA SCAP scans (to generate checklists), Nessus SCAP scans, Nessus patch scans (to track patch management), and compliance reporting for your systems going through the RMF process. We know: the RMF process is manual and all-inclusive! This tool automates as much as possible of the managing and reporting of that data so you can:

  1. Know your current Risk Profile
  2. Know your current status
  3. Know what is left to do
  4. Know what your Critical and High items are so you can track and attack them

This repository holds the documentation for the OpenRMF® project as it goes along: MD files, reference images, and other documents, written in GitHub markdown. The idea for this application has been brewing in my head for well over a decade, and concretely since the July 4th weekend of 2018, when I started to put down code. In January 2019 I scrapped all of that July code and went for web APIs, microservices, eventual consistency, and CQRS (command query responsibility segregation, so reads and writes scale separately), using MongoDB and NATS.

Get OpenRMF® OSS Running Locally

If you want to get it running on your local laptop, desktop, or server, follow the instructions below. You need a fairly good internet connection and Docker Desktop / Docker Community Edition. Then go to the latest release and download the Keycloak zip file and the OpenRMF® zip file.

Please read the Minimum Requirements for OpenRMF® OSS. And then follow these Step by Step Instructions.

Note that Docker Desktop users need File Sharing turned on to run OpenRMF® OSS the way the docker-compose file is designed: we use persistent volumes for MongoDB, Grafana, and Prometheus.

Install in Air-Gapped / Disconnected Environment

There are separate instructions in the included air-gapped installation MD file.

Running over HTTPS

There are separate instructions in the included HTTPS setup document for running OpenRMF® OSS v1.9 or higher over HTTPS. They assume the full configuration in a single YML file for the software, versus the separate Keycloak and software YML files used in combination for v1.8.x and earlier.

Other OpenRMF® OSS Deployments

If you want to run on AWS EKS, you can see the Helm Chart and Kubernetes specific information here.

@medined put up a great set of Ansible and Terraform scripts at https://github.com/medined/openrmf-at-aws/ for work he is doing with the Container Working Group at the Veterans Administration.

Why Use OpenRMF® OSS

It will save you weeks of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.

When a team has poor visibility of their system’s risk data, it can result in bad decisions, errors, security risks and unforeseen issues. Teams must replace manual RMF and checklist methods that use spreadsheets and emails with an open, web-based solution that your team can leverage to plan, track and govern the entire RMF process. That is where OpenRMF® helps you and your team!

Read more about its genesis here.


Current Functionality

  • Import SCAP scans (DISA STIGs) for automatic checklist documentation
  • Import Nessus ACAS scans (patches and updates) for automated reporting and managing critical updates
  • Exporting Nessus ACAS scans by host or total summary into MS Excel
  • Dashboard showing # of open items per system and # Critical, High, Medium, and Low items from Nessus ACAS Scans
  • Generate a Compliance listing of NIST 800-53 Controls to all checklists within a system
  • Filter the Compliance Generator for Low/Moderate/High projects as well as PII/Privacy overlay information
  • Save/Upload .CKL files for viewing and safekeeping
  • List and display active systems with checklists, scoring, and auditing information
  • List and display checklists with total open items and quick links to Vulnerabilities by status
  • List and display templated checklists (starting points)
  • Group and list checklists and reports by System (a group of checklists for a single application, system, etc.)
  • Reporting or "scoring" on Open, N/A, "Closed" as well as "not yet reviewed" items in the checklists quickly
  • Exporting the .CKL file for quick loading into the STIG Viewer Java application
  • Exporting checklists to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
  • Exporting of various charts for download to PNG
  • Filter Vulnerabilities on the Checklist page by status
  • Live Editing of Checklist data through the web browser
  • Bulk Edits of Vulnerabilities across similar checklist types within your System grouping
  • Filter vulnerabilities for your Compliance listing based on major controls
  • Exporting your list of checklists and their score by status and category to MS Excel
  • Metrics exported to Prometheus for API endpoints and NATS messaging, quickly display in Grafana
  • Single Docker Compose file to run locally
  • YAML to quickly setup this project in OpenShift or K8s natively
  • Interactive Nessus Report for searching on latest scan data, filtering, etc. via the web
  • Interactive Checklist Vulnerability report for search and filtering on vulnerabilities interactively via the web
  • User AuthN and AuthZ for login accounts and Role Based Access Control on functions
  • Auditing all creates, deletes, and updates
  • Import the Manual XML STIG to create a starting checklist (Automatic and behind the scenes for now)
  • Generate the RMF POA&M
  • Generate the Risk Assessment Report RAR
  • Generate the Test Plan
  • Central logging (ledger) for all CRUD and access usage based on NATS
  • Make the Keycloak setup easier (scripted)
  • Included Jaeger Tracing setup
  • Grafana and Prometheus included setup
  • External API access to certain functions in OpenRMF® (ext-api-score)
  • Export Compliance Report to XLSX
  • Meaningful Health Checks in APIs and MSG clients
  • Performance improvements
  • Separate Reporting API and Database (MSA)
  • Use NGINX reverse proxy for all API calls

If we are missing something you want, please add it on our main GitHub Issues page.
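As an added example (not code from the OpenRMF® project), the script below shows what two of the items above amount to in practice: the checklist "scoring" by status and CAT, and the vulnerability-to-CCI-to-NIST 800-53 roll-up behind the compliance listing. It assumes the .CKL layout STIG Viewer writes (CHECKLIST/ASSET, STIGS/iSTIG/VULN with VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs and a STATUS); the CCI-to-control map and the sample checklist are constructed for the example and are not DISA's full CCI list.

```python
"""Added example (not OpenRMF project code): read a DISA STIG .CKL file, score
it by status and severity, and roll open findings up to NIST 800-53 controls
through their CCI references.

Assumptions: the CKL layout (CHECKLIST/ASSET, STIGS/iSTIG/VULN/STIG_DATA with
VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs, STATUS) follows what STIG Viewer writes;
CCI_TO_CONTROL is a constructed fragment, not DISA's CCI list; the sample
checklist is constructed inline so the script runs offline.
"""
import xml.etree.ElementTree as ET  # on an upload endpoint use defusedxml.ElementTree
from collections import Counter, defaultdict

# <STATUS> values exactly as STIG Viewer stores them.
STATUSES = ("Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")
# Severity in a CKL is high/medium/low, i.e. CAT I / CAT II / CAT III.
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Constructed fragment of the CCI -> NIST 800-53 map (assumption, not the real list).
CCI_TO_CONTROL = {"CCI-000366": "CM-6", "CCI-000381": "CM-7",
                  "CCI-001312": "SI-11", "CCI-000169": "AU-12"}


def _vuln_xml(vid, severity, ccis, status):
    """Build one <VULN> in STIG Viewer's attribute/value layout (sample data only)."""
    rows = [("Vuln_Num", vid), ("Severity", severity)] + [("CCI_REF", c) for c in ccis]
    data = "".join(f"<STIG_DATA><VULN_ATTRIBUTE>{k}</VULN_ATTRIBUTE>"
                   f"<ATTRIBUTE_DATA>{v}</ATTRIBUTE_DATA></STIG_DATA>" for k, v in rows)
    return f"<VULN>{data}<STATUS>{status}</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>"


SAMPLE_CKL = (  # constructed checklist: 5 vulns, one with two CCIs, one unmapped CCI
    '<?xml version="1.0" encoding="UTF-8"?><CHECKLIST>'
    "<ASSET><ROLE>None</ROLE><ASSET_TYPE>Computing</ASSET_TYPE>"
    "<HOST_NAME>web01</HOST_NAME><HOST_IP>10.0.0.5</HOST_IP></ASSET>"
    "<STIGS><iSTIG><STIG_INFO><SI_DATA><SID_NAME>title</SID_NAME>"
    "<SID_DATA>Example Web Server STIG</SID_DATA></SI_DATA></STIG_INFO>"
    + _vuln_xml("V-100001", "high", ["CCI-000366"], "Open")
    + _vuln_xml("V-100002", "medium", ["CCI-000381", "CCI-000366"], "Open")
    + _vuln_xml("V-100003", "medium", ["CCI-000366"], "NotAFinding")
    + _vuln_xml("V-100004", "low", ["CCI-001312"], "Not_Applicable")
    + _vuln_xml("V-100005", "high", ["CCI-000169", "CCI-999999"], "Not_Reviewed")
    + "</iSTIG></STIGS></CHECKLIST>"
)


def parse_ckl(ckl):
    """Return {'asset', 'stig_title', 'vulns'}; each vuln has id, severity, ccis, status."""
    root = ET.fromstring(ckl.encode("utf-8") if isinstance(ckl, str) else ckl)
    if root.tag != "CHECKLIST":
        raise ValueError("not a CKL document: root is <%s>" % root.tag)
    asset_el = root.find("ASSET")
    asset = {el.tag: (el.text or "").strip()
             for el in (asset_el if asset_el is not None else [])}
    info = {si.findtext("SID_NAME", ""): si.findtext("SID_DATA", "")
            for si in root.iter("SI_DATA")}
    vulns = []
    for vuln in root.iter("VULN"):
        attrs = defaultdict(list)  # an attribute name can repeat (CCI_REF does)
        for sd in vuln.findall("STIG_DATA"):
            name = sd.findtext("VULN_ATTRIBUTE", "").strip()
            attrs[name].append(sd.findtext("ATTRIBUTE_DATA", "").strip())
        status = vuln.findtext("STATUS", "").strip() or "Not_Reviewed"
        if status not in STATUSES:
            raise ValueError("unknown STATUS %r" % status)
        vulns.append({"id": attrs.get("Vuln_Num", [""])[0],
                      "severity": attrs.get("Severity", [""])[0].lower(),
                      "ccis": [c for c in attrs["CCI_REF"] if c],
                      "status": status})
    return {"asset": asset, "stig_title": info.get("title", ""), "vulns": vulns}


def score(vulns):
    """Checklist score: counts per status plus open items per CAT."""
    by_status = Counter(v["status"] for v in vulns)
    open_by_cat = Counter(CATEGORY.get(v["severity"], "unknown")
                          for v in vulns if v["status"] == "Open")
    return {"total": len(vulns),
            "by_status": {s: by_status[s] for s in STATUSES},
            "open_by_cat": dict(open_by_cat)}


def compliance_rollup(vulns, cci_map=CCI_TO_CONTROL):
    """Per NIST control, list vuln ids by status; also return CCIs with no mapping."""
    rollup = defaultdict(lambda: {s: [] for s in STATUSES})
    unmapped = set()
    for v in vulns:
        for cci in v["ccis"]:
            control = cci_map.get(cci)
            if control is None:
                unmapped.add(cci)
            else:
                rollup[control][v["status"]].append(v["id"])
    return dict(rollup), unmapped


def open_controls(rollup):
    """Controls that are non-compliant because at least one vuln under them is Open."""
    return sorted(c for c, buckets in rollup.items() if buckets["Open"])


if __name__ == "__main__":
    ckl = parse_ckl(SAMPLE_CKL)
    print(ckl["asset"]["HOST_NAME"], ckl["stig_title"], score(ckl["vulns"]))
    rollup, unmapped = compliance_rollup(ckl["vulns"])
    print("non-compliant controls:", open_controls(rollup), "unmapped CCIs:", sorted(unmapped))
```

Two points a practitioner should carry over from this. A single vulnerability can carry several CCI_REF entries, so it lands under more than one control, and a control is non-compliant as soon as any vulnerability under it is Open; the roll-up must therefore work from the full list of CCIs per vulnerability, not the first one. And the checklist upload page accepts .CKL files from users, which makes the parser an attack surface: on a server, parse with defusedxml.ElementTree.fromstring (same argument, entity expansion refused) rather than the stdlib call used here so the example runs without extra packages.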

Metrics Tracking with Prometheus and Grafana

We include metrics tracking for all our major subsystems. See the OpenRMF Metrics document for more information.

Cleaning up the Docker volumes and such every so often

If you want to remove all data from volumes, you can run the commands below. Do this at your own risk and know the consequences! I do this on my development machine to clear ALL dangling volumes, including those not used by OpenRMF®.

  • run docker volume rm $(docker volume ls -qf dangling=true)
  • run docker system prune and then enter y and press Enter when asked

Two things to know before running them. The dangling filter only lists volumes that no container references, so stop and remove the OpenRMF® containers first; a volume still attached to a stopped container is not dangling and survives the first command. And docker system prune removes stopped containers, unused networks, dangling images, and build cache, but it does not remove volumes unless you also pass the --volumes flag.

Screenshots of the UI

  • The OpenRMF® Dashboard for all Systems (screenshot)
  • The System Listing (screenshot)
  • A System View (screenshot)
  • Exporting the Nessus Patch file summary to XLSX (screenshot)
  • The Individual Checklist view (screenshot)
  • Generate RMF Compliance Listing with linked Checklists and filtered vulnerabilities! (screenshot)
  • The checklist Upload page (screenshot)
  • Exporting the checklist to XLSX with color coding (screenshot)

More Repositories

  • dotnet-core-prometheus-grafana (C#): A tutorial repo to use .NET Core 2.2, Prometheus and Grafana to show metrics of your Web APIs.
  • openrmf-web (JavaScript): The web UI for the OpenRMF tool, which uses multiple containers for parts of the distributed OpenRMF tool for managing DoD STIG checklists and RMF compliance.
  • cesium-starterkit (JavaScript): CesiumJS Starter Kit - a menu, event triggers, and drawing objects to get started with CesiumJS.
  • openshift-templates (Dockerfile): OpenShift and MiniShift templates for various uses.
  • dotnet-core-web-api-caching-examples (C#): .NET Core Web API examples with and without caching, to go with a Medium.com article I wrote.
  • custom-jenkins-openshift: Customize the Jenkins S2I image to include plugins, k8s pod templates, etc.
  • openrmf-api-controls (C#): The Controls API of the OpenRMF tool; lets you list all controls or search for controls to get the family, title, and description of that NIST 800-53 control.
  • openrmf-api-read (C#): The Read API for the OpenRMF tool; returns just checklist data to save in a CKL. Can also get a single record (with checklist data) or list multiple STIG records (without the checklist data).
  • openrmf-api-compliance (C#): The Compliance API of the OpenRMF tool; runs a checklist or a system of checklists against the NIST major controls to see what is open, closed, or planned for implementation.
  • openrmf-api-template (C#): The Template API for the OpenRMF tool; lets you upload a CKL file to save as a template with metadata.
  • openrmf-api-save (C#): The Save API for the OpenRMF tool; lets you POST/PUT form fields for your STIG record.
  • openrmf-msg-system (C#): Messaging service of the OpenRMF tool to update system-level info within OpenRMF eventually.
  • openrmf-api-upload (C#): The Upload API for the OpenRMF tool; lets you upload a CKL file to start with or add to your STIG record.
  • openrmf-api-scoring (C#): The Scoring API for the OpenRMF tool; lets you read stats on the status and category of STIG vulnerabilities. Also returns a score when passed the STIG checklist as one long raw string.
  • openrmf-io (JavaScript): The openrmf.io website repository.
  • openrmf-msg-compliance (C#): Messaging service of the OpenRMF tool that returns compliance lists and CCI records to Request/Reply NATS calls from internal APIs.
  • nats-client-metrics (C#): A .NET 6 web API that reads NATS client metrics from the /connz endpoint and shows Prometheus-formatted metrics per client connection.
  • openrmf-api-audit (C#): The Audit API for the OpenRMF tool; lets you query audit records across OpenRMF.
  • openrmf-msg-score (C#): Messaging service of the OpenRMF tool that processes new saves and updates of checklists for scoring, as well as deletes.
  • openrmf-msg-template (C#): Messaging service of the OpenRMF tool that returns template / artifact information to Request/Reply NATS calls from internal APIs.
  • openrmf-ext-api-score (C#): The External Score API for the OpenRMF tool. It sits behind an API gateway and returns a score from a STIG checklist POSTed as one long raw string.
  • openrmf-msg-checklist (C#): Messaging service of the OpenRMF tool that returns checklist / artifact information to Request/Reply NATS calls from internal APIs.
  • dotnet-core-prometheus-grafana-jaeger (C#): A demonstration of using .NET Core 2.2, Prometheus, Grafana, and Jaeger with APIs to show metrics, tracing, etc.
  • openrmf-msg-audit (C#): Messaging service of the OpenRMF tool that tracks and stores all auditable actions across the tool.
  • openrmf-msg-controls (C#): Messaging service of the OpenRMF tool that returns control and vulnerability information to Request/Reply NATS calls from internal APIs.