NOTE: ARE YOU LOOKING FOR GRC TOOL? SEE REPO: GOVREADY-Q

govready

An accreditation-helper toolkit to make FISMA easier.

NOTE: THIS REPO IS NOT CURRENTLY BEING ACTIVELY MAINTAINED. THAT MAY CHANGE IN THE FUTURE.

Vision

The GovReady vision is to make FISMA easier for innovators by

making compliance part of Agile/DevOps
sharing compliance progress data among Dev, Ops, Sec, and Mgt
making baseline development collaborative
providing trusted SCAP content with open source friendly licenses
embracing compliance as a practice distinct from security

Product

Our first product is "govready", a toolkit for running FISMA scans and managing results with a git-like feel.

Govready uses (and is a contributor to) the NIST Certified SCAP 1.2 toolkit OpenSCAP and Scap-Security-Guide.

Our design goal is to make scanning easier and more collaborative regardless of your knowledge of FISMA.

License

License: GPL 3.0

Project Status

Govready is under heavy development and is pre-release. The current version is 0.6.x.

We recommend only using govready currently on non-production virtual machines.

Feedback via GitHub issues is appreciated!

The govready toolkit is funded by a generous grant from the John S and James L Knight Foundation

Get Started

Below are several quickstarts. Use the quickstart for your preferred OS.

( Need a vm to test GovReady? Try: https://github.com/GovReady/testmachines )

RedHat 7 quickstart (64 bit)

# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternate if epel installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y

# Install some useful tools to take full advantage of SCAP-Security-Guide project
# scap-scanner is OpenSCAP certified SCAP scanner
# scap-security-guide is the SCAP Security Guide project
# ansible is the ansible infrastructure as code project
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install epel-release-latest-7.noarch.rpm
sudo yum install ansible scap-scanner scap-security-guide -y

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
# curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo bash
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
# (On AWS, may be necessary to run `sudo su -`)
su - 

# Change back to prefered working directory if dropped into "/"
cd /home/myuser

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# List the scan profiles
govready profiles

# Choose the DISA STIG for RHEL 7 profile
govready profile stig-rhel7-disa

# Run a scan (e.g. before)
# This command runs a multi-parameter OpenSCAP (oscap) command based
# on settings in `GovReadyfile`
govready scan

# Run fix script generated by most recent OpenSCAP (oscap) scan
# This utility generates all the parameters to produce a remediation script and command.
govready fix

# Run an post-remeditation scan (e.g. "after")
# govready utility will track your two most recent scans for easy after / before comparison
govready scan

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# List results
ls -l scans

# Install lynx commandline browser to view results from prompt
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install lynx

# View repoort from most recent scan
lynx scans/stig-rhel7-disa/[datestamp]-results.html

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh

Centos 6 quickstart (64 bit)

Note: CentOS is NOT RHEL without subscription. There is a general assumption that SSG tests for RHEL work on CentOS, but that is not guaranteed.

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Import CentOS cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-centos6-cpe-dictionary.xml:' GovReadyfile

# Run a scan
govready scan

# List results
ls -l scans

# View repoort from most recent scan
lynx scans/results.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh

Ubuntu 12 and 14 quick start (64 bit)

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Run an oscap command just to see things fail because we have no SCAP content installed for Ubuntu
oscap xccdf eval --profile test --results scans/test-results-0822-1319.xml --report scans/test-results-0822-1319.html  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Sorry - this is all you can do on Ubuntu at the moment. :-(
# Fork the code and help us include Ubuntu and Debi

Additional Quickstarts available in the repo. See "Quickstart-platform.md"

Remote Scanning (integration with oscap-ssh script)

The recently released oscap-ssh enables Scanning Remote Machines with OpenSCAP. As a user-friendly frontend to the OpenSCAP tools, GovReady has been enhanced to make use of this exciting new feature. There are two ways to make use of this new feature (which may be used separately or together):

1. Update four variables in the (configuration) GovReadyfile:

# All four vars must be set 'sudo OSCAP_USER@OSCAP_HOST OSCAP_PORT' for remote scanning.
# Note that openscap-scanner ('oscap') must be installed on the remote server.
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22

The openscap scanner is best run by root, but enabling direct root SSH access is a security risk. A non-privileged user such as oscap-user can be enabled to run only the oscap binary as root (when the sudo flag is given) by updating the remote machine's sudoers file or adding a file like /etc/sudoers.d/99-oscap-user:

# allow oscap-user to run openscap scanner
Defaults!/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /bin/oscap

2. Create or override GovReadyfile values with GOVREADY_* environment variables:

This will scan the RHEL 7 machine badwolf.example.com via port 2222:

export GOVREADY_OSCAP_HOST=badwolf.example.com
export GOVREADY_OSCAP_PORT=2222
export GOVREADY_XCCDF=ssg-rhel7-ds.xml
govready scan

Notes and Caveats on remote scanning

All values in the GovReadyfile can be overridden with GOVREADY_* environment variables. This facilitates integration with many site management tools such as Ansible, Chef and Puppet.
As @mpreisler notes, currently oscap-ssh must be run as root, while remote ssh access is generally considered a security hole to be remediated. A future release will resolve this.
OVAL and CPE files can not be separately named on the command line. Rather, use a "datastream" object as the XCCDF file (which can contain OVAL and CPE definitions within it).

Uninstall govready

Using curl

# Uninstall
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo UNINSTALL=1 bash

Install development branches

# Install branch other than master
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo BRANCH=branch_name bash

# Use an installer from a different branch
curl -Lk https://raw.githubusercontent.com/GovReady/govready/branch_name/install.sh | sudo BRANCH=branch_name bash

Testmachines

Use https://github.com/GovReady/testmachines for virtual machines to test GovReady.

Make installation instructions more prominent in documentation

@woodt: I tried to run sample line from sample-pipeline.sh and encountered error:

OSError: [E050] Can't find model 'en_core_web_sm'. It doesn't seem to be a Python package or a valid path to a data directory.

Searched on line and found helpful issue: explosion/spaCy#4577.

Ran command, python -m spacy download en_core_web_sm and had progress, but encountered this issue:

$ python ssp.py --reader json-l match --components data/ssp-components.json data/ssps/ssp1.jsonl
Traceback (most recent call last):
  File "ssp.py", line 461, in <module>
    cli()
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/click/decorators.py", line 21, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "ssp.py", line 422, in match
    nlp.add_pipe(ruler, before="ner")
  File "/codedata/code/CUB/venv/lib/python3.8/site-packages/spacy/language.py", line 748, in add_pipe
    raise ValueError(err)
ValueError: [E966] `nlp.add_pipe` now takes the string name of the registered component factory, not a callable component. Expected string, but got <spacy.pipeline.entityruler.EntityRuler object at 0x112964400> (name: 'None').

- If you created your component with `nlp.create_pipe('name')`: remove nlp.create_pipe and call `nlp.add_pipe('name')` instead.

- If you passed in a component like `TextCategorizer()`: call `nlp.add_pipe` with the string name instead, e.g. `nlp.add_pipe('textcat')`.

- If you're using a custom component: Add the decorator `@Language.component` (for function components) or `@Language.factory` (for class components / factories) to your custom component and assign it a name, e.g. `@Language.component('your_name')`. You can then run `nlp.add_pipe('your_name')` to add it to the pipeline.

govready / cub Goto Github PK

cub's Introduction

govready

Vision

Product

License

Project Status

Get Started

RedHat 7 quickstart (64 bit)

Centos 6 quickstart (64 bit)

Ubuntu 12 and 14 quick start (64 bit)

Remote Scanning (integration with oscap-ssh script)

1. Update four variables in the (configuration) GovReadyfile:

2. Create or override GovReadyfile values with GOVREADY_* environment variables:

Notes and Caveats on remote scanning

Uninstall govready

Install development branches

Testmachines

cub's People

Contributors

Stargazers

Watchers

Forkers

cub's Issues

Recommend Projects

Recommend Topics

Recommend Org