Resolves short term feature fix mitre/heimdall-lite#116. Standard files are big - to improve user experience, and minimize bandwidth waste, we should send as little data as is necessary (only really need the controls the user is trying to view). Request this data asynchronously via graphql, send back the relevant controls. Locally cache the ones that have been sent (not literally in the cache, just in memory).
I know I am repeating myself in various issues on this but I hope this collects a lot of these ideas.
We should also write up a 'HDF Profile and Control' Stype guide that would help lay out a lot of these 'standards' that we have established.
I am sure many of these will break out into smaller sub-issues on the vaious projects.
I am also very sure that all this stuff will have to go into the guide referenced above.
That we update the parsing to ensure we always use sub-descriptions on text block types rather than tags:
fix
check
desc
The below are used in many overlays and tailoring profiles
/vulnerability/
vulnerability_discussion ( in xccdf, csv and xls for example )
/justification/
caveat
etc.
That we allow for allow for three new types: desc, justification, caveat, discussion
a. That caveat and or justification are appended to the 'Finding Details' in all the converters and Heidmall Applications
b. We also allow for /*caveat*/ and /*justification*/ - such that myorg-/_caveat is discovered.
c. that discussion or /*discussion*/ be appended to the bottom of the general description - such that vulnerability_discussion would be discovered.
That we support both text based impacts and numeric based impacts in our parsing and conversations to allow for better user interface ( in xccdf, csv, xccdf etc. )
That we update inspec_tools and heimdall_tools to use the new sub-sections
That the sub-descriptions are grouped and created together in the control logically:
That CAT I / CAT II / CAT III can be processed and their derivities and be replaced by CVSS 3.0 standards in all our tools forward and backward - such that if someone creats a CSV or XLS they can ask to use the CVSS, CAT[I-IV] or CAT[1-4] severity style.
That our tools do not create code that uses " where ' are the correct style
Ensure the output of our converters formats with a standard of 2-space utf-8 conmpliant chars. Automate and other windows and ruby unzip some time have issues with the char encoding or odd things. This is an old issue but I think they are just plian using an old library or something.
Remove the 'Rev_*' from the nist tag array as the actual mapping for the control and its nist revision is in the CCI database, and we have the CCI. This also confuses the end users as they think when the 800-53 mapping changes we have rework the profile and silly things like that. Less is more.
Convert all our XLS mapping systems into proper ruby data structures that the tools and apps. Allow for us to be able to use the XLS as a source but convert that into our stable ruby defined structures so that in the binary builds we are alows useing pure ruby objects and data structures which can can loaded as static constancts so we only have to load them one etc.
As a note, once we have Compliance Mapper working - we can just interact and gen these data there.
Ensure the output of our converts creates well formatted aligned starting point - I think rubocop can be fanagled to support this. See the Windows 10 profile for an example - given I had to review every control I just did this by hand on the 243 controls ... I would prefer never to do that again.
# encoding: utf-8control'V-63319'dotitle"Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version."desc"Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version."impact0.5tagseverity: 'medium'taggtitle: 'WN10-00-000005'taggid: 'V-63319'tagrid: 'SV-77809r3_rule'tagstig_id: 'WN10-00-000005'tagfix_id: 'F-69237r2_fix'tagcci: ['CCI-000366']tagnist: ['CM-6 b']tagfalse_negatives: niltagfalse_positives: niltagdocumentable: falsetagmitigations: niltagseverity_override_guidance: falsetagpotential_impacts: niltagthird_party_tools: niltagmitigation_controls: niltagresponsibility: niltagia_controls: nildesc"check","Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. For standalone systems, this is NA. Open \"Settings\". Select \"System\", then \"About\". If \"Edition\" is not \"Windows 10 Enterprise\", this is a finding. If \"System type\" is not \"64-bit operating system…\", this is a finding."desc"fix",'Use Windows 10 Enterprise 64-bit version for domain-joined systems.'describeos.archdoit{shouldeq'x86_64'}enddescribeos.namedoit{shouldeq'windows_10_enterprise'}endend
Given the above, can we create a .rubocop standard file that would help enfore a lot of this
Additional context
Most likely need to sanitize for bad data since this frontend will now be used for both a standalone and a server application: https://www.npmjs.com/package/vue-sanitize
This issue(s) more relevant to heimdall, specifically, but is more likely to hold my attention if placed here. Some of these goals may already be accomplished, but they are repeated here nonetheless.
Essentially, as we refactor Heimdall DB to support Heimdall lite, we should also make sure that:
Heimdall DB stands on its own and needs no communication with the server to have total data independence/integrity
In particular, it is my belief that we should firmly separate the concept of users viewing evaluations from the evaluations themselves
This ensures that we will have a "pure data" / HDF data format central to our architecture, and that other developers can easily utilize the Heimdall DB if they wish to make their own frontend (or have no frontend at all).
This will hopefully aid in wider adoption of Heimdall platform tools, as people can take exactly what they want/need (storage, file format conversion, UI, etc.) without needing to use the entire monolithic platform.
It will also make transitioning from current Heimdall Server frontend to Heimdall lite simpler.
Heimdall DB ingest layer should be separated from Heimdall frontend
Similar line of reasoning as above: Modularity makes transitions between different frontends simpler.
Furthermore, if an organization discovers a need to massively scale up the amount of data they are intaking, it would behoove us to make sure our intake procedures can scale as well.
This also would improve resiliency, as we won't drop data just because the frontend is down.
Heimdall DB should enforce data correctness (to the best of its ability)
Third normal form is ideal, and I see no reason for us not to have it.
Avoid nulls wherever possible - they are frustrating to deal with, and in almost every case I would argue that the person submitting the data knows a better method of establishing default values than some poor frontend developer (won't someone please think of the interns! and me).
E.g. Search by SHA, whether it failed, compliance rate, etc. All these will need to be placed in the meta tag, and the search should specifically run on the meta tag, if possible.
Full Data: The current function of the CAAT component.
Condensed/Interactive:
Use Case:
A user wants to fold each NIST Sub-Family into single row rather than multiple rows for every result. If they select the condensed mode - we will have a 'wizard model' come out and ask what 'standard text' we want for each column for that Sub-Family Finding - walking them across the spreadsheet.
As the user is walking though each sub-family step - It would be good if we can have another model that has a datatable of the 'detailed results' of those findings for the sub-family that they could open and close for review if needed.
UX consideration: we can we can suggest a 'default' answer -
a) like Severity ( if 8 / 10 are high or they are all the same) or
b) if they have already provided an answer - such as 'System Name' - that is unlikely to change. ( perhaps the last answer is good enough for most cases ).
c) Could use vuetify modal
Once they walk through, they can save it as a csv/xlsx.
This was an idea that we already pushed to the inspec folks about updating the html reporter to just use a SPA version of HL - a bit modified - to save the results data into the Single page build of HL to make a much better version of the HTML reporter.
This is a good start but as you can see - it is not so pretty
@lukemalinowski did a lot of work with the Webpack build of HL so he may be a good resource
many of our initial reasons for simply using a list view are now moot.
This would solve the alignment issues and potentially/almost definitely. increase performance for paginated views.
However, the main reason to NOT make this change is that the initial implementation by the Vuetify devs was incredibly inefficient when doing the "all" view for extremely large #'s of rows. We must weigh the cost of development against the chance that this inefficiencies are still crippling. Additionally, we would lose our nifty stacking - however, said stacking is kind of a PITA to maintain.
The favicon should have a transparent background instead of being black.
Should also probably include more sizes in it to support a wider variety of usages.
Also, where did we derive the art from? Other projects called Heimdall have similar logos so not sure if ours is outdated or something, ex. https://heimdall.site/.
For example, an IfThisThenThat - style service could send digests of Inspec report activity, and forward them to arbitrary notification systems (e.g. phone notifications, emails, etc) with little additional dev work on our end.
At the moment the Results vue layout shows profile errors for InSpec Profile JSONs.
Given that the sidebar seems to know the difference between Results and Profile json's we should just have a second view for Profiles with a logical layout similar to the HL1.0.
A Summary version of the CAAT, listing only one row for each NIST SP 800-53 security control.
A template/mockup is attached: Summary_CAAT_Template_02062020a.xlsx
And add menu item as shown:
Message, status, etc. should be cached because being honest, CPU costs more than memory in JS world (gross!). Also, HDF objects are now less common since we generate them at intake time, so it's all good.
Technically this is an inspecJS thing but that doesn't matter - who cares - things aren't real.
As a Information System Owner, I need a combined view that aggregates the results of several scans so I can understand the overall security posture of a system or system component.