
govready's Introduction

NOTE: ARE YOU LOOKING FOR A GRC TOOL? SEE REPO: GOVREADY-Q

govready

An accreditation-helper toolkit to make FISMA easier.

NOTE: THIS REPO IS NOT CURRENTLY BEING ACTIVELY MAINTAINED. THAT MAY CHANGE IN THE FUTURE.

Vision

The GovReady vision is to make FISMA easier for innovators by

  • making compliance part of Agile/DevOps
  • sharing compliance progress data among Dev, Ops, Sec, and Mgt
  • making baseline development collaborative
  • providing trusted SCAP content with open source friendly licenses
  • embracing compliance as a practice distinct from security

Product

Our first product is "govready", a toolkit for running FISMA scans and managing results with a git-like feel.

Govready uses (and is a contributor to) the NIST Certified SCAP 1.2 toolkit OpenSCAP and Scap-Security-Guide.

Our design goal is to make scanning easier and more collaborative regardless of your knowledge of FISMA.

License

Copyright 2013, 2014 Greg Elin and GovReady. All Rights Reserved.

License: GPL 3.0

Project Status

Govready is under heavy development and is pre-release. The current version is 0.6.x.

We recommend only using govready currently on non-production virtual machines.

Feedback via GitHub issues is appreciated!

The govready toolkit is funded by a generous grant from the John S. and James L. Knight Foundation.

Get Started

Below are several quickstarts. Use the quickstart for your preferred OS.

(Need a vm to test GovReady? Try: https://github.com/GovReady/testmachines)

RedHat 7 quickstart (64 bit)

# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternate if epel installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y

# Install some useful tools to take full advantage of SCAP-Security-Guide project
# scap-scanner is OpenSCAP certified SCAP scanner
# scap-security-guide is the SCAP Security Guide project
# ansible is the ansible infrastructure as code project
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install epel-release-latest-7.noarch.rpm
sudo yum install ansible scap-scanner scap-security-guide -y

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
# curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo bash
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
# (On AWS, may be necessary to run `sudo su -`)
su - 

# Change back to preferred working directory if dropped into "/"
cd /home/myuser

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# List the scan profiles
govready profiles

# Choose the DISA STIG for RHEL 7 profile
govready profile stig-rhel7-disa

# Run a scan (e.g. before)
# This command runs a multi-parameter OpenSCAP (oscap) command based
# on settings in `GovReadyfile`
govready scan

# Run fix script generated by most recent OpenSCAP (oscap) scan
# This utility generates all the parameters to produce a remediation script and command.
govready fix

# Run a post-remediation scan (e.g. "after")
# govready utility will track your two most recent scans for easy after / before comparison
govready scan

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if any rule that passed in the second most recent scan now fails.
govready compare fail

# List results
ls -l scans

# Install lynx commandline browser to view results from prompt
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install lynx

# View report from most recent scan
lynx scans/stig-rhel7-disa/[datestamp]-results.html

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh
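The `govready compare` step above (and the "Show diff of different scan results" issue further down) boils down to lining up rule results from two XCCDF results files and flagging what changed, with a pass-to-fail regression being the most important case. The following is an added example, not code from the GovReady project: it extracts `idref`/`result` pairs from two constructed results fragments with `sed` and classifies the differences with `join` and `awk`. The sample XML, file names and the output labels are constructed for the example; a production tool would use a real XML parser rather than text munging.

```shell
#!/bin/sh
# Added example (not GovReady's code): compare two XCCDF results files the way
# "govready compare" is described, reporting regressions, fixes, added and
# removed rules. Sample data is constructed inline so the script runs offline.

BEFORE_XML=$(mktemp)
AFTER_XML=$(mktemp)
trap 'rm -f "$BEFORE_XML" "$AFTER_XML"' EXIT

# Constructed "before" results: three rules, two passing, one failing.
cat > "$BEFORE_XML" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_disable_snmpd" time="2014-08-22T15:40:00">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_umask_for_daemons">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_old_rule">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF

# Constructed "after" results: snmpd regressed, umask was fixed,
# old_rule dropped out of the profile, new_rule was added.
cat > "$AFTER_XML" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_disable_snmpd" time="2014-08-22T15:52:00">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_umask_for_daemons">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_new_rule">
    <result>notchecked</result>
  </rule-result>
</TestResult>
EOF

# Print "idref result" for every rule-result in a file, sorted by idref.
# The file is flattened to one line, split on </rule-result>, then each
# chunk is reduced to its idref and result text.
rule_results() {
  tr '\n' ' ' < "$1" |
    sed 's#</rule-result>#\
#g' |
    sed -n 's#.*<rule-result[^>]*idref="\([^"]*\)"[^>]*>.*<result>\([^<]*\)</result>.*#\1 \2#p' |
    LC_ALL=C sort
}

# Compare an older ($1) and newer ($2) results file; one line per change.
compare_scans() {
  old=$(mktemp); new=$(mktemp)
  rule_results "$1" > "$old"
  rule_results "$2" > "$new"
  # Full outer join on idref; MISSING marks a rule absent from one scan.
  LC_ALL=C join -a1 -a2 -e MISSING -o '0,1.2,2.2' "$old" "$new" |
    awk '
      $2 == "MISSING"              { print "added      " $1 " (now " $3 ")"; next }
      $3 == "MISSING"              { print "removed    " $1; next }
      $2 == "pass" && $3 != "pass" { print "REGRESSION " $1 " " $2 "->" $3; next }
      $2 != "pass" && $3 == "pass" { print "fixed      " $1; next }
      $2 != $3                     { print "changed    " $1 " " $2 "->" $3 }
    '
  rm -f "$old" "$new"
}

compare_scans "$BEFORE_XML" "$AFTER_XML"
```

Running it prints one REGRESSION line for `disable_snmpd`, a fixed line for `umask_for_daemons`, a removed line for `old_rule` and an added line for `new_rule`; piping the output through `grep '^REGRESSION'` is the equivalent of the README's `govready compare fail`.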

Centos 6 quickstart (64 bit)

Note: CentOS is NOT RHEL without subscription. There is a general assumption that SSG tests for RHEL work on CentOS, but that is not guaranteed.

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Import CentOS cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-centos6-cpe-dictionary.xml:' GovReadyfile

# Run a scan
govready scan

# List results
ls -l scans

# View report from most recent scan
lynx scans/results.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh

Ubuntu 12 and 14 quick start (64 bit)

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Run an oscap command just to see things fail because we have no SCAP content installed for Ubuntu
oscap xccdf eval --profile test --results scans/test-results-0822-1319.xml --report scans/test-results-0822-1319.html  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Sorry - this is all you can do on Ubuntu at the moment. :-(
# Fork the code and help us include Ubuntu and Debi

Additional Quickstarts available in the repo. See "Quickstart-platform.md"

Remote Scanning (integration with oscap-ssh script)

The recently released oscap-ssh enables Scanning Remote Machines with OpenSCAP. As a user-friendly frontend to the OpenSCAP tools, GovReady has been enhanced to make use of this exciting new feature. There are two ways to make use of this new feature (which may be used separately or together):

1. Update four variables in the GovReadyfile (the configuration file):

# All four vars must be set 'sudo OSCAP_USER@OSCAP_HOST OSCAP_PORT' for remote scanning.
# Note that openscap-scanner ('oscap') must be installed on the remote server.
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22

The openscap scanner is best run by root, but enabling direct root SSH access is a security risk. A non-privileged user such as oscap-user can be enabled to run only the oscap binary as root (when the sudo flag is given) by updating the remote machine's sudoers file or adding a file like /etc/sudoers.d/99-oscap-user:

# allow oscap-user to run openscap scanner
Defaults!/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /bin/oscap

2. Create or override GovReadyfile values with GOVREADY_* environment variables:

This will scan the RHEL 7 machine badwolf.example.com via port 2222:

export GOVREADY_OSCAP_HOST=badwolf.example.com
export GOVREADY_OSCAP_PORT=2222
export GOVREADY_XCCDF=ssg-rhel7-ds.xml
govready scan

Notes and Caveats on remote scanning

  • All values in the GovReadyfile can be overridden with GOVREADY_* environment variables. This facilitates integration with many site management tools such as Ansible, Chef and Puppet.
  • As @mpreisler notes, currently oscap-ssh must be run as root, while remote ssh access is generally considered a security hole to be remediated. A future release will resolve this.
  • OVAL and CPE files cannot be separately named on the command line. Rather, use a "datastream" object as the XCCDF file (which can contain OVAL and CPE definitions within it).
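The two configuration paths described above (values in the GovReadyfile, and `GOVREADY_*` environment variables overriding them) are easy to get subtly wrong, for example when an automation tool exports a host override but the port is still taken from the file. The following is an added example and not GovReady's own implementation: it reads `KEY = value` lines from a constructed GovReadyfile, lets `GOVREADY_KEY` override each one, and assembles the remote target string in the `sudo USER@HOST PORT` form the README comment describes. The `cfg_get` and `remote_target` names are hypothetical.

```shell
#!/bin/sh
# Added example, not GovReady's code: GovReadyfile lookup with GOVREADY_*
# environment overrides, as the README describes. The config text is a
# constructed sample embedded inline so the script runs offline.

GOVREADYFILE_TEXT='# constructed sample GovReadyfile
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22
XCCDF = ssg-rhel6-xccdf.xml'

# cfg_get KEY: print the effective value of KEY.
# An exported GOVREADY_KEY variable wins; otherwise the GovReadyfile value
# (trailing whitespace stripped); otherwise nothing.
cfg_get() {
  key=$1
  override=$(env | sed -n "s/^GOVREADY_${key}=//p" | head -n 1)
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
    return 0
  fi
  printf '%s\n' "$GOVREADYFILE_TEXT" |
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" |
    sed 's/[[:space:]]*$//' |
    head -n 1
}

# remote_target: "sudo USER@HOST PORT" when user, host and port are all set
# (the README requires all of them for remote scanning), else "local".
# The exact oscap-ssh argument layout is an assumption of this example.
remote_target() {
  sudo_flag=$(cfg_get OSCAP_SUDO)
  user=$(cfg_get OSCAP_USER)
  host=$(cfg_get OSCAP_HOST)
  port=$(cfg_get OSCAP_PORT)
  if [ -z "$user" ] || [ -z "$host" ] || [ -z "$port" ]; then
    echo local
    return 0
  fi
  printf '%s %s@%s %s\n' "$sudo_flag" "$user" "$host" "$port"
}

# Demo: file values first, then the badwolf override from the README.
echo "target from file:     $(remote_target)"
export GOVREADY_OSCAP_HOST=badwolf.example.com GOVREADY_OSCAP_PORT=2222
echo "target with override: $(remote_target)"
unset GOVREADY_OSCAP_HOST GOVREADY_OSCAP_PORT
```

Because `cfg_get` only consults exported variables, a plain shell assignment without `export` has no effect, which is the usual cause of "my override was ignored" reports when wiring a tool like this into Ansible or Chef.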

Uninstall govready

Using curl

# Uninstall
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo UNINSTALL=1 bash

Install development branches

# Install branch other than master
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo BRANCH=branch_name bash

# Use an installer from a different branch
curl -Lk https://raw.githubusercontent.com/GovReady/govready/branch_name/install.sh | sudo BRANCH=branch_name bash

Testmachines

Use https://github.com/GovReady/testmachines for virtual machines to test GovReady.


govready's Issues

Shorten install URL

Current url install for curl is too long. It cannot be easily remembered. So shortened url.

Incorporating the `oscap info` command

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml is an example of getting information on an oval file. This can be done on all SCAP files.

Incorporating this fact could be interesting.

Problems installing OpenSCAP with Docker

The problem first appeared to be related to the EPEL repo. But further examination indicates OpenSCAP installs from a CentOS Repo.

CentOS update repos:

http://repos.mia.quadranet.com/centos/6.5/updates/x86_64/
http://mirrors.unifiedlayer.com/centos/6.5/updates/x86_64/
http://centos-distro.cavecreek.net/centos/6.5/updates/x86_64/
ftp://ftp.ussg.iu.edu/linux/centos/6.5/updates/x86_64/
http://www.gtlib.gatech.edu/pub/centos/6.5/updates/x86_64/
http://mirror.keystealth.org/centos/6.5/updates/x86_64/
http://repos.lax.quadranet.com/centos/6.5/updates/x86_64/
http://mirror.chpc.utah.edu/pub/centos/6.5/updates/x86_64/
http://mirror.web-ster.com/centos/6.5/updates/x86_64/
http://centos.mirror.ndchost.com/6.5/updates/x86_64/

Installing repo manually...

wget http://www.gtlib.gatech.edu/pub/centos/6.5/updates/x86_64/Packages/openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
sudo rpm -Uvh openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm

See bottom comments of #45 for more information.

Govready does not install on AWS Linux

Issue appears to be related to Amazon's prioritization of repositories for yum installs and which EPEL repo is being used. Openscap libraries do not appear to be listed in repos.

Install OpenSCAP, SSG, (and GovReady) on AWS Default Linux

OpenSCAP and SSG do not seem to install on AWS Linux because AWS pins their Linux to their own set of repos. The choice to fix is to either build from source, understand how to adjust which repos are used, or to write AWS to have them include it.

This issue traces details of getting OpenSCAP and SSG to work on AWS.

See the https://github.com/GovReady/govready/blob/master/Quickstart-Amazon-Linux.md for directions on installing on Amazon Linux.

Clean up website

Website provides helpful information for the toolkit and new users.

Show diff of different scan results; compare results of two scans

Users can see what has changed between current scan, previous scan, and initial scan so they can see progress.

  • What previously passing rules are now failing (most important)
  • What rules previously failing are now passing
  • Additions (new rules selected for the profile)
  • Subtractions (rules previously selected and now unselected for the profile)

'oval eval' does not work properly in version 0.9.3 (RHEL) but does in v1.0.8

oscap oval eval is broken in OpenSCAP version 0.9.3.

Maybe GovReady should report this information in errata or other notes? On Wiki?

See: OpenSCAP/openscap#3

On RHEL64 (no yum update) OpenSCAP appears to be version 0.9.3. For rule umask_for_daemons oscap oval eval does not indicate failure.

[root@vagrant fisma3]# oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Evaluation done.
[root@vagrant fisma3]# echo $?
0

Subscribing the system to RedHat and updating openscap provides more expected results for oscap oval eval

[root@vagrant fisma3]# oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Definition oval:ssg:def:221: false
Evaluation done.

CentOS65 with OpenSCAP version 1.0.8, doing oscap oval eval for umask_for_daemons responds:

oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Definition oval:ssg:def:221: false
Evaluation done.
[root@vagrant fismacentos1]# echo $?
0

scans are failing and quitting on a particular test on CENTOS

On CentOS65 testmachine scan is failing and exiting here:

Title   Disable snmpd Service
Rule    disable_snmpd
Ident   CCE-26906-8
Result  pass

Title   Uninstall net-snmp Package
Rule    uninstall_net-snmp
Ident   CCE-26332-7
Result  pass

[INFO] Signal handler - cleanup before exiting...

Add check to make sure no harmful code can be run via oscap command eval

This is a DANGEROUS sequence. Need a way to escape hostile code.

    local scan_command="oscap xccdf eval --profile ${profile} --results ${resultsdir}/${profile}-results-$suffix.xml --report ${resultsdir}/${profile}-results-${suffix}.html --cpe ${CPE} ${SSGCONTENTDIR}/ssg-rhel6-xccdf.xml"

    __log_govready "Scanning system for compliance to profile ${PROFILE}"
    __log_govready "Running command: ${scan_command}"
    # run openscap checklist
    eval $scan_command
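The hazard in the snippet above is that `eval` re-parses the whole string, so any shell metacharacter that reaches `${profile}`, `${CPE}` or `${SSGCONTENTDIR}` (from a GovReadyfile, an environment override or a command-line argument) is interpreted rather than passed to `oscap`. The standard fix is to never build a command as a string: validate the user-chosen identifier against an allowlist and pass each argument as a separately quoted word. The block below is an added example, not GovReady's code; `oscap` is replaced by a stand-in function that only echoes its arguments so the script runs offline, and `run_scan_unsafe`/`run_scan_safe` are hypothetical names.

```shell
#!/bin/sh
# Added example (not GovReady's code): the eval-based pattern from the issue
# next to a hardened version that passes an argument list instead.

# Stand-in for the real scanner so the example runs anywhere: it prints the
# arguments it received, one per line, exactly as it would see them.
oscap() {
  printf '%s\n' "$@"
}

# Original pattern, kept only for contrast. The string is re-parsed by the
# shell, so metacharacters inside any variable become shell syntax.
run_scan_unsafe() {
  profile=$1; resultsdir=$2; suffix=$3; cpe=$4; content=$5
  scan_command="oscap xccdf eval --profile ${profile} --results ${resultsdir}/${profile}-results-${suffix}.xml --report ${resultsdir}/${profile}-results-${suffix}.html --cpe ${cpe} ${content}"
  eval "$scan_command"
}

# Hardened pattern:
#  1. the profile id must match a conservative allowlist (SCAP profile ids
#     such as stig-rhel7-disa or usgcb-rhel6-server only need these chars);
#  2. every argument is its own quoted word, so nothing is re-parsed.
run_scan_safe() {
  profile=$1; resultsdir=$2; suffix=$3; cpe=$4; content=$5
  case $profile in
    ""|*[!A-Za-z0-9._-]*)
      echo "refusing to scan: invalid profile id '$profile'" >&2
      return 2 ;;
  esac
  oscap xccdf eval \
    --profile "$profile" \
    --results "${resultsdir}/${profile}-results-${suffix}.xml" \
    --report  "${resultsdir}/${profile}-results-${suffix}.html" \
    --cpe "$cpe" \
    "$content"
}

# Demo with the profile and file names used in the README.
run_scan_safe usgcb-rhel6-server scans 0822-1552 \
  /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
```

The same rule applies to the `--command` flag requested in a later issue: log the arguments for display (for example with `printf '%q '` in bash) but still execute the array form, not the logged string.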

Make sure SSG runs on CentOS

Need to have oval tests for CentOS 5, 6, and 7. Until SSG includes the oval checks for CentOS, GovReady needs a way to allow RedHat checks to be run on CentOS. GovReady can do this by having appropriate cpe-dictionary.xml and cpe-oval.xml files.

Put additional SCAP content xml files in directory /usr/share/xml/scap/govready/content/

FISMA help for complete beginners

Provide a really useful, "Yes, you can do this and here is how" introduction to FISMA and configuration scanning for complete beginners.

Add flag to show command but not run the command

Example, govready scan --command should just show the `oscap` command that would be run but not run it.

oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_test ./test-results-0815-1627.xml > test-fix-0815-1627.sh

Another example:

[root@vagrant ~]# govready scan
[GovReady] Scanning system for compliance to profile usgcb-rhel6-server
[GovReady] Running command: "oscap xccdf eval --profile usgcb-rhel6-server \ 
--results ./usgcb-rhel6-server-results-0815-1630.xml \ 
--report ./usgcb-rhel6-server-results-0815-1630.html \
--cpe /usr/share/xml/scap/ssg/content//ssg-rhel6-cpe-dictionary.xml \ 
/usr/share/xml/scap/ssg/content//ssg-rhel6-xccdf.xml"

Create multi-platform dev and test environment for GovReady

GovReady needs to work on multiple platforms. That means launching multiple vms of different unix flavors for development and testing.

That environment could be done via:

  1. Use vbkick to build os image properly
  2. Export vm to vagrant
  3. Use vagrant to launch multi-vm environment

Alternatively:

  • Figure out a solution with docker.
