Open Source Software


OpenRMF

Manage your Risk Management Framework and DoD STIG checklists with ease

OpenRMF Tool v 0.8

OpenRMF is a tool for managing your systems' DoD STIG checklists, compliance reporting and open-item tracking, and (soon) for using your SCAP scans to generate and update those checklists for the Risk Management Framework (RMF) process you are following. Keeping track of all those checklists is EXTREMELY manual, and this tool eases that greatly. How?

  • Filter Vulnerabilities on the Checklist page by status
  • Generate a Compliance listing of NIST 800-53 Controls to all checklists within a system
  • Compliance listing for a single checklist, filtered down to only the Vulnerability IDs that map to a given NIST 800-53 Control
  • Save/Upload .CKL files for viewing and safekeeping - automatic naming based on type and revision
  • List and display active checklists by system
  • List and display templated checklists (starting points)
  • Dashboard showing # of checklists, top 5 checklists based on activity
  • Group and list checklists and reports by System (a group of checklists for a single application, system, etc.)
  • Quickly show "scoring" on Open, N/A, "Closed" as well as "not yet reviewed" items in the checklists
  • Exporting the .CKL file for quick loading into the STIG Viewer Java application
  • Exporting a Checklist to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
  • Exporting of charts for download to PNG
  • Export the "score" of a system of checklists to MS Excel with a single click
  • Manage Roles for Administrator, Read Only, Editor, and Download access of data

This tool gives you a better way to do a required part of your day in securing networks, systems, and software with specific checks and compliance reporting. At its heart, it helps implement a Risk Management Framework that any organization can use to better secure its networks, systems, and applications. It makes your job easier and automates away parts of the process so it is more manageable.



Most Recent Use Case

One of Tutela's clients was managing 15 servers with 5 checklists per server: Yes that is 75 total checklists! He was generating a compliance report manually for the most recent updates to show what passed, what was still open, and tracking it against each individual checklist. By hand, this took over two weeks...



Enter OpenRMF...



Loading the 75 checklists into a new system group for OpenRMF took about 5 minutes total. Generating the compliance and tracking the checklists took less than 1 minute when all checklists were loaded! And it found 1 item that he missed that was still open!

OpenRMF - Upcoming Features!

We believe in automation here, so we are working to automate this horribly manual process. Feel free to add issues or "wants" to our GitHub project area! Some upcoming features are listed below:

  • Import SCAP Scans from your systems to create/update checklists
  • Import NESSUS Scans
  • Select the fields to export to MS Excel, autofilter enabled on the header row
  • A wizard to ask questions and customize a starting checklist file for you with certain fields and comments filled in
  • Central logging (ledger) for all CRUD and access usage based on NATS
  • Import the Manual XML STIG to create a starting checklist
  • Live Edits of Checklists
  • Track changes / versions as you edit for a visual diff
  • Track projects and due dates with notifications on timelines as well as anniversaries and required updates
  • more...

OpenRMF Screenshots

The main user interface of OpenRMF is built on Bootstrap 4 and is responsive from the get-go. The simple menu on the left shows the main areas of the tool. The Upload button and some other UI buttons are shown based on permissions (roles), so you can control access to uploads, deletes, exports, downloads, and other features.

OpenRMF Dashboard

Below is the Compliance Generator. You choose your system, click the button, and in a minute or less you get a top-level NIST 800-53 compliance listing against all of your checklists. Each checklist is color coded per control: not a finding (green), open (red), or not reviewed (blue).

OpenRMF Compliance against NIST 800-53

Below is the view for a single checklist. You can view the number of issues per status and per category. You can see the asset information and the type of checklist. And you can filter and view each vulnerability color coded by status.

OpenRMF Checklist View

Below is the upload screen. OpenRMF lets you upload up to 5 checklist files against a system at a time. When checklists are uploaded, they are grouped by system, run through a scoring engine that counts items per status and category, and are immediately available for viewing and studying your system's security risk. This also lets OpenRMF be your single source of truth for all checklists, which is a great improvement over searching email and file systems for the latest file by modified date!
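The scoring described for the checklist view and the upload step, and the roll-up to NIST 800-53 controls described for the Compliance Generator, come down to reading the .CKL XML, counting VULN elements by STATUS and severity, and mapping each vulnerability's CCI references to a control. The following is an added example of that logic, not OpenRMF's own code: the element names follow the general STIG Viewer CKL export layout as assumed here, and the CCI-to-control map, host name and vulnerability IDs are constructed for illustration. Two practitioner details are built in: a control inherits the worst status of any vulnerability mapped to it (so a single Open item is never hidden behind passing ones, which is how the "missed" open item in the use case above gets caught), and vulnerabilities whose CCIs are not in the map are reported rather than silently dropped.

```python
"""Score a DISA STIG .CKL checklist and roll its findings up to NIST 800-53.

Added example, not OpenRMF's own code. Assumes the general STIG Viewer CKL
layout (CHECKLIST > ASSET; STIGS > iSTIG > VULN, each VULN holding STIG_DATA
name/value pairs plus a STATUS). The CCI map and sample checklist are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Higher rank = worse; a control inherits the worst status among its vulns.
STATUS_RANK = {"Open": 3, "Not_Reviewed": 2, "NotAFinding": 1, "Not_Applicable": 0}
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed stand-in for the DISA CCI list (CCI -> NIST 800-53 control).
CCI_TO_CONTROL = {"CCI-000366": "CM-6", "CCI-001453": "AC-17", "CCI-000068": "AC-17"}

# Constructed sample checklist: one vulnerability per status, made-up IDs.
SAMPLE_CKL = """<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME><HOST_IP>10.0.0.5</HOST_IP></ASSET>
  <STIGS><iSTIG>
    <STIG_INFO><SI_DATA><SID_NAME>title</SID_NAME><SID_DATA>Sample Web Server STIG</SID_DATA></SI_DATA></STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><FINDING_DETAILS>TLS 1.0 still enabled</FINDING_DETAILS><COMMENTS/>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001453</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000068</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-999999</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Applicable</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""


def parse_ckl(xml_text):
    """Return {'host': str, 'vulns': [{'id', 'severity', 'ccis', 'status'}, ...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "CHECKLIST":
        raise ValueError("not a CKL file: root element is %r" % root.tag)
    vulns = []
    for vuln in root.iter("VULN"):
        attrs = defaultdict(list)  # a VULN may carry several CCI_REF entries
        for sd in vuln.findall("STIG_DATA"):
            name = sd.findtext("VULN_ATTRIBUTE")
            if name:
                attrs[name].append((sd.findtext("ATTRIBUTE_DATA") or "").strip())
        status = (vuln.findtext("STATUS") or "Not_Reviewed").strip()
        if status not in STATUS_RANK:  # reject rather than miscount a bad file
            raise ValueError("unknown STATUS %r on %s" % (status, attrs.get("Vuln_Num", ["?"])[0]))
        vulns.append({"id": attrs.get("Vuln_Num", [""])[0],
                      "severity": attrs.get("Severity", [""])[0].lower(),
                      "ccis": attrs["CCI_REF"], "status": status})
    return {"host": root.findtext("ASSET/HOST_NAME", default=""), "vulns": vulns}


def score(checklist):
    """Counts per status, and per (category, status), as the checklist view shows them."""
    by_status = Counter(v["status"] for v in checklist["vulns"])
    by_cat = Counter((SEVERITY_TO_CAT.get(v["severity"], "unknown"), v["status"])
                     for v in checklist["vulns"])
    return by_status, by_cat


def compliance(checklist, cci_map=CCI_TO_CONTROL):
    """Map each vuln to NIST controls through its CCIs; the worst status wins per control.
    Returns (controls, unmapped_vuln_ids) so findings without a mapping are not lost."""
    controls, unmapped = {}, []
    for v in checklist["vulns"]:
        targets = {cci_map[c] for c in v["ccis"] if c in cci_map}
        if not targets:
            unmapped.append(v["id"])
        for ctl in targets:
            if ctl not in controls or STATUS_RANK[v["status"]] > STATUS_RANK[controls[ctl]]:
                controls[ctl] = v["status"]
    return controls, unmapped


if __name__ == "__main__":
    ckl = parse_ckl(SAMPLE_CKL)
    by_status, by_cat = score(ckl)
    print(ckl["host"], dict(by_status))
    for (cat, st), n in sorted(by_cat.items()):
        print("  %-7s %-14s %d" % (cat, st, n))
    controls, unmapped = compliance(ckl)
    for ctl in sorted(controls):
        print("%-6s %s" % (ctl, controls[ctl]))
    print("unmapped:", unmapped)
```

On the sample, CM-6 comes out Open even though one of its two vulnerabilities is only Not_Reviewed, AC-17 comes out NotAFinding, and V-100004 is listed as unmapped because its CCI is not in the (constructed) map; against a real checklist you would load the DISA CCI list in place of `CCI_TO_CONTROL`. The parser only reads CKL files; writing them back is a separate problem, since STIG Viewer is strict about the element order it will accept.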

OpenRMF Upload Checklists

OpenRMF - Join in!

The OpenRMF tool is on GitHub for download. On the Releases tab you can find the ZIP file to pull down; unzip it and launch the start.sh or start.cmd file to pull the latest images and run the application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool, as all of its pieces run in containers.

TL;DR OpenRMF History

From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed but I hate the damn tool. I have been saying "there has to be a better way" for over a decade back since almost 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...


So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.


Then I got home, thought about it, and threw it in the trash! It was the same old same old, .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard (see this here) to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the OpenRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the OpenRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.


© 2019 Cingulara. All rights reserved | Design by W3layouts.