
Our Open Source

Our Open Source Projects, Tools, and Ideas

openRMF Tool v0.6.1

- Manage your STIG checklists, SCAP scans, and NESSUS scans per system in a single web-based application

- Single source of truth for all Checklist files

- Generate RMF Compliance across all checklists in minutes, color coded by status

- Export status and listings of all checklists into MS Excel

- Available on GitHub for download

History

From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed but I hate the damn tool. I have been saying "there has to be a better way" for over a decade, going back to almost 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...


So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.


Then I got home, thought about it, and threw it in the trash! It was the same old same old, .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard (see this here) to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the openRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the openRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.


openRMF Dashboard

It currently sits at version 0.6.1 in a beta state and needs more testing, some other eyes on it, and some Information Assurance and Cybersecurity DoD people to say "You know what, it needs to do this!", as well as beefing up security, multi-tenancy, better error checking, probably a JS UI framework, and unit testing. However, it is a good start. IT IS NOT PRODUCTION, so do not treat it as such. Some of the tool's highlights include:

  • Save/Upload .CKL files for viewing and safekeeping
  • List and display active checklists
  • List and display templated checklists (starting points)
  • Group and list checklists and reports by System (a group of checklists for a single application, system, etc.)
  • Quick reporting or "scoring" of Open, N/A, "Closed" and "Not Yet Reviewed" items in the checklists
  • Exporting the .CKL file for quick loading into the STIG Viewer Java application
  • Exporting to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
  • Dashboard showing the number of checklists and the top 5 checklists by activity
  • Exporting charts to PNG for download
  • Generate a Compliance listing of NIST 800-53 Controls to all checklists within a system
  • Filter Vulnerabilities on the Checklist page by status

We will keep using this as a technology testbed and give the DoD, Federal and State government sector, as well as the commercial community, a better way to do a required part of their day: securing networks, systems, and software with specific checks and compliance reporting. At its heart, this helps implement a Risk Management Framework which any organization can use to better secure its networks, systems, and applications. Hopefully this makes their job easier and automates away some parts of this process so it is more manageable. Some of the features coming soon, to make this process and the data it creates easier to manage, are listed below. We believe in automation here, so we are working to automate this horribly manual process. Feel free to add issues or "wants" to our GitHub project area!

  • Select the fields to export to MS Excel, autofilter enabled on the header row
  • A wizard to ask questions and customize a starting checklist file for you with certain fields and comments filled in
  • User login and auditing
  • Central logging (ledger) for all CRUD and access usage based on NATS
  • Import the Manual XML STIG to create a starting checklist
  • Live Edits of Checklists
  • Import SCAP Scans from your systems to create/update checklists
  • Import NESSUS Scans
  • Track changes / versions as you edit for a visual diff
  • Track projects and due dates with notifications on timelines as well as anniversaries and required updates
  • more...

openRMF Screenshots

Below is the Compliance Generator. You choose your system, click the button, and in a minute or less you can generate a top level NIST 800-53 compliance listing against all your checklists. Each checklist is color coded per control to show whether it is not a finding (green), open (red), or not reviewed (blue).

openRMF Compliance against NIST 800-53

Below is the view for a single checklist. You can view the number of issues per status and per category. You can see the asset information and the type of checklist. And you can filter and view each vulnerability color coded by status.

openRMF Checklist View

Below is the upload screen. openRMF allows you to upload up to 5 checklist files against a system at a time. When checklists are uploaded, they are grouped by system, run through a scoring engine that counts the items per status and category, and made immediately available for viewing and studying your system security risk. This also allows openRMF to be your single source of truth for all checklists, which is a great improvement over searching email and file systems for the latest file by modified date!

openRMF Upload Checklists
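The scoring step described above (counts per status and per category) and the Compliance Generator's roll-up of checklist items to NIST 800-53 controls, as an added example that is not openRMF's own code. It parses a constructed CKL checklist in the STIG Viewer XML layout (VULN elements holding VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs plus a STATUS); the status ranking and the CCI-to-control map are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# CKL severities -> CAT levels; statuses ranked worst-first for the control roll-up (assumed ranking).
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
STATUS_RANK = {"Open": 0, "Not_Reviewed": 1, "Not_Applicable": 2, "NotAFinding": 3}

def _vuln(vid, severity, cci, status):  # one <VULN> in STIG Viewer layout: attribute pairs, then STATUS
    pair = "<STIG_DATA><VULN_ATTRIBUTE>{}</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{}</ATTRIBUTE_DATA></STIG_DATA>"
    return ("<VULN>" + pair.format("Vuln_Num", vid) + pair.format("Severity", severity)
            + pair.format("CCI_REF", cci) + f"<STATUS>{status}</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>")

# Constructed sample checklist (not a real DISA STIG): four rules on one host.
SAMPLE_CKL = ("<CHECKLIST><ASSET><HOST_NAME>web01</HOST_NAME></ASSET><STIGS><iSTIG>"
              + _vuln("V-1001", "high", "CCI-000001", "Open")
              + _vuln("V-1002", "medium", "CCI-000001", "NotAFinding")
              + _vuln("V-1003", "medium", "CCI-000002", "Not_Reviewed")
              + _vuln("V-1004", "low", "CCI-000003", "Not_Applicable")
              + "</iSTIG></STIGS></CHECKLIST>")
# Constructed CCI -> NIST 800-53 control map; a real one comes from DISA's published CCI list.
CCI_TO_CONTROL = {"CCI-000001": "AC-1", "CCI-000002": "AU-2", "CCI-000003": "CM-6"}

def parse_ckl(xml_text):
    """Return (host_name, [vuln dicts]) parsed from CKL text."""
    root = ET.fromstring(xml_text)
    vulns = []
    for v in root.iter("VULN"):
        pairs = [(sd.findtext("VULN_ATTRIBUTE"), sd.findtext("ATTRIBUTE_DATA", default=""))
                 for sd in v.findall("STIG_DATA")]
        attrs = dict(pairs)  # a rule may cite several CCI_REFs, so those are collected separately
        vulns.append({"id": attrs.get("Vuln_Num"), "severity": attrs.get("Severity", "").lower(),
                      "ccis": [val for name, val in pairs if name == "CCI_REF"],
                      "status": v.findtext("STATUS", default="Not_Reviewed")})
    return root.findtext("ASSET/HOST_NAME", default=""), vulns

def score(vulns):
    """Counts per status (all rules) and per CAT level (open rules only), as on the checklist view."""
    by_status = Counter(v["status"] for v in vulns)
    open_by_cat = Counter(SEVERITY_TO_CAT.get(v["severity"], "unknown") for v in vulns if v["status"] == "Open")
    return dict(by_status), dict(open_by_cat)

def compliance(vulns, cci_to_control):
    """Roll each rule up to its 800-53 control(s), keeping the worst status seen per control."""
    worst = {}
    for v in vulns:
        for cci in v["ccis"]:
            ctl = cci_to_control.get(cci, "unmapped")
            if STATUS_RANK.get(v["status"], 0) < STATUS_RANK.get(worst.get(ctl), 99):
                worst[ctl] = v["status"]
    return worst
```

A control keeps "Open" as soon as any rule mapped to it is open, which is what makes the red cell on the compliance page meaningful even when other rules under the same control pass.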

openRMF - Join in!

The openRMF tool is on GitHub for download. On the Releases tab you can find the ZIP file to pull down and unzip; then launch the start.sh or start.cmd file to pull the latest images and run this application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool, as all pieces are in containers.

© 2019 Cingulara. All rights reserved.