Our Open Source Projects, Tools, and Ideas
- Manage your STIG checklists, SCAP scans, and NESSUS scans per system in a single web-based application
- Single source of truth for all Checklist files
- Generate RMF Compliance across all checklists in minutes, color coded by status
- Export status and listings of all checklists into MS Excel
- Available on GitHub for download
From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed but I hate the damn tool. I have been saying "there has to be a better way" for over a decade back since almost 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...
So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.
Then I got home, thought about it, and threw it in the trash! It was the same old same old, .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard (see this here) to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the openRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the openRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.
It currently sits at version 0.6.1 in a beta state and needs some testing, some other eyes on, some Information Assurance and Cybersecurity DoD people to say "You know what, it needs to do this!", as well as beefing up security, multi-tenancy, better error checking, probably some JS UI framework, and unit testing. However it is a good start. IT IS NOT PRODUCTION so do not treat it as such. Some of the tool's highlights include:
We will keep using this as a technology testbed and give the DoD, Federal and State government sector, as well as the commercial community a better way to do a required, needed part of their day in securing networks, systems, and software with specific checks and compliance reporting. At its heart, this helps implement a Risk Management Framework which any organization can use to better secure its networks, systems, and applications. Hopefully this makes their job easier and automates away some parts of this process so it is more manageable. Some things coming up soon in the tool so far are below to help manage this process and the data it creates a lot easier. We believe in automation here, so we are working to automate this horribly manual process. Feel free to add issues or "wants" to our GitHub project area!
Below is the Compliance Generator. You choose your system, click the button, and in a minute or less you can generate a top-level NIST 800-53 compliance listing across all your checklists. Each checklist is color coded per control to show whether that control is not a finding (green), open (red), or not reviewed (blue).
Below is the view for a single checklist. You can view the number of issues per status and per category. You can see the asset information and the type of checklist, and you can filter and view each vulnerability color coded by status.
Below is the upload screen. openRMF allows you to upload up to 5 checklist files against a system at a time. When checklists are uploaded, they are grouped by system, run through a scoring engine that counts the items per status and category, and are immediately available for viewing and studying your system's security risk. This also lets openRMF be your single source of truth for all checklists, which is a great improvement over searching email and file systems for the latest file by modified date!
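To make the scoring and compliance steps described above concrete, here is an added example in Python (not openRMF's own code, which is .NET Core, and not from the original page). It parses a CKL checklist the way the CTO describes it, as plain XML with a fixed layout, counts findings per status and per CAT severity, and rolls the per-check statuses up to NIST 800-53 controls with a worst-status-wins rule so a control shows red if any of its checks is open. The sample checklist, its Vuln IDs, its CCI numbers and the CCI-to-control map are all constructed for this example; real CCI mappings come from DISA's CCI list.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample CKL. The element layout (CHECKLIST > ASSET, STIGS > iSTIG >
# STIG_INFO/VULN, each VULN holding STIG_DATA attribute pairs plus a STATUS)
# mirrors what STIG Viewer writes; host, Vuln IDs and CCIs are made up here.
SAMPLE_CKL = """<CHECKLIST>
  <ASSET>
    <ROLE>None</ROLE><ASSET_TYPE>Computing</ASSET_TYPE>
    <HOST_NAME>web01</HOST_NAME><HOST_IP>10.0.0.5</HOST_IP>
  </ASSET>
  <STIGS><iSTIG>
    <STIG_INFO>
      <SI_DATA><SID_NAME>title</SID_NAME><SID_DATA>Example Application STIG</SID_DATA></SI_DATA>
    </STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900001</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900002</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900002</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900003</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Applicable</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>"""

# Constructed CCI -> NIST 800-53 control map (assumption; real data comes from the DISA CCI list).
SAMPLE_CCI_MAP = {"CCI-900001": "AC-2", "CCI-900002": "CM-6", "CCI-900003": "SC-7"}

SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Worst status wins when several checks roll up to one control.
STATUS_RANK = {"Open": 3, "Not_Reviewed": 2, "NotAFinding": 1, "Not_Applicable": 0}


def parse_ckl(xml_text):
    """Return (asset dict, list of vuln records) from a CKL document.

    Note: for untrusted uploads use defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "CHECKLIST":  # the fixed layout STIG Viewer insists on
        raise ValueError("not a CKL file: root element is %r" % root.tag)
    asset = {c.tag: (c.text or "").strip() for c in root.find("ASSET")}
    vulns = []
    for istig in root.iter("iSTIG"):
        title = ""
        for si in istig.iter("SI_DATA"):
            if si.findtext("SID_NAME") == "title":
                title = (si.findtext("SID_DATA") or "").strip()
        for vuln in istig.iter("VULN"):
            attrs, ccis = {}, []
            for sd in vuln.iter("STIG_DATA"):
                name = sd.findtext("VULN_ATTRIBUTE")
                value = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
                if name == "CCI_REF":  # a check may carry several CCI_REF entries
                    ccis.append(value)
                else:
                    attrs[name] = value
            status = (vuln.findtext("STATUS") or "Not_Reviewed").strip()
            if status not in STATUS_RANK:
                raise ValueError("unknown STATUS %r in %s" % (status, attrs.get("Vuln_Num")))
            vulns.append({
                "stig": title,
                "vuln_num": attrs.get("Vuln_Num", ""),
                "category": SEVERITY_TO_CAT.get(attrs.get("Severity", "").lower(), "unknown"),
                "status": status,
                "ccis": ccis,
            })
    return asset, vulns


def score(vulns):
    """Count checks per status and per (category, status), as the upload view shows."""
    by_status = Counter(v["status"] for v in vulns)
    by_category = Counter((v["category"], v["status"]) for v in vulns)
    return by_status, by_category


def compliance(vulns, cci_to_control):
    """Map each NIST control to the worst status among the checks that reference it."""
    controls = {}
    for v in vulns:
        for cci in v["ccis"]:
            control = cci_to_control.get(cci)
            if control is None:
                continue  # CCI not in the map: cannot be placed on a control
            if control not in controls or STATUS_RANK[v["status"]] > STATUS_RANK[controls[control]]:
                controls[control] = v["status"]
    return controls


if __name__ == "__main__":
    asset, vulns = parse_ckl(SAMPLE_CKL)
    by_status, by_category = score(vulns)
    print(asset["HOST_NAME"], vulns[0]["stig"], dict(by_status), dict(by_category))
    print(compliance(vulns, SAMPLE_CCI_MAP))
```

The roll-up order (Open above Not_Reviewed above NotAFinding above Not_Applicable) is the same logic the color coding implies: a control is only green when every check behind it is closed or not applicable, and a single unreviewed check is enough to keep it blue rather than green.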
The openRMF tool is on GitHub for download. On the release tab you can see the ZIP file to pull down, unzip, and launch the start.sh or start.cmd files to pull the latest images and run this application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool as all pieces are in containers.
© 2019 Cingulara. All rights reserved | Design by W3layouts.