heimdall-mongo's Issues

Clear Filter Button Hidden

The "Clear Filter" button on the evaluations /heimdall/evaluations/<uuid> gets hidden behind some of the other UI elements as you scroll down the page. See the below images:
(three screenshots, not reproduced here)

Tag Evaluations During Upload

Add ability to tag an evaluation into a Circle before the upload takes place. Currently you can only add an evaluation to a Circle after it's uploaded.

compute severity off impact value

Given that we are now using the impact element inside the control to assign severity if and when a severity tag doesn't exist we need to add this to heimdall.

Related commits: 6f3d41b, 4785de8

Some of the new profiles and results that follow the current best practice of not using the severity tag are not able to be imported.
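One way to derive severity from a control's `impact` when no `severity` tag is present, as an added example that is not heimdall-mongo's own code. The thresholds are an assumption modelled on InSpec's documented impact ranges, and the sample controls are constructed.

```ruby
# Added example (not heimdall-mongo's own code): derive a control's severity
# from its InSpec "impact" when no explicit severity tag is present.
# Thresholds are an assumption modelled on InSpec's documented impact ranges;
# heimdall may choose different cut-offs.
require 'json'

SEVERITY_ORDER = %w[none low medium high critical].freeze

def severity_from_impact(impact)
  impact = Float(impact) # raises ArgumentError on garbage such as "n/a"
  raise ArgumentError, "impact out of range: #{impact}" unless (0.0..1.0).cover?(impact)
  return 'none'     if impact <= 0.0
  return 'low'      if impact < 0.4
  return 'medium'   if impact < 0.7
  return 'high'     if impact < 0.9
  'critical'
end

# A control keeps an explicit, recognised severity tag; otherwise the impact
# decides. Unrecognised tag values fall back to impact instead of being
# trusted, so a typo in a profile cannot silently hide a high-impact control.
def severity_for(control)
  tag = control.dig('tags', 'severity')
  return tag.to_s.downcase if tag && SEVERITY_ORDER.include?(tag.to_s.downcase)
  severity_from_impact(control.fetch('impact', 0))
end

# Constructed sample mimicking the "controls" array of an InSpec results JSON.
SAMPLE_CONTROLS_JSON = <<~JSON
  [
    {"id": "C-1", "impact": 0.7, "tags": {"severity": "high"}},
    {"id": "C-2", "impact": 0.5, "tags": {}},
    {"id": "C-3", "impact": 0.0, "tags": {"severity": "bogus"}},
    {"id": "C-4", "impact": 1.0}
  ]
JSON

# Map each control id to its resolved severity.
def severities(json = SAMPLE_CONTROLS_JSON)
  JSON.parse(json).to_h { |c| [c['id'], severity_for(c)] }
end

if __FILE__ == $PROGRAM_NAME
  severities.each { |id, sev| puts "#{id}: #{sev}" }
end
```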

Timezone fix

Currently the Heimdall app follows UTC time... it should preferably pull the timezone and time from the OS.

Graphs on evaluations do not display when using a base url

The issue stems from loadTreemapData() in the evaluations view using an absolute path to route to a given evaluation.json.

Inserting <%= home_path %> to the api_path variable in loadTreemapData() in the show view's erb is the first fix that comes to mind.

loadTreemapData is also in the profiles show view, but I do not know if it is bugged or does anything at all.

Make the 'DISA Checklist' a choice between 'raw' and 'download'

I think for the most part folks will want to 'download' a copy of the checklist by default rather than a raw file display. We should have the option for both as the 'raw' output would be used by systems pulling the data but for humans, a 'save as' options seems to make sense.

Pages slow to load due to number of queries

Every time I load an evaluation I notice it takes about 6-10 seconds for the results to show up. It seems that this is due to about 450 repeated calls to

```
MONGODB | localhost:27017 | dashboard_development.find | STARTED | {"find"=>"results", "filter"=>{"control_id"=>BSON::ObjectId('5c4b5b65c60ac1581a738697')}}
MONGODB | localhost:27017 | dashboard_development.find | SUCCEEDED | 0.019s
```

Rails should make it possible to load all of these results at once instead of repeated calls to the database, which should significantly speed up the load times of the page.

add the `inspec_tools` results parsing and `min accepted results` summary etc. in UX and API

Given the work @rx294 is doing with inspec_tools for further parsing of results JSON for the totals of the results. This also adds the ability to define a set of acceptable number of high, med, low, none, skipped, NA etc. and the 80% of compliance etc.

It would be good to be able to add another indicator that we link to both all results or the circle the results are a part of. We can also add a setting for alerting when a scan result fails to meet the minimum result.

For example:

  1. All results should be at least 80% compliant with no high or critical findings
  2. All results should have only 0 critical, 3 high, 5 med, any low or none or skipped
  3. We will need a model for setting this attached to the circle or generally

This would be a good thing we could add to the default or summary screen and we could also add this as a general set of data for all the results or of your circles you are a part of.

We should also add this data to:

  1. The results of the api upload data
  2. Add an api call to ask for the summary results of a result file directly

Shrink docker image

Work to shrink docker image to 300MB uncompressed.
Don't know if it's doable, but it's a target to shoot for.

Redirect to login page with a model "error" rather than a rails error page

When you are currently not logged in and you hit a page that requires you to be authenticated, we are going to the standard Rails error page.

We should update this to redirect to the login page with a red error notification saying that you need to log in to use this feature, section or whatnot.

dynamically add Profile Error tile

In the (hopefully rare) instance where a profile control returns "no result" either through poor coding or not running with appropriate credentials/authorization, dynamically add a stand-alone tile to the right of the findings block of four tiles. Label this "Profile Error", and below it in parenthesis:
(no result from test - check profile run privileges or author of profile)

Improve gitlab-runner deploy

Currently gitlab-runner CI cannot handle deploying nginx-passenger builds as it is running in a container, and it needs to modify rvm-installed gems for passenger to work. Additionally, launching containers from within a container only mostly works: it cannot set up networks.

default profile is missing from the asset pipeline in production

```
heimdall_web.1.zba4fbducy4b@default    | F, [2018-08-01T12:33:10.319933 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9]   
heimdall_web.1.zba4fbducy4b@default    | F, [2018-08-01T12:33:10.320064 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9] ActionView::Template::Error (The asset "default_profile_pic.jpeg" is not present in the asset pipeline.):
heimdall_web.1.zba4fbducy4b@default    | F, [2018-08-01T12:33:10.320321 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9]     20:               <% if @user.image_url.present? %>
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     21:                 <%= image_tag @user.image_url.to_s, class: "rounded-circle img-thumbnail"  %>
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     22:               <% else %>
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     23:                 <%= image_tag "default_profile_pic.jpeg", class: "rounded-circle img-thumbnail" %>
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     24:               <% end %>
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     25:                 <!-- <img src="" class="rounded-circle img-thumbnail" alt="profile-image"> -->
heimdall_web.1.zba4fbducy4b@default    | [ab75f27c-aab7-4364-9479-dc81000486e9]     26:             </div>
heimdall_web.1.zba4fbducy4b@default    | F, [2018-08-01T12:33:10.320448 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9]   
heimdall_web.1.zba4fbducy4b@default    | F, [2018-08-01T12:33:10.320589 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9] app/views/users/show.html.erb:23:in `_app_views_users_show_html_erb__1777844105659209954_47082317246760'
```

Likely just a config change is needed.

Please consider a sorting feature for the evaluation view

Currently the evaluations are populated in the table with the oldest entry on top, which makes it difficult to examine newer entries, especially as the list grows large.

Please consider a table sort feature, and possibly make descending by timestamp the default option so that the latest entry is on top.

Add support for private gem repos

Docker builds need some support for private gem repos due to inspec_tools. The easiest fix is ENV vars: they're easy to change and inherently difficult to commit by accident.

Profiles from evaluation

In the current version, the InSpec profile is extracted from every evaluation uploaded and listed in the Profiles, even if they are duplicates.

Only unique profile entries need to be populated.

Uniqueness could be evaluated using profile shasum entry.

Serve heimdall application at baseurl

Please consider serving the Heimdall application at the base URL so that the application can be accessed at
http://localhost:3000 rather than http://localhost:3000/heimdall

Use Dockerhub to distribute pre-built images

Requiring end users to always build their own image is less than ideal. Most of the time it is possible and more convenient to provide a prebuilt image through Docker Hub. Additionally, it is a lot easier for users who are behind a proxy.

Evaluations export formats broken

The export functions for XCCDF, CSV, and CKL don't work anymore. An exception is thrown. It is probably an issue with the refactoring of inspec_tools.

(screenshot of the exception, not reproduced here)

Findings relabel

For the "Not Applicable" findings tile, change the text in parenthesis to:
(zero impact: exception for this system and/or absent component)

For "Not Reviewed", change the text to
(can only be tested manually or disabled test)

Control Family Filters

Ability to create a 'grouped filter' of controls families to view the data in sub-sets with respect to the selected family of controls.

Recommended compliance level

Change "Compliance Level" to "Compliance Level [ (Not a Finding) / (Not a Finding + Open + Not Reviewed) * 100% ]"

Also, change Compliance Level calculation to match. (to match Heimdall lite version)

User does not show as logged in

After logging in, the "Log In" link in the navbar is still shown and none of the additional options are available in the navbar.

I was using the "remember me" function.

Here is what happens when I try to log in again...
(screenshot, not reproduced here)

warning: constant OpenSSL::Cipher::Cipher is deprecated

The fix is in a PR opened in February, but it looks like gibberish isn't very actively maintained so it has not been merged yet: mdp/gibberish#27

Additionally, the deprecation itself is purely an API level change per the following source. The deprecated class is identical to the new class with exception of the deprecation message being inserted:
https://github.com/ruby/openssl/blob/master/lib/openssl/cipher.rb

In all, Gibberish seems to be more of an issue than the usage of the Cipher::Cipher openssl class.

Error uploading json with descriptions field

The InSpec output that our tests are generating has this additional `"descriptions":` field that is not included in the control.rb model.

```json
"controls": [
  {
    "id": "V-13613",
    "title": "The Web site software ...",
    "desc": "The IAVM process ...",
    "descriptions": [
      {
        "label": "default",
        "data": "The IAVM process ..."
      }
    ],
    "impact": 0.5,
    "etc": "etc ..."
  }
]
```

When uploading an evaluation that includes this field, the following error is thrown:

```
Attempted to set a value for 'descriptions' which is not allowed on the model Control.
summary:
  Without including Mongoid::Attributes::Dynamic in your model and the attribute does not already
  exist in the attributes hash, attempting to call Control#descriptions= for it is not allowed. This is also
  triggered by passing the attribute to any method that accepts an attributes hash, and is raised instead
  of getting a NoMethodError.
resolution:
  You can include Mongoid::Attributes::Dynamic if you expect to be writing values for undefined fields often.
```

Is this a problem with our InSpec output? How can I correct that? If not, I have a fix ready to go that adds the following to control.rb and lets me upload my evaluation without a problem.

```ruby
field :descriptions, type: Array, default: []
```

Compliance level change

For Compliance Level, change formula description and calculation to:
Compliance Level [Not A Finding / (Not A Finding + Open + Not Reviewed + Profile Error) * 100]

(Profile Error is what we know as InSpec outputting "no result" due to poor coding or not running as root, etc.)
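The compliance level formula requested in this issue and in "Recommended compliance level" above, carried through as an added example that is not heimdall-mongo's own code. The tile status names, the rules that roll InSpec test statuses into those tiles, and the sample controls are all assumptions made for the example.

```ruby
# Added example (not heimdall-mongo's own code): compute the compliance level
# per the formula proposed in the issue:
#   Not a Finding / (Not a Finding + Open + Not Reviewed + Profile Error) * 100
# The tile labels and the status-rollup rules below are assumptions.
STATUSES = ['Not a Finding', 'Open', 'Not Reviewed', 'Profile Error', 'Not Applicable'].freeze

# Roll an InSpec control's test results into one tile status.
# Assumed rules: impact 0 => Not Applicable; no results => Profile Error
# ("no result" from InSpec); any failure => Open; any skipped => Not Reviewed;
# otherwise Not a Finding.
def status_for(control)
  return 'Not Applicable' if control.fetch('impact', 0).to_f <= 0.0
  results = control.fetch('results', [])
  return 'Profile Error' if results.empty?
  statuses = results.map { |r| r['status'] }
  return 'Open' if statuses.include?('failed')
  return 'Not Reviewed' if statuses.include?('skipped')
  'Not a Finding'
end

# Count controls per tile status, always reporting every tile (0 when empty).
def status_counts(controls)
  counts = STATUSES.to_h { |s| [s, 0] }
  controls.each { |c| counts[status_for(c)] += 1 }
  counts
end

# Compliance level in percent, rounded to two decimals. Not Applicable is
# excluded from the denominator, as in the formula; an empty denominator
# yields 0.0 instead of a division error, so an evaluation with no testable
# controls reads as 0% rather than crashing the page.
def compliance_level(counts)
  naf = counts['Not a Finding']
  denom = naf + counts['Open'] + counts['Not Reviewed'] + counts['Profile Error']
  return 0.0 if denom.zero?
  (naf.to_f / denom * 100).round(2)
end

# Constructed sample; shape follows the "controls" array of InSpec results JSON.
SAMPLE_CONTROLS = [
  { 'id' => 'V-1', 'impact' => 0.5, 'results' => [{ 'status' => 'passed' }] },
  { 'id' => 'V-2', 'impact' => 0.7, 'results' => [{ 'status' => 'passed' }, { 'status' => 'failed' }] },
  { 'id' => 'V-3', 'impact' => 0.5, 'results' => [{ 'status' => 'skipped' }] },
  { 'id' => 'V-4', 'impact' => 0.9, 'results' => [] },                           # Profile Error
  { 'id' => 'V-5', 'impact' => 0.0, 'results' => [{ 'status' => 'passed' }] }    # Not Applicable
].freeze

if __FILE__ == $PROGRAM_NAME
  counts = status_counts(SAMPLE_CONTROLS)
  puts counts.inspect
  puts "Compliance Level: #{compliance_level(counts)}%"
end
```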
