mitre / heimdall-mongo
A Mongo-based version of Heimdall (Deprecated)
License: Other
Related to issue #36, fix here should also add code for docker secret usage.
Add ability to tag an evaluation into a Circle before the upload takes place. Currently you can only add an evaluation to a Circle after it's uploaded.
Given that we are now using the impact element inside the control to assign severity if and when a severity tag doesn't exist, we need to add this to heimdall.
Some of the new profiles and results that follow the current best practice of not using the severity tag are not able to be imported.
Load multiple results files at once - we need this to show a 'system level' compliance view.
Currently the Heimdall app follows UTC time... it should preferably pull timezone and time from the OS.
fontawesome and ionicons fail to load when served to a production environment, with a baseurl set. Additionally, the app itself does not respect RAILS_RELATIVE_URL_ROOT when loading.
The issue stems from loadTreemapData() in the evaluations view using an absolute path to route to a given evaluation.json.
Inserting <%= home_path %> to the api_path variable in loadTreemapData() in the show view's erb is the first fix that comes to mind.
loadTreemapData is also in the profiles show view, but I do not know if it is bugged or does anything at all.
I think for the most part folks will want to 'download' a copy of the checklist by default rather than a raw file display. We should have the option for both, as the 'raw' output would be used by systems pulling the data, but for humans a 'save as' option seems to make sense.
Every time I load an evaluation I notice it takes about 6-10 seconds for the results to show up. It seems that this is due to about 450 repeated calls to
```
MONGODB | localhost:27017 | dashboard_development.find | STARTED | {"find"=>"results", "filter"=>{"control_id"=>BSON::ObjectId('5c4b5b65c60ac1581a738697')}}
MONGODB | localhost:27017 | dashboard_development.find | SUCCEEDED | 0.019s
```
Rails should make it possible to load all of these results at once instead of repeated calls to the database, which should significantly speed up the load times of the page.
Given the work @rx294 is doing with inspec_tools for further parsing of results JSON for the totals of the results, this also adds the ability to define a set of acceptable numbers of high, med, low, none, skipped, NA etc. and the 80% of compliance etc.
It would be good to be able to add another indicator that we link to both all results or the circle the results are a part of. We can also add a setting for alerting when a scan result fails to meet the minimum result.
For example:
This would be a good thing we could add to the default or summary screen, and we could also add this as a general set of data for all the results or of the circles you are a part of.
We should also add this data to:
Dockerfile and docker-compose.yml have the ability to manage secrets through docker which limits leakage by avoiding storing them un-encrypted on the main FS. They are mounted to /run/secrets/ in the container.
We need the ability to upload results to a running heimdall without humans clicking on buttons. So perhaps what we really need is an API?
Work to shrink docker image to 300MB uncompressed.
Don't know if it's doable, but it's a target to shoot for.
When you are currently not logged in and you hit a page that requires you to be authenticated, we are going to the standard rails error page.
We should update this to redirect to the login page with a red error notification saying that you need to log in to use this feature, section or whatnot.
In the (hopefully rare) instance where a profile control returns "no result", either through poor coding or not running with appropriate credentials/authorization, dynamically add a stand-alone tile to the right of the findings block of four tiles. Label this "Profile Error", and below it in parentheses:
(no result from test - check profile run privileges or author of profile)
I am having an issue where test results are unable to load for a specific test, below are the results as showing in heimdall-lite:
And the results in heimdall:
The JSON output in question can be found at http://employeeshare.mitre.org/r/rbclark/transfer/broken-test.json
SC-5: MY TITLE
AC-3: TITLE
Currently gitlab-runner CI cannot handle deploying nginx-passenger builds as it is running in a container, and it needs to modify rvm-installed gems for passenger to work. Additionally, launching containers from within a container only mostly works; it cannot set up networks.
InSpec 3.x introduced two breaking changes to our apps:
Multi-section describe blocks, see: inspec/inspec#3424
Text based impacts, see: inspec/inspec#3359
We will need to update all our apps to support both pre and post InSpec.
```
heimdall_web.1.zba4fbducy4b@default | F, [2018-08-01T12:33:10.319933 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9]
heimdall_web.1.zba4fbducy4b@default | F, [2018-08-01T12:33:10.320064 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9] ActionView::Template::Error (The asset "default_profile_pic.jpeg" is not present in the asset pipeline.):
heimdall_web.1.zba4fbducy4b@default | F, [2018-08-01T12:33:10.320321 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9] 20: <% if @user.image_url.present? %>
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 21: <%= image_tag @user.image_url.to_s, class: "rounded-circle img-thumbnail" %>
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 22: <% else %>
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 23: <%= image_tag "default_profile_pic.jpeg", class: "rounded-circle img-thumbnail" %>
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 24: <% end %>
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 25: <!-- <img src="" class="rounded-circle img-thumbnail" alt="profile-image"> -->
heimdall_web.1.zba4fbducy4b@default | [ab75f27c-aab7-4364-9479-dc81000486e9] 26: </div>
heimdall_web.1.zba4fbducy4b@default | F, [2018-08-01T12:33:10.320448 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9]
heimdall_web.1.zba4fbducy4b@default | F, [2018-08-01T12:33:10.320589 #1] FATAL -- : [ab75f27c-aab7-4364-9479-dc81000486e9] app/views/users/show.html.erb:23:in `_app_views_users_show_html_erb__1777844105659209954_47082317246760'
```
Likely just a config change is needed
Currently the evaluations are populated on the table with the oldest entry on the top, which would make it difficult to examine newer entries, especially as the list grows large.
Please consider a table sort feature and possibly make descending by timestamp the default option so that the latest entry is on top.
This is actually an error with baseurls in show_details.
docker builds need some support for private gem repos due to inspec tools, easiest fix is ENV vars, they're easy to change and inherently difficult to commit by accident.
In the current version, the InSpec profile is extracted from every evaluation uploaded and listed in the Profiles, even if they are duplicates.
Only unique profile entries need to be populated.
Uniqueness could be evaluated using the profile shasum entry.
Please consider serving the Heimdall application at the baseurl so that the application can be accessed at http://localhost:3000 rather than http://localhost:3000/heimdall
Requiring end users to always build their own image is less than ideal. Most of the time it is possible and more convenient to provide a prebuilt image through dockerhub. Additionally, it is a lot easier for users who are behind a proxy.
We want to be able to run curl commands from other systems to upload an evaluation.
Add docker-compose up to .gitlab-ci.yml with the assumption that the gitlab CI tool has some form of dind, either through explicit docker in docker or volume export of the docker socket to the CI container.
For the "Not Applicable" findings tile, change the text in parenthesis to:
(zero impact: exception for this system and/or absent component)
For "Not Reviewed", change the text to
(can only be tested manually or disabled test)
```
cci_tags: {...}
reason:
nist_tags: {...}
reason:
cis_tags: {...}
reason:
```
note: should be very similar to a nist_tags structure.
We would like the ability to select more than one results set and display them in the gui, and 'turn on / turn off' each 'layer' as we do review of the 'results stack'.
This is due to config/initializers/z_circle.rb.
rails/rails#25246 has a simple solution for ignoring the db during precompile.
Then when the server actually starts it will add the public circle.
However, I'd like to know if the DB really should exist during precompilation, and the build environment is what actually needs to be fixed.
Any time there is a label for NIST 800 53, it should read "NIST SP 800-53".
Ability to create a 'grouped filter' of controls families to view the data in sub-sets with respect to the selected family of controls.
Change "Compliance Level" to "Compliance Level [ (Not a Finding) / (Not a Finding + Open + Not Reviewed) * 100% ]"
Also, change Compliance Level calculation to match. (to match Heimdall lite version)
When linking to the app's root we get '/' instead of the appropriate '/base_url', which derives from RAILS_RELATIVE_URL_ROOT.
Mitre's internal LDAP is changing so we should update our example ldap.yml.
https://comm.mitre.org/ldap/
The fix is in a PR opened in February, but it looks like gibberish isn't very actively maintained so it has not been merged yet: mdp/gibberish#27
Additionally, the deprecation itself is purely an API level change per the following source. The deprecated class is identical to the new class with exception of the deprecation message being inserted:
https://github.com/ruby/openssl/blob/master/lib/openssl/cipher.rb
In all, Gibberish seems to be more of an issue than the usage of the Cipher::Cipher openssl class.
The InSpec output that our tests are generating has this additional "descriptions": field that is not included in the control.rb model.
```json
"controls": [
  {
    "id": "V-13613",
    "title": "The Web site software ...",
    "desc": "The IAVM process ...",
    "descriptions": [
      {
        "label": "default",
        "data": "The IAVM process ..."
      }
    ],
    "impact": 0.5,
    "etc": "etc ..."
  }]
```
When uploading an evaluation that includes this field, the following error is thrown:
```
Attempted to set a value for 'descriptions' which is not allowed on the model Control.
summary:
  Without including Mongoid::Attributes::Dynamic in your model and the attribute does not already
  exist in the attributes hash, attempting to call Control#descriptions= for it is not allowed. This is also
  triggered by passing the attribute to any method that accepts an attributes hash, and is raised instead
  of getting a NoMethodError.
resolution:
  You can include Mongoid::Attributes::Dynamic if you expect to be writing values for undefined fields often.
```
Is this a problem with our InSpec output? How can I correct that? If not, I have a fix ready to go that adds the following to control.rb and lets me upload my evaluation without a problem.
```ruby
field :descriptions, type: Array, default: []
```
For Compliance Level, change formula description and calculation to:
Compliance Level [Not A Finding / (Not A Finding + Open + Not Reviewed + Profile Error) * 100]
(Profile Error is what we know as InSpec outputting "no result" due to poor coding or not running as root, etc.)