
Merge pull request #97 from Cingulara/develop
Update to 0.12.7 docs and scripts
Cingulara authored Feb 22, 2020
2 parents f36e2f8 + 3605de8 commit 8a9b7c6
Showing 22 changed files with 62 additions and 27 deletions.
12 changes: 4 additions & 8 deletions README.md
@@ -1,4 +1,4 @@
# OpenRMF Documentation (v 0.11)
# OpenRMF Documentation (v 0.12)

## Introduction to OpenRMF
OpenRMF is an open source tool for managing, viewing, and reporting of your DoD STIG checklists and Nessus Patch Scans in one web-based interface using your browser. It also generates a compliance listing of all your checklists across a whole system based on NIST 800-53 for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and allows you to structure your data in a clean interface all in one location for your group or program. It can save you _weeks_ of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.
Expand All @@ -24,6 +24,7 @@ Read more about its genesis <a href="https://www.cingulara.com/opensource.html"
- [x] Exporting checklists to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
- [x] Exporting of various charts for download to PNG
- [x] Filter Vulnerabilities on the Checklist page by status
- [x] Live Editing of Checklist data through the web browser
- [x] Filter vulnerabilities for your Compliance listing based on major controls
- [x] Exporting your list of checklists and their score by status and category to MS Excel
- [x] Metrics exported to Prometheus for API endpoints and NATS messaging, quickly display in Grafana
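Review bot: the new feature line `- [x] Live Editing of Checklist data through the web browser` should say which roles it requires, since docs/checklists.md in this same commit limits editing to the Editor and Administrator roles; without that, a README reader will expect every user to be able to edit checklists.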
Expand All @@ -47,9 +48,9 @@ If we are missing something you want, please add it on our main <a href="https:/

## Description

The OpenRMF tool is an advanced alternative to the [DISA STIGViewer.jar](https://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx) and MS Excel hell we go through used for DoD STIG checklist files, RMF process information, and the like. It is necessary to capture and report on this information, please _do not_ mistake what I say for not agreeing with securing services. However, the DISA Java tool itself is horribly designed and not conducive to today's environment and use. And it is only part of the story. Their Java tool has been like this for a loooooonnnnnngggg time and I have wanted to make something better (IMO) for almost as long. So this tool here is the start! It is a way (currently) to view, report on, dive into, manage, and export your STIG checklists no matter which checklist you are referring to. All the .CKL files have a common format and htis reads and displays/manages that in a web front end using .NET Core APIs, MongoDB and NATS messaging. [View the history](https://www.cingulara.com/opensource.html) of this tool on our website.
The OpenRMF tool is an advanced alternative to the [DISA STIGViewer.jar](https://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx) and MS Excel hell we go through used for DoD STIG checklist files, SCAP Scans, Nessus ACAS scans, RMF process information, and the like. It is necessary to capture and report on this information, please _do not_ mistake what I say for not agreeing with securing services. However, the DISA Java tool itself is horribly designed and not conducive to today's environment and use. And it is only part of the story. Their Java tool has been like this for a loooooonnnnnngggg time and I have wanted to make something better (IMO) for almost as long. So this tool here is the start! It is a way (currently) to view, report on, dive into, manage, and export your STIG checklists no matter which checklist you are referring to. All the .CKL files have a common format and htis reads and displays/manages that in a web front end using .NET Core APIs, MongoDB and NATS messaging. [View the history](https://www.cingulara.com/opensource.html) of this tool on our website.

OpenRMF also is a single pane of glass for your DISA SCAP scans (to generate checklists), Nessus SCAP scans (Beta), Nessus patch scans (to track patch management), and compliance reporting for your systems going through the RMF process. We know: the RMF process is manual and all inclusive! This tool helps to automate as much as possible on the managing and reporting of data so you can:
OpenRMF also is a single pane of glass for your DISA SCAP scans (to generate checklists), Nessus SCAP scans, Nessus patch scans (to track patch management), and compliance reporting for your systems going through the RMF process. We know: the RMF process is manual and all inclusive! This tool helps to automate as much as possible on the managing and reporting of data so you can:
1. Know your current Risk Profile
2. Know your current status
3. Know what is left to do
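Review bot: the typo `htis` in "All the .CKL files have a common format and htis reads and displays/manages" survives the rewrite of this paragraph; since the line is already being replaced to add SCAP and Nessus ACAS scans, change it to `this` in the same edit.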
Expand Down Expand Up @@ -91,11 +92,6 @@ Starting with version 0.10.7 we include metrics tracking for all our major subsy

Starting with version 0.8 we have AuthN and AuthZ setup for use. See the [Keycloak Document](keycloak.md) document for more information.

## Known issues
If you find something please add an issue to the correct repo.

- The DISA SCAP tool and the Nessus SCAP scans put out different formats when exporting the report data. We currently can import DISA SCAP XCCDF files. We are currently working on the Nessus SCAP scan import to create / update checklists from it as well.

## Creating MongoDB Users by Hand
If you wish you can create a MongoDB setup locally to persist your data and see what it does. Checkout the [create users by hand](create-users-by-hand.md) readme for more on that.

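Review bot: deleting the whole `## Known issues` section also removes the pointer "If you find something please add an issue to the correct repo." Only the Nessus SCAP import bullet is resolved (index.md and uploading.md in this commit drop the beta label), so keep the heading and the issue-reporting sentence and remove just that bullet.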
2 changes: 2 additions & 0 deletions deployments/chart/openrmf/templates/template.yaml
Expand Up @@ -43,6 +43,8 @@ spec:
value: Development
- name: ASPNETCORE_URLS
value: http://*:8080
- name: NATSSERVERURL
value: nats://natsserver:4222
- name: MONGODBCONNECTION
valueFrom:
secretKeyRef:
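Review bot: `NATSSERVERURL` is hard-coded as `nats://natsserver:4222` in the chart template, unlike `MONGODBCONNECTION` directly below it, which is read from a `secretKeyRef`. Expose it as a chart value (for example a hypothetical `{{ .Values.natsServerUrl }}`) so the service name and port can be overridden per deployment, and if the NATS URL ever carries credentials, source it from a Secret the same way as the Mongo connection string. The unchanged `ASPNETCORE_ENVIRONMENT: Development` two lines above is also worth a look before this chart is used outside local testing.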
Binary file added docs/assets/checklist-edit-asset.png
Binary file added docs/assets/checklist-edit-vulnerability.png
Binary file modified docs/assets/checklist-record-detail.png
Binary file modified docs/assets/checklist-record.png
Binary file modified docs/assets/compliance-detail.png
Binary file modified docs/assets/reports-controls.png
Binary file added docs/assets/reports-vulnerabilities.png
Binary file modified docs/assets/reports.png
Binary file modified docs/assets/system-record.png
14 changes: 13 additions & 1 deletion docs/checklists.md
Expand Up @@ -11,8 +11,20 @@ The detailed Checklist page shows several things about the checklist. It shows t

The scoring of the checklist based on status is one of the first things you see as well. The total and then breakdown by category is shown with the relevant colors. There are also download links for the CKL file, an Excel version of the checklist to download, as well as a Delete button. These buttons depend on the Download role and Editor role respectively. Or if you have the Administrator role you get them all.

Each listing in the score table are linked to the Vulnerability Filter below it. For example, click the CAT 1 OPEN number, and you can filter your vulnerabilities below to only show Category 1 (High severity) Open items. This also affects the Export as you will export only those vulnerabilities shown on the page at that time.

![OpenRMF Checklist Vulnerability Details](/assets/checklist-record-detail.png)

The specific STIG title and asset information from the STIG checklist are shown next. Then the main section of the checklist is shown. On the left of the section is a list of every single vulnerability for this checklist, color coded by status. Click the vulnerability and the details of it show on the right. You also can filter the vulnerabilities by status by checking / unchecking the 4 statuses to filter the list down accordingly.

At the bottom of this page are quick visual graph representations of the status and category breakdown of the checklist as well.
At the bottom of this page are quick visual graph representations of the status and category breakdown of the checklist as well.

## Editing the Checklist Vulnerability

With the 0.12 version OpenRMF, if you are an Editor or Administrator (role) you can edit the main Checklist data at the top of the screen. The host name, domain name as well as the technology area, asset type and role of the machine for the checklist being viewed/edited. This data will be represented in the downloaded export XLSX as well as the CKL checklist file.

![OpenRMF Edit Checklist Metadata](/assets/checklist-edit-asset.png)

You also can edit each Vulnerability record with those roles. The following fields in the image below can be edited. Once saved, the data in the checklist is updated and the score is recalculated for the checklist and subsequently the system.

![OpenRMF Edit Checklist Vulnerability Details](/assets/checklist-edit-vulnerability.png)
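Review bot: "The following fields in the image below can be edited" leaves the editable vulnerability fields undocumented for anyone who cannot view the screenshot; list them in the text, as the asset paragraph above already does for host name, domain name, technology area, asset type and role. Two smaller points in the same hunk: the added sentence "Each listing in the score table are linked" should read "is linked", and the unchanged sentence "At the bottom of this page are quick visual graph representations..." shows as removed and re-added, which points to a whitespace or line-ending change; keep the file's line ending consistent so the diff stays minimal.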
2 changes: 1 addition & 1 deletion docs/compliance.md
Expand Up @@ -20,7 +20,7 @@ The data in the compliance report is presented in a filterable table that is com

![OpenRMF Compliance Details](/assets/compliance-detail.png)

Each result is grouped per NIST major control and is color coded according to the overall status of that control within the checklist. Click on the checklist in the compliance result table to quickly view the checklist through the lens of *only* that control with a filtered vulnerability listing relevant only to that control. This allows you to view the vulnerability items that remain open or not reviewed to quickly tackle your RMF action items.
Each result is listed per NIST major control and checklist and is color coded according to the overall status of that control within the checklist. Click on the checklist in the compliance result table to quickly view the checklist through the lens of *only* that control with a filtered vulnerability listing relevant only to that control. This allows you to view the vulnerability items that remain open or not reviewed to quickly tackle your RMF action items.

## Compliance Color Coding Rules

10 changes: 6 additions & 4 deletions docs/index.md
Expand Up @@ -21,21 +21,23 @@ Some of the high level features are below:

* 100% web based
* 100% Open Source Software (OSS)
* Upload a CKL or DISA SCAP XCCDF (Nessus SCAP XCCDF is in beta now!) format file easily to visualize your RMF process
* Upload a DISA Checklist CKL, DISA SCAP XCCDF format file or Nessus SCAP XCCDF format file easily to visualize your RMF process
* Upload a .Nessus ACAS scan file to see Patch summary of Critical and High items
* Automatically organizes your checklists by system
* Live online editing of your checklist through your web browser with auditing of the changes
* Single source of truth for your system checklists
* Single source of truth for your latest Nessus patch scans
* Interactive Reports and Searching of Nessus scan data
* Interactive Reports and Searching of checklist vulnerability data
* Interactive Reports and Searching of System and checklist vulnerability data
* Management insight into Cybersecurity Status and Security Posture instantly
* Generating of Test Plan Summary for your System
* AuthN, AuthZ, and Role Based Access Control (RBAC) to control access to read as well as edit data
* Run on premise, on a local machine, or in the cloud
* Easily find errors and deltas across checklists in your system
* Easily run a compliance report in seconds for your Low, Moderate, or High system

## Why use OpenRMF
The current way to implement the Risk Management Framework for your DoD Authority to Operate is VERY manual and VERY slow. It is driven by disparate pieces of a Java Viewer for checklists, massive amounts of MS Excel spreadsheets for viewing the checklists for management, MS Word documents, various PDF files, and more. Information is shared (hopefully!) via email and shared folders. And there is no one central place for developers, operations, management, and cybersecurity analysts to see the most up to date information.
The current way to implement the Risk Management Framework for your DoD Authority to Operate is VERY manual and VERY slow. It is driven by disparate pieces of a Java Viewer for checklists, massive amounts of MS Excel spreadsheets for viewing the checklists for management, MS Word documents, various PDF files, and more. Information is shared (hopefully!) via email and shared folders. And there is no one central place for developers, operations, management, and cybersecurity analysts to see the most up to date information that is needed to eventually submit to eMASS.

That changes with OpenRMF!

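Review bot: the new bullet "Live online editing of your checklist through your web browser with auditing of the changes" claims auditing, but the editing section added to docs/checklists.md in this commit only says the checklist is updated and the score recalculated. Either document what is recorded (who changed which field, and when) or drop the auditing claim from the feature list so the two pages agree.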
Expand All @@ -54,6 +56,6 @@ With coming updates such as automating the Risk Assessment Report, automating th
More information can be found in our <a href="https://www.openrmf.io/doc/OpenRMF-Product-Information.pdf" target="_blank">product PDF</a> on our website.

## Architecture
Below is the top level architecture, drawn via <a href="https://www.draw.io/" target="_blank">Draw.io</a>'s great tool.
Below is the top level architecture as of version 0.11 and beyond, drawn via <a href="https://www.draw.io/" target="_blank">Draw.io</a>'s great tool.

![OpenRMF v0.10 Architecture](/assets/openRMF-Tool-Architecture.png)
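Review bot: the heading sentence now says "as of version 0.11 and beyond" but the image alt text on the next line still reads "OpenRMF v0.10 Architecture". Update the alt text, and confirm the diagram itself was regenerated: openRMF-Tool-Architecture.png is not among the binaries modified in this commit.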
12 changes: 12 additions & 0 deletions docs/reports.md
Expand Up @@ -26,3 +26,15 @@ This is a larger chart used for exporting and viewing the total items in a syste
This reports allows you to select a system to load all available checklists. Choose an checklist and click the Run Report button to see all vulnerability data in an interactive table format. You can order columns, use the Search box to filter the information, and click the + icon to see more detailed information on the vulnerability.

![OpenRMF System Checklist Vulnerability Report](/assets/reports-checklists.png)


## RMF Controls Listing Report
This report lists out the controls and subcontrols across the RMF control listing to let you have more detailed information on what it represents.

![OpenRMF Controls Report](/assets/reports-controls.png)


## System Checklist Vulnerability Report
This reports lets you search on a vulnerability and see what hosts and checklists have that vulnerability across all checklists within your system.

![OpenRMF Controls Report](/assets/reports-vulnerabilities.png)
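Review bot: the alt text for the vulnerabilities screenshot is copy-pasted as "OpenRMF Controls Report"; it should describe reports-vulnerabilities.png. On the same hunk, "This reports lets you search" should be "This report lets you search", and the two blank lines before each new heading are inconsistent with the single blank line used earlier in the file.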
2 changes: 1 addition & 1 deletion docs/uploading.md
Expand Up @@ -5,7 +5,7 @@ nav_order: 100

# Uploading Checklists and Templates

The Upload page is available to users with the Administrator or Editor role assigned. From this page you can upload a CKL checklist file made from the DISA Java Viewer. You can upload a SCAP (DoD and now Nessus SCAP in beta) scan result in XCCDF XML format. Or you can upload a CKL file as a User Template for others to start from and create their checklist for the appropriate system technology.
The Upload page is available to users with the Administrator or Editor role assigned. From this page you can upload a CKL checklist file made from the DISA Java Viewer. You can upload a SCAP (DoD or Nessus SCAP) scan result in XCCDF XML format. Or you can upload a CKL file as a User Template for others to start from and create their checklist for the appropriate system technology.

## Upload Checklists or SCAP XCCDF files

13 changes: 11 additions & 2 deletions docs/whatsnew.md
@@ -1,13 +1,22 @@
---
title: What's New in v0.11
title: What's New in v0.12
nav_order: 2
---

# What's New with OpenRMF

Please refer to the <a href="https://github.com/Cingulara?tab=projects" target="_blank">OpenRMF Projects listing on GitHub</a> for more information on feature updates and timeline.

The latest version is version 0.11 The recent updates are below:
The latest working version is version 0.12. The recent updates on that are below:
* Live editing of Checklist Asset data and Vulnerability status data
* Showing the version of the checklist
* Updated UI of the Template page to match the Checklist page
* Filtering on the System page listing checklists by status and severity/category of Vulnerabilities across all System checklists
* Filtering on the Checklist page by status and severity/category of Vulnerabilities within that checklist
* Create a Test Plan Summary across your System of Checklists and Nessus ACAS scan data
* Updated color coding throughout the UI for Open items to show severity / category better

Version 0.11 updates are also below:
* Interactive Reports for Nessus Scan data, System Score and Checklist Vulnerability Data
* New and Improved Dashboard for at-a-glance Critical and High patch issues
* New and Improved Dashboard for at-a-glance list of Open Items for checklists
Binary file modified img/UI-dashboard.png
17 changes: 9 additions & 8 deletions scripts/docker-compose.yml
Expand Up @@ -3,7 +3,7 @@ version : '3'
services:
### 1 Web Front End Container
openrmf-web:
image: cingulara/openrmf-web:0.12.1
image: cingulara/openrmf-web:0.12.7
ports:
- 8080:80
depends_on:
Expand Down Expand Up @@ -33,7 +33,7 @@ services:
- openrmf

openrmfapi-save:
image: cingulara/openrmf-api-save:0.12
image: cingulara/openrmf-api-save:0.12.2
ports:
- 8082:8080
env_file: .env
Expand All @@ -51,13 +51,14 @@ services:
- openrmf

openrmfapi-template:
image: cingulara/openrmf-api-template:0.11.2
image: cingulara/openrmf-api-template:0.12
ports:
- 8088:8080
env_file: .env
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=http://*:8080
- NATSSERVERURL=nats://natsserver:4222
- MONGODBCONNECTION=mongodb://openrmftemplate:openrmf1234!@templatedb/openrmftemplate?authSource=openrmftemplate
- MONGODB=openrmftemplate
depends_on:
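Review bot: this service's environment block still carries the database credential inline (`MONGODBCONNECTION=mongodb://openrmftemplate:openrmf1234!@templatedb/...`) even though the service already loads `env_file: .env`; since the block is being edited to add `NATSSERVERURL`, move the connection string, or at least the password, into .env so it is not committed with the compose file. The same inline-credential pattern is visible in the openrmfmsg-score and openrmfmsg-checklist services further down.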
Expand All @@ -66,7 +67,7 @@ services:
- openrmf

openrmfapi-upload:
image: cingulara/openrmf-api-upload:0.12
image: cingulara/openrmf-api-upload:0.12.2
ports:
- 8086:8080
env_file: .env
Expand All @@ -84,7 +85,7 @@ services:
- openrmf

openrmfapi-read:
image: cingulara/openrmf-api-read:0.12
image: cingulara/openrmf-api-read:0.12.4
ports:
- 8084:8080
env_file: .env
Expand All @@ -100,7 +101,7 @@ services:
- openrmf

openrmfapi-compliance:
image: cingulara/openrmf-api-compliance:0.11
image: cingulara/openrmf-api-compliance:0.12
ports:
- 8092:8080
env_file: .env
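Review bot: `cingulara/openrmf-api-compliance:0.12` (like `openrmf-api-template:0.12` above) is a floating minor tag, while the other services in this file are pinned to patch releases such as 0.12.2, 0.12.4 and 0.12.7. A floating tag can change underneath a running deployment, so pin every image to a patch tag, or better an image digest, for reproducible and auditable deployments.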
Expand Down Expand Up @@ -139,7 +140,7 @@ services:

### 7 Messaging Containers
openrmfmsg-score:
image: cingulara/openrmf-msg-score:0.12
image: cingulara/openrmf-msg-score:0.12.2
environment:
- MONGODBCONNECTION=mongodb://openrmfscore:openrmf1234!@scoredb/openrmfscore?authSource=openrmfscore
- MONGODB=openrmfscore
Expand All @@ -151,7 +152,7 @@ services:
- openrmf

openrmfmsg-checklist:
image: cingulara/openrmf-msg-checklist:0.12
image: cingulara/openrmf-msg-checklist:0.12.1
environment:
- MONGODBCONNECTION=mongodb://openrmf:openrmf1234!@checklistdb/openrmf?authSource=openrmf
- MONGODB=openrmf
1 change: 1 addition & 0 deletions scripts/edge/docker-compose.yml
Expand Up @@ -55,6 +55,7 @@ services:
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=http://*:8080
- NATSSERVERURL=nats://natsserver:4222
- MONGODBCONNECTION=mongodb://openrmftemplate:openrmf1234!@templatedb/openrmftemplate?authSource=openrmftemplate
- MONGODB=openrmftemplate
depends_on:
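Review bot: `NATSSERVERURL=nats://natsserver:4222` is now repeated verbatim in deployments/chart/openrmf/templates/template.yaml, scripts/docker-compose.yml and here; define it once (for example as an entry in the .env file these compose scripts use) so the server name and port only need changing in one place when the NATS service is renamed or moved. The inline Mongo password on the line below predates this change but is worth moving out of the file at the same time.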
2 changes: 1 addition & 1 deletion scripts/local/prometheus.yml
@@ -1,5 +1,5 @@
global:
scrape_interval: 5s # By default, scrape targets every 5 seconds.
scrape_interval: 30s # By default, scrape targets every 5 seconds.

# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
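Review bot: the inline comment still says "By default, scrape targets every 5 seconds." after the value was changed from 5s to 30s; update the comment to match the new interval or drop it, since the value speaks for itself. Dashboards built on these metrics will now see 30 s granularity, which is worth mentioning in the docs that describe the Grafana setup.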
2 changes: 1 addition & 1 deletion scripts/prometheus.yml
@@ -1,5 +1,5 @@
global:
scrape_interval: 15s # By default, scrape targets every 5 seconds.
scrape_interval: 30s # By default, scrape targets every 5 seconds.

# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
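Review bot: the comment "By default, scrape targets every 5 seconds." was already wrong when the value was 15s and is still wrong at 30s; fix it in the same change, as for scripts/local/prometheus.yml, so the two Prometheus configs do not drift further apart.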
