Merge pull request #99 from Cingulara/develop
Final 0.12 Release
Cingulara authored Mar 15, 2020
2 parents 8a9b7c6 + 24e7877 commit adf01ad
Showing 28 changed files with 132 additions and 57 deletions.
33 changes: 24 additions & 9 deletions README.md
@@ -1,7 +1,9 @@
# OpenRMF Documentation (v 0.12)

## Introduction to OpenRMF
OpenRMF is an open source tool for managing, viewing, and reporting of your DoD STIG checklists and Nessus Patch Scans in one web-based interface using your browser. It also generates a compliance listing of all your checklists across a whole system based on NIST 800-53 for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and allows you to structure your data in a clean interface all in one location for your group or program. It can save you _weeks_ of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.
OpenRMF is an open source tool for managing, viewing, and reporting of your DoD STIG checklists and Nessus Patch Scans in one web-based interface using your browser. It also generates a compliance listing of all your checklists across a whole system based on NIST 800-53 for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and allows you to structure your data in a clean interface all in one location for your group or program.

It will save you _weeks_ of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.

Read more about its genesis <a href="https://www.cingulara.com/opensource.html" target="_blank">here</a>.

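Review bot: the `Read more about its genesis` link opens with `target="_blank"` but carries no `rel="noopener noreferrer"`, so in browsers that do not imply noopener the opened page gets a `window.opener` handle back to the docs page; add the `rel` attribute here (the GitHub Issues link further down in this file has the same pattern). Minor: splitting the paragraph also changes "It can save you _weeks_" to "It will save you _weeks_", which is a stronger promise than the README can back; the original wording was the safer one.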
Expand All @@ -24,7 +26,7 @@ Read more about its genesis <a href="https://www.cingulara.com/opensource.html"
- [x] Exporting checklists to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
- [x] Exporting of various charts for download to PNG
- [x] Filter Vulnerabilities on the Checklist page by status
- [x] Live Editing of Checklist data through the web browser
- [x] *Live Editing of Checklist data through the web browser*
- [x] Filter vulnerabilities for your Compliance listing based on major controls
- [x] Exporting your list of checklists and their score by status and category to MS Excel
- [x] Metrics exported to Prometheus for API endpoints and NATS messaging, quickly display in Grafana
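Review bot: `Live Editing of Checklist data through the web browser` is now italicised, but nothing in the list says what italics mean (new in this release? experimental? partially done?); state it once above the list, for example "_Italic items are new in 0.12_", or drop the emphasis so readers do not guess.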
Expand All @@ -35,14 +37,20 @@ Read more about its genesis <a href="https://www.cingulara.com/opensource.html"
- [x] User AuthN and AuthZ for login accounts and Role Based Access Control on functions
- [x] Auditing all creates, deletes, and updates
- [x] Import the Manual XML STIG to create a starting checklist (Automatic and behind the scenes for now)
- [x] *Generate the RMF POA&M*
- [x] Generate the Risk Assessment Report RAR
- [x] Generate the Test Plan
- [x] Central logging (ledger) for all CRUD and access usage based on NATS

## ToDos (in no particular order)
- [ ] Central logging (ledger) for all CRUD and access usage based on NATS
- [ ] Generate the RMF POA&M
- [ ] Generate the Risk Assessment Report RAR
- [ ] Generate the Test Plan
- [ ] Select the fields to export to MS Excel, autofilter enabled on the header row
- [ ] A wizard to ask questions and customize a starting checklist file for you with certain fields and comments filled in
- [ ] External API access to certain functions in OpenRMF
- [ ] Make the Keycloak setup easier (scripted)
- [ ] Performance improvements
- [ ] NATS Jetstream (currently in beta https://www.nats.io/)
- [ ] Included Jaeger Tracing setup
- [ ] Scripted Grafana Dashboards
- [ ] Export Compliance Report to XLSX

If we are missing something you want, please add it on our main <a href="https://github.com/Cingulara/openrmf-web/issues" target="_blank">GitHub Issues</a> page.

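Review bot: four ToDo items are promoted to the done list here, but only `*Generate the RMF POA&M*` gets the italic marking while `Generate the Risk Assessment Report RAR` and `Generate the Test Plan` do not, so the emphasis looks accidental; apply it to all of the 0.12 additions or to none. Also `Central logging (ledger) for all CRUD and access usage based on NATS` moves to done, yet it is not among the whatsnew.md additions in this same commit, which list POA&M, RAR, Test Plan Summary and checklist upgrade; either record it there as well or keep it under ToDos until it ships.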
Expand All @@ -66,7 +74,9 @@ You need a web browser that is fairly current. And you need Docker installed on
## Run OpenRMF locally
The best way to run this application (once you have Docker installed) is to go to the Code -- Releases tab https://github.com/Cingulara/openrmf-docs/releases and pull down the latest release. Unzip the file and then run the ./start.sh or .\start.cmd file to pull the latest images and run OpenRMF. Then you can open a local browser to http://{ip-address}:8080/ and see what happens. If you want to change the ports you only have to edit the docker-compose.yml file locally. These files are in the [scripts](scripts) folder of this repo.

Be sure to check out the [Keycloak information](#authentication-with-keycloak) because version 0.8 and beyond has RBAC for AuthN and AuthZ on the web and API calls. Or you could use another OpenID compliant application to provide AuthN and AuthZ.
Be sure to check out the [Keycloak information](#authentication-with-keycloak) because OpenRMF version 0.8 and beyond has RBAC for AuthN and AuthZ on the web and API calls. Or you could use another OpenID compliant application to provide AuthN and AuthZ.

> You need to setup Keycloak first before running OpenRMF.
> The data is currently mapped to internal Docker-managed volumes for persistence. You can run the "docker volume rm" command below if you wish to remove and start over as you test. If you want persistence you could change the connection strings to another MongoDB server and adjust the docker-compose.yml accordingly. Or use a volume in your docker-compose.yml or individual docker commands.
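Review bot: the new `> You need to setup Keycloak first before running OpenRMF.` line is immediately followed by the existing `> The data is currently mapped to internal Docker-managed volumes ...` line, so Markdown renders two unrelated notes as one blockquote; put a blank line between them. Separately, the run instructions send users to http://{ip-address}:8080/ while the next paragraph says every web and API call from 0.8 on is authenticated through Keycloak; since that address is not loopback, the README should say to terminate TLS in front of both the UI and Keycloak before exposing it on a network, otherwise the Keycloak login and the tokens it issues travel in clear text. "setup" as a verb should be "set up".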
Expand All @@ -90,7 +100,9 @@ Starting with version 0.10.7 we include metrics tracking for all our major subsy

## Authentication with Keycloak

Starting with version 0.8 we have AuthN and AuthZ setup for use. See the [Keycloak Document](keycloak.md) document for more information.
Starting with version 0.8 we have AuthN and AuthZ setup for use. See the [Keycloak Document](keycloak.md) document for more information.

> NOTE: You need to setup Keycloak before running OpenRMF. And you must get the .env file correctly setup.
## Creating MongoDB Users by Hand
If you wish you can create a MongoDB setup locally to persist your data and see what it does. Checkout the [create users by hand](create-users-by-hand.md) readme for more on that.
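Review bot: `Starting with version 0.8 we have AuthN and AuthZ setup for use.` appears as both the removed and the added line with identical text, so this part of the hunk is a whitespace-only change that bloats the diff. The new note `And you must get the .env file correctly setup.` does not say which values the .env file must hold or where a template lives; name the variables, or link the part of keycloak.md that lists them, since a wrong value there is the most likely first-run failure. Add a blank line before `## Creating MongoDB Users by Hand` to match the rest of the file, and "setup" as a verb is "set up".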
Expand All @@ -103,6 +115,9 @@ If you want to remove all data from volumes you can run the below. Do at your ow

## Screenshots of the UI

The OpenRMF Dashboard for all Systems
![Image](./img/UI-dashboard.png?raw=true)

The System Listing
![Image](./img/UI-system-listing.png?raw=true)

2 changes: 1 addition & 1 deletion architecture/README.md
@@ -1,5 +1,5 @@
# OpenRMF Architecture
This has the current architecture information for the OpenRMF application as of version 0.11.
This has the current architecture information for the OpenRMF application as of version 0.11 and beyond (current version).

![Image](./openRMF-Tool-Architecture.png?raw=true)

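Review bot: `as of version 0.11 and beyond (current version)` will silently go stale with the next architecture change; say which version the diagram was last updated for (0.12, per this release) and drop "and beyond".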
24 changes: 12 additions & 12 deletions deployments/chart/openrmf/values.yaml
Expand Up @@ -27,20 +27,20 @@ installType: minikube
# examples: 0.8, 0.8.1, latest
auditImage: 0.11
auditmsgImage: 0.11
checklistmsgImage: 0.11
complianceImage: 0.11
checklistmsgImage: 0.12.2
complianceImage: 0.12.2
compliancemsgImage: 0.11
controlImage: 0.11
controlImage: 0.12.1
controlmsgImage: 0.11
readImage: 0.11.1
saveImage: 0.11
scoremsgImage: 0.11
scoringImage: 0.11
templateImage: 0.11.1
templatemsgImage: 0.11
uploadImage: 0.11
systemmsgImage: 0.11
webuiImage: 0.11.1
readImage: 0.12.10
saveImage: 0.12.3
scoremsgImage: 0.12.3
scoringImage: 0.12.2
templateImage: 0.12.1
templatemsgImage: 0.12
uploadImage: 0.12.3
systemmsgImage: 0.12.1
webuiImage: 0.12.12
mongoImage: 4.0.5
natsImage: 2.1.2-linux

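Review bot: after this bump the chart still runs `auditImage`, `auditmsgImage`, `compliancemsgImage` and `controlmsgImage` at 0.11 while the other services move to assorted 0.12.x tags (0.12 through 0.12.12); if that mix is intentional for the "Final 0.12 Release", a comment saying those services were not rebuilt would stop the next reader from assuming a missed edit. For a release chart, consider pinning each image by digest (`name@sha256:...`, if the templates accept it) in addition to the tag, since these tags are mutable and a re-pull could silently change what runs; `mongoImage: 4.0.5` and `natsImage: 2.1.2-linux` are likewise untouched fixed versions worth re-checking against current patch releases.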
38 changes: 38 additions & 0 deletions docs/artifacts.md
@@ -0,0 +1,38 @@
---
title: Step 6 - Generate RMF Artifact Reports
nav_order: 450
---

# Generating your System's RMF Artifacts

With all your data in one place for your entire system, you can how start to generate the RMF artifacts required such as your POA&amp;M, Risk Assessment Report, and Test Summary Report. Below are examples of each. All of these can be found on the System
page where you see the title, list of checklists, overall score, and other data.

## Nessus Scan Export

![OpenRMF Compliance Generator](/assets/nessus-export-xlsx.png)

The Nessus Scan Export shows patching items across your system servers/hosts, sorted by criticality/severity, and gives details on the ID, description, and severity level.

## POA&amp;M Export

![OpenRMF POA&M Generator](/assets/poam-export.png)

The Plan of Actions and Milestones (POA&amp;M) Export lists all Open and Not Reviewed items across every single checklist within your system. The data is ordered by severity and then vulnerability so all high level items are near the top. The POA&amp;M is used to show your plan to address, mitigate, and/or close the items still open while you go through the RMF Process.

## Test Plan Summary Export

![OpenRMF Test Plan Summary Generator](/assets/test-plan-summary-export.png)

The Test Plan Export shows all Nessus Patch data with items that need to be addressed in Critical and High (CAT I) down to Low (CAT III) items. It then shows similar data across all your checklists (manual and SCAP generated) in a similar fashion. This gives you a high level count of items per severity.

## Risk Assessment Report (RAR) Export

![OpenRMF Risk Assessment Report Generator](/assets/rar-export.png)

The RAR shows all open or not reviewed items in a format to show you the host, the NIST control, the checklist the item was in, as well as severity of the item. This allows you to fill in the actual risk of this item as it pertains to your system and your risk profile.


## Color Coding Rules

For compliance, a green color means all the vulnerabilities for that control are either Not a Finding or marked as Not Applicable. If 1 vulnerability is marked as Open, then that whole group is Open. And if there are any vulnerabilities that are Not Reviewed with no Open vulnerabilities for that group, then the whole group is marked as Not Reviewed.
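Review bot: several wording problems in the new page: `you can how start to generate` should be `you can now start to generate`; `Test Summary Report` in the intro is `Test Plan Summary Export` in its own heading and `Test Plan Export` in the body, so pick one name; the DoD term is `Plan of Action and Milestones`, not `Plan of Actions`; and the image alt text under `## Nessus Scan Export` reads `OpenRMF Compliance Generator`. Structurally, `## Color Coding Rules` describes the green / Open / Not Reviewed grouping of the compliance listing rather than any artifact on this page; move it to the compliance doc or retitle it to say which page it applies to. The extra blank line before that heading can go as well.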
Binary file added docs/assets/UI-system-view.png
Binary file added docs/assets/nessus-export-xlsx.png
Binary file added docs/assets/poam-export.png
Binary file added docs/assets/rar-export.png
Binary file added docs/assets/reports-host-for-control.png
Binary file modified docs/assets/reports.png
Binary file modified docs/assets/system-record.png
Binary file added docs/assets/test-plan-summary-export.png
Binary file modified docs/assets/upload-checklist-xccdf.png
Binary file modified docs/assets/upload-template.png
34 changes: 22 additions & 12 deletions docs/index.md
Expand Up @@ -8,14 +8,20 @@ nav_order: 1
Welcome to the OpenRMF Docs site. This site contains help screens, scenarios, screenshots and
other useful information to use the OpenRMF tool fo you and your team.

OpenRMF is the only open source tool to manage your DoD STIG checklists, generate NIST compliance, keep track of your security items that are Open or Not Reviewed, and shrink your timeline to submit for an ATO!
OpenRMF is the only web-based open source tool to manage your DoD STIG checklists, generate NIST compliance, keep track of your security items that are Open or Not Reviewed, and massively shrink your timeline to collect data and submit for an ATO!

See [What's New](./whatsnew.md) with the latest version.

## What it does
OpenRMF manages your RMF documentation and removes the Cybersecurity mystery! It allows management to view the status of checklists and RMF progress on their systems. It allows IT administrators and developers to store their checklists and scans in a single place. It allows cybersecurity analysts to see the status of systems in a quick glance. And it allows assessors to have a single place to view the system and all its checklists so their job is more organized.
OpenRMF manages your RMF documentation and removes the Cybersecurity mystery! It allows management to view the status of checklists and RMF progress on their systems.

It has a great use for everyone! Most importantly: It minimizes the manual nature of managing all this data for you!
It allows IT administrators and developers to store their checklists and scans in a single place.

It allows cybersecurity analysts to see the status of systems in a quick glance.

And it allows assessors to have a single place to view the system and all its checklists so their job is more organized.

It has great use cases for everyone! Most importantly: It greatly minimizes the manual nature of managing all this data for you!

Some of the high level features are below:

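Review bot: the context line `other useful information to use the OpenRMF tool fo you and your team.` has a typo (`fo` should be `for`) that could be fixed while this paragraph is being reworked. The new sentence upgrades `the only open source tool` to `the only web-based open source tool` and adds `massively shrink your timeline`; "only" is an unverifiable claim for a docs landing page and reads better as "an open source, web-based tool".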
Expand All @@ -24,38 +30,42 @@ Some of the high level features are below:
* Upload a DISA Checklist CKL, DISA SCAP XCCDF format file or Nessus SCAP XCCDF format file easily to visualize your RMF process
* Upload a .Nessus ACAS scan file to see Patch summary of Critical and High items
* Automatically organizes your checklists by system
* Live online editing of your checklist through your web browser with auditing of the changes
* Single source of truth for your system checklists
* Single source of truth for your latest Nessus patch scans
* Live online editing of your checklist through your web browser with auditing of the changes
* One-click creation of your POA&M for your entire system (all servers, devices, SCAP scans, manual checklists)
* One-click creation of your Risk Assessment Report (RAR) for your entire system (all servers, devices, SCAP scans, manual checklists)
* One-click creation of your Test Plan Summary for your entire system (all servers, devices, SCAP scans, manual checklists)
* Interactive Reports and Searching of Nessus scan data
* Interactive Reports and Searching of System and checklist vulnerability data
* Management insight into Cybersecurity Status and Security Posture instantly
* Generating of Test Plan Summary for your System
* AuthN, AuthZ, and Role Based Access Control (RBAC) to control access to read as well as edit data
* Run on premise, on a local machine, or in the cloud
* Easily find errors and deltas across checklists in your system
* Easily run a compliance report in seconds for your Low, Moderate, or High system
* Management insight into Cybersecurity Status and Security Posture instantly
* AuthN, AuthZ, and Role Based Access Control (RBAC) to control access to read as well as edit data
* Run on premise, on a local machine, or in the cloud (testing on Raspberry Pi 4 now)
* Containerized to run locally, in a container runtime, or in Kubernetes

## Why use OpenRMF
The current way to implement the Risk Management Framework for your DoD Authority to Operate is VERY manual and VERY slow. It is driven by disparate pieces of a Java Viewer for checklists, massive amounts of MS Excel spreadsheets for viewing the checklists for management, MS Word documents, various PDF files, and more. Information is shared (hopefully!) via email and shared folders. And there is no one central place for developers, operations, management, and cybersecurity analysts to see the most up to date information that is needed to eventually submit to eMASS.
The current way to implement the Risk Management Framework for your DoD Authority to Operate is VERY manual and VERY, VERY slow. VERY slow. It is driven by disparate pieces of a Java Viewer for checklists, massive amounts of MS Excel spreadsheets for viewing the checklists for management, MS Word documents, various PDF files, your own home grown applications to help automate pieces of this process, and more. Information is shared (hopefully!) via email and shared folders. And there is no one central place for developers, operations, management, and cybersecurity analysts to see the most up to date information that is needed to eventually submit to eMASS.

That changes with OpenRMF!

OpenRMF solves this dilemma. All you need is a web browser to view the pertinent information on your checklists within your system. Checklists are grouped by system and quickly show information such as the number of Category 1, 2, and 3 items as well as the number of Open items versus the Not a Finding "closed" items. Without having to open every single checklist file in the heavy Java viewer DISA provides.

OpenRMF helps in a few ways:
OpenRMF helps in several ways:
* It is 100% browser based for all the major browsers (Chrome, Edge, Firefox, Safari, IE 11)
* You can import multiple checklists for a single source-of-truth for all checklists
* You can organize and manage your data by systems for a quicker, less stress filled way to see your system's risk profile
* Reports for management highlight the most asked question on status and numbers of items by type
* You can run a single compliance report across all your checklists based on the Low/Moderate/High label as well as PII data included
* You can export any checklists to Excel or download a CKL file for viewing in the DISA Java Viewer
* You can drill down to your problem areas across all your checklists quickly with a few clicks and get actionable data quickly

With coming updates such as automating the Risk Assessment Report, automating the POA&M on fixes, as well as online editing of checklist status and comments OpenRMF is the app any DoD IT / Developer / Operations / Cybersecurity professional needs!

More information can be found in our <a href="https://www.openrmf.io/doc/OpenRMF-Product-Information.pdf" target="_blank">product PDF</a> on our website.

## Architecture
Below is the top level architecture as of version 0.11 and beyond, drawn via <a href="https://www.draw.io/" target="_blank">Draw.io</a>'s great tool.
Below is the top level architecture as of version 0.11 and beyond, drawn via <a href="https://app.diagrams.net/" target="_blank">Draw.io</a>'s great tool (now Diagrams.net).

![OpenRMF v0.10 Architecture](/assets/openRMF-Tool-Architecture.png)
![OpenRMF v0.11 Architecture and beyond](/assets/openRMF-Tool-Architecture.png)
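Review bot: `With coming updates such as automating the Risk Assessment Report, automating the POA&M on fixes, as well as online editing of checklist status and comments` is now contradicted by the feature list just above it, which in this same hunk adds one-click POA&M, RAR and Test Plan Summary creation and already lists live online editing with auditing; rewrite that sentence in the present tense or remove it. `VERY manual and VERY, VERY slow. VERY slow.` repeats itself; one "VERY slow" is enough. The alt text fix to `OpenRMF v0.11 Architecture and beyond` has the same staleness problem as the architecture README: name the version the diagram was drawn for and drop "and beyond".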
8 changes: 7 additions & 1 deletion docs/reports.md
Expand Up @@ -37,4 +37,10 @@ This report lists out the controls and subcontrols across the RMF control listin
## System Checklist Vulnerability Report
This reports lets you search on a vulnerability and see what hosts and checklists have that vulnerability across all checklists within your system.

![OpenRMF Controls Report](/assets/reports-vulnerabilities.png)
![OpenRMF Checklist Vulnerability Report](/assets/reports-vulnerabilities.png)


## System Checklist Vulnerability Report
This reports lets you search on a system and major RMF control and see what servers, workstations, devices, etc. relate to that control across all your checklists.

![OpenRMF RMF Controls by Host Report](/assets/reports-host-for-control.png)
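Review bot: the new section reuses the heading `## System Checklist Vulnerability Report`, which already heads the section immediately above it, so the page now has two identical headings (and two identical anchors) for different reports; the new one describes hosts per RMF control, so a title such as `## System Hosts by RMF Control Report` would match its own alt text `OpenRMF RMF Controls by Host Report`. Both sections also open with `This reports lets you`, which should be `This report lets you`.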
4 changes: 4 additions & 0 deletions docs/whatsnew.md
Expand Up @@ -15,6 +15,10 @@ The latest working version is version 0.12. The recent updates on that are below
* Filtering on the Checklist page by status and severity/category of Vulnerabilities within that checklist
* Create a Test Plan Summary across your System of Checklists and Nessus ACAS scan data
* Updated color coding throughout the UI for Open items to show severity / category better
* Generating the POA&M for Open and Not Reviewed items for a system (across all checklists)
* Generating the Risk Assessment Report (RAR) for a system (across all checklists)
* Generating the Test Plan Summary for a system (across all checklists)
* Upgrading a Checklist to the latest version and release with the click of a button!

Version 0.11 updates are also below:
* Interactive Reports for Nessus Scan data, System Score and Checklist Vulnerability Data
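Review bot: the added `Generating the Test Plan Summary for a system (across all checklists)` duplicates the existing `Create a Test Plan Summary across your System of Checklists and Nessus ACAS scan data` three lines above; keep one. The added `Upgrading a Checklist to the latest version and release with the click of a button!` is a new 0.12 feature that does not show up in the portions of the README feature list touched by this commit; check that the README mentions it too so the two lists agree.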
Binary file added img/UI-auditing.png
Binary file removed img/UI-checklist-dashboard.png
Binary file modified img/UI-checklist-scoring-vulns.png
Binary file modified img/UI-checklist-upload.png
Binary file modified img/UI-system-view.png
Binary file modified img/nessus-export-xlsx.png
Binary file added img/poam-export.png
Binary file added img/rar-export.png
Binary file added img/test-plan-summary-export.png