CS-2021 SBT - Security Benchmarking Tool
FAF 192 Y3-S1
Pasecinic Nichita
- Electron - for building cross-platform desktop apps (the app is configured to run in browser too)
- React with TS - for UI (antd components)
- Express - for the Node.js API (multer for file storage, the built-in crypto module for encryption / decryption)
- PassportJS - for OAuth authentication (providers Google, GitHub, Twitter)
- MongoDB - application database (Mongoose ODM)
- Nodemailer - sending emails (email confirmation)
- 1 - Importing Compliance Audit Policies
- 2 - Creating Custom Audit Policies
- 3 - Auditing a Workstation
- 4 - Enforcing a Policy
- 5 - Enforcing a Policy (cont'd)
- 6 - SSO Security
- 7 - Database Security
- 8 - Email Confirmation
$ # clone the project
$ git clone https://github.com/nichitaa/CS-Labs
$
$ # install dependencies (electron deps) - paths below are relative to the repository root
$ cd app\electron-ts
$ npm install # or yarn install
$
$ # install dependencies (express api)
$ cd app\express-api
$ npm install
$
$ # run the app (the api should start first)
$ cd app\express-api
$ npm run dev # available on http://localhost:8080
$
$ # run the desktop app
$ cd app\electron-ts
$ npm run dev # will open the desktop app
$ # the app can also be opened in a browser at: http://localhost:3000

The API requires several environment variables in order to run locally on your machine. Create a .env file in the root of the express API (folder: \app\express-api) with your specific configuration. Keep this file out of version control (add it to .gitignore): it holds the OAuth client secrets and the SMTP password, and anyone who obtains them can impersonate the app to the SSO providers or send mail as you.
MONGODB_URL= # mongo db connection url
GOOGLE_CLIENT_ID= # google client id
GOOGLE_CLIENT_SECRET= # google client secret
GITHUB_CLIENT_ID= # github client id
GITHUB_CLIENT_SECRET= # github client secret
TWITTER_CONSUMER_KEY= # twitter api key
TWITTER_CONSUMER_SECRET= # twitter secret key
SMTP_HOST= # e.g. smtp.gmail.com
SMTP_PORT= # defaults to 587
SMTP_FROM_NAME= # emails will be sent with this display name
SMTP_AUTH_USER= # emails will be sent from this email address
SMTP_AUTH_PASS= # nodemailer.createTransport password for the email provider
- Importing an audit file
- Parsing it to a JSON structure and saving it as a mongodb document
- Saving the document on the local server (uploads folder)
- Displaying each policy item in a separate section
- Select / deselect a custom policy item from an audit document
- Search bar for quick search an audit custom item by attribute value
- Select / deselect all custom items in one click
- Create and save and display in the app a new policy with selected custom items under a new name
- Perform an audit of the workstation, using the selected custom items
- Display the scan results as icons: a green checkbox is a passed test, red is a failed test, and yellow is a warning, meaning the actual value differs from the expected one but the item is still valid under its optional "CAN_NOT_BE_NULL" / "CAN_BE_NULL" flag
- As a backup, before anything is changed, the application exports all current registry hives (HKLM, HKCU, HKCR, HKU and HKCC) to a folder on the desktop (e.g. regedit-backup1632761699), so a bad enforcement can be rolled back
- Apply a single fix (enforce) to a single failed custom item
- Apply a batch fix over all failed items
- Live results
- Adding more custom items rule types that can be enforced by the system
- Adding user authentication with SSO
- PassportJS (SSO providers are Google, GitHub and Twitter)
- The raw data from passportjs is displayed on the UI as a JSON structure
- Some of the fields (e.g. the audit filename) are saved as encrypted values in the database (aes-256-ctr algorithm)
- The email confirmation token used for user email verification is encrypted as well; a stored token looks like:
"token": { "iv": "7b54d294024a965daed91065f86b83f0", "content": "c84a154d23bf78a6ccc61127c44beb1626880e7c" }
- Caveat: CTR mode gives confidentiality only, not integrity. Anyone who can write to the collection can flip bits of "content" and the value still decrypts without error, and the 16-byte "iv" must be freshly random for every encryption, since reusing it under the same key leaks the XOR of the plaintexts. An authenticated mode such as aes-256-gcm covers both points.
- Registered users have the possibility to verify their email address (extracted from SSO providers)
- The verification tokens are encrypted and stored together with a user mapping in a mongodb collection
- Nodemailer is used for sending email via our express API
- The token confirmation page is server-side rendered
- The electron SBT app will display the current status of the user email verification