Skip to content

OpenRMF Professional open API automation scripts and code to POST, PUT, and GET information via the External API

Notifications You must be signed in to change notification settings

SoteriaSoftwareLLC/openrmfpro-automation

Repository files navigation

OpenRMF® Professional API Automation

This repo contains OpenRMF® Professional API automation scripts and code to POST, PUT, and GET information via our open API. The API was introduced as a main feature in v2.6 late summer 2021 and vastly improved in v2.7 released in January 2022 and again in v2.8. Later versions will expand on this as well, as will the examples in this repo. Subscribe to the repo to get notifications on updates.

This repo goes along with the OpenRMF® Professional application and the Developer's Guide from Soteria Software to automate ingest and download of data to/from OpenRMF Professional. Please contact Soteria Software for more information.

How this Repo is Organized

Scenarios

The scenarios folder explains a few scenarios around the APIs to get your creative juices flowing through your brain and getting your team communicating around ideas.

Data

The data for checklists, SCAP scans and Nessus/ACAS scans, and Audit Compliance scans based on DISA or CIS benchmarks is in the data directory. Your scripts can pull from that sample data as examples. There are also example custom checklists created with our Custom Checklist wizard for all the manual policy, process, and procedure requirements in cyber compliance (i.e. NIST Control families like PM, AT, IR, PL, SA, RA).

  • Nessus Patch Vulnerability Scans
  • DISA CKLs
  • Evaluate-STIG checklists
  • Tanium CSV SCAP results
  • Nessus SCAP
  • other SCAP results
  • Nessus audit compliance scans for
  • Software / Container vulnerability data
  • Universal format Patch vulnerability data
  • Lists for hardware, software, ports/protocols/services
  • Lists for mitigation statements
  • Lists for compliance statements
  • Rapid7 Nexpose scan data
  • Reading data from dashboards, scores, and compliance

Each type of technology / language is organized in its own folder for dotnet core, golang, python, and scripts to just show examples. Your folder structure, URL, key, token, systemKey for data may be different but similar.

Sample Dashboards

The dashboards folder show mainly Grafana dashboards pulling data from the OpenRMF® Professional API as well using the JSON API datasource for Grafana.

Sample Applications

The applications folder has an (older) example NodeJS application in it. This was done in VSCode. The .vscode has launch JSON information for the environment variables needed to wrap the API correctly.

  • "LISTENPORT" -- the port that your application listens on for the web interface, can be whatever you want it to be that works
  • "ROOTAPIURL" -- the root URL to the external API based on DNS name, IP, etc. ending in /api/external
  • "APIKEY" -- your API Key created for you, that tracks back to a user in OpenRMF with permissions and roles, especially the ExternalAPI role it needs
  • "APITOKEN" -- the token generated for that API key

Scripts showing API calls

The python folder has python 3 scripts organized to show almost all of the API calls as well as a few combination calls.

The dotnet-core folder has example .NET Core API call examples.

The golant folder has example Go language API call examples.

The scripts folder has bash shell scripts with curl to call APIs with examples as well.

Swagger.json

The swagger.json file in the root of this repo shows calls as of OpenRMF® Professional v2.10 API. Check the Developers Guide for this version to understand the calls and data formats.

Note to Developers

Feel free to Fork this repo, add your own ideas, and do a P/R for us to review and add into the community using this.

The massive manual way we STILL do ATOs and FedRAMP/RMF approvals has passed its expiration date! And it is starting to stink.

We need to do better!

See more information at https://www.soteriasoft.com/ as well as our links on that site to our YouTube videos and scenarios.