From 2c6b15a027bc97f869d3a9f67c229933f8a6e7c5 Mon Sep 17 00:00:00 2001
From: CM Lubinski
Date: Wed, 11 Jan 2017 16:09:06 +0000
Subject: [PATCH] Add initial project docs
Copied from 18F/atf-eregs --- these all need to be updated ---
.about.yml | 128 ++++++++++++++++++
.bandit | 2 +
LICENSE.md | 35 +++++
README.md | 27 ++++
compliance/component.yaml | 268 ++++++++++++++++++++++++++++++++++++++
opencontrol.yaml | 26 ++++
system-security-plan.yml | 64 +++++++++
7 files changed, 550 insertions(+)
create mode 100644 .about.yml
create mode 100644 .bandit
create mode 100644 LICENSE.md
create mode 100644 README.md
create mode 100644 compliance/component.yaml
create mode 100644 opencontrol.yaml
create mode 100644 system-security-plan.yml
diff --git a/.about.yml b/.about.yml
new file mode 100644
index 000000000..5756c8203
--- /dev/null
+++ b/.about.yml
@@ -0,0 +1,128 @@
+---
+# .about.yml project metadata
+
+# This is a short name of your project that can be used as a URL slug.
+# (required)
+name: atf-eregs
+
+# This is the display name of your project. (required)
+full_name: ATF eRegulations
+
+# What is the problem your project solves? What is the solution? (required)
+description: The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) maintains a large amount of complex information that the public needs to use, including regulations with important requirements related to munitions, firearms, and explosives. 18F adapted and customized eRegulations, an open source project started by the Consumer Financial Protection Bureau in 2013, to make ATF's regulations easier to find, read, and understand.
+
+# What is the measurable impact of your project? (required)
+impact: We produced a web application that offers substantial support for reading complex legal information, which helps ATF serve the public.
+
+# What kind of team owns the repository? (required)
+# values: guild, working-group, project
+owner_type: project
+
+# What is your project's current status? (required)
+# values: discovery, alpha, beta, live
+stage: live
+
+# Should this repo have automated tests? If so, set to `true`. (required)
+# values: true, false
+testable: true
+
+# What are the licenses that apply to the project and/or its components?
+# (required)
+# Items by property name pattern:
+# .*:
+# name: Name of the license from the Software Package Data Exchange (SPDX): https://spdx.org/licenses/
+# url: URL for the text of the license
+licenses:
+ atf-eregs:
+ name: CC0-1.0
+ url: https://github.com/18F/atf-eregs/blob/master/LICENSE.md
+
+# Who is the partner for your project?
(Use the full name of the partner
+# documented here:
+# https://github.com/18F/dashboard/blob/staging/_data/partners.yml)
+partners:
+- Bureau of Alcohol, Tobacco, Firearms and Explosives
+
+# The main point of contact(s) and/or the issue reporting system for your
+# project, and either a `mailto:` link or URL for each contact.
+# Items:
+# - url: URL for the link
+# text: Anchor text for the link
+contact:
+- url: https://github.com/18F/atf-eregs/issues
+ text: GitHub issues
+
+# Who are the team members on your project? You can specify GitHub usernames,
+# email addresses, or other organizational usernames. (required)
+# Items:
+# - github: GitHub user name
+# id: Internal team identifier/user name
+# role: Team member's role; leads should be designated as 'lead'
+team:
+- github: brittag
+ role: Content Designer
+- github: cmc333333
+ role: Engineer
+- github: jbarnicle
+ role: Engineer
+- github: jehlers
+ role: User Experience Designer
+- github: journerdism
+ role: Product Manager
+- github: tadhg-ohiggins
+ role: Engineer
+- github: theresaanna
+ role: Engineer
+- github: vrajmohan
+ role: Engineer
+
+# What kind of content is contained in the project repository?
+# values: app, docs, policy
+type: app
+
+# What are the key milestones you've achieved recently?
+#milestones:
+#-
+
+# Name of the main project repo if this is a sub-repo; name of the grouplet
+# repo if this is a working group/guild subproject
+#parent:
+
+# What are the links to key artifacts associated with your project? e.g. the
+# production site, documentation.
+# Items:
+# - url: URL for the link
+# text: Anchor text for the link
+# category: Type of the link
+links:
+- url: https://atf-eregs.apps.cloud.gov/
+ text: ATF eRegulations website
+
+# What tags does your organization's blog associate with your project? You can
+# find a list of 18F blog tags here: https://18f.gsa.gov/tags/
+#blogTag:
+#-
+
+# What technologies are used in this project?
+#stack:
+#-
+
+# What are the services used to supply project status information?
+# Items:
+# - name: Name of the service
+# category: Type of the service
+# url: URL for detailed information
+# badge: URL for the status badge
+#services:
+#-
+
+# Organizations or individuals who have adopted the project for their own use
+# Items:
+# - id: The name of the organization or individual
+# url: A URL to the user's version of the project
+#users:
+#-
+
+# Tags that describe the project or aspects of the project
+#tags:
+#-
\ No newline at end of file
diff --git a/.bandit b/.bandit
new file mode 100644
index 000000000..f7831187e
--- /dev/null
+++ b/.bandit
@@ -0,0 +1,2 @@
+[bandit]
+skips: B101
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 000000000..b0ddfaaf0
--- /dev/null
+++ b/LICENSE.md
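Review bot: `skips: B101` disables Bandit's assert_used check for the whole repository, not just the test suite, so an `assert` used as an input or state guard in application code will go unreported. If the goal is only to tolerate asserts in tests, keep the skip but narrow the scan with an `exclude:` entry naming the test directory (placeholder `exclude: ./tests`), or mark the individual lines with `# nosec` where the exception is actually needed. Given the commit says these files were copied from 18F/atf-eregs, the skip may be inherited rather than a decision made for this project.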
@@ -0,0 +1,35 @@
+# Public domain
+
+As a work of the United States Government, this project is in the
+public domain within the United States.
+
+Additionally, we waive copyright and related rights in the work
+worldwide through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the
+[Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to
+the public domain by waiving all of his or her rights to the work worldwide
+under copyright law, including all related and neighboring rights, to the
+extent allowed by law.
+
+You can copy, modify, distribute and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0,
+nor are the rights that other persons may have in the work or in how the
+work is used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with
+this deed makes no warranties about the work, and disclaims liability for
+all uses of the work, to the fullest extent permitted by applicable law.
+When using or citing the work, you should not imply endorsement by the
+author or the affirmer.
diff --git a/README.md b/README.md
new file mode 100644
index 000000000..dff31eb42
--- /dev/null
+++ b/README.md
@@ -0,0 +1,27 @@
+# ATF eRegulations
+This repository contains code necessary to run a Bureau of Alcohol,
+Tobacco, Firearms and Explosives ([ATF](https://www.atf.gov)) instance of
+[eRegulations](https://eregs.github.io) (a regulation parser, API, and viewer). Live version: [https://atf-eregs.apps.cloud.gov/](https://atf-eregs.apps.cloud.gov/)
+
+This code glues together general-purpose/non-agency-specific eRegulations libraries (which are not in this repository) with ATF-specific styles, templates, and plugins (which are in this repository).
+
+## Status
+[![Build Status](https://travis-ci.org/18F/atf-eregs.svg?branch=master)](https://travis-ci.org/18F/atf-eregs)
+[![Quantified Code](https://www.quantifiedcode.com/api/v1/project/e2ee92b5c3db486f89d47371c4d89a2f/badge.svg)](https://www.quantifiedcode.com/app/project/e2ee92b5c3db486f89d47371c4d89a2f)
+[![Dependency Status](https://gemnasium.com/18F/atf-eregs.svg)](https://gemnasium.com/18F/atf-eregs)
+
+## Documentation and contributing
+
+See the [eRegulations overview](https://eregs.github.io/) for context about eRegulations, which is a multi-agency project.
+
+To learn how to set up ATF eRegulations (locally or in production) and customize it/develop for it, see [the documentation hosted on Read the Docs](https://atf-eregs.readthedocs.org/).
+
+If you're interested in contributing to ATF eRegulations, see [the contributing guidelines](CONTRIBUTING.md).
+
+## Public domain
+
+This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):
+
+> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+>
+> All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
\ No newline at end of file
diff --git a/compliance/component.yaml b/compliance/component.yaml
new file mode 100644
index 000000000..58e29ee43
--- /dev/null
+++ b/compliance/component.yaml
@@ -0,0 +1,268 @@
+schema_version: 3.0.0
+name: ATF eRegs
+documentation_complete: false
+references:
+- name: New Relic Application Monitoring
+ path: https://newrelic.com/application-monitoring
+ type: URL
+- name: Repository's Github
+ path: https://github.com/18F/atf-eregs
+ type: URL
+- name: Custom User Provided Service Documentation
+ path: https://docs.cloudfoundry.org/devguide/services/user-provided.html
+ type: URL
+- name: Flake8, Python Linting Tool
+ path: http://flake8.pycqa.org/en/latest/
+ type: URL
+- name: Bandit, Static Security Analysis
+ path: https://wiki.openstack.org/wiki/Security/Projects/Bandit
+ type: URL
+- name: OWASP's ZAP
+ path: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
+ type: URL
+- name: Nessus
+ path: http://www.tenable.com/products/nessus-vulnerability-scanner
+ type: URL
+satisfies:
+- standard_key: NIST-800-53
+ control_key: AC-2 # Account Management
+ narrative:
+ - text: >
+ Within the application (see cloud.gov for lower-level controls), there
+ are no users nor sensitive data. The system only displays open data.
+- standard_key: NIST-800-53
+ control_key: AC-3 # Access Enforcement
+ narrative:
+ - text: >
+ The majority of the application's functionality is read-only, and
+ accessible to the general public. The ability to *update* data (i.e.
+ write-access) is restricted via HTTP BASIC AUTH credentials. Combined,
+ the user name and password are 64 randomly generated hexadecimal
+ characters. For more details, see
+ http://atf-eregs.readthedocs.io/en/latest/production_setup.html#updating-data
+- standard_key: NIST-800-53
+ control_key: AC-6 # Least Privilege
+ narrative:
+ - text: >
+ As noted above, the only "privilege" is write access, which only
+ developers have (due to configuring the system).
+- standard_key: NIST-800-53
+ control_key: AU-2 # Audit Events
+ narrative:
+ - text: >
+ Cloud.gov logs requests, failures, warnings, etc. emitted by the
+ application.
We also utilize New Relic, which registers Python-level
+ exceptions and periods of down-time.
+ covered_by:
+ - verification_key: new-relic
+- standard_key: NIST-800-53
+ control_key: AU-6 # Audit Review, Analysis, and Reporting
+ narrative:
+ - text: >
+ In addition to the low-level reporting provided by cloud.gov, New Relic
+ sends email alerts to the team after repeated errors or down-time.
+ covered_by:
+ - verification_key: new-relic
+- standard_key: NIST-800-53
+ control_key: CA-8 # Penetration Testing
+ narrative:
+ - text: No controls on top of cloud.gov's
+- standard_key: NIST-800-53
+ control_key: CM-2 # Baseline Configuration
+ narrative:
+ - text: No controls on top of cloud.gov's
+- standard_key: NIST-800-53
+ control_key: CM-3 # Configuration Change Control
+ narrative:
+ - text: >
+ In addition to cloud.gov controls, all code is reviewed on GitHub before
+ being merged into the "master" branch. These changes are tested
+ automatically via Travis CI (which runs unit, integration tests, and
+ static analysis). Proposed changes have appropriate justification
+ (describing problems resolved or referencing further details in an
+ issue tracker) in either their commit history or as part of the Github
+ Pull Request. Proposed changes which fail automated tests are
+ generally not merged. Only the tested, "master" branch code is
+ deployed, on an ad-hoc basis.
+ references:
+ - verification_key: github
+ - verification_key: travis
+- standard_key: NIST-800-53
+ control_key: CM-6 # Configuration Settings
+ narrative:
+ - text: >
+ As described in the application docs, configurable settings are
+ defined in a handful of locations. Configurations which can be shared
+ between cloud.gov environments are located in the manifest_base.yml,
+ atf_eregs/settings/base.py and prod.py files ("prod" here meaning in
+ contrast to local development). Configurations which are specific to
+ one cloud.gov environment (i.e.
either the staging or production
+ environment) are located in the appropriate manifest_*.yml file or
+ stored in and provided by a cloud.gov "custom user provided service".
+ references:
+ - verification_key: cups
+- standard_key: NIST-800-53
+ control_key: CM-8 # Information System Component Inventory
+ narrative:
+ - text: >
+ In addition to the controls provided by cloud.gov, the application
+ tracks components through versioned library dependencies
+ (requirements.txt), as well as a listing of relevant cloud.gov services
+ (mentioned in the application docs)
+- standard_key: NIST-800-53
+ control_key: IA-2 # Identification and Authentication (Organizational
+ # Users)
+ narrative:
+ - text: >
+ Cloud.gov controls cover the majority, here. We also use a
+ randomly-generated 64-character hexadecimal HTTP BASIC AUTH token to
+ identify organizational users when updating regulation data. This token
+ (split into two halves for "username" and "password") is stored in a
+ cloud.gov "custom user provided service", from which developers retrieve
+ the credentials before using them.
+- standard_key: NIST-800-53
+ control_key: IA-2 (1) # Identification and Authentication (Organizational
+ # Users)
+ # Network Access to Privileged Accounts
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: IA-2 (2) # Identification and Authentication (Organizational
+ # Users)
+ # Network Access to Non-Privileged Accounts
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: IA-2 (12) # Identification and Authentication (Organizational
+ # Users)
+ # Acceptance of PIV Credentials
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: PL-8 # Information Security Architecture
+ narrative:
+ - text: >
+ In addition to cloud.gov controls, note the diagrams in
+ http://atf-eregs.readthedocs.io/en/latest/production_setup.html#production-setup
+ .
In summary, data is indirectly retrieved from the Federal Register
+ and FDSYS (via the regulations-parser library), but passes through a
+ developer before it reaches the server.
+- standard_key: NIST-800-53
+ control_key: RA-5 # Vulnerability Scanning
+ narrative:
+ - text: >
+ In addition to cloud.gov controls, the application layer is scanned with
+ both static and dynamic tooling. Before being merged into "master", all
+ custom code is automatically analyzed by "flake8" (a linting tool to
+ catch syntactic errors), "bandit" (a security-focused static analysis
+ tool), and a handful of custom, security-centric unit tests. Code which
+ does not meet these standards is generally not merged. We also employ
+ Gemnasium to track our dependencies, Code Climate to warn of potentially
+ concerning style, and Quantified Code to warn about security and style
+ issues.
+
+ For dynamic analysis, we've addressed all high and medium issues
+ raised by evaluating the application with OWASP ZAP and Nessus.
+ Indeed, only two low priority issues remain and both are
+ false-positives.
+ references:
+ - verification_key: flake8
+ - verification_key: bandit
+ - verification_key: gemnasium
+ - verification_key: code-climate
+ - verification_key: quantified-code
+ - verification_key: owasp-zap
+ - verification_key: nessus
+- standard_key: NIST-800-53
+ control_key: SA-11 (1) # Developer Security Testing and Evaluation
+ # Static Code Analysis
+ narrative:
+ - text: >
+ In addition to cloud.gov controls, the application layer is scanned with
+ static analysis tooling. Before being merged into "master" all custom
+ code has "flake8" (a linting tool to catch syntactic errors), "bandit"
+ (a security-focused static analysis tool), and a handful of custom,
+ security-centric unit tests ran. Code which does not meet these
+ standards is generally not merged.
We also employ Gemnasium to track our
+ dependencies, Code Climate to warn of potentially concerning style, and
+ Quantified Code to warn about security and style issues.
+ references:
+ - verification_key: flake8
+ - verification_key: bandit
+ - verification_key: gemnasium
+ - verification_key: code-climate
+ - verification_key: quantified-code
+- standard_key: NIST-800-53
+ control_key: SA-22 (1) # Unsupported System Components
+ # Alternative Sources for Continued Support
+ narrative:
+ - text: >
+ At the application layer (see cloud.gov controls for lower), one
+ selection criteria for libraries was their support status. Should a
+ library fall in to an unsupported state, 18F has the capacity to
+ maintain it in-house.
+- standard_key: NIST-800-53
+ control_key: SC-7 # Boundary Protection
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: SC-12 (1) # Cryptographic Key Establishment and Management
+ # Availability
+ narrative:
+ - text: >
+ At the application layer (see cloud.gov controls for lower), all keys
+ are available to authorized users by querying cloud.gov's "services",
+ including "custom user provided services".
+- standard_key: NIST-800-53
+ control_key: SC-13 # Cryptographic Protection
+ narrative:
+ - text: See cloud.gov controls, which ensure HTTPS throughout.
+- standard_key: NIST-800-53
+ control_key: SC-28 (1) # Protection of Information at Rest
+ # Cryptographic Protection
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: SI-2 # Flaw Remediation
+ narrative:
+ - text: >
+ At the application layer (see cloud.gov controls for lower), all custom
+ code passes through a set of automated unit and integration tests via
+ Travis CI. Library dependencies are verified up to date via Gemnasium.
+ Production errors are captured via New Relic and emailed to relevant
+ parties.
Further, code is first deployed (automatically) to our staging
+ environment, where we may discover errors before appearing in
+ production.
+ references:
+ - verification_key: travis
+ - verification_key: new-relic
+- standard_key: NIST-800-53
+ control_key: SI-4 # Information System Monitoring
+ narrative:
+ - text: See cloud.gov controls.
+- standard_key: NIST-800-53
+ control_key: SI-10 # Information Input Validation
+ narrative:
+ - text: >
+ At the application layer (see cloud.gov controls for lower), we
+ validate a JSON schema for incoming regulatory data (though the
+ information can only come from a trusted source). That said, the data
+ is generally low risk, as it comes from a developer.
+verifications:
+- key: travis
+ name: Repository's Travis CI
+ path: https://travis-ci.org/18F/atf-eregs
+ type: URL
+- key: gemnasium
+ name: Project's Gemnasium Results
+ path: https://gemnasium.com/github.com/18F/atf-eregs
+ type: URL
+- key: code-climate
+ name: Project's Code Climate Results
+ path: https://codeclimate.com/github/18F/atf-eregs
+ type: URL
+- key: quantified-code
+ name: Project's Quantified Code Results
+ path: https://www.quantifiedcode.com/app/project/e2ee92b5c3db486f89d47371c4d89a2f
+ type: URL
+
diff --git a/opencontrol.yaml b/opencontrol.yaml
new file mode 100644
index 000000000..51b833a0d
--- /dev/null
+++ b/opencontrol.yaml
@@ -0,0 +1,26 @@
+schema_version: "1.0.0"
+name: ATF eRegs
+metadata:
+ description: >
+ A pilot project to display ATF's regulations and associated meta data.
+ maintainers:
+ - christopher.lubinski@gsa.gov
+ - tadhg.ohiggins@gsa.gov
+ - william.sullivan@gsa.gov
+components:
+ - ./compliance
+certifications:
+ # paths
+standards:
+ # paths
+dependencies:
+ certifications:
+ # LATO
+ - url: https://github.com/18F/GSA-Certifications
+ revision: master
+ systems:
+ # Cloud.gov
+ - url: https://github.com/18F/cg-compliance
+ revision: master
+ standards:
+ # data
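Review bot: The `verification_key` values `new-relic`, `github`, `cups`, `flake8`, `bandit`, `owasp-zap` and `nessus` used under the AU-2, AU-6, CM-3, CM-6, RA-5, SA-11 (1) and SI-2 entries have no matching `key:` in the `verifications:` list at the end of the hunk, which defines only `travis`, `gemnasium`, `code-climate` and `quantified-code`; the tools they name appear only in the top-level `references:` list, which carries no keys, so these links resolve to nothing. Add a `- key: new-relic` (and so on) entry with `name`/`path`/`type` under `verifications:` for each, or drop the dangling references. The file also mixes `covered_by:` (AU-2, AU-6) and `references:` (CM-3 onward) for the same purpose; as far as I recall the 3.0.0 component schema defines only `covered_by`, so the `references:` lists may be silently ignored — worth checking against the schema before relying on them. Finally, the narratives restate evidence from the source project that does not yet exist for this repository (the RA-5 claim that all high and medium ZAP and Nessus findings were addressed, the AC-3/IA-2 description of the 64-hex-character BASIC AUTH credential); `documentation_complete: false` signals that at file level, but a `# TODO(placeholder): re-verify for this system` comment on each copied narrative would stop them from being read as current evidence.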
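Review bot: Both dependency entries pin `revision: master`, so the GSA certification and cloud.gov system content this plan inherits can change underneath it without any change being reviewed in this repository; pin a tag or commit instead (`revision: <tag-or-commit>` as a placeholder) and bump it deliberately. Separately, `certifications:`, `standards:` and `dependencies.standards:` are keys followed only by a comment, which YAML loads as null rather than an empty sequence; if the tooling expects lists, write `certifications: []` explicitly or leave the keys out until there is content.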
diff --git a/system-security-plan.yml b/system-security-plan.yml
new file mode 100644
index 000000000..774f247aa
--- /dev/null
+++ b/system-security-plan.yml
@@ -0,0 +1,64 @@
+---
+name: ATF eRegs
+uniqueID: MB18F15ATF01
+version: 1.0.0
+phase: beta
+information-types:
+- D26 Civilian Operations
+confidentiality: none
+integrity: low
+availability: low
+security-baseline: open data
+system-type: minor
+level-of-identity-assurance: 0
+staff:
+ authorizing-official:
+ name: Aaron Snow
+ title: 18F Executive Director
+ org: General Services Administration
+ unit: 18F
+ email: 18F@gsa.gov
+ system-owner:
+ name: Noah Kunin
+ title: 18F Infrastructure Director
+ org: General Services Administration
+ unit: 18F
+ email: devops@gsa.gov
+ system-management:
+ name: Noah Kunin
+ title: 18F Infrastructure Director
+ org: General Services Administration
+ unit: 18F
+ email: devops@gsa.gov
+ system-security-officer:
+ name: Noah Kunin
+ title: 18F Infrastructure Director
+ org: General Services Administration
+ unit: 18F
+ email: devops@gsa.gov
+ technical-lead:
+ name: CM Lubinski
+ title: Technical Lead
+ org: General Services Administration
+ unit: 18F
+ email: christopher.lubinski@gsa.gov
+leveraged-authorizations:
+- https://www.fedramp.gov/marketplace/compliant-systems/amazon-web-services-aws-eastwest-us-public-cloud/
+purpose: https://github.com/18F/atf-eregs
+components:
+- https://github.com/eregs/regulations-core
+- https://github.com/eregs/regulations-site
+diagram: http://atf-eregs.readthedocs.io/en/latest/production_setup.html#architecture
+network-architecture: http://atf-eregs.readthedocs.io/en/latest/production_setup.html#updating-data
+environments:
+- Cloud Foundry
+- Amazon Web Services East / West
+user-types:
+ developer:
+ functions:
+ - deployment
+ - engineering
+controls:
+- http://atf-eregs.readthedocs.io/en/latest/production_setup.html#updating-data
+- https://github.com/eregs/regulations-core#security
+---
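Review bot: `phase: beta` disagrees with `stage: live` in the `.about.yml` added by the same commit, and `uniqueID: MB18F15ATF01` together with the whole `staff:` block are carried over from the source project, so the plan currently describes a different system; when the values are revised the two status fields should at least be made to agree. `network-architecture:` points at the `#updating-data` anchor while `diagram:` points at `#architecture`, which looks swapped or mislabeled — worth confirming against the docs. The trailing `---` after `controls:` starts a second, empty YAML document; single-document loaders (PyYAML's `safe_load`, for example) may reject the stream, so it should probably be dropped or replaced with the `...` end-of-document marker.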