ALERT: Due to Oracle policy change, this automated build stopped working as of March 16, 2014. See: https://github.com/GitMachines/statedecoded-gm-centos6/issues/64 for more details.
| Date | Status | Time to Build |
|---|---|---|
| Apr 24, 2014 Updated | VM OK. Statedecoded OK. Search OK. SCAP Scan ran OK. | real 31m8.796s; user 0m17.039s; sys 0m12.127s |
| Apr 21, 2014 Updated | VM OK. Statedecoded OK. Search OK. SCAP Scan ran OK. | real 30m55.886s; user 0m16.435s; sys 0m11.889s |
| Apr 19, 2014 Updated | VM OK. Statedecoded OK. Search OK. SCAP Scan ran OK. | real 28m47.478s; user 0m16.496s; sys 0m11.757s |
For previous status tests see STATUS.md
This repo is to create a GitMachines version of State Decoded on CentOS 6.
- First, a one-click install of Waldo Jacquith's Statedecoded.
- Second, basic scans for security auditing as part of the install. (in progress as of 01.04.2014)
- Third, transparent documentation to make multi-machine configuration easier.
- Finally, a Statedecoded GitMachine - fully accreditation-ready, one-click install of Statedecoded on a virtual machine, ready for easy adoption.
**Warning: this is a work in progress - Please check branches for activity**
| Version | Description |
|---|---|
| v0.4.0 | Fully automatic build of State Decoded including configuring of Solr, loading sample laws, and running SCAP scan to generate reports. |
| v0.3.0 audit-stub | One-click build of StateDecoded from a released version on localhost:8080 (including Solr running with Tomcat6). Subset of Virginia imported from project warehouse for reliability. Import tested. Laws import. Bulk exports prepared. Laws indexed in Solr. Links to text and xml versions of law work. Bulk download works. Added audit folder and simpler test profile to run scap easier. |
| v0.2.3 nicer++.1 | One-click build of StateDecoded on localhost:8080 (including Solr running with Tomcat6). Virginia laws prepared for import. Import tested. Laws import. Bulk exports prepared. Laws indexed in Solr. Links to text and xml versions of law work. Bulk download works. Separate script to run SCAP report. OS not yet locked down. |
| v0.2 nicer | One-click install to working StateDecoded localhost:8080, tomcat6, solr. Ready to import Virginia laws. Solr not populated. No auto security check. |
| v0.1 nice | One-click install to working localhost:8080, no xml, no solr. |
How can I contribute?
We are learning as we go and do not yet have clear asks to make of others. However, you can:
- Follow along, try things, and submit issues
- Fork, hack, and make pull requests (PLEASE keep these small for now and related to our project goals).
Why this project?
The current statedecoded-vagrant is helpful in setting up the environment on vagrant, but is not yet a one-click install. It also has some gotchas we found in using it.
At GitMachines we are interested in one-click installs to get accreditation-ready builds in order to encourage adoption.
What our one-click build does..
- Uses CentOS, which is very very close to RedHat Enterprise
- Configures CentOS firewall for Apache, Solr, and Tomcat
- Pulls down statedecoded from its github repo
- Mounts statedecoded directory on both guest and host machine (so you can access files from host machine, too)
- Installs PHP 5, Apache, Java (for Solr, Tomcat), Tomcat6 (for running Solr), Solr
- Configures statedecoded.dev virtual host
- Pulls down Virginia state laws
- Automatically runs SCAP security scan using oscap and produces report
- Automatically imports subset sample of Virginia laws
What user needs to do...
- Open terminal
- Clone repo: `git clone git@github.com:GitMachines/statedecoded-gm-centos6.git`
- Change directory into the repo (`cd statedecoded-gm-centos6`) and run `vagrant up`
- Surf web for ~20 minutes (may vary with speed of connection)
- Wait ~10 minutes while sample laws are automatically imported, bulk exports are prepared, and laws get indexed by Solr
- Run `open audit/home.html` to open your GitMachines control page
- Latest version of vagrant (vagrantup.com)
- Latest version of VirtualBox (4.2.10 guest additions on our base box)
- Do not have a service running on ports 8080 or 8081 on the host computer.
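A preflight check for the host requirements just listed, as an added example that is not part of the statedecoded-gm-centos6 repo: it verifies that nothing on the host already accepts connections on 8080 or 8081 (the ports the GitMachine forwards) and that the `vagrant` and `VBoxManage` commands are on PATH. The tool names are assumptions about what a Vagrant plus VirtualBox install provides; the port numbers come from the list above.

```python
"""Preflight check for the host before `vagrant up`.

Added example, not part of the statedecoded-gm-centos6 repo. It checks the two
host requirements from the README that a build can silently trip over: ports
8080 and 8081 must be free (the GitMachine forwards them to the host), and the
vagrant / VBoxManage commands must be installed (assumed CLI names).
"""
import shutil
import socket

REQUIRED_PORTS = (8080, 8081)               # forwarded guest ports, from the README
REQUIRED_TOOLS = ("vagrant", "VBoxManage")  # assumed CLI names for Vagrant and VirtualBox


def port_in_use(port, host="127.0.0.1", timeout=0.5):
    """True if something on the host already accepts TCP connections on port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def missing_tools(tools=REQUIRED_TOOLS):
    """Names from tools that cannot be found on PATH."""
    return [name for name in tools if shutil.which(name) is None]


def preflight(ports=REQUIRED_PORTS, tools=REQUIRED_TOOLS):
    """Return a list of human-readable problems; an empty list means go ahead."""
    problems = []
    for port in ports:
        if port_in_use(port):
            problems.append(
                f"port {port} is already in use on the host; vagrant cannot forward it"
            )
    for name in missing_tools(tools):
        problems.append(f"{name} not found on PATH")
    return problems


def occupy_port():
    """Bind a listener on an ephemeral loopback port to simulate a conflicting service.

    Used for self-testing only; returns (socket, port) and the caller closes the socket.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    import sys

    issues = preflight()
    for line in issues:
        print("PROBLEM:", line)
    print("preflight", "failed" if issues else "ok")
    sys.exit(1 if issues else 0)
```

Run it from the repo directory before `vagrant up`; a non-zero exit means one of the requirements above is not met, which is cheaper to learn now than 30 minutes into the build.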
One-click build and (simple) audit run
```bash
# Clone this repo locally to your computer and switch to repo directory.
git clone git@github.com:GitMachines/statedecoded-gm-centos6.git
cd statedecoded-gm-centos6
# Stop any running virtual machines that might conflict on ports 8080 and 8081.
# Launch your gitmachine
vagrant up
# Browse the web, b/c this will take ~ 30 minutes or more.
# Your statedecoded GitMachines is running on http://localhost:8080
# Sample laws have been imported
# Openscap has been installed and a very (very) simple scan is run
# Check out your GitMachine!
# If a browser does not open on its own, enter the below line on command line
open audit/home.html
```
(Optional) SSH into your gitmachine and run the SCAP test manually
You can run your own audit checks using the installed OpenSCAP `oscap` command line tool. The steps:
```bash
vagrant ssh
# Re-run sample scap script
/vagrant/resources/scripts/oscap-rhel6.sh
# Reports are available in audit/reports directory.
# Want to run your own scan? Here is the command format from oscap-rhel6.sh
oscap xccdf eval --profile stig-rhel6-server \
  --results /vagrant/audit/reports/results-stig-rhel6-server.xml \
  --report /vagrant/audit/reports/report-stig-rhel6-server.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
```
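Once the scan above has written results-stig-rhel6-server.xml, the following script (an added example, not part of this repo or of OpenSCAP) summarizes it without opening the HTML report: it counts the outcomes in the XCCDF rule-result elements, lists failing rules by severity, and exposes a gate that an automated build could use to fail on high-severity findings. The XML embedded below is constructed, with made-up rule ids and a profile id taken from the command above; real oscap output is much larger and carries the SSG rule ids, but the same elements are present in both XCCDF 1.1 and 1.2 output.

```python
"""Summarize an XCCDF results file written by `oscap xccdf eval --results ...`.

Added example; not part of the statedecoded-gm-centos6 repo or of OpenSCAP.
Counts rule outcomes, lists failing rules by severity and offers a simple
gate so a build can decide whether the audit is acceptable.
"""
import sys
from collections import Counter
import xml.etree.ElementTree as ET

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample in the shape oscap emits; rule ids are made up for this example.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed_benchmark">
  <TestResult id="constructed_testresult" start-time="2014-04-24T00:00:00" end-time="2014-04-24T00:05:00">
    <profile idref="stig-rhel6-server"/>
    <rule-result idref="example_rule_password_max_age" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="example_rule_root_ssh_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="example_rule_firewall_enabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="example_rule_aide_installed" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_unknown_check" severity="low"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, result) for every rule-result element."""
    root = ET.fromstring(xml_text)
    rows = []
    for el in root.iter():
        if _local(el.tag) != "rule-result":
            continue
        result = "unknown"
        for child in el:
            if _local(child.tag) == "result":
                result = (child.text or "").strip() or "unknown"
        rows.append((el.get("idref", "?"), el.get("severity", "unknown"), result))
    return rows


def summarize(xml_text):
    """Count outcomes and sort failing rules by severity (high first), then by id."""
    rows = parse_rule_results(xml_text)
    counts = Counter(result for _, _, result in rows)
    failing = sorted(
        ((rule_id, sev) for rule_id, sev, result in rows if result == "fail"),
        key=lambda item: (SEVERITY_ORDER.get(item[1], 4), item[0]),
    )
    return {"total": len(rows), "counts": dict(counts), "failing": failing}


def gate_passes(summary, block_on=("high",)):
    """True unless some failing rule carries one of the blocking severities."""
    return not any(sev in block_on for _, sev in summary["failing"])


def load(path):
    """Read a results file from disk (e.g. audit/reports/results-stig-rhel6-server.xml)."""
    with open(path, encoding="utf-8") as handle:
        return handle.read()


if __name__ == "__main__":
    text = load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize(text)
    print(f"{summary['total']} rules evaluated: {summary['counts']}")
    for rule_id, sev in summary["failing"]:
        print(f"  FAIL [{sev}] {rule_id}")
    print("gate:", "pass" if gate_passes(summary) else "FAIL (high-severity findings)")
    sys.exit(0 if gate_passes(summary) else 1)
```

Pass the results path as the first argument (inside the VM, /vagrant/audit/reports/results-stig-rhel6-server.xml); with no argument it runs on the constructed sample. The gate deliberately ignores notapplicable and notchecked outcomes, since those are not findings, and the blocking severities are a parameter so a project can tighten them as its hardening progresses.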
Your statedecoded will look a bit lame without any laws. We've pre-configured everything to use Virginia's laws as a sample.
To change the laws you will need to follow the below steps.
(Optional) Install Laws for a Different State
To use the laws of a different state, follow the steps below to modify the files and re-import the laws.
- Adjust config.inc.php settings. See http://statedecoded.github.io/documentation/config.html
- Rename statedecoded/includes/class.Virginia.inc to the new state name, example
- Prepare the laws to the StateDecoded XML format. See http://statedecoded.github.io/documentation/
- Replace the Virginia XML law files with new state XML formatted laws into
- Empty the database. (Better instructions to come.)
- Re-import the laws from the admin page at
(Optional) Give your GitMachine a domain name of statedecoded.dev
Your GitMachine and Statedecoded website are configured to be accessed by the domain statedecoded.dev. To do this, add the following line to the bottom of your host computer's hosts file (ex: /etc/hosts on Linux and Macs).
Note: We do not automate changing your host computer's hosts file because it is highly risky to do automatically.
This box is being tested for the following security
Why CentOS instead of Ubuntu?
- Bit compatibility with Red Hat Enterprise Linux (RHEL), since RHEL is common among governments and businesses.
- We want cities to adopt Statedecoded, and RHEL has government acceptance b/c it is built on SELinux (Security Enhanced Linux).
- SELinux has elements, like a default firewall (/etc/sysconfig/iptables), that Ubuntu does not.
- OpenSCAP (Security Content Automation Protocol) and baseline control configurations already exist for CentOS but do not yet for Ubuntu (from what we can tell). We need SCAP to produce the scans and audit reports to make Statedecoded accreditation-ready.
Why from scratch?
Why not just start from what statedecoded-vagrant has?
- To learn.
- To deal easier with CentOS's built-in firewall.
- To automate OpenSCAP scanning and reporting.
- To see if we can streamline and further automate the install.
- To rethink how documentation can be managed and even driven from code.
- Because some installations will require the database to be run on a different server from the application and to have other redundancies. We want to understand how to create a path for varying configurations.
See the issues.