Toolkit for getting open source apps ready for secure, approved government use
XSLT Shell HTML PHP Other
Latest commit 543004b Feb 2, 2017 @gregelin gregelin committed on GitHub Notice that rep is not being maintained

README.md

govready

An accreditation-helper toolkit to make FISMA easier.

NOTE: THIS REPO IS NOT CURRENTLY BEING ACTIVELY MAINTAINED. THAT MAY CHANGE IN THE FUTURE.

Vision

The GovReady vision is to make FISMA easier for innovators by

  • making compliance part of Agile/DevOps
  • sharing compliance progress data among Dev, Ops, Sec, and Mgt
  • making baseline development collaborative
  • providing trusted SCAP content with open source friendly licenses
  • embracing compliance as a practice distinct from security

Product

Our first product is "govready", a toolkit for running FISMA scans and managing results with a git-like feel.

Govready uses (and is a contributor to) the NIST Certified SCAP 1.2 toolkit OpenSCAP and Scap-Security-Guide.

Our design goal is to make scanning easier and more collaborative regardless of your knowledge of FISMA.

License

Copyright 2013, 2014 Greg Elin and GovReady. All Rights Reserved.

License: GPL 3.0

Project Status

Govready is under heavy development and is pre-release. The current version is 0.6.x.

We recommend only using govready currently on non-production virtual machines.

Feedback via GitHub issues is appreciated!

The govready toolkit is funded by a generous grant from the John S and James L Knight Foundation

Get Started

Below are several quickstarts. Use the quickstart for your preferred OS.

( Need a vm to test GovReady? Try: https://github.com/GovReady/testmachines )

RedHat 6, 7 quickstart (64 bit)

# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternate if epel installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y


# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Run a scan
govready scan

# List results
ls -l scans

# View repoort from most recent scan
lynx scans/results.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh

Centos 6 quickstart (64 bit)

Note: CentOS is NOT RHEL without subscription. There is a general assumption that SSG tests for RHEL work on CentOS, but that is not guaranteed.

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Import CentOS cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-centos6-cpe-dictionary.xml:' GovReadyfile

# Run a scan
govready scan

# List results
ls -l scans

# View repoort from most recent scan
lynx scans/results.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh

Ubuntu 12 and 14 quick start (64 bit)

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
su - 

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Run an oscap command just to see things fail because we have no SCAP content installed for Ubuntu
oscap xccdf eval --profile test --results scans/test-results-0822-1319.xml --report scans/test-results-0822-1319.html  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Sorry - this is all you can do on Ubuntu at the moment. :-(
# Fork the code and help us include Ubuntu and Debi

Additional Quickstarts available in the repo. See "Quickstart-platform.md"

Remote Scanning (integration with oscap-ssh script)

The recently released oscap-ssh enables Scanning Remote Machines with OpenSCAP. As a user-friendly frontend to the OpenSCAP tools, GovReady has been enhanced to make use of this exciting new feature. There are two ways to make use of this new feature (which may be used separately or together):

1. Update four variables in the (configuration) GovReadyfile:

# All four vars must be set 'sudo OSCAP_USER@OSCAP_HOST OSCAP_PORT' for remote scanning.
# Note that openscap-scanner ('oscap') must be installed on the remote server.
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22

The openscap scanner is best run by root, but enabling direct root SSH access is a security risk. A non-privileged user such as oscap-user can be enabled to run only the oscap binary as root (when the sudo flag is given) by updating the remote machine's sudoers file or adding a file like /etc/sudoers.d/99-oscap-user:

# allow oscap-user to run openscap scanner
Defaults!/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /bin/oscap

2. Create or override GovReadyfile values with GOVREADY_* environment variables:

This will scan the RHEL 7 machine badwolf.example.com via port 2222:

export GOVREADY_OSCAP_HOST=badwolf.example.com
export GOVREADY_OSCAP_PORT=2222
export GOVREADY_XCCDF=ssg-rhel7-ds.xml
govready scan

Notes and Caveats on remote scanning

  • All values in the GovReadyfile can be overridden with GOVREADY_* environment variables. This facilitates integration with many site management tools such as Ansible, Chef and Puppet.
  • As @mpreisler notes, currently oscap-ssh must be run as root, while remote ssh access is generally considered a security hole to be remediated. A future release will resolve this.
  • OVAL and CPE files can not be separately named on the command line. Rather, use a "datastream" object as the XCCDF file (which can contain OVAL and CPE definitions within it).

Uninstall govready

Using curl

# Uninstall
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo UNINSTALL=1 bash

Install development branches

# Install branch other than master
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo BRANCH=branch_name bash

# Use an installer from a different branch
curl -Lk https://raw.githubusercontent.com/GovReady/govready/branch_name/install.sh | sudo BRANCH=branch_name bash

Testmachines

Use https://github.com/GovReady/testmachines for virtual machines to test GovReady.