An accreditation-helper toolkit to make FISMA easier.
NOTE: THIS REPO IS NOT CURRENTLY BEING ACTIVELY MAINTAINED. THAT MAY CHANGE IN THE FUTURE.
The GovReady vision is to make FISMA easier for innovators by
- making compliance part of Agile/DevOps
- sharing compliance progress data among Dev, Ops, Sec, and Mgt
- making baseline development collaborative
- providing trusted SCAP content with open source friendly licenses
- embracing compliance as a practice distinct from security
Our first product is "govready", a toolkit for running FISMA scans and managing results with a git-like feel.
Our design goal is to make scanning easier and more collaborative regardless of your knowledge of FISMA.
Copyright 2013, 2014 Greg Elin and GovReady. All Rights Reserved.
License: GPL 3.0
Govready is under heavy development and is pre-release. The current version is 0.6.x.
We currently recommend using govready only on non-production virtual machines.
Feedback via GitHub issues is appreciated!
The govready toolkit is funded by a generous grant from the John S. and James L. Knight Foundation.
Below are several quickstarts. Use the quickstart for your preferred OS.
( Need a vm to test GovReady? Try: https://github.com/GovReady/testmachines )
Red Hat 7 quickstart (64 bit)
```bash
# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternative if EPEL is already installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y

# Install some useful tools to take full advantage of the SCAP-Security-Guide project
# openscap-scanner is the OpenSCAP certified SCAP scanner (the `oscap` command)
# scap-security-guide is the SCAP Security Guide project
# ansible is the Ansible infrastructure-as-code project
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install epel-release-latest-7.noarch.rpm
sudo yum install ansible openscap-scanner scap-security-guide -y

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
# curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo bash
# Note: -k disables TLS certificate verification and the script runs as root. To inspect it first,
# download it (curl -L -o install.sh https://raw.githubusercontent.com/GovReady/govready/master/install.sh),
# read it, then run `sudo bash install.sh`.
curl -Lk io.govready.org/install | sudo bash

# Switch to root so the scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
# (On AWS, it may be necessary to run `sudo su -`)
su -
# Change back to your preferred working directory if dropped into "/"
cd /home/myuser

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# List the scan profiles
govready profiles

# Choose the DISA STIG for RHEL 7 profile
govready profile stig-rhel7-disa

# Run a scan (the "before" scan)
# This command runs a multi-parameter OpenSCAP (oscap) command based
# on settings in `GovReadyfile`
govready scan

# Run the fix script generated by the most recent OpenSCAP (oscap) scan
# This utility generates all the parameters to produce a remediation script and command.
govready fix

# Run a post-remediation scan (the "after" scan)
# govready tracks your two most recent scans for easy after/before comparison
govready scan

# Compare before and after scans. Compares rules with 'pass' results in the most recent scan
# to their results in the second most recent scan.
govready compare

# Compare before and after scans to see if anything now fails that passed in the second most recent scan.
govready compare fail

# List results
ls -l scans

# Install the lynx command-line browser to view results from the prompt
# (the rhui-REGION-* repository ids apply to RHEL instances on AWS)
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install lynx

# View the report from the most recent scan
lynx scans/stig-rhel7-disa/[datestamp]-results.html

# Information and evaluation of an individual rule (the rule must be listed in the results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from the available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh
```
CentOS 6 quickstart (64 bit)
Note: CentOS is NOT simply RHEL without a subscription. It is generally assumed that the SSG tests for RHEL work on CentOS, but that is not guaranteed.
```bash
# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so the scanner can run all tests properly
su -

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Import the CentOS cpe-dictionary.xml and cpe-oval.xml SCAP data into the local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml

# Update GovReadyfile using sed (or update the CPE line manually with a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-centos6-cpe-dictionary.xml:' GovReadyfile

# Run a scan (the "before" scan)
govready scan

# List results
ls -l scans

# View the report from the most recent scan
lynx scans/results.html

# Run the fix script generated by the most recent OpenSCAP scan
govready fix

# Run a post-remediation scan so there is an "after" scan to compare against
govready scan

# Compare before and after scans. Compares rules with 'pass' results in the most recent scan
# to their results in the second most recent scan.
govready compare

# Compare before and after scans to see if anything now fails that passed in the second most recent scan.
govready compare fail

# Information and evaluation of an individual rule (the rule must be listed in the results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from the available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh
```
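The `govready compare` / `govready compare fail` steps in both the Red Hat 7 and CentOS 6 quickstarts above boil down to diffing the rule results of the two most recent scans. The following is an added example, not govready's own code, that does that comparison directly on the XCCDF 1.2 results files `oscap xccdf eval --results` writes, so the before/after logic is visible and can be reused as a CI gate (exit 1 on any regression). The two result documents and the SSG-style rule ids in them are constructed samples for this example; the transition categories and their names are this example's own.

```python
"""Before/after comparison of two OpenSCAP XCCDF result files (added example)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
PASSING = {"pass", "fixed"}   # "fixed": failed, was remediated by oscap, then re-checked OK
FAILING = {"fail", "error"}
R = "xccdf_org.ssgproject.content_rule_"   # SSG rule id prefix, used for the samples

# Constructed sample: the "before" scan (second most recent).
BEFORE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel7-disa" start-time="2015-08-22T15:40:00" end-time="2015-08-22T15:42:10">
    <rule-result idref="{R}configure_auditd_num_logs"><result>fail</result></rule-result>
    <rule-result idref="{R}sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="{R}no_empty_passwords"><result>fail</result></rule-result>
    <rule-result idref="{R}service_auditd_enabled"><result>pass</result></rule-result>
    <rule-result idref="{R}package_aide_installed"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed sample: the "after" scan (most recent), run after `govready fix`.
AFTER_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel7-disa" start-time="2015-08-22T15:52:00" end-time="2015-08-22T15:54:05">
    <rule-result idref="{R}configure_auditd_num_logs"><result>pass</result></rule-result>
    <rule-result idref="{R}sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="{R}no_empty_passwords"><result>fail</result></rule-result>
    <rule-result idref="{R}service_auditd_enabled"><result>fail</result></rule-result>
    <rule-result idref="{R}package_aide_installed"><result>notchecked</result></rule-result>
    <rule-result idref="{R}ensure_gpgcheck_globally_activated"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text):
    """Return {rule idref: result} for the TestResult in an XCCDF results document.

    The TestResult is searched for anywhere in the tree, so this also works on a
    bare TestResult or on an ARF file (--results-arf) that embeds one.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{XCCDF_NS}}}TestResult":
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no xccdf:TestResult element found")
    results = {}
    for rr in test_result.findall("x:rule-result", NS):
        res = rr.find("x:result", NS)
        text = (res.text or "").strip() if res is not None else ""
        results[rr.get("idref")] = text or "unknown"
    return results


def compare(before, after):
    """Classify rules by the transition before -> after (lists sorted by rule id).

    Transitions that are not pass/fail events (notapplicable, notselected,
    notchecked, informational, ...) are deliberately left out.
    """
    report = {k: [] for k in ("fixed", "regressed", "still_failing",
                              "still_passing", "new_rules", "dropped_rules")}
    for rule in sorted(set(before) | set(after)):
        b, a = before.get(rule), after.get(rule)
        if b is None:
            report["new_rules"].append(rule)
        elif a is None:
            report["dropped_rules"].append(rule)
        elif a in PASSING and b in PASSING:
            report["still_passing"].append(rule)
        elif a in PASSING and b in FAILING:
            report["fixed"].append(rule)
        elif a in FAILING and b in PASSING:
            report["regressed"].append(rule)      # what `govready compare fail` looks for
        elif a in FAILING and b in FAILING:
            report["still_failing"].append(rule)
    return report


def has_regressions(report):
    """True if any rule that passed before fails now; usable as a CI gate."""
    return bool(report["regressed"])


def format_report(report):
    lines = []
    for category, rules in report.items():
        lines.append(f"{category} ({len(rules)})")
        lines.extend(f"  {rule}" for rule in rules)
    return "\n".join(lines)


if __name__ == "__main__":
    rep = compare(rule_results(BEFORE_RESULTS), rule_results(AFTER_RESULTS))
    print(format_report(rep))
    raise SystemExit(1 if has_regressions(rep) else 0)
```

To run it against real scans, replace the two sample strings with the contents of the two most recent `scans/.../*-results.xml` files; the `regressed` list is the set `govready compare fail` is meant to surface, and the `fixed` list shows what `govready fix` actually changed.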
Ubuntu 12 and 14 quickstart (64 bit)
```bash
# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Switch to root so the scanner can run all tests properly
su -

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Run an oscap command just to see things fail, because no SCAP content is installed for Ubuntu
oscap xccdf eval --profile test --results scans/test-results-0822-1319.xml --report scans/test-results-0822-1319.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Sorry - this is all you can do on Ubuntu at the moment. :-(
# Fork the code and help us include Ubuntu and Debi
```
Additional Quickstarts available in the repo. See "Quickstart-platform.md"
Remote Scanning (integration with oscap-ssh script)
The recently released oscap-ssh script enables scanning remote machines with OpenSCAP. As a user-friendly front end to the OpenSCAP tools, govready has been extended to use it. There are two ways to configure remote scanning (they may be used separately or together):
1. Update four variables in the GovReadyfile (the configuration file):
```
# All four vars must be set ('sudo OSCAP_USER@OSCAP_HOST OSCAP_PORT') for remote scanning.
# Note that openscap-scanner ('oscap') must be installed on the remote server.
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22
```
The OpenSCAP scanner is best run as root, but enabling direct root SSH access is a security risk. A non-privileged user such as oscap-user can instead be allowed to run only the oscap binary as root (used when the sudo flag is given) by updating the remote machine's sudoers file, or by adding a drop-in such as /etc/sudoers.d/oscap-user (mode 0440, syntax-checked with `visudo -cf /etc/sudoers.d/oscap-user`) containing:

```
# allow oscap-user to run openscap scanner
Defaults!/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /bin/oscap
```

Use the path at which oscap is actually installed (`command -v oscap`; on RHEL 7 it is /usr/bin/oscap, and /bin is a symlink to /usr/bin there). Be clear about what the rule limits: it restricts the account to one binary, but oscap running as root still writes its --results and --report files wherever it is told and can apply remediations with --remediate, so treat oscap-user as a scanning-only account with key-based login rather than as a low-privilege user.
2. Create or override GovReadyfile values with GOVREADY_* environment variables:
This will scan the RHEL 7 machine badwolf.example.com via port 2222:
```bash
export GOVREADY_OSCAP_HOST=badwolf.example.com
export GOVREADY_OSCAP_PORT=2222
export GOVREADY_XCCDF=ssg-rhel7-ds.xml
govready scan
```
Notes and Caveats on remote scanning
- All values in the GovReadyfile can be overridden with GOVREADY_* environment variables. This facilitates integration with site management tools such as Ansible, Chef and Puppet.
- As @mpreisler notes, currently oscap-ssh must be run as root, while remote ssh access is generally considered a security hole to be remediated. A future release will resolve this.
- OVAL and CPE files cannot be named separately on the command line for remote scans. Instead, use a SCAP source datastream (e.g. ssg-rhel7-ds.xml) as the XCCDF file; a datastream bundles the XCCDF, OVAL and CPE content in one document.
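The two configuration routes above (GovReadyfile values, then GOVREADY_* environment overrides) and the "all four vars must be set" rule make a small precedence-and-validation problem. The following is an added example, not govready's own code, that resolves settings the way the notes describe: parse the flat `KEY = value` GovReadyfile (an assumed format, matching the fragment shown above), let `GOVREADY_<KEY>` win, then refuse a half-configured remote scan or one that logs in as root. The sample file, the environment dictionary, and the `resolve`/`remote_scan_problems` helpers are this example's own.

```python
"""Resolve govready settings: GovReadyfile values overridden by GOVREADY_* (added example)."""
import os
import re

LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
REMOTE_KEYS = ("OSCAP_SUDO", "OSCAP_USER", "OSCAP_HOST", "OSCAP_PORT")

# Constructed GovReadyfile for this example (format assumed from the README fragment).
SAMPLE_GOVREADYFILE = """# constructed GovReadyfile for this example
XCCDF = ssg-rhel7-xccdf.xml
CPE = scap/content/ssg-rhel7-cpe-dictionary.xml

# All four vars must be set for remote scanning
OSCAP_SUDO = sudo
OSCAP_USER = oscap-user
OSCAP_HOST = example.com
OSCAP_PORT = 22
"""

# What the `export GOVREADY_...` lines above would leave in the environment (constructed).
SAMPLE_ENV = {
    "GOVREADY_OSCAP_HOST": "badwolf.example.com",
    "GOVREADY_OSCAP_PORT": "2222",
    "GOVREADY_XCCDF": "ssg-rhel7-ds.xml",
    "HOME": "/root",          # unrelated variable; must be ignored
}


def parse_govreadyfile(text):
    """Parse `KEY = value` lines into a dict; blank lines and `#` comments are skipped."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"GovReadyfile line {lineno}: cannot parse {raw!r}")
        config[m.group(1)] = m.group(2)
    return config


def apply_env_overrides(config, environ=None, prefix="GOVREADY_"):
    """Return a copy of config in which GOVREADY_<KEY> from the environment wins over KEY."""
    environ = os.environ if environ is None else environ
    merged = dict(config)
    for name, value in environ.items():
        if name.startswith(prefix) and len(name) > len(prefix):
            merged[name[len(prefix):]] = value
    return merged


def remote_scan_problems(config):
    """Check the remote-scan settings. An empty list means a local scan (no OSCAP_*
    value set at all) or a consistent remote configuration."""
    values = {k: config.get(k, "").strip() for k in REMOTE_KEYS}
    if not any(values.values()):
        return []
    problems = []
    missing = [k for k in REMOTE_KEYS if not values[k]]
    if missing:
        problems.append("remote scanning needs all four OSCAP_* values; missing: " + ", ".join(missing))
    port = values["OSCAP_PORT"]
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"OSCAP_PORT must be a TCP port number, got {port!r}")
    if values["OSCAP_USER"] == "root":
        problems.append("OSCAP_USER is root; use an unprivileged account plus a sudoers rule for oscap")
    return problems


def resolve(text, environ=None):
    """Parse, apply overrides, and fail early on an inconsistent remote configuration."""
    merged = apply_env_overrides(parse_govreadyfile(text), environ)
    problems = remote_scan_problems(merged)
    if problems:
        raise ValueError("; ".join(problems))
    return merged


if __name__ == "__main__":
    for key, value in sorted(resolve(SAMPLE_GOVREADYFILE, SAMPLE_ENV).items()):
        print(f"{key} = {value}")
```

Run without arguments it prints the effective settings for the sample: OSCAP_HOST and OSCAP_PORT come from the environment, OSCAP_USER and OSCAP_SUDO from the file. Calling `resolve` with the real `os.environ` (the default) gives the same precedence for a CI job that exports GOVREADY_* before `govready scan`.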
```bash
# Uninstall
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo UNINSTALL=1 bash
```
Install development branches
```bash
# Install a branch other than master
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo BRANCH=branch_name bash
# Use the installer from a different branch
curl -Lk https://raw.githubusercontent.com/GovReady/govready/branch_name/install.sh | sudo BRANCH=branch_name bash
```
Use https://github.com/GovReady/testmachines for virtual machines to test GovReady.