first draft of RMF documentation
squinky86 committed Jan 27, 2020
1 parent fcd2ba2 commit 0c1a71c
Showing 11 changed files with 217 additions and 47 deletions.
20 changes: 17 additions & 3 deletions doc/ac.tex
Expand Up @@ -211,15 +211,29 @@ \subsection{AC-3 -- Access Enforcement}

\subsubsection{AC-3(4) -- Discretionary Access Control}

\paragraph{Applicable CCIs:} CCI-2165
\paragraph{Applicable CCIs:} CCI-2163, CCI-2164, CCI-2165

Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) are handled by the operating system. The files and permissions that are created by the application must use the principle of least privilege on the file protection listed in Section~\ref{sec:ac-3}.

\subsection{AC-4 -- Information Flow Enforcement}

\paragraph{Applicable CCIs:} CCI-1368, CCI-1414, CCI-1548, CCI-1549, CCI-1550, CCI-1551

The only data flow for the application pulls information via HTTPS from public.cyber.mil and from NIST. Data flows into the application and SQLite database. Reports can be generated to pull the data out of the application. Data in the application are only accessible by the user.

\subsection{AC-6 -- Least Privilege}

\subsubsection{AC-6(8) -- Privilege Levels for Code Execution}

\paragraph{Applicable CCIs:} CCI-223

The software will not attempt to elevate the privileges or require privileges beyond that of the standard user OS account.

\subsection{AC-23 -- Data Mining Protection}

\paragraph{Applicable CCIs:} CCI-2346, CCI-2347
\paragraph{Applicable CCIs:} CCI-2343, CCI-2344, CCI-2345, CCI-2346, CCI-2347

Data mining protection is provided by protecting the data files using the file-level protection detailed in Section~\ref{sec:ac-3}.
Data mining protection is provided by protecting the data files using the file-level protection detailed in Section~\ref{sec:ac-3}. Data mining can be detected by verifying the privileges on the database files.

\clearpage
\printbibliography
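Review bot: the new AC-23 sentence `Data mining can be detected by verifying the privileges on the database files.` describes a preventive check, not detection; inspecting file permissions shows whether unauthorised reads are possible, not whether any occurred. Either reword it as a preventive measure or point to the audit records in the AU section that would reveal access to the database files. Also, the AC-4 paragraph names `public.cyber.mil` but only `NIST` for the second source; naming the NIST host as well makes the information-flow description complete.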
38 changes: 31 additions & 7 deletions doc/au.tex
Expand Up @@ -202,6 +202,12 @@ \subsection{AU-3 -- Content of Audit Records}

All logged entries contain the system's local date and time along with the user that is operating the application. If an issue occurs in the Qt framework, the location of the issue is logged. If the logged entry occurs as part of the STIGQter application, when applicable, the function where the log entry is generated is preserved. Log records are given a unique identifier. When an event fails, an additional log record of the failure is created.

\subsubsection{AU-3(1) -- Additional Audit Information}

\paragraph{Applicable CCIs:} CCI-1488

The application logs failures, including errors in STIG↔CCI mappings.

\subsubsection{AU-3(2) -- Centralized Management of Planned Audit Record Content}
\label{sec:au-3-2}
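Review bot: the `↔` in `STIG↔CCI mappings` is a raw Unicode arrow; unless the document is built with a Unicode-aware engine (or the input encoding and font cover it), pdflatex will reject the character. `$\leftrightarrow$` or plain `STIG-to-CCI` avoids the build dependency.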

Expand Down Expand Up @@ -236,16 +242,25 @@ \subsubsection{AU-4(1) -- Transfer to Alternate Storage}
Alternatively, a central logging mechanism can be set to connect to the SQLite database and pull the latest logs.

\subsection{AU-5 -- Response to Audit Processing Failures}
\label{sec:au-5}

\paragraph{Applicable CCIs:} CCI-139, CCI-140
\paragraph{Applicable CCIs:} CCI-139, CCI-140, CCI-1490, CCI-1572

The application will show an error message when logging failures occur. This message can be ignored if availability of the application is an overriding concern. Software availability conerns are left to the user.

If desired, the user may issue a bug report to STIGQter's issue tracker on Github.

\subsubsection{AU-5(2) -- Real-Time Alerts}

\paragraph{Applicable CCIs:} CCI-1857, CCI-1858

The alerts in Section~\ref{sec:au-5} are displayed to the user immediately.

\subsection{AU-6 -- Audit Review, Analysis, and Reporting}

\paragraph{Applicable CCIs:} CCI-148
\paragraph{Applicable CCIs:} CCI-148, CCI-1862, CCI-1863

Any anomolous log records should be reported to the project's Github issue tracker.

\subsubsection{AU-6(4) -- Central Review and Analysis}
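Review bot: two spellings need fixing: `conerns` in `Software availability conerns are left to the user.` should be `concerns`, and `anomolous` in the new AU-6 sentence should be `anomalous`. The AU-5(2) text says alerts are displayed `immediately`, but the AU-5 paragraph it references only describes an error message the user may ignore; stating that the message is shown at the moment the logging failure occurs makes the real-time claim for CCI-1857/CCI-1858 verifiable.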

Expand All @@ -255,7 +270,7 @@ \subsubsection{AU-6(4) -- Central Review and Analysis}

\subsubsection{AU-6(10) -- Audit Level Adjustment}

\paragraph{Applicable CCIs:} CCI-1872
\paragraph{Applicable CCIs:} CCI-1872, CCI-1874

Audit levels may be adjusted using the filtering defined in Section~\ref{sec:au-7}. Audit record reviews, to comply with SV-84919r1\_rule, should occur every 99 years. This is a random value and should be overridden by any program implementing the software.
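Review bot: CCI-1874 is added to AU-6(10), but the only supporting text is the unchanged sentence that reviews `should occur every 99 years` and that `This is a random value`; an assessor will read that as a placeholder rather than an organisation-defined frequency. State a realistic default, or say plainly that the value is organisation-defined and must be set by the implementing program, instead of calling it random.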

Expand All @@ -268,9 +283,9 @@ \subsection{AU-7 -- Audit Reduction and Report Generation}

\subsubsection{AU-7(1) -- Automatic Processing}

\paragraph{Applicable CCIs:} CCI-158
\paragraph{Applicable CCIs:} CCI-158, CCI-1883

The audit record sorting and filtering defined in Section~\ref{sec:au-7} can be automated by the processes defined in Section~\ref{sec-au-4-1}.
The audit record sorting and filtering defined in Section~\ref{sec:au-7} can be automated by the processes defined in Section~\ref{sec:au-4-1}. The fields for the event datetime and contents are defined, a unique id, and the log level identified in Section~\ref{sec:au-12-3}.

\subsection{AU-8 -- Time Stamps}
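Review bot: `Section~\ref{sec:au-12-3}` will produce an undefined reference: the label added later in this file is `\label{au-12-3}`, without the `sec:` prefix, so one of the two must change (the `sec:` form matches the rest of the document). The added sentence `The fields for the event datetime and contents are defined, a unique id, and the log level identified in ...` does not parse as a sentence; something like `Each record carries the event date/time, its contents, a unique id, and the log level identified in Section~\ref{...}` states the same fields clearly. The `sec-au-4-1` to `sec:au-4-1` correction is right.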

Expand All @@ -284,6 +299,12 @@ \subsection{AU-9 -- Protection of Audit Information}

No user management occurs in the application. The user is granted permissions to their files, and the user is defined as the proper role for accessing these records.

\subsubsection{AU-9(2) -- Audit Backup on Separate Physical Systems / Components}

\paragraph{Applicable CCIs:} CCI-1348

Backups, including audits, are available on the off-site backup/nightly server documented in the CP policy.

\subsubsection{AU-9(3) -- Cryptographic Protection}

\paragraph{Applicable CCIs:} CCI-1350
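Review bot: `documented in the CP policy` is a prose pointer where the rest of the document uses `\ref`; referencing the CP-9 section directly (the `\subsection{CP-9 -- Information System Backup}` in cp.tex has no `\label` in the lines visible in this commit, so one would need adding) lets the assessor follow it. AU-9(2) also expects the backup frequency to be stated; the CP-9 text says nightly, so repeating `nightly` here removes the ambiguity.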
Expand All @@ -310,13 +331,14 @@ \subsection{AU-12 -- Audit Generation}

\subsection{AU-12(1) -- System-Wide / Time-Correlated Audit Trail}

\paragraph{Applicable CCIs:} CCI-173, CCI-174
\paragraph{Applicable CCIs:} CCI-173, CCI-174, CI-1577

All log records are timestamped to the second. Correlation can be managed by the tools identified in Section~\ref{sec:au-3-2} by sorting on the \texttt{Log.when} field.

\subsubsection{AU-12(3) -- Audit Generation | Changes by Authorized Individuals}
\label{au-12-3}

\paragraph{Applicable CCIs:} CCI-1914
\paragraph{Applicable CCIs:} CCI-1911, CCI-1912, CCI-1914, CCI-2047

Log records are stored in the SQLite database under the \texttt{Log} table. Users may select only the severity level of errors they wish to see:
\begin{enumerate}
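Review bot: `CI-1577` in the AU-12(1) CCI list is missing a `C` (should be `CCI-1577`). The new `\label{au-12-3}` drops the `sec:` prefix that every other label in this file uses and does not match the `\ref{sec:au-12-3}` added in AU-7(1). Also visible here: `\subsection{AU-12(1) ...}` sits at the same level as `\subsection{AU-12 ...}` while AU-12(3) is a `\subsubsection`; the enhancement should be a subsubsection for consistent numbering.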
Expand All @@ -328,6 +350,8 @@ \subsubsection{AU-12(3) -- Audit Generation | Changes by Authorized Individuals}
\item Debugging
\end{enumerate}

Logs should be reviewed by the user as needed by the user.

\subsection{AU-14 -- Session Audit}

\subsection{AU-14(1) -- System Start-Up}
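Review bot: `Logs should be reviewed by the user as needed by the user.` repeats `by the user`; `Logs should be reviewed by the user as needed.` says the same. If the sentence is meant to cover the CCI-1911/CCI-1912 review requirement added above, say who decides what `as needed` means (the implementing program's policy).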
8 changes: 5 additions & 3 deletions doc/cm.tex
Expand Up @@ -225,7 +225,7 @@ \subsubsection{CM-5(6) -- Limit Library Privileges}

\subsection{CM-6 -- Configuration Settings}

\paragraph{Applicable CCIs:} CCI-366, CCI-363, CCI-367, CCI-368, CCI-369
\paragraph{Applicable CCIs:} CCI-366, CCI-363, CCI-367, CCI-368, CCI-369, CI-1502, CCI-1503, CCI-1756

The following security scans are performed and documented publicly for each major release:
\begin{itemize}
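Review bot: `CI-1502` is missing a `C` (should be `CCI-1502`). The list is also not in numeric order (`CCI-366, CCI-363, ...`); sorting it makes it easier to check against the CCI list.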
Expand All @@ -238,6 +238,8 @@ \subsection{CM-6 -- Configuration Settings}

The milestones and issues are tracked in GitHub as the authoritative list of POA\&M entries.

The Git repository logs the entire history of the changes to the software.

\subsection{CM-7 -- Least Functionality}

\paragraph{Applicable CCIs:} CCI-380
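Review bot: `The Git repository logs the entire history of the changes to the software.` only holds if the history cannot be rewritten; a force-push to the default branch would silently drop it. If this sentence is relied on for CM-6 traceability, name the control that backs it (branch protection on the main branch, or signed tags for releases) so an assessor can verify it.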
Expand All @@ -246,13 +248,13 @@ \subsection{CM-7 -- Least Functionality}

\subsubsection{CM-7(2) -- Prevent Program Execution}

\paragraph{Applicable CCIs:} CCI-1764
\paragraph{Applicable CCIs:} CCI-1592, CCI-1763, CCI-1764

The application is permitted to execute under the terms of the GPL version 3.

\subsection{CM-9 -- Configuration Management Plan}

\paragraph{Applicable CCIs:} CCI-421, CCI-423, CCI-424, CCI-426, CCI-1795
\paragraph{Applicable CCIs:} CCI-421, CCI-423, CCI-424, CCI-426, CCI-1790, CCI-1792, CCI-1793, CCI-1795, CCI-1796, CCI-1798, CCI-1799, CCI-1801

The software uses Github as its repository and configuration management platform. The Semantic Versioning System 2.0.0 is used for versioning of STIGQter releases.\autocite{preston2013semantic} Changes are tracked in the Github issue tracker and assigned to milestones to determine when fixes will be released.
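Review bot: CM-7(2) (CCI-1592, CCI-1763, CCI-1764) concerns preventing execution of unauthorised software, but the supporting sentence `The application is permitted to execute under the terms of the GPL version 3.` is a licensing statement and does not address execution control; state instead that execution control (allow/deny listing) is inherited from the host OS, or mark the CCIs as inherited. Minor: `Github` in the CM-9 paragraph versus `GitHub` in the CM-6 text above.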

19 changes: 16 additions & 3 deletions doc/cp.tex
Expand Up @@ -202,18 +202,31 @@ \section{RMF Control Compliance}
The nature of an open-source application is that anyone may fork the code (under the terms of the GPL-3 license) and pick up the torch on the product's maintenance. As all details to build and recreate the environment for the software are provided, all CP requirements are fulfilled by the public release of the software.

\subsection{CP-2 -- Contingency Plan}
\label{sec:cp-2}

\paragraph{Applicable CCIs:} CCI-443, CCI-445, CCI-446, CCI-448, CCI-449, CCI-450
\paragraph{Applicable CCIs:} CCI-443, CCI-445, CCI-446, CCI-448, CCI-449, CCI-450, CCI-451, CCI-452, CCI-453, CCI-454, CCI-455, CCI-456, CCI-457, CCI-458, CCI-459, CCI-462, CCI-463, CCI-464, CCI-465, CCI-466, CCI-468, CCI-2832

The contingency plan is to fork the software and start development on a new fork in the event of catastrophic failure. The implementation of this plan must abide by the license.

No missions or business functions are identified for this software to support. The state of the database may be saved regularly, and the database can be loaded as part of a recovery objective. The recovery of this support application is lowest priority.

Support for contingency planning is available via Jon Hood on Github's issue tracker.
Support for contingency planning is available via Jon Hood on Github's issue tracker. If the software were to become compromised, it may be recompiled from the authoritative repository's source code and a new database can be created.

This plan will be maintained in the project's Github repository. A log of reviews is available in this document's changelog and in Github's file history whenever organization, environment, and operational needs change or problems arise.

\paragraph{Not-Applicable CCIs:} CCI-460

Incident Response (IR) plans are not in the categorization baseline.

\subsubsection{CP-2(8) -- Identify Critical Assets
\paragraph{Applicable CCIs:} CCI-2828, CCI-2829
Since no missions or business processes are identified in Section~\ref{sec:cp-2}, no critical assets are identified. The only asset included is the STIGQter software.
\subsection{CP-9 -- Information System Backup}
\paragraph{Applicable CCIs:} CCI-537, CCI-540
\paragraph{Applicable CCIs:} CCI-535, CCI-537, CCI-539, CCI-540
The application's nightly build server checks if there are any changes and backs up the day's changes. The build server and backup locations are stored off-site.
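Review bot: `\subsubsection{CP-2(8) -- Identify Critical Assets` is missing its closing brace, which will break the LaTeX build (the following `\paragraph` line is swallowed into the heading argument). The same block omits the blank lines between `\subsubsection`, `\paragraph` and body text that the rest of the file uses. In the new CP-2 sentence, recompiling `from the authoritative repository's source code` only restores a trusted state if the repository itself was not what was compromised; pointing to the release integrity verification in SA-10(1) (signed releases) would close that gap.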
4 changes: 3 additions & 1 deletion doc/pm.tex
Expand Up @@ -201,10 +201,12 @@ \section{RMF Control Compliance}

\subsection{PM-14 -- Testing, Training, and Monitoring}

\paragraph{Applicable CCIs:} CCI-3004
\paragraph{Applicable CCIs:} CCI-2998, CCI-2999, CCI-3000, CCI-3001, CCI-3002, CI-3003, CCI-3004, CCI-3005, CCI-3006, CCI-3007

All test plans are defined in the CM policy.

Any findings or variances are published immediately to their respective scanning websites and on the STIGQter website for triaging and prioritization.

\clearpage
\printbibliography
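Review bot: `CI-3003` is missing a `C` (should be `CCI-3003`). `published immediately to their respective scanning websites` does not say which sites; naming them, or referencing the scan list in the SA-11 section, gives the assessor somewhere to look.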

20 changes: 14 additions & 6 deletions doc/sa.tex
Expand Up @@ -203,15 +203,15 @@ \subsection{SA-4 -- Acquisition Process}

\subsubsection{SA-4(5) -- System / Component / Service Configurations}

\paragraph{Applicable CCIs:} CCI-3109
\paragraph{Applicable CCIs:} CCI-3109, CCI-3111

The application is delivered in a secure state and with no additional user accounts created.

\subsection{SA-5 -- Information System Documentation}

\paragraph{Applicable CCIs:} CCI-3124
\paragraph{Applicable CCIs:} CCI-642, CCI-3124, CCI-3125, CCI-3129, CCI-3130, CCI-3131, CCI-3135

Application Configuration Guide is included as part of the Configuration, Installation, and Usage Guide.
Application Configuration Guide is included as part of the Configuration, Installation, and Usage Guide. All documentation is maintained in the project's Github repository.

\subsection{SA-10 -- Developer Configuration Management}
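Review bot: `Application Configuration Guide is included ...` needs an article (`The Application Configuration Guide ...`). For SA-5 (CCI-642 and the others added), saying where in the repository the guide lives (path or URL) would make the `maintained in the project's Github repository` claim checkable.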

Expand All @@ -224,7 +224,7 @@ \subsubsection{SA-10(1) -- Software / Firmware Integrity Verification}
\subsection{SA-11 -- Developer Security Testing and Evaluation}
\label{sec:sa-11}

\paragraph{Applicable CCIs:} CCI-3173, CCI-3177, CCI-3178
\paragraph{Applicable CCIs:} CCI-3173, CCI-3177, CCI-3178, CCI-3171, CCI-3172, CCI-3174, CCI-3175, CCI-3176, CCI-3177

Scans are performed, at a minimum, on each release of the software. Most scans are performed with each commit of the source code using several automated tools. For each commit, Travis-CI is initialized and begins a scanning, debug build of the software. The following tools are run automatically:
\begin{itemize}
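Review bot: `CCI-3177` appears twice in the new SA-11 list, and the list is unsorted (`CCI-3178, CCI-3171, ...`); de-duplicate and sort it.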
Expand Down Expand Up @@ -267,15 +267,19 @@ \subsubsection{SA-11(8) -- Dynamic Code Analysis}

\subsection{SA-15 -- Development Process, Standards, and Tools}

\paragraph{Applicable CCIs:} CCI-3233
\paragraph{Applicable CCIs:} CCI-3233, CCI-3234, CCI-3235, CCI-3236, CCI-3237, CCI-3238, CCI-3239, CCI-3240, CCI-3241, CCI-3242, CCI-3243, CCI-3244, CCI-3246

The \href{http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines#S-functions}{C++ Core Guidelines} are used as the standard for development. The \href{https://google.github.io/styleguide/cppguide.html}{Google C++ Style Guide}, \href{https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf}{CERT Coding Standards}, and \href{https://wiki.qt.io/Qt_Coding_Style}{Qt Coding Style} are used as secondary references.

Since there is a single user role for the application, the design document is defined as the User's Guide.

Security requirements are to perform the testing listed in Section~\ref{sec:sa-11}. Changes to these requirements are stored in the Github changelog for each file. Reviews of this process occur for every major release.

\subsubsection{SA-15(4) -- Threat Modeling / Vulnerability Analysis}

\paragraph{Applicable CCIs:} CCI-3256
\paragraph{Applicable CCIs:} CCI-3256, CCI-3257, CCI-3258, CCI-3259, CCI-3260, CCI-3261, CCI-3262, CCI-3263, CCI-3264, CCI-3265, CCI-3266, CCI-3267, CCI-3268, CCI-3269, CCI-3270, CCI-3271

Vulnerability analysis includes the scans listed in Section~\ref{sec:sa-11}.

The following sections are required by STIG rule SV-85011r1\_rule:
\begin{enumerate}
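Review bot: SA-15(4) now claims CCI-3256 through CCI-3271, which cover threat modeling as well as vulnerability analysis, but the only supporting sentence is `Vulnerability analysis includes the scans listed in Section~\ref{sec:sa-11}.`; nothing describes a threat model (assets, trust boundaries such as the HTTPS fetches and user-supplied CKL/XCCDF input, and the resulting mitigations). Either add that description or drop the threat-modeling CCIs. In SA-15, `the design document is defined as the User's Guide` is a stretch: a user guide describes usage, not design.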
Expand All @@ -300,6 +304,10 @@ \subsubsection{SA-15(10) -- Incident Response Plan}

\subsection{SA-22 -- Unsupported System Components}

\paragraph{Not Applicable CCIs:} CCI-3375

There is no justification to use outdated components. Only supported products and dependencies are accepted.

\paragraph{Applicable CCIs:} CCI-3374, CCI-3376

When a dependency is updated for a security reason, the build revision of STIGQter is automatically updated as well to enforce updates. This includes vulnerabilities in any of the dependent components. For example, if STIGQter 1.0.0 is released and the next day a Qt vulnerability is released that affects STIGQter, STIGQter documentation will be updated and a new release of STIGQter 1.0.1 will occur. New releases are made available on https://www.stigqter.com/.
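Review bot: the new `\paragraph{Not Applicable CCIs:}` uses a different spelling from the `Not-Applicable CCIs:` used in cp.tex (CP-2) and sc.tex (SC-5), and it is placed before the `Applicable CCIs` paragraph whereas every other section lists applicable CCIs first; align both. Since CCI-3375 concerns the justification for using unsupported components, `There is no justification to use outdated components.` reads as the reason it is not applicable; saying that explicitly (`not applicable because no unsupported components are used`) is clearer.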
47 changes: 41 additions & 6 deletions doc/sc.tex
Expand Up @@ -214,9 +214,13 @@ \subsection{SC-4 -- Information in Shared Resources}
\subsection{SC-5 -- Denial of Service Protection}
\label{sec:sc-5}

\paragraph{Compliant CCIs:} CCI-1093, CCI-2386

Current DoS attacks are listed under CCI-2385. Mitigation is to not load CKLs or XCCDF files from untrusted sources.

\paragraph{\textcolor{red}{Non-Compliant CCIs:}} CCI-2385

\paragraph{Not-Applicable CCIs:} CCI-2386
A current DoS attack

The software has a known bug involving XML bombs. See \href{Issue #26}{https://github.com/squinky86/STIGQter/issues/26} in the STIGQter issue tracker.
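Review bot: as rendered after this change, CCI-2386 is listed both under `Compliant CCIs` and under `Not-Applicable CCIs`; it can only be one. `A current DoS attack` is a sentence fragment that should be removed or finished. `Current DoS attacks are listed under CCI-2385` points at a CCI identifier, which does not list attacks; point to the issue-tracker entry in the following paragraph instead. Also visible here: `\href{Issue #26}{https://github.com/squinky86/STIGQter/issues/26}` has its arguments reversed (`\href{URL}{text}`), and `#` in the link text must be written `\#`.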

Expand All @@ -230,6 +234,10 @@ \subsubsection{SC-5(1) -- Restrict Internal Users}

See Section~\ref{sec:sc-5} for more details.

\paragraph{Applicable CCIs:} CCI-2387

The software does not connect to services in a way that would launch a DoS attack.

\subsection{SC-8 -- Transmission Confidentiality and Integrity}
\label{sec:sc-8}
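Review bot: in SC-5(1) the `Applicable CCIs` paragraph is added after the `See Section~\ref{sec:sc-5}` sentence, inverting the order used everywhere else (CCIs first, then narrative). `does not connect to services in a way that would launch a DoS attack` would be more convincing with the concrete reason: the only outbound traffic is the user-initiated HTTPS fetches named in the AC-4 text.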

Expand Down Expand Up @@ -262,12 +270,39 @@ \subsection{SC-13 -- Cryptographic Protection}
All hashes generated include SHA-3. Database integrity of saved files uses SHA-3-512. All connections to external entities obtain only publicly released information over HTTPS connections.

\subsection{SC-18 -- Mobile Code}
\label{sec:sc-18}

Mobile code is not used in the application.

\subsubsection{SC-18(1) -- Identify Unacceptable Code / Take Corrective Actions}

\paragraph{Applicable CCIs:} CCI-1166, CCI-1662, CCI-2458

Mobile code, when found, should be removed from the application to comply with the policy in Section~\ref{sec:sc-18}.

\subsubsection{SC-18(2) -- Acquisition / Development / Use}

\paragraph{Applicable CCIs:} CCI-1167
\paragraph{Applicable CCIs:} CCI-1167, CCI-1168, CCI-1687, CCI-1688

Mobile code is not used in the application.
Mobile code, when found, should be removed from the application to comply with the policy in Section~\ref{sec:sc-18}.

\subsection{SC-23 -- System and Communications Protection}

\paragraph{Applicable CCIs:} CCI-1184

Communication sessions use HTTPS with authenticated certificates.

\subsubsection{SC-23(1) -- Invalidate Session Identifiers at Logout}

\paragraph{Applicable CCIs:} CCI-1185

On certificate validation failure or session close, HTTPS protocol ends the session.

\subsubsection{SC-23(3) -- Unique Session Identifiers with Randomization}

\paragraph{Applicable CCIs:} CCI-1188, CCI-1189, CCI-1664

Randomness and negotiation of session IDs are inherent in the HTTPS protocol.

\subsection{SC-24 -- Fail in Known State}
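Review bot: the new `\subsection{SC-23 -- System and Communications Protection}` uses the SC family name as the control title; NIST SP 800-53 SC-23 is `Session Authenticity`. The SC-23(1) and SC-23(3) text attributes session handling to `the HTTPS protocol`; it is the TLS layer (the TLS implementation the application links against) that terminates sessions on certificate validation failure and negotiates session identifiers, so naming TLS and the library that enforces certificate validation makes the claim checkable. The sentence `Mobile code, when found, should be removed ...` appears verbatim in both SC-18(1) and SC-18(2); one can reference the other.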

Expand All @@ -278,15 +313,15 @@ \subsection{SC-24 -- Fail in Known State}
\subsection{SC-28 -- Protection of Information at Rest}
\label{sec:sc-28}

\paragraph{Applicable CCIs:} CCI-1199
\paragraph{Applicable CCIs:} CCI-1199, CCI-2472

All data handled by the default application is publicly releasable and does not require encryption. If data-at-rest encryption is required by an implementing program, verify that the user's \texttt{\$HOME} directory (Linux) or \texttt{\%APPDATA\%} directory (Windows) are on the encrypted partition.

\subsubsection{SC-28(1) -- Cryptographic Protection}

\paragraph{Applicable CCIs:} CCI-2475, CCI-2476
\paragraph{Applicable CCIs:} CCI-2473, CCI-2475, CCI-2476

Please see Section~\ref{sec:sc-28} for encryption protections.
Please see Section~\ref{sec:sc-28} for encryption protections. Encryption should be commensurate with the protection required for the data.

\clearpage
\printbibliography
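Review bot: `Encryption should be commensurate with the protection required for the data.` adds no verifiable statement for CCI-2473; say who decides (the implementing program, per the SC-28 text) and what the default is (none, since the data is publicly releasable). Visible in context: `verify that the user's \$HOME directory ... or \%APPDATA\% directory ... are on the encrypted partition` should read `is` (singular subject).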