Cingulara / openrmf-docs

Documentation on the OpenRMF application, including scripts to run the whole stack as well as just infrastructure with documentation on using the tool.
GNU General Public License v3.0

OpenRMF® OSS Documentation (v 1.11)

OpenRMF® OSS is an open source application for managing, viewing, and reporting of your DoD STIG checklists, SCAP Scans and Nessus Patch Scans in one web-based interface using your browser. It also generates a compliance listing of all your checklists across a whole system based on NIST 800-53 for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and allows you to structure your data in a clean interface all in one location for your group or program.

You can export your checklists as CKL files and your test plan and POAM as MS Excel properly formatted files as well.

If you need more than the OSS version, check out OpenRMF® Professional.

TL;DR Description

The OpenRMF® OSS application is a highly advanced alternative to the DISA STIGViewer.jar and the MS Excel hell we go through for DoD STIG checklist files, SCAP scans, Nessus ACAS scans, RMF process information, and the like. Capturing and reporting on this information is necessary; please do not mistake what I say for disagreeing with securing services. However, the DISA Java tool itself is horribly designed and not conducive to today's environment and use, and it is only part of the story. Their Java tool has been like this for a loooooonnnnnngggg time and I have wanted to make something better (IMO) for almost as long. So this tool here is the start!

It is a way (currently) to view, report on, dive into, manage, and export your STIG checklists no matter which checklist you are referring to. All .CKL files share a common format, and this tool reads and displays/manages that format in a web front end using .NET Core APIs, MongoDB and NATS messaging. View the history of this tool on our website.

OpenRMF® OSS also is a single pane of glass for your DISA SCAP scans (to generate checklists), Nessus SCAP scans, Nessus patch scans (to track patch management), and compliance reporting for your systems going through the RMF process. We know: the RMF process is manual and all inclusive! This tool helps to automate as much as possible on the managing and reporting of data so you can:

  1. Know your current Risk Profile
  2. Know your current status
  3. Know what is left to do
  4. Know what your Critical and High items are so you can track and attack them
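As an added example (not code from the OpenRMF® OSS project), the Python script below reads a constructed .CKL checklist fragment in the common XML layout the tool parses and produces the four views listed above: counts by status (risk profile), what is still Not_Reviewed (what is left to do), the open CAT I items to track and attack first, and a rollup of findings onto NIST 800-53 controls through their CCI references. The vulnerability IDs, host name and the small CCI-to-control mapping are constructed placeholders for illustration; the real mapping comes from the DISA CCI list.

```python
# Summarize a DISA STIG checklist (.CKL) the way a dashboard would.
# Added example, not OpenRMF code. Every <VULN> in a CKL carries
# <STIG_DATA> name/value pairs (Vuln_Num, Severity, CCI_REF, ...) and a <STATUS>.
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

# Constructed sample: vuln IDs and host name are placeholders, and real
# checklists carry many more STIG_DATA fields per VULN.
SAMPLE_CKL = """<CHECKLIST>
  <ASSET><HOST_NAME>constructed-host</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000381</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001312</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""

# Illustrative CCI -> NIST 800-53 control subset, constructed for this example.
CCI_TO_CONTROL = {"CCI-000366": "CM-6", "CCI-000381": "CM-7", "CCI-001312": "SI-11"}


def parse_ckl(ckl_xml):
    """Return one dict per <VULN>: id, severity, status and its CCI references."""
    findings = []
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        attrs = defaultdict(list)
        for sd in vuln.findall("STIG_DATA"):
            attrs[sd.findtext("VULN_ATTRIBUTE", "").strip()].append(
                sd.findtext("ATTRIBUTE_DATA", "").strip())
        findings.append({
            "id": (attrs["Vuln_Num"] or [""])[0],
            "severity": (attrs["Severity"] or [""])[0].lower(),
            "status": vuln.findtext("STATUS", "").strip(),
            "ccis": [c for c in attrs["CCI_REF"] if c],  # one VULN may cite several CCIs
        })
    return findings


def risk_profile(findings):
    """Points 1-3: status counts, open items by severity, and what is left to review."""
    by_status = Counter(f["status"] for f in findings)
    open_by_sev = Counter(f["severity"] for f in findings if f["status"] == "Open")
    return {"by_status": dict(by_status),
            "open_by_severity": dict(open_by_sev),
            "not_reviewed": by_status["Not_Reviewed"]}


def open_cat1(findings):
    """Point 4: open CAT I items (CKL severity 'high') to track and attack first."""
    return [f["id"] for f in findings if f["status"] == "Open" and f["severity"] == "high"]


def compliance_by_control(findings, cci_to_control):
    """Roll every finding up to its NIST 800-53 control through the CCI reference."""
    rollup = defaultdict(Counter)
    for f in findings:
        for cci in f["ccis"]:
            rollup[cci_to_control.get(cci, "UNMAPPED")][f["status"]] += 1
    return {control: dict(counts) for control, counts in rollup.items()}


if __name__ == "__main__":
    fs = parse_ckl(SAMPLE_CKL)
    print(risk_profile(fs))
    print("open CAT I:", open_cat1(fs))
    for control, counts in sorted(compliance_by_control(fs, CCI_TO_CONTROL).items()):
        print(control, counts)
```

Run it against a real checklist by replacing SAMPLE_CKL with the file contents; the per-control rollup is the same vulnerability-to-CCI-to-NIST walk that otherwise has to be done by hand for each checklist in a system.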

This particular repository is the repo for all the docs as the OpenRMF® OSS project goes along. Documentation on the OpenRMF® OSS application will be here in MD files and reference images and other documents as well as GH markdown. This application idea has been brewing in my head for well over a decade, and specifically since July 4th weekend 2018 when I started to put down code. Then in January 2019 I scrapped all that July code and went for web APIs, microservices, eventual consistency, and CQRS (command query responsibility segregation, to scale reads and writes separately), using MongoDB and NATS.

Get OpenRMF® OSS Running Locally

If you want to get it running on your local laptop, desktop, or server follow these instructions below. You need a fairly good internet connection and Docker Desktop / Docker Community Edition to get this going. And then go to the latest release and download the Keycloak zip file and OpenRMF® OSS zip file.

Please read the Minimum Requirements for OpenRMF® OSS. And then follow these Step by Step Instructions.

Note that for Docker Desktop users, you need to have the File Sharing turned on to run OpenRMF® OSS the way it is designed in the docker-compose file. We use persistent volumes for MongoDB, Grafana, and Prometheus.

Install in Air-Gapped / Disconnected Environment

There are separate instructions in the included air-gapped installation MD file.

Running over HTTPS

There are separate instructions in the included HTTPS setup instructions for running OpenRMF® OSS v1.9 or higher over HTTPS. This assumes the full configuration all in one YML file for the software, versus the v1.8.x and earlier separate Keycloak and software YML files in combination.

Other OpenRMF® OSS Deployments

If you want to run on AWS EKS, you can see the Helm Chart and Kubernetes specific information here.

@medined put up a great set of Ansible and Terraform script information for work he is doing at the Container Working Group for the Veterans Administration.

Why Use OpenRMF® OSS

It will save you weeks of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.

When a team has poor visibility of their system’s risk data, it can result in bad decisions, errors, security risks and unforeseen issues. Teams must replace manual RMF and checklist methods that use spreadsheets and emails with an open, web-based solution that your team can leverage to plan, track and govern the entire RMF process. That is where OpenRMF® OSS helps you and your team!

Read more about its genesis here.


Current Functionality

If we are missing something you want, please add it on our main GitHub Issues page.

Metrics Tracking with Prometheus and Grafana

We include metrics tracking for all our major subsystems. See the OpenRMF OSS Metrics document for more information.

Cleaning up the Docker volumes and such every so often

If you want to remove all data from volumes you can run the below. Do at your own risk and know the consequences! I do this on my development machine to clear ALL volumes including those not for OpenRMF® OSS.

Screenshots of the UI

The OpenRMF® OSS Dashboard for all Systems

The System Listing

A System View

Exporting the Nessus Patch file summary to XLSX

The Individual Checklist view

Generate RMF Compliance Listing with linked Checklists and filtered vulnerabilities!

The checklist Upload page

Exporting the checklist to XLSX with color coding