NUWCDIVNPT / stig-manager

An API and client for managing STIG assessments

FEATURE REQUEST: Example API #305

Open sagansapien opened 3 years ago

sagansapien commented 3 years ago

We've discussed this during office hours and I wanted to track it in an issue. We're interested in using the API to maintain the asset lists. Initially, we simply need the ability to purge old assets from the collection, in the event a system is decommissioned or otherwise removed from the RMF package. For Windows, this usually means if a computer is disabled or moved from its OU in Active Directory, the asset record should be removed from stigman. PowerShell is our tool of choice for performing other maintenance tasks outside of stigman, so if API calls to stigman to delete asset records using PowerShell can be accomplished, this could be integrated into our existing processes.

We don't really know where to start with creating API scripts, so if an example PowerShell script could be provided as a starting point it might get us going.

Thank you

cd-rite commented 3 years ago

Interesting idea...neither of the core team members has much PowerShell scripting experience, but we will try to help if we can.

It sounds like what we REALLY need is a formalized, machine-readable way to express the contents of an RMF package (perhaps OSCAL, someday!!?). Once a package is expressed that way, and we have support for it, it could be used to create a Collection or Collections in STIGMan, or shape/trim down an existing Collection if/when it is updated and Assets or Systems are removed.....

NRENJeff commented 3 years ago

I can't necessarily give you an example of a script, but I see the value of this in our environment also so it's something I'm going to take a look at myself.

In the meantime, if you use the following command in PowerShell you should be able to confirm the REST API is functioning, and it might give your PowerShell admins a starting point:

Invoke-RestMethod -Uri https://FQDN/api/op/configuration

This is an unauthenticated API call and should return the Version, Commit, and Classification of your STIG-Manager instance.

If you enable the environment variable (STIGMAN_SWAGGER_ENABLED=TRUE) to expose the API browser, you can access it at FQDN/api-docs. That should give you more information on how to target specific things.

thukk commented 3 years ago

In PowerShell, I was able to use the stigman-watcher client_id/secret information to get a valid token. Then used that token to create a Bearer header. Invoke-RestMethod worked to access the different entities in http://fqdn/api/ and I was able to get a list of collections/assets/etc and delete assets via the DELETE method.
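
Putting the two comments above together (NRENJeff's unauthenticated configuration check and thukk's token-then-Bearer-then-DELETE flow), here is an added PowerShell example written for this thread. It is not code from the STIG Manager project or from either commenter, and it assumes several things the thread does not state: that the client-credentials token endpoint follows Keycloak's usual layout, that the asset endpoints are GET /api/assets?collectionId=<id> (returning objects with assetId and name) and DELETE /api/assets/<assetId>, and that the configuration response uses lowercase field names. Confirm all of these in your own instance's /api-docs browser before relying on them.

```powershell
# Added example for this thread, not STIG Manager project code.
# ASSUMED (verify in /api-docs): GET /api/assets?collectionId=<id> returns
# objects with assetId and name; DELETE /api/assets/<assetId> removes one asset;
# /api/op/configuration returns version/classification in lowercase.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $StigManUrl,       # e.g. https://stigman.example.mil (no trailing slash)
    [Parameter(Mandatory)] [string]   $TokenUrl,         # ASSUMED Keycloak layout: https://sso.example.mil/realms/stigman/protocol/openid-connect/token
    [Parameter(Mandatory)] [string]   $ClientId,         # the stigman-watcher client, or better a dedicated client for this job
    [Parameter(Mandatory)] [int]      $CollectionId,
    [Parameter(Mandatory)] [string[]] $ActiveAssetNames  # computers still in the package, e.g. from Get-ADComputer
)

# Keep the secret off the command line and out of the script; read it from the environment.
$clientSecret = $env:STIGMAN_CLIENT_SECRET
if (-not $clientSecret) { throw 'Set STIGMAN_CLIENT_SECRET before running.' }
if ($StigManUrl -notmatch '^https://') { throw 'Use HTTPS; the bearer token rides on every request.' }

function Get-StigManToken {
    # OAuth2 client-credentials grant, the same id/secret flow thukk describes for stigman-watcher.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $clientSecret
    }
    $resp = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $body -ContentType 'application/x-www-form-urlencoded'
    if (-not $resp.access_token) { throw 'Token endpoint returned no access_token.' }
    return $resp.access_token
}

function Invoke-StigMan {
    # Thin wrapper that adds the Bearer header to a call under /api.
    param([string] $Method, [string] $Path, [string] $Token)
    Invoke-RestMethod -Method $Method -Uri "$StigManUrl/api$Path" -Headers @{ Authorization = "Bearer $Token" }
}

# 1. Unauthenticated reachability check (the call NRENJeff mentions above).
$config = Invoke-RestMethod -Uri "$StigManUrl/api/op/configuration"
Write-Host "STIG Manager $($config.version) ($($config.classification))"

# 2. Authenticate.
$token = Get-StigManToken

# 3. List the collection's assets and find the ones the package no longer contains.
$assets = @(Invoke-StigMan -Method Get -Path "/assets?collectionId=$CollectionId" -Token $token)
$active = [System.Collections.Generic.HashSet[string]]::new(
    [string[]] $ActiveAssetNames, [System.StringComparer]::OrdinalIgnoreCase)
$stale = @($assets | Where-Object { -not $active.Contains($_.name) })
Write-Host "$($assets.Count) assets in collection $CollectionId, $($stale.Count) no longer active"

# 4. Delete under -WhatIf/-Confirm control, so a bad AD query cannot silently empty the collection.
foreach ($asset in $stale) {
    $target = "$($asset.name) (assetId $($asset.assetId))"
    if ($PSCmdlet.ShouldProcess($target, 'DELETE asset from STIG Manager')) {
        Invoke-StigMan -Method Delete -Path "/assets/$($asset.assetId)" -Token $token | Out-Null
    }
}
```

Run it first with -WhatIf so it only lists what it would remove; a typical invocation feeds the enabled computers of the package's OU, for example -ActiveAssetNames (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase 'OU=...').Name. Two cautions: the client's account needs a collection grant that permits asset deletion, so check the grant rather than assuming the stigman-watcher client has it; and reusing the watcher's secret widens the blast radius of that credential, so a separate client with only the grants this job needs is the better choice.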

cd-rite commented 3 years ago

Hi @thukk Thanks for commenting!

If you have any code you'd like to share so others can use or build on it, I've created a discussion forum in our repo for that purpose: "Share code or advice about how you've used the STIGMan API". Hopefully the discussion will be easier to find than this issue for people looking for this type of info. If you have a public repo available, feel free to link to it in that discussion.
Thanks!

thukk commented 3 years ago

Posted some PowerShell code under Discussions. Hope it helps someone!