OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

OnDemand should provide a NIST STIG #785

Open MorganRodgers opened 4 years ago

MorganRodgers commented 4 years ago

In a nutshell, a STIG is a security self-assessment, and we were told that this would assist with uptake for US federal HPC sites.

https://csrc.nist.gov/glossary/term/security-technical-implementation-guide


nealepetrillo commented 4 years ago

I believe the most applicable guide for this project would be this one:

https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/MAC-3_Classified/

I selected the MAC 3 classified profile since a lot of DoE labs operate classified equipment.

A lot of the controls probably aren't applicable. For example, V-70399 "Procedures must be in place to notify users when an application is decommissioned." isn't going to apply to the application. In that case you'd say something like "Not applicable - administrators are responsible for decommissioning their instances should development cease."

Most of the time you see these things as Excel or XML documents. I'm not entirely sure what the best way to collaborate on such a thing might be. Maybe some kind of Google Doc?

ericfranz commented 4 years ago

As for collaborating, what would the table look like? I see on that linked page an Excel or XML or JSON can be downloaded but it looks like that just contains a list of all the Finding IDs and related check text that can be found on the details page of each Finding. Are you imagining we do something like this:

| Finding ID | Status |
| --- | --- |
| V-69343 | It could be said this is possible if the federated authentication that Apache is configured with is properly configured. However, since one of our recommendations is using Keycloak or CILogon, and we are considering defaulting to CILogon, perhaps we should see if this is an option? TODO: Insert link to GitHub issue we opened for this |
| V-70399 | Not applicable - administrators are responsible for decommissioning their instances should development cease |
| V-70385 | TODO: Insert link to coding standards |

Or would the table be more complex? If we did something simple like the above, one option is to use reStructuredText's list tables. GitHub can render this in a reStructuredText file in the root of this repo or as a page in the wiki.

nealepetrillo commented 4 years ago

In practice these things are usually submitted via Excel workbook so the security folks can check off the list. But, it's probably better to start a markdown table then, once that's filled out, move on to an Excel sheet with check texts, fix texts, and whatnot.

ericfranz commented 4 years ago

I set up a checklist and team on https://ondemand.vaulted.io. Maybe a tool like that would be helpful? I took these steps:

  1. Downloaded XML export of https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/MAC-3_Classified/
  2. Downloaded STIG viewer for Mac: https://public.cyber.mil/stigs/srg-stig-tools/
  3. Opened XML file in the STIG viewer, checked "Application and Development Security STIG", Clicked Checklist=> Create Checklist - Check Marked STIG(s)
  4. A new tab opened called mac3stig. Selected tab, clicked menu File=>Save Checklist As... and saved the ckl file.
  5. Imported ckl file into https://ondemand.vaulted.io/.

288 not reviewed!

Looks like a nice interface with conversation, tags, and text field to put "Finding details" and "Comments":

[Screenshot of the ondemand.vaulted.io checklist view, taken 2019-12-17]

@nealepetrillo I'm happy to send an invite to you if you are interested. Do you know about this tool?
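The "Finding ID / Status" table proposed earlier in the thread and the XML export downloaded in step 1 above can be joined by a small script, so the table does not have to be typed by hand and the "not reviewed" count falls out for free. The following is an added example, not code from the OnDemand project or from anyone in this thread. The embedded XML is a constructed two-finding stand-in for the real Application Security and Development STIG export: the Benchmark/Group/Rule nesting and the XCCDF 1.1 namespace follow the DISA files, but the rule IDs, versions, check text and the second finding's title are made up here (only the V-70399 title is the one quoted above). The `STATUSES` dictionary and the helper names are likewise this example's own.

```python
"""Build the Finding ID / Status table from a STIG XCCDF export."""
import xml.etree.ElementTree as ET

# Namespace used by DISA STIG XCCDF exports.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample: two Groups instead of the ~290 in the real export.
# Rule IDs, versions, check/fix text and the V-69343 title are invented.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_ASD_STIG">
  <title>Application Security and Development STIG (constructed excerpt)</title>
  <Group id="V-70399">
    <title>SRG-APP-EXAMPLE-1</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="low" weight="10.0">
      <version>APSC-DV-EXAMPLE-1</version>
      <title>Procedures must be in place to notify users when an application is decommissioned.</title>
      <check><check-content>Ask for the documented decommissioning procedure.</check-content></check>
      <fixtext>Document a user-notification procedure for decommissioning.</fixtext>
    </Rule>
  </Group>
  <Group id="V-69343">
    <title>SRG-APP-EXAMPLE-2</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="medium" weight="10.0">
      <version>APSC-DV-EXAMPLE-2</version>
      <title>Constructed title: the application must authenticate users via an approved identity provider.</title>
      <check><check-content>Review the Apache authentication configuration.</check-content></check>
      <fixtext>Configure federated authentication (e.g. CILogon or Keycloak).</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

# Statuses drafted so far, keyed by Finding ID; anything absent is "Not reviewed".
STATUSES = {
    "V-70399": "Not applicable - administrators are responsible for decommissioning "
               "their instances should development cease",
}
NOT_REVIEWED = "Not reviewed"


def parse_findings(xml_text):
    """Return one dict per Group: finding id, rule id, severity, title, check, fix."""
    root = ET.fromstring(xml_text)
    findings = []
    for group in root.iterfind("x:Group", XCCDF_NS):
        rule = group.find("x:Rule", XCCDF_NS)
        if rule is None:  # a Group without a Rule has nothing to assess
            continue
        findings.append({
            "id": group.get("id", ""),
            "rule_id": rule.get("id", ""),
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS).strip(),
            "check": rule.findtext("x:check/x:check-content", default="", namespaces=XCCDF_NS).strip(),
            "fix": rule.findtext("x:fixtext", default="", namespaces=XCCDF_NS).strip(),
        })
    return findings


def _cell(text):
    """Escape pipes and newlines so free text cannot break the Markdown table."""
    return text.replace("\n", " ").replace("|", "\\|")


def render_table(findings, statuses):
    """Render a Markdown table: Finding ID | Severity | Title | Status."""
    lines = ["| Finding ID | Severity | Title | Status |", "| --- | --- | --- | --- |"]
    for f in findings:
        status = statuses.get(f["id"], NOT_REVIEWED)
        lines.append(f"| {f['id']} | {f['severity']} | {_cell(f['title'])} | {_cell(status)} |")
    return "\n".join(lines)


def count_unreviewed(findings, statuses):
    """Number of findings with no status yet (the '288 not reviewed' figure)."""
    return sum(1 for f in findings if f["id"] not in statuses)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_XCCDF)
    print(render_table(found, STATUSES))
    print(f"\n{count_unreviewed(found, STATUSES)} not reviewed")
```

Run against the real XML download, the same functions give a Markdown table for the wiki and a count of what is still open; the `check` and `fix` fields are kept in each record so the same data can later be written out with check and fix text for the Excel workbook the security reviewers expect.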

nealepetrillo commented 4 years ago

Awesome! Haven't heard about that tool but looks like a good fit. I signed up and will review in the next day or two.

matt257 commented 2 months ago

Review relevant standards; maybe ask Kyle about current efforts.