Closed Chiakao closed 1 year ago
Note: I got a 502 Bad Gateway while trying to add ci.fr.cloud.gov and admin.fr.cloud.gov to the internal scan.
I am completing the Nessus and POAM sections, but still having issues running ZAP in both the internal and external contexts.
Todo for me, look at application logs to see if there are any hints.
In order for us to update the JAB on our compliance in a consistent way, we need to run Continuous Monitoring scans on approximately the 23rd of the month. (If this date falls on a weekend or federal holiday, adjust to the last business day before the date.)
For context, see our Continuous Monitoring Strategy, including the monthly reporting summary explanation.
Netsparker
Omit: I am not finding a clear path to using Netsparker for our admin apps, and NetSparker has its own issues with false positives
OWASP ZAP Scans
Preliminary work - Sandbox User Setup
We scan our externally facing apps as sandbox users of cloud.gov, via the cloud.gov IdP, instead of platform admins. This vastly speeds up scans since the spider doesn't crawl every app and org in logs or dashboard, and also avoids issues with ZAP "clicking" on links with undesired impacts.
Create a sandbox account, starting from https://account.fr.cloud.gov/signup, and use an email such as your fname.lname@{cio.gov, pif.gov, fedramp.gov}.
As your "sandbox" user identity, launch a "Hello World" app so there's something in the dashboard and logs apps to spider. (ToDo: Determine if this is really necessary, provide link to steps).
Install, Configure, and Update
Check that you have the latest stable version of ZAP. Install/update via Homebrew with:
brew update; brew install owasp-zap
or
brew update; brew reinstall owasp-zap
Then clear the macOS quarantine attribute so the app can launch:
xattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'
Start ZAP and update. Set the JVM memory option to:
-Xmx8192m
Quit and restart ZAP if you change the JVM options.
Be sure you have Firefox installed (with Homebrew
brew cask install firefox
or any way you choose). Chrome does not support proxy settings while Firefox does.
Clone the product repo so you have the context files you need:
git clone git@github.com:cloud-gov/product.git
Running ZAP scans
ZAP scans take hours. We recommend you start in the morning. There are two separate scans to run, external and internal, and the internal one takes considerably longer (you may want to run it when VPN traffic is lower).
The following steps are for the external scan (except as noted):
1. From the product repo, load the cloud.gov-conmon-external.context file into ZAP (File > Import Context).
2. Check the context to see the included web applications (Context -> Included in Context).
3. For the external context, use your "sandbox" identity. VPN not needed. For the internal context, use your Cloud Ops (GSA SecureAuth) identity, and join the VPN.
4. Check the Sites list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting Delete.
5. For an internal rescan, you can omit login.fr.cloud.gov from the sites before spidering/scanning.
6. CTRL-click on the context and run the Spider scan. This takes a little less than an hour.
7. Once the Spider scan is complete, again CTRL-click on the context and this time run the Active Scan.
8. From the Report menu, select Generate Report ...
9. Choose the Template options, and name the reports using the template YYYYMMDD-ZAP-(context).xml/html. E.g.
10. Quit ZAP, then repeat the "Running ZAP scans" steps for the internal context (which will require the VPN).
Troubleshooting Zap Scans
In Firefox, if you see a Java Unable to Connect exception, try the following:
1. Close both Firefox and ZAP.
2. In ~/Library/Application Support/ZAP/log4j2.properties, change the following levels to debug so the entries look like this:
3. Open ZAP, follow the above and open Firefox. Try to go to the server that failed previously.
4. If that works, then change the levels back to info from debug, so they look like this:
For the internal sites, try the following order in Firefox to bring up the sites according to the context:
If the context changes the sites, this list and order will need to be revisited.
Upload and wrap up
Upload all reports to Google Drive: https://drive.google.com/drive/u/0/folders/0B5fn0WMJaYDnaFdCak5WNWRGb1U in a folder named YYYYMMDD-ZAP-Nessus.
You can shut down ZAP and Firefox.
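Before uploading, it helps to confirm that every context produced both report files under the YYYYMMDD-ZAP-(context).xml/html naming above. The following POSIX shell functions are an added example, not part of the cloud.gov runbook; the report directory, the date 20210723 and the context names passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the cloud.gov runbook): check that the ZAP reports
# for a ConMon run exist and follow the YYYYMMDD-ZAP-(context).xml/html
# naming convention before they go into the YYYYMMDD-ZAP-Nessus Drive folder.

# zap_report_name DATE CONTEXT EXT -> echoes the expected report file name
zap_report_name() {
  echo "$1-ZAP-$2.$3"
}

# zap_reports_complete DIR DATE CONTEXT... -> 0 if every context has a
# non-empty .xml and .html report in DIR, 1 if any is missing (listed on
# stdout), 2 if DATE is not in YYYYMMDD form.
zap_reports_complete() {
  dir="$1"; date="$2"; shift 2
  case "$date" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "date must be YYYYMMDD: $date"; return 2 ;;
  esac
  missing=0
  for ctx in "$@"; do
    for ext in xml html; do
      f="$dir/$(zap_report_name "$date" "$ctx" "$ext")"
      if [ ! -s "$f" ]; then
        echo "missing or empty: $f"
        missing=1
      fi
    done
  done
  return $missing
}

# Usage (constructed values): zap_reports_complete ~/Downloads 20210723 external internal
```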
NEEDS FIXING: Include for 2021-07 the Pages scanning:
Potential ZAP Issues
Acceptance criteria
Disk Usage
A single ZAP scan of the cloud-gov context requires significant disk space (over 100GB). If you have run ZAP previously, you should check to see if your previous sessions have been persisted. If so, you likely need to clear out those directories before proceeding.
You can check ZAP's disk usage with:
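As an added example (not the runbook's own command), the following POSIX shell functions report the size of ZAP's session and sessions directories and flag any that exceed a threshold; the macOS ZAP home path is assumed and can be overridden with ZAP_HOME.

```shell
#!/bin/sh
# Added example (not from the cloud.gov runbook): report the size of ZAP's
# persisted session directories so an oversized one can be cleared before
# a ConMon scan. Assumes the macOS ZAP home unless ZAP_HOME is set.
ZAP_HOME="${ZAP_HOME:-$HOME/Library/Application Support/ZAP}"

# zap_dir_kb DIR -> prints the size of DIR in KiB (0 if it does not exist)
zap_dir_kb() {
  [ -d "$1" ] || { echo 0; return; }
  du -sk "$1" | awk '{print $1}'
}

# zap_check_sessions BASE THRESHOLD_KB -> prints one line per directory and
# returns 1 if "session" or "sessions" under BASE exceeds THRESHOLD_KB, else 0
zap_check_sessions() {
  base="$1"; limit_kb="$2"; rc=0
  for d in "$base/session" "$base/sessions"; do
    kb=$(zap_dir_kb "$d")
    if [ "$kb" -gt "$limit_kb" ]; then
      echo "LARGE ${d}: ${kb}K (over ${limit_kb}K) - clear before scanning"
      rc=1
    else
      echo "ok    ${d}: ${kb}K"
    fi
  done
  return $rc
}

# Usage: warn when either directory is over 50 GiB (constructed threshold)
# zap_check_sessions "$ZAP_HOME" 52428800
```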
If you see an abnormally large session or sessions directory (my last run was 132G), you likely want to delete all files in these directories before proceeding. Choosing to "Not persist" sessions should alleviate this issue.
Export Nessus Scans
All Scans
Acceptance criteria:
The following (.xml and .html) are all uploaded to YYYYMMDD-ZAP-Nessus folder:
Update the POAM Inventory sheet
A python script is used to generate the inventory list.
1. Open the POAM Inventory sheet.
2. Delete the data rows (starting after the manually maintained inventory items). These rows are locked to prevent inadvertent editing.
3. For the tooling and production jumpboxes, login to each of them and from the initial home directory you start in, run
python3 cg-scripts/generate-POAM-inventory.py
This will output data to your terminal window in CSV format. Copy the entire CSV output.
4. Paste the contents in the spreadsheet by selecting the first cell in the first blank row following the manually maintained inventory items, then pasting with CTRL-Shift-V (Command-Shift-V for macOS) to paste without formatting. Then select the paste icon that appears and click Split text to columns.
[x] Verify you have pasted the inventory for both production and tooling.
[x] Verify that the RDS information has not been overwritten