In order for us to update the JAB on our compliance in a consistent way, we need to run Continuous Monitoring scans on approximately the 23rd of the month. (If this date falls on a weekend or federal holiday, adjust to the last business day before the date.)
Omit: I am not finding a clear path to using Netsparker for our admin apps, and NetSparker has its own issues with false positives
OWASP ZAP Scans
From the ZAP documentation: "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible."
We run ZAP from a platform operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests.
Preliminary work - Sandbox User Setup
We scan our externally facing apps as sandbox users of cloud.gov, via the cloud.gov IdP, instead of platform admins. This vastly speeds up scans since the spider doesn't crawl every app and org in logs or dashboard, and also avoids issues with ZAP "clicking" on links with undesired impacts.
Create a sandbox account, starting from https://account.fr.cloud.gov/signup, and use an email such as your fname.lname@{cio.gov, pif.gov, fedramp.gov}
As your "sandbox" user identity, launch a "Hello World" app so there's something in the dashboard and logs apps to spider. (ToDo: Determine if this is really necessary, provide link to steps).
Install, Configure, and Update
Make sure no other process is bound to port 8080 by running lsof -i TCP:8080. The ZAP proxy binds to this port.
Install Firefox (with Homebrew brew install firefox --cask or any way you chose). Chrome does not support proxy settings while Firefox does.
git clone git@github.com:cloud-gov/product.git so you have the context files you need.
For "Session persistence", select "No, I do not want to persist my session..."
For "Manage add-ons", select "Update All"
ZAP -> Preferences -> Options:
JVM -> JVM options: -Xmx8192m
Active Scan:
3 hosts
5 threads
Global Exclude URL:
Site - Firefox (select all)
Site - Font CDNs
Site - Mozilla CDN
Spider
Max Depth to Crawl: 5
Number of Threads: 7
Quit and restart ZAP if you change the JVM options.
Running ZAP scans
ZAP scans take hours. We recommend you start in the morning or run them overnight. There are two separate scans to run, external and internal, and the internal one takes considerably longer. (You may want to run it when VPN traffic is lower.)
The following steps are for the external scan (except as noted):
From the cloud.gov product repo, load the cloud.gov cloud.gov-conmon-external.context into ZAP (File > Import Context)
Delete the "Default Context" or any already completed context.
On the top line of icons, there should be a Firefox icon on the far right. Click that to open Firefox preconfigured to proxy through ZAP.
Open the context to see the included web applications (Context -> Included in Context)
In the ZAP-configured Firefox, log in to each site in the context list.
You must type the full URL each time, including the protocol (https://). Using ZAP stops automatic redirects from HTTP to HTTPS from working.
For the external context, use your "sandbox" identity. VPN not needed.
For the internal context, use your Cloud Ops (GSA SecureAuth) identity, and join the VPN
To prevent getting noise in the scan results (since that causes major confusion when the FedRAMP team processes the ConMon report), review the Sites list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting Delete.
CTRL-click on the context and run the Spider scan. This should only take a few minutes.
After the Spider scan is complete, again CTRL-click on the context and this time run the Active Scan.
After the Spider and Active scans are complete, export the results:
From Report menu, select Generate Report ...
Select the Template options, and use the templates:
Traditional HTML report
Traditional XML report
Name the files according to YYYYMMDD-ZAP-(context).xml/html. E.g.
20210623-ZAP-external.xml
20210623-ZAP-external.html
Optional: Check with compliance lead on whether we also need
"Traditional HTML Report with Requests and Responses"
Quit ZAP, then repeat the "Running ZAP scans" steps for the internal context (which will require the VPN)
Make sure you are typing the entire URL, including the https:// protocol, into Firefox. Firefox will appear to automatically redirect from http to https, but if you check the ZAP console, you'll see the requests being made in http and failing with 502 Bad Gateway.
Browser Was Not Found, Java Exceptions
Did you stop all locally running web servers? If they are bound to port 8080, they will prevent Firefox from connecting to the proxy. (You might see the error: "browser was not found".)
Java Unable to Connect Exception
In Firefox if you see a Java Unable to Connect Exception, try the following:
Close both Firefox and ZAP.
In ~/Library/Application Support/ZAP/log4j2.properties:
Change the following level's to debug so the entries look like this:
If the context changes the sites, this list and order will need to be revisited.
Generic Troubleshooting
For when the other troubleshooting has not helped:
Fully close Firefox and restart ZAP.
Uninstall and reinstall FF and ZAP.
ZAP also has a weekly build available. If the current stable build isn't working for some reason, try the weekly build instead. Download the ZIP, cd to it in your terminal, and run it with ./zap.sh. If it outputs a message like Exiting: ZAP requires a minimum of Java 11 to run, run brew install java to install the latest Java and try again.
[x] YYYYMMDD-external.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder
[x] YYYYMMDD-internal.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder
[ ] YYYYMMDD-pages.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder
Disk Usage
A single ZAP scan of the cloud-gov context requires significant disk space (over 100GB). If you have run ZAP previously, you should check to see if you previous sessions have been persisted. If so, you likely need to clear out those directories before proceeding.
You can check ZAP's disk usage with:
du -h -d 1 ~/Library/Application\ Support/ZAP/
If you see an abnormally large session or sessions directory (my last run was 132G), you likely want to delete all files in these directories before proceeding. Choosing to "Not persist" sessions should alleviate this issue.
Click on each vulnerability scan for Tooling and Production, and export the .nessus file (Export > Nessus) and the "Complete List of Vulnerabilities by Host" report (Report > HTML).
Click on each compliance scan for Tooling and Production, and export the .nessus file (Export > Nessus) and the "Compliance" report (Report > HTML).
Click on each scan for RDS Compliance, and export the .nessus file (Export > Nessus) and the "Compliance" report (Report > HTML).
Acceptance criteria:
The following (.nessus and .html) are all uploaded to YYYYMMDD-ZAP-Nessus folder:
[x] Production_Vulnerability_scan
[x] Tooling_Vulnerability_scan
[x] Production_Compliance_scan
[x] Tooling_Compliance_scan
[x] ALL the RDS compliance scans
Update the POAM Inventory sheet
A python script is used to generate the inventory list.
Delete the data rows (starting after the manually maintained inventory items) - These rows are locked to prevent inadvertent editing.
For the tooling and production jumpboxes:
Login to each jumpbox and take note of the container number:
[x] production
[x] tooling
[x] master
Run python3 cg-scripts/generate-POAM-inventory.py > inv.csv, then exit.
Copy the CSV to your local clipboard by running the following, where {environment} is production, master, or tooling and container-number is the number from the first step.
fly -t ci i -j "jumpbox/container-bosh-{environment}" -s jumpbox -b "{container-number}" -- cat inv.csv | pbcopy
Paste the contents in the spreadsheet by selecting the first cell in the first blank row following the manually maintained inventory items, then pasting with CTRL-Shift-V (Command-Shift-V for macOS) to paste without formatting. Then select the paste icon that appears and click Split text to columns
[x] Verify you have pasted the inventory for both production and tooling.
[x] Verify that the RDS information has not been overwritten.
In order for us to update the JAB on our compliance in a consistent way, we need to run Continuous Monitoring scans on approximately the 23rd of the month. (If this date falls on a weekend or federal holiday, adjust to the last business day before the date.)
For context, see our Continuous Monitoring Strategy, including the monthly reporting summary explanation.
Netsparker
Omit: I am not finding a clear path to using Netsparker for our admin apps, and NetSparker has its own issues with false positives
OWASP ZAP Scans
From the ZAP documentation: "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible."
We run ZAP from a platform operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests.
Preliminary work - Sandbox User Setup
We scan our externally facing apps as sandbox users of cloud.gov, via the cloud.gov IdP, instead of platform admins. This vastly speeds up scans since the spider doesn't crawl every app and org in logs or dashboard, and also avoids issues with ZAP "clicking" on links with undesired impacts.
Create a sandbox account, starting from https://account.fr.cloud.gov/signup, and use an email such as your
fname.lname@{cio.gov, pif.gov, fedramp.gov}As your "sandbox" user identity, launch a "Hello World" app so there's something in the dashboard and logs apps to spider. (ToDo: Determine if this is really necessary, provide link to steps).
Install, Configure, and Update
lsof -i TCP:8080. The ZAP proxy binds to this port.brew install firefox --caskor any way you chose). Chrome does not support proxy settings while Firefox does.git clone git@github.com:cloud-gov/product.gitso you have thecontextfiles you need.brew update; brew install owasp-zaporbrew update; brew reinstall owasp-zapxattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'Start ZAP and update
-Xmx8192mQuit and restart ZAP if you change the JVM options.
Running ZAP scans
ZAP scans take hours. We recommend you start in the morning or run them overnight. There are two separate scans to run, external and internal, and the internal one takes considerably longer. (You may want to run it when VPN traffic is lower.)
The following steps are for the
externalscan (except as noted):productrepo, load the cloud.govcloud.gov-conmon-external.contextinto ZAP (File > Import Context)contextto see the included web applications (Context -> Included in Context)https://). Using ZAP stops automatic redirects from HTTP to HTTPS from working.externalcontext, use your "sandbox" identity. VPN not needed.internalcontext, use your Cloud Ops (GSA SecureAuth) identity, and join the VPNSiteslist to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selectingDelete.Spiderscan. This should only take a few minutes.Spiderscan is complete, again CTRL-click on the context and this time run theActive Scan.Reportmenu, selectGenerate Report ...Templateoptions, and use the templates:YYYYMMDD-ZAP-(context).xml/html. E.g.Quit ZAP, then repeat the "Running ZAP scans" steps for the
internalcontext (which will require the VPN)Troubleshooting ZAP Scans
502 Bad Gateway, ZAP Error
If you encounter the following:
ZAP Error [org.apache.hc.core5.http.NoHttpResponseException]Make sure you are typing the entire URL, including the
https://protocol, into Firefox. Firefox will appear to automatically redirect from http to https, but if you check the ZAP console, you'll see the requests being made in http and failing with 502 Bad Gateway.Browser Was Not Found, Java Exceptions
Java Unable to Connect Exception
In Firefox if you see a Java Unable to Connect Exception, try the following:
Close both Firefox and ZAP.
In
~/Library/Application Support/ZAP/log4j2.properties:Change the following level's to debug so the entries look like this:
Open ZAP, follow the above and open Firefox. Try to go to the server that failed previously.
If that works, then change the levels back to info from debug, so they look like this:
For the internal sites, try the following order in Firefox to bring up the sites according to the context:
If the context changes the sites, this list and order will need to be revisited.
Generic Troubleshooting
For when the other troubleshooting has not helped:
cdto it in your terminal, and run it with./zap.sh. If it outputs a message likeExiting: ZAP requires a minimum of Java 11 to run, runbrew install javato install the latest Java and try again.Upload and wrap up
Upload all reports to Google Drive: https://drive.google.com/drive/u/0/folders/0B5fn0WMJaYDnaFdCak5WNWRGb1U in a folder named
YYYYMMDD-ZAP-Nessus.You can shut down ZAP and Firefox.
Potential ZAP Issues
Acceptance criteria
Disk Usage
A single ZAP scan of the cloud-gov context requires significant disk space (over 100GB). If you have run ZAP previously, you should check to see if you previous sessions have been persisted. If so, you likely need to clear out those directories before proceeding.
You can check ZAP's disk usage with:
If you see an abnormally large
sessionorsessionsdirectory (my last run was 132G), you likely want to delete all files in these directories before proceeding. Choosing to "Not persist" sessions should alleviate this issue.Export Nessus Scans
All ScansAcceptance criteria:
The following (.nessus and .html) are all uploaded to YYYYMMDD-ZAP-Nessus folder:
Update the POAM Inventory sheet
A python script is used to generate the inventory list.
Open the POAM Inventory sheet
Delete the data rows (starting after the manually maintained inventory items) - These rows are locked to prevent inadvertent editing.
For the tooling and production jumpboxes:
python3 cg-scripts/generate-POAM-inventory.py > inv.csv, thenexit.{environment}isproduction,master, ortoolingandcontainer-numberis the number from the first step.Paste the contents in the spreadsheet by selecting the first cell in the first blank row following the manually maintained inventory items, then pasting with CTRL-Shift-V (Command-Shift-V for macOS) to paste without formatting. Then select the paste icon that appears and click
Split text to columns[x] Verify you have pasted the inventory for both production and tooling.
[x] Verify that the RDS information has not been overwritten.