A progressive Node.js framework for building efficient and scalable server-side applications, heavily inspired by Angular.
We're still in early alpha, so expect this process to become simpler once the DB backend is more stable.

Using the method of your choice, install a PostgreSQL server on your machine. Then create two databases: one with a name of your choice, the other (if you want to run tests) with the specific name heimdallts_jest_testing_service_db.
Edit your `.bash_profile` (or the equivalent file/method for setting environment variables) to export the following environment variables:

```shell
export DATABASE="localhost"
export DATABASE_USER="your db username"
export DATABASE_PASSWORD="your db password"
export JWT_SECRET="type some random characters here until we get a better method of generating them"
```
```shell
git clone https://github.com/mitre/heimdallts.git heimdallts-server
git clone https://github.com/mitre/heimdallts-db.git heimdallts-db
cd heimdallts-db
npm i && npm run build && npm link   # build the DB package and register it for linking
cd ..
cd heimdallts-server
npm i && npm link heimdallts-db       # use the locally built DB package
npm run start:dev
```
```shell
# development
$ npm run start

# watch mode
$ npm run start:dev

# production mode
$ npm run start:prod

# unit tests
$ npm run test

# e2e tests
$ npm run test:e2e

# test coverage
$ npm run test:cov
```
Heimdall is a centralized visualization server for your InSpec evaluations and profiles.
Heimdall supports viewing of InSpec profiles and evaluations in a convenient interface. Data uploads can be automated through usage of curl and added as a step after an InSpec pipeline stage.
There are two versions of MITRE Heimdall: the full Heimdall and the Heimdall-Lite version. We produced each to meet different needs and use cases.
| Heimdall-Lite | Heimdall |
|---|---|
| Ship the App & Data via simple Email | Multiple Teams Support |
| Minimal Footprint & Deployment Time | Timeline and Report History |
| Local or disconnected Use | Centralized Deployment Model |
| One-Time Quick Reviews | Need to view the delta between one or more runs |
| Decentralized Deployment | Need to view subsets of the 800-53 control alignment |
| Minimal A&A Time | Need to produce more complex reports in multiple formats |
| Features | Heimdall-Lite | Heimdall |
|---|---|---|
| Installation Requirements | any web server | rails 5.x Server, PostgreSQL |
| Overview Dashboard & Counts | x | x |
| 800-53 Partition and TreeMap View | x | x |
| Data Table / Control Summary | x | x |
| InSpec Code / Control Viewer | x | x |
| SSP Content Generator | x | x |
| PDF Report and Print View | x | x |
| Users & Roles & multi-team support | | x |
| Authentication & Authorization | Hosting Webserver | Hosting Webserver, LDAP, GitHub OAUTH & SAML, GitLab OAUTH & SAML |
| Advanced Data / Filters for Reports and Viewing | | x |
| Multiple Report Output (DISA Checklist XML, CAT, XCCDF-Results, and more) | | x |
| Authenticated REST API | | x |
| InSpec Run 'Delta' View | | x |
| Multi-Report Tagging, Filtering and Comparison | | x |
We publish our latest builds on packager.io, Docker Hub and Chef Habitat (coming soon).
Given that Heimdall requires at least a database service, we use Docker Compose.

The following commands are useful for managing the data in your Docker container:

```shell
docker-compose run ???
```

This destroys and rebuilds the db.

```shell
docker-compose run ???
```

This updates the db.

```shell
docker-compose run ???
```

This updates the db.

Make sure you have run the setup steps at least once before following these steps!

```shell
docker-compose up -d
```

Open 127.0.0.1:8050 in a web browser.

A new version of the Docker container can be retrieved by running:

```shell
docker-compose pull
???
```

This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation.

To stop Heimdall:

```shell
# From the source directory you started from
docker-compose down
```
Once you install Heimdall, you will have to create your first account. By default this account will have full admin rights, and you will then be able to create other users and grant them access to roles, circles (groups) and teams as you need. You can add your first user by selecting 'Create Account' and then logging in as that user.

Heimdall also supports connecting to your corporate LDAP and other OAuth authentication services, but the authorization of those users in Heimdall is managed via the application itself (PRs welcome).

Once you have an account you can upload InSpec JSONs (see reporters) for evaluations and profiles, then view them by clicking on the Evaluations and Profiles tabs at the top of the page.
Heimdall supports separating users into groups we call 'Circles', which are basically just groups and roles. This will allow you to deploy a common service which many teams can use, and allow your AO or Security Teams to review and comment on multiple teams' work while still providing separation of roles and responsibilities.

The Heimdall Administrator can define Circles and add users to those circles. At the moment this is done directly in the Heimdall application (PRs welcome), and teams can push their results to a circle via curl. This allows multiple work streams to happen and easy integration into workflow processes, while trying to keep the human element from going blind :).

By default everything goes to the public circle; you should define your circles with respect to the R&R of your organization and your project and program structure.

Although it's just a suggestion, we have also found that having a few generic results in the public circle is useful for easy demonstrations and conversations. This will allow all visitors to view the profile/evaluation you uploaded.
To upload through curl you'll need an API key. This is located on your profile page which can be reached by clicking on your user name in the top right corner, then on profile.
At its most basic, the upload API takes three parameters: the file, your email address, and your API key.
???
The inspec_tools and heimdall_tools projects also have useful features that help you manage your results, integrate with your CI/CD and DevOps pipelines, and get your teams working.

inspec_tools has the compliance and summary functions, which will help you define a go/no-go for your pipeline results and allow you to define your thin blue line of success or failure. Incorporating these tools, you can scan, process, evaluate and upload your results, allowing your various teams and stages to define the granularity they need while still following the spirit of the overall DevSecOps process as a whole.

For example, the compliance function will let you easily use Jenkins, GitLab/GitHub CI/CD or Drone to get a clean pass/fail with an exit 0 or exit 1, and allow you to define exactly the high, medium and low thresholds and the overall compliance score that you and your Security Official agreed to, in production or in development.

NOTE: You should always test as if you are in production; that is where you are going to end up, after all!
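What such a go/no-go gate does, as an added example (not inspec_tools' own code): it tallies failed InSpec controls by severity, computes a compliance percentage and returns exit 0 or exit 1 against agreed thresholds. It assumes the layout of InSpec's JSON reporter (profiles[].controls[] with `impact` and `results[].status`), InSpec's impact bands (low below 0.4, medium below 0.7, high at 0.7 and above), and that impact 0 means not applicable and is excluded from the score; the sample report is constructed.

```javascript
// Added example, not inspec_tools' own code: a go/no-go gate over InSpec
// JSON-reporter output (profiles[].controls[] with `impact` and
// `results[].status`). Assumptions: InSpec's impact bands (low < 0.4,
// medium < 0.7, high >= 0.7) and a score of passed controls over all
// controls with impact > 0 (impact 0 means not applicable).
function controlStatus(control) {
  const s = control.results.map((r) => r.status);
  if (s.includes('failed') || s.includes('error')) return 'failed';
  return s.every((x) => x === 'skipped') ? 'skipped' : 'passed';
}
const severity = (impact) => (impact >= 0.7 ? 'high' : impact >= 0.4 ? 'medium' : 'low');

// Tally failures by severity and compute the compliance percentage.
function summarize(report) {
  const t = { high: 0, medium: 0, low: 0, passed: 0, scored: 0 };
  for (const profile of report.profiles) {
    for (const c of profile.controls) {
      if (c.impact === 0) continue; // not applicable: excluded from the score
      t.scored += 1;
      const status = controlStatus(c);
      if (status === 'passed') t.passed += 1;
      else if (status === 'failed') t[severity(c.impact)] += 1;
      // skipped controls lower the score but are not failures
    }
  }
  t.compliance = t.scored ? Math.round((100 * t.passed) / t.scored) : 100;
  return t;
}

// Exit code 1 when any agreed threshold is breached; reasons are returned too.
function gate(report, limits) {
  const t = summarize(report);
  const breaches = ['high', 'medium', 'low']
    .filter((sev) => t[sev] > limits[sev])
    .map((sev) => `${sev} failures ${t[sev]} exceed ${limits[sev]}`);
  if (t.compliance < limits.minCompliance) breaches.push(`compliance ${t.compliance}% below ${limits.minCompliance}%`);
  return { exitCode: breaches.length ? 1 : 0, breaches, tally: t };
}

// Constructed sample standing in for `inspec exec ... --reporter json` output.
const SAMPLE_REPORT = { profiles: [{ controls: [
  { id: 'V-1', impact: 0.7, results: [{ status: 'passed' }] },
  { id: 'V-2', impact: 0.5, results: [{ status: 'passed' }, { status: 'failed' }] },
  { id: 'V-3', impact: 0.3, results: [{ status: 'skipped' }] },
  { id: 'V-4', impact: 0.0, results: [{ status: 'skipped' }] },
] }] };

// Demo run; a pipeline wrapper would call process.exit(result.exitCode).
const result = gate(SAMPLE_REPORT, { high: 0, medium: 0, low: 5, minCompliance: 80 });
console.log(JSON.stringify(result));
```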
This project uses the Semantic Versioning Policy.
Please feel free to look through our issues, make a fork and submit PRs and improvements. We love hearing from our end-users and the community and will be happy to engage with you on suggestions, updates, fixes or new capabilities.
Please feel free to contact us by opening an issue on the issue board, or, at inspec@mitre.org should you have any suggestions, questions or issues. If you have more general questions about the use of our software or other concerns, please contact us at opensource@mitre.org.
```shell
git commit -a -s
```

`<your_branch>`
- ensure unit tests still function and add unit tests for your new feature
- add new docs to the README.md
- (if needed) create and document any example or templates
- (if needed) create any supporting scripts
- update the version and changelog (see below for instructions)
- open a PR on the MITRE heimdall repository
© 2019-2020 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.