nuwcdivnpt / stig-manager
An API and client for managing STIG assessments
License: Other
Not really sure if this is a bug or feature request.
Collections > Assets > asset name > STIG name > "Review on asset name" > "Evaluation" section.
The "Comment" box is pulling text from the CKL "Finding Details" node. As a user, I find this misleading. Shouldn't this text box be labeled "Finding Details"?
The actual "Comments" node from the CKL is not visible in this area of STIG Manager. For open findings, I need to verify the CKL comments field is populated with a mitigation statement. I would prefer to be able to collapse the "Review Resources" box and have both the CKL Comments and Finding Details boxes available for review/edit.
Thanks!
Describe the bug
api_1 | [INIT] Importing STIGs...
api_1 | Retreiving list of Compilation files from public.cyber.mil...
api_1 | DOWNLOADED 100.00% of 0.07 mb
api_1 | Retreiving https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SRG-STIG_Library_2020_07v2.zip
api_1 | DOWNLOADED 4.68% of 204.13 mb
api_1 | DOWNLOADED 9.35% of 204.13 mb
api_1 | DOWNLOADED 14.03% of 204.13 mb
api_1 | DOWNLOADED 18.70% of 204.13 mb
api_1 | DOWNLOADED 23.38% of 204.13 mb
api_1 | DOWNLOADED 28.05% of 204.13 mb
api_1 | DOWNLOADED 32.73% of 204.13 mb
api_1 | DOWNLOADED 37.40% of 204.13 mb
api_1 | DOWNLOADED 42.08% of 204.13 mb
api_1 | DOWNLOADED 46.75% of 204.13 mb
api_1 | DOWNLOADED 51.43% of 204.13 mb
api_1 | DOWNLOADED 56.10% of 204.13 mb
api_1 | DOWNLOADED 60.77% of 204.13 mb
api_1 | DOWNLOADED 65.45% of 204.13 mb
api_1 | DOWNLOADED 70.12% of 204.13 mb
api_1 | DOWNLOADED 74.80% of 204.13 mb
api_1 | DOWNLOADED 79.48% of 204.13 mb
api_1 | DOWNLOADED 84.16% of 204.13 mb
api_1 | DOWNLOADED 88.83% of 204.13 mb
api_1 | DOWNLOADED 93.51% of 204.13 mb
api_1 | DOWNLOADED 98.19% of 204.13 mb
api_1 | DOWNLOADED 100.00% of 204.13 mb
api_1 | Processing ZIP...
api_1 |
api_1 | [1/207] -----------------------------
api_1 | EXTRACTING: U_A10_Networks_ADC_ALG_V1R1_STIG.zip
api_1 | PROCESSING: U_A10_Networks_ADC_ALG_V1R1_STIG.zip
api_1 | PARSING : U_A10_Networks_ADC_ALG_V1R1_Manual_STIG/U_A10_Networks_ADC_ALG_STIG_V1R1_Manual-xccdf.xml
api_1 | Connection 8 STATS ENTER
api_1 | Connection 8 STATS SELECT
api_1 | Connection 8 STATS UPDATE
api_1 | Connection 8 STATS ERROR Named query contains placeholders, but parameters object is undefined
api_1 | Error: Named query contains placeholders, but parameters object is undefined
api_1 | at toArrayParams (/home/node/node_modules/named-placeholders/index.js:95:13)
api_1 | at compile (/home/node/node_modules/named-placeholders/index.js:144:12)
api_1 | at PoolConnection._resolveNamedPlaceholders (/home/node/node_modules/mysql2/lib/connection.js:486:17)
api_1 | at PoolConnection.query (/home/node/node_modules/mysql2/lib/connection.js:499:10)
api_1 | at /home/node/node_modules/mysql2/promise.js:98:11
api_1 | at new Promise ()
api_1 | at PromisePoolConnection.query (/home/node/node_modules/mysql2/promise.js:93:12)
api_1 | at Object.module.exports.updateStatsAssetStig (/home/node/service/mysql/utils.js:425:39)
api_1 | at runMicrotasks ()
api_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)
api_1 | at async Object.exports.insertManualBenchmark (/home/node/service/mysql/STIGService.js:733:5)
api_1 | at async processZip (/home/node/utils/fetchStigs.js:140:20)
api_1 | at async processZip (/home/node/utils/fetchStigs.js:153:7)
api_1 | at async Object.fetchCompilation (/home/node/utils/fetchStigs.js:80:7)
api_1 | at async startServer (/home/node/index.js:160:7)
I found a bug in the:
Please include a clear and concise description of what the bug is.
When importing the Docker instance described here (https://hub.docker.com/r/nuwcdivnpt/stig-manager), it appears to fail to retrieve the STIGs from cyber.mil. After this failure the container loads and I am able to log into the localhost instance of STIG_Manager, where I also tried to import them into the running STIG_Manager, and that failed with the same errors as above. My instance of Docker is for Windows with WSL2 installed. STIG_Manager otherwise appears to be running. I can log in, create a collection and add assets and users. I just cannot import STIGs against the assets because the benchmark data from cyber.mil was not imported. All attempts to import completed STIGs are ignored.
To Reproduce
https://hub.docker.com/r/nuwcdivnpt/stig-manager Follow the steps here.
Expected behavior
For the STIGs to import as advertised "On initial container startup, STIG Manager will connect to DoD Cyber Exchange and import the latest STIG Library Compilation and any available SCAP content."
Actual behavior
What behavior did you actually experience? Failed to import the STIGS
Screenshots
If applicable, add screenshots to help explain your problem.
Environment or Configuration:
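The stack trace in this report ends in `updateStatsAssetStig` calling `query()` with a named-placeholder SQL string but no parameters object. As an added example (not code from stig-manager or mysql2), the block below is a minimal stand-in for the named-placeholder compilation step, enough to reproduce the exact error, show the corrected call, and give a startup check that catches missing parameters before a real connection is involved. The table and column names in the sample query are assumptions, not the project's schema.

```javascript
// Added example, not code from stig-manager or mysql2. A minimal stand-in for
// the named-placeholder compilation step that raised the error in the log
// above, so the failure can be reproduced and checked without a database.
function compileNamed(sql, params) {
  // Rewrite ":name" tokens to positional "?" markers. (Simplified: a real
  // compiler also skips quoted string literals and "::" casts.)
  const names = [];
  const positional = sql.replace(/:([A-Za-z_]\w*)/g, (_match, name) => {
    names.push(name);
    return '?';
  });
  if (names.length === 0) {
    return { sql, values: [] };
  }
  // This is the condition behind the log message: the SQL text contains
  // placeholders but the caller passed no parameters object at all.
  if (params === undefined || params === null) {
    throw new Error('Named query contains placeholders, but parameters object is undefined');
  }
  const values = names.map((name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`Named query expects parameter "${name}" but it was not supplied`);
    }
    return params[name];
  });
  return { sql: positional, values };
}

// Hypothetical statistics update for one asset/STIG pair; the table and column
// names are assumptions for this example, not the project's schema.
const UPDATE_STATS_SQL =
  'UPDATE stats_asset_stig SET minTs = :minTs, maxTs = :maxTs WHERE assetId = :assetId AND benchmarkId = :benchmarkId';

// Variant that reproduces the bug: the parameters object is never passed.
function updateStatsMissingParams(db) {
  return db.query(UPDATE_STATS_SQL);
}

// Corrected variant: every named placeholder has a value in the object.
function updateStatsAssetStig(db, { assetId, benchmarkId, minTs, maxTs }) {
  return db.query(UPDATE_STATS_SQL, { assetId, benchmarkId, minTs, maxTs });
}

// Fake connection: compiles the query instead of sending it to MySQL.
const fakeDb = { query: (sql, params) => compileNamed(sql, params) };

// Guard usable at startup or in tests: compiles a named query against an
// example parameter object and returns the error message, or null if fine.
function checkQueryParams(sql, exampleParams) {
  try {
    compileNamed(sql, exampleParams);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

Running `updateStatsMissingParams(fakeDb)` throws the same message as the log; `updateStatsAssetStig(fakeDb, { assetId: 42, benchmarkId: 'EXAMPLE_STIG', minTs: 1, maxTs: 2 })` compiles to positional SQL with the values in placeholder order.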
I have a similar project that I am about to release for production. I would like to talk about your project and see how we can work together to solve this problem. My project uses Nessus scans which I then enhance with SCAP content. The application tracks the vulnerability and compliance for each SSP, allows users to set false positives, not applicables, severity and finding results. The application tracks assets and scanning. It auto-generates findings from approved templates. It reads the output of the Nessus results and not just the finding to ensure no false positives. It tracks test plans and associates findings to them. Users no longer have to look into SCAP files or Nessus CSVs; the dashboard shows them every control that fails and which check is associated with it. We just added a STIG dashboard to track STIG compliance by finding and IP. These are just a few of the features.
Describe the bug
I found a bug in the:
Bug Description:
Status report lists a "Checklist: (None)" when grouped by STIG
When grouped by Asset, STIGs that are assigned to an Asset but have no reviews at all are not listed.
Ultimately, this is because the API is not returning sensible statistics (as far as the extjs grid is concerned) for STIG Assignments that have no reviews.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Status report should have a row for each STIG assigned to an asset
Return 0s rather than nulls
Additional context
The fix for this may require revisiting the current approach to STIG Completion statistics.
(at the very least, calculating them when a new STIG assignment is made, or revisiting the need for pre-calculating them at all vs. on demand)
Mac/cl hard-coded as 5 on create, updates with mac/cl specified fail
Describe the bug
I found a bug in the:
Please include a clear and concise description of what the bug is.
Some STIG text displayed in STIGMan shows invalid/wrong characters due to improper handling of unicode in STIG source files.
To Reproduce
View rule SV-77809r3_rule in the WIN10 STIG. Manual check has line that reads:
"System type" is not "64-bit operating system�", this is a finding."
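The replacement character in the rule text above is what a lenient UTF-8 decoder emits when it meets a byte sequence that is not valid UTF-8 (for instance a smart quote stored in a legacy Windows code page). As an added example (not stig-manager code), the block below decodes strictly, reports the byte offset of the first invalid sequence, and only then attempts a fallback, so an importer can flag a mis-encoded source file instead of silently storing U+FFFD. The sample buffers are constructed; Windows-1252 support in `TextDecoder` is assumed to be present (Node builds with full ICU) and the code returns `null` rather than guessing if it is not.

```javascript
// Added example, not stig-manager code. Shows the mechanism behind the U+FFFD
// in the rule text above and a check an importer can apply: decode strictly,
// report the byte offset of the first invalid sequence, and only then decide
// on a fallback, instead of silently storing replacement characters.

// Constructed samples of the sentence from the WIN10 rule: the closing smart
// quote (U+201D) once as UTF-8 (E2 80 9D) and once as a Windows-1252 byte (94),
// which is what a source file saved in that legacy code page would contain.
const RULE_TEXT = '"System type" is not "64-bit operating system\u201D", this is a finding.';
const SAMPLE_UTF8 = Buffer.from(RULE_TEXT, 'utf8');
const SAMPLE_CP1252 = Buffer.concat([
  Buffer.from('"System type" is not "64-bit operating system', 'latin1'),
  Buffer.from([0x94]),
  Buffer.from('", this is a finding.', 'latin1'),
]);

// Lenient decoding, the default behaviour of Buffer#toString: every invalid
// sequence becomes U+FFFD and the information about the bad byte is lost.
function decodeLenient(buf) {
  return buf.toString('utf8');
}

// Byte offset of the first invalid UTF-8 sequence, or -1 if the buffer is valid.
// Bytes are streamed one at a time so the decoder throws at the offending byte.
function firstInvalidUtf8Offset(buf) {
  const decoder = new TextDecoder('utf-8', { fatal: true });
  for (let i = 0; i < buf.length; i++) {
    try {
      decoder.decode(buf.subarray(i, i + 1), { stream: true });
    } catch (_e) {
      return i;
    }
  }
  // An incomplete multi-byte sequence at the very end is also invalid.
  try {
    decoder.decode();
  } catch (_e) {
    return buf.length;
  }
  return -1;
}

// Strict decoding for an importer: either valid text or a precise diagnostic.
function decodeStrict(buf) {
  const offset = firstInvalidUtf8Offset(buf);
  if (offset === -1) {
    return { ok: true, text: buf.toString('utf8') };
  }
  return {
    ok: false,
    offset,
    byte: buf[offset],
    message: `invalid UTF-8 at byte ${offset} (0x${buf[offset].toString(16)})`,
  };
}

// Optional recovery: re-decode with a declared legacy code page. Windows-1252
// support in TextDecoder depends on the Node build having full ICU (assumed
// here); if it is unavailable, return null rather than guess.
function decodeWithFallback(buf, fallback = 'windows-1252') {
  const strict = decodeStrict(buf);
  if (strict.ok) return strict.text;
  try {
    return new TextDecoder(fallback).decode(buf);
  } catch (_e) {
    return null;
  }
}
```

For `SAMPLE_CP1252`, `decodeLenient` yields the text with U+FFFD in place of the quote, while `decodeStrict` returns `{ ok: false, offset: 45, byte: 0x94 }`, which is what an import log should record.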
Issue can be replicated thusly:
Create package with no assets assigned.
Refresh reviews nav tree.
Package displayed in nav tree, but STIGs node can, unintuitively, still be expanded (to empty stig symbol).
Greetings,
I attempted to import approximately 1500 CKLs into a collection last night. It parsed very quickly but the "Importing data" step ran for several hours and did not appear to complete. When I checked again this morning, my session had timed out. There are lots of new Assets but not all of them.
Now attempting to import the same 1500 CKLs again. I got the same warning about the same 3 duplicates from the initial load. Since this is the second import of this batch, I expected it to detect many more (several hundred) duplicates that had been successfully imported from the first attempt and skip them. It appears to be starting over and importing the same CKLs again.
Is there a timeout issue during large imports?
Can the status of previous import operations be found in the logs somewhere? For example, "on this date, 600 files were successfully imported, 35 new assets were created, 500 files failed to import".
What is the expected behavior of the duplicate detection function?
Can the total number of CKLs added to a collection be viewed?
Thank you!
tabs load w/ no data. Incomplete revId in request.
Describe the bug
I found a bug in the:
Assessing the docker-compose up result will never load on http://serverip:54000/ because the call to keycloak is hard coded to be
http://localhost:8080/auth/realms/stigman/protocol/openid-connect/3p-cookies/step1.html
This can be seen in the keycloak.json
which contains
{
"realm": "stigman",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "stig-manager",
"public-client": true,
"confidential-port": 0
}
To Reproduce
Steps to reproduce the behavior:
docker-compose up
http://serverip:54000
Expected behavior
Expected behavior is that the STIG Manager UI loads to the interface. The example Docker setup will be more useful if it does not require installing on a local machine only. A good fix would be additional Docker ENV configurations that override the auth-server-url in the image at runtime.
Actual behavior
api : boolean handling in db utils bindObject
In tables that contain multiple assets, a hyperlink from the asset name "Asset-A" which takes you to the specific STIG checklist shown in that context would be nice. These links could open a new tab.
For instance:
Reports > Findings > Individual Findings table > --- this could link to the STIG details page for that particular asset / stig checklist.
Similarly with Reports > Status > --- this could link to the STIG details page for that particular asset / stig checklist.
This kind of linking would be useful in drilling down to specific problems so corrective action can be taken.
Thanks!
Describe the bug
I found a bug in the:
Please include a clear and concise description of what the bug is.
If it is in the API, please specify endpoint.
Including your actual request may be helpful as well.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Actual behavior
What behavior did you actually experience?
Screenshots
If applicable, add screenshots to help explain your problem.
Environment or Configuration:
Additional context
Add any other context about the problem here.
expected: Validator should only allow properly formed revision strings or "latest."
seen: request with rev string of "current" was passed on to api service, which returned error
For large collections, calls to:
GET collections/{collectionId}/reviews
could return very large result-set if no other parameters or filters are provided.
Possible solutions:
Is your feature request related to a problem? Please describe.
I found the 45-character limit on asset names somewhat limiting.
Some users may always use fqdn for asset names, rather than a shorter name.
(I think) Host name fields from STIG Viewer checklists are not limited to 45 characters.
Describe the solution you'd like
Asset name column/field could be the same length as the FQDN (255 characters)
Describe alternatives you've considered
Manually enforcing shorter host names before import, but that may require editing every checklist before import.
Issue Location
I found an issue in the:
Issue Description:
Several files in the client reference legacy .pl scripts:
collectionReview.js
poamWorkspace.js
reportTab.js
review.js
reviewTab.js
stigAdmin.js
stigmanUtils.js
candidate files for removal:
AssetAdmin.js
scanManagement.js
artifactAdmin.js
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
Describe the solution you'd like
A clear and concise description of what you want to happen.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
Describe the solution you'd like
In CKL import at individual asset-stig review screen, UI should provide feedback and/or provide basic vetting of the .ckl that is selected.
UI should present summary info about selected .ckl:
Check Asset included in submitted .ckl against asset the import action was selected for, indicate discrepancy.
Check STIG included in submitted .ckl against STIG the import action was selected for, indicate discrepancy.
Check included .ckl rules against current list of displayed rules. Indicate discrepancies, offer to just import rules included in the current rule display, if rules are filtered.
Describe the bug
I found a bug in the:
There is a drop-down filter for "All checks" under the Collection review node which doesn't appear to work. "Manual checks" and "SCAP checks" are visible but nothing happens when you click them. This is not a problem when viewing a specific asset; the issue is only apparent under the collection review node.
Additionally, the free text filter has no effect here either.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Filter should be selectable, free text filter should work
Actual behavior
Filter options are visible but not selectable. Free text can be entered but nothing happens.
Environment or Configuration:
I found a bug in the:
GET /collections/{collectionId}/reviews/{assetId}
and
GET /collections/{collectionId}/reviews/
returning reviews for STIGs the user does not have a grant for.
Describe the solution you'd like
Specifically indicate the version of STIGMan running in the UI version badge on the Home tab. The badge could include the portion of the git describe tag that indicates the number of commits since the last release, i.e. "1.0.0-beta.11-2" rather than just "1.0.0-beta.11".
Describe alternatives you've considered
The above info is currently shown in pop-up when hovering over the version badge, and includes a piece of the sha.
When trying to upload the Windows 10 STIG CKL file for one of our systems, it fails with the attached message: "Post request is too large." I assume it's referring to the size of the file being imported. The smaller CKLs seem to be importing fine but the 1.5 MB Windows 10 CKL files are failing. They are so large because of all the test data generated by Evaluate-STIG (the tool that generates the CKLs for us); there is a lot of text in the comments and finding details that we do not want to lose.
Please let me know if further information is needed to recreate this issue.
Describe the bug
I found a bug in the:
Bug Description:
"Submit All" action in checklist menu on asset-stig review tab is not properly implemented.
Currently tries to call some legacy code (js/review.js line 2427 tries to call pl/submitChecks.pl).
Greetings,
CKLs that have Not Reviewed items but do have Finding Details written for those items do not import the Finding Details to stigman.
Expected to import this item as NR but show any Finding Details or Comments from the CKL for that item.
Thanks!
GET /assets and GET /assets/{assetId} allow unauthorized users to request stgGrants projection.
Display the autoResult property of a Review in the checklist. Suggest using the status column.
Describe the solution you'd like
In CKL import at individual asset-stig review screen, UI should provide feedback and/or provide basic vetting of the .ckl that is selected.
UI should present summary info about selected .ckl:
Check Asset included in submitted .ckl against asset the import action was selected for, indicate discrepancy.
Check STIG included in submitted .ckl against STIG the import action was selected for, indicate discrepancy.
Check included .ckl rules against current list of displayed rules. Indicate discrepancies, offer to just import rules included in the current rule display, if rules are filtered.
POST of ckl file to /collections/{collectionId}/reviews/{assetId}
is not performing strict asset check or benchmark check
CKL imports should (optionally?) check that they:
A scope value of "" is accepted by the API
I found a bug in the:
Middleware that validates OAuth scope does not handle empty string properly
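Three of the reports on this page are authorization gaps of the same shape: a scope claim of `""` satisfying the scope check, the `stigGrants` projection being served to unauthorized users on `GET /assets`, and the reviews endpoints returning reviews for STIGs the caller has no grant for. As an added example (not stig-manager code), the block below writes the three checks as plain functions that run without Express or Keycloak. The claim and field names (`scope`, `roles`, `grants`, `benchmarkId`), the scope string, and the `admin` role name are assumptions for the example; the sample reviews and users are constructed.

```javascript
// Added example, not stig-manager code. Three authorization checks drawn from
// the reports above: a scope check that treats an empty scope claim as "no
// scope", a projection check that refuses privileged projections to ordinary
// users, and a grant filter so a reviews endpoint never returns reviews for
// STIGs the caller holds no grant for. Field names are assumptions.

// RFC 6749 scope claims are space-delimited. "" and whitespace-only values
// yield an empty set instead of a set containing "", so they can never match.
function parseScopes(claim) {
  if (typeof claim !== 'string') return new Set();
  return new Set(claim.trim().split(/\s+/).filter((s) => s.length > 0));
}

function requireScope(tokenPayload, required) {
  const scopes = parseScopes(tokenPayload ? tokenPayload.scope : undefined);
  if (!scopes.has(required)) {
    return { allowed: false, status: 403, reason: `token lacks scope "${required}"` };
  }
  return { allowed: true };
}

// Projections that expose other users' access (here: stigGrants) are limited
// to users holding an admin-type role (assumed role name: "admin").
const PRIVILEGED_PROJECTIONS = new Set(['stigGrants']);

function checkProjections(requested, user) {
  const isAdmin = Array.isArray(user.roles) && user.roles.includes('admin');
  const denied = requested.filter((p) => PRIVILEGED_PROJECTIONS.has(p) && !isAdmin);
  if (denied.length > 0) {
    return { allowed: false, status: 403, reason: `projection(s) not permitted: ${denied.join(', ')}` };
  }
  return { allowed: true };
}

// A grant names a collection and either every benchmark in it (benchmarkIds
// === null) or an explicit list. Reviews outside the grant are dropped on the
// server, whatever filters the client sent.
function filterReviewsByGrant(reviews, grants, collectionId) {
  const grant = grants.find((g) => g.collectionId === collectionId);
  if (!grant) return [];
  return reviews.filter(
    (r) => r.collectionId === collectionId &&
      (grant.benchmarkIds === null || grant.benchmarkIds.includes(r.benchmarkId)),
  );
}

// Constructed sample data.
const SAMPLE_REVIEWS = [
  { collectionId: 21, assetId: 42, benchmarkId: 'STIG_A', ruleId: 'SV-1r1_rule', result: 'fail' },
  { collectionId: 21, assetId: 42, benchmarkId: 'STIG_B', ruleId: 'SV-2r1_rule', result: 'pass' },
  { collectionId: 22, assetId: 43, benchmarkId: 'STIG_A', ruleId: 'SV-1r1_rule', result: 'pass' },
];
const RESTRICTED_USER = { roles: ['user'], grants: [{ collectionId: 21, benchmarkIds: ['STIG_A'] }] };
const ADMIN_USER = { roles: ['admin'], grants: [{ collectionId: 21, benchmarkIds: null }] };
const READ_SCOPE = 'stig-manager:collection:read'; // assumed scope name

// Simplified handler for GET /collections/{collectionId}/reviews: scope, then
// projections, then grant filtering of the result set.
function getReviewsHandler(tokenPayload, user, collectionId, projections = []) {
  const scope = requireScope(tokenPayload, READ_SCOPE);
  if (!scope.allowed) return { status: scope.status, body: { error: scope.reason } };
  const proj = checkProjections(projections, user);
  if (!proj.allowed) return { status: proj.status, body: { error: proj.reason } };
  return { status: 200, body: filterReviewsByGrant(SAMPLE_REVIEWS, user.grants, collectionId) };
}
```

With these data, the restricted user gets one review for collection 21 (only `STIG_A`), nothing for collection 22, and a 403 for the `stigGrants` projection; a token whose `scope` is `""` is refused regardless of the user's grants.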
Lots of various columns would be more useful if there were a filter option, similar to Excel.
Potential locations for filters:
Collections > Collection A > STIGs > STIG A > Collection Review > "Reviews of " > Status, Result columns
Collections > Collection A > Reports > Findings > Aggregated Findings > CAT, STIGs columns
This would help in reviewing large quantities of CKLs and looking for specific attributes, such as NR, Open, etc. findings.
Thanks!
I'm reviewing open findings for a bunch of systems using the Collection Review node. So, I have X number of systems with the same finding. Imagine I have a script that I can use to remediate this finding but I need to get a list of the hostnames or IPs.
In the "Reviews of " pane, it would be super if I could sort/filter by status, then have some ability to copy the column of asset names. Or, a function to export this view to CSV where I could filter, sort, and select-down all relevant asset names. This would help in finding open issues and then remediating them. Or, just for reporting. I might need to send a list of systems with X Open STIG finding to the respective administrators.
Thanks!
Comments are importing now.
I did notice that it didn't like the "&" character from one of our comments fields. It should have read "RDT&E" but is reading "RDT&E".
EDIT: GitHub is formatting the second one automatically. screenshot attached:
Originally posted by @sagansapien in #59 (comment)
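Several reports on this page concern the same CKL import step: the "Comment" box showing CKL Finding Details instead of Comments, Finding Details being dropped for Not_Reviewed items, the request that the UI vet the asset and STIG in the checklist against the import target and flag rules outside the current display, and the `&amp;` that survived into a comment. As an added example (not stig-manager code), the block below is a dependency-free sketch of that step over a constructed sample checklist: it decodes XML character references exactly once, keeps FINDING_DETAILS and COMMENTS as separate fields regardless of status, and vets the checklist before anything is imported. The element names follow the STIG Viewer CKL layout; the review field names and result values are assumptions, and the regex-based extraction stands in for a real XML parser.

```javascript
// Added example, not stig-manager code: a dependency-free sketch of a CKL
// import step. Constructed sample checklist with two VULN items; the element
// names (HOST_NAME, SID_NAME/SID_DATA, VULN_ATTRIBUTE, STATUS, FINDING_DETAILS,
// COMMENTS) follow the STIG Viewer CKL layout, the review field names are assumed.
const SAMPLE_CKL = `<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET><HOST_NAME>host-a</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <STIG_INFO>
      <SI_DATA><SID_NAME>stigid</SID_NAME><SID_DATA>EXAMPLE_STIG</SID_DATA></SI_DATA>
    </STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-000001r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
      <FINDING_DETAILS>Registry value missing</FINDING_DETAILS>
      <COMMENTS>Mitigated: system sits on the isolated RDT&amp;E enclave</COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-000002r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS>Needs manual validation</FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>`;

// Decode XML character references exactly once. Storing the raw "&amp;" (or
// decoding twice) is what turns "RDT&E" into a literal "RDT&amp;E" later.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(?:(amp|lt|gt|quot|apos)|#(\d+)|#x([0-9a-fA-F]+));/g, (_m, name, dec, hex) => {
    if (dec) return String.fromCodePoint(Number(dec));
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    return NAMED[name];
  });
}

// Text of the first <tag>...</tag> inside a fragment (regex-based for the
// example; a real importer should use an XML parser).
function elementText(fragment, tag) {
  const m = fragment.match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
  return m ? decodeEntities(m[1].trim()) : '';
}

function parseCkl(xml) {
  const hostName = elementText(xml, 'HOST_NAME');
  const sid = xml.match(/<SID_NAME>stigid<\/SID_NAME>\s*<SID_DATA>([^<]*)<\/SID_DATA>/);
  const stigId = sid ? sid[1].trim() : '';
  const vulns = [...xml.matchAll(/<VULN>([\s\S]*?)<\/VULN>/g)].map(([, v]) => {
    const rule = v.match(/<VULN_ATTRIBUTE>Rule_ID<\/VULN_ATTRIBUTE>\s*<ATTRIBUTE_DATA>([^<]*)<\/ATTRIBUTE_DATA>/);
    return {
      ruleId: rule ? rule[1].trim() : '',
      status: elementText(v, 'STATUS'),
      findingDetails: elementText(v, 'FINDING_DETAILS'),
      comments: elementText(v, 'COMMENTS'),
    };
  });
  return { hostName, stigId, vulns };
}

// CKL STATUS -> review result (result names assumed). FINDING_DETAILS and
// COMMENTS map to separate fields and are kept even for Not_Reviewed items.
const STATUS_TO_RESULT = { Open: 'fail', NotAFinding: 'pass', Not_Applicable: 'notapplicable', Not_Reviewed: 'notreviewed' };
function toReview(v) {
  return { ruleId: v.ruleId, result: STATUS_TO_RESULT[v.status] || 'notreviewed', detail: v.findingDetails, comment: v.comments };
}

// Vet the checklist against the import target before anything is written:
// asset and STIG must match, and rules outside the current display are listed.
function vetCkl(parsed, { expectedHostName, expectedStigId, displayedRuleIds }) {
  const problems = [];
  if (parsed.hostName.toLowerCase() !== expectedHostName.toLowerCase()) {
    problems.push(`asset mismatch: checklist host "${parsed.hostName}", import target "${expectedHostName}"`);
  }
  if (parsed.stigId !== expectedStigId) {
    problems.push(`STIG mismatch: checklist "${parsed.stigId}", import target "${expectedStigId}"`);
  }
  const displayed = new Set(displayedRuleIds);
  const hidden = parsed.vulns.filter((v) => !displayed.has(v.ruleId)).map((v) => v.ruleId);
  if (hidden.length > 0) {
    problems.push(`${hidden.length} rule(s) not in the current display: ${hidden.join(', ')}`);
  }
  return {
    ok: problems.length === 0,
    problems,
    // Reviews that may be imported if the user opts to import only displayed rules.
    importable: parsed.vulns.filter((v) => displayed.has(v.ruleId)).map(toReview),
  };
}
```

`parseCkl(SAMPLE_CKL)` returns the comment as `RDT&E` (decoded once), the Not_Reviewed item keeps its finding details with an empty comment, and `vetCkl` run against a different host name, a different STIG id and a filtered rule display reports all three discrepancies while still offering the one displayed rule for import.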
The final wizard panel should
Describe the solution you'd like
I'd like a way to import HBSS SCAP evaluations directly into STIG Manager. Thanks, Developers!
Describe alternatives you've considered
Exporting from HBSS every day into ckls and then importing into STIG Manager is very cumbersome.
Additional context
Add any other context or screenshots about the feature request here.
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
Describe the solution you'd like
I'd like to be able to look at the contents of a STIG without assigning it to an Asset
Describe alternatives you've considered
Make a dummy asset, assign a STIG just to look at it. But then it shows up in reports! etc.
Additional context
Add any other context or screenshots about the feature request here.
Steps to reproduce the behavior:
Expected behavior
Tab for deleted Collection closes
Greetings,
The STIG collection title filter doesn't appear to be functional after immediately navigating to a collection review node. Initially, typing text into this field clears all rules from the list, as if there were no matches. I had to switch Checklist > Displayed Title > "Rule ID and title" to "Group ID and title" then back to "Rule ID and title". Afterwards the text filter worked as expected and the same text returns some matching rule titles.
This doesn't appear to be an issue with the title filter when browsing a stig > asset, just in the collection review.
Thanks!
Bug Location
I found a bug in the:
Bug Description:
request to DEL collections/{collectionId}/reviews/{assetId}/{ruleId}
always returns a 204 even if the review exists, and does not delete the review (except in the case of test user collectionCreator, which has no permissions on the collection; a 403 is properly returned to that user).
sample request:
curl --location --request DELETE 'localhost:64001/api/collections/21/reviews/42/SV-106179r1_rule?elevate=false&projection=rule&projection=history&projection=stigs' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0....IOk6RLhBwX8o29dmAC7QeSzr86B5w8C8gkyetn5uOhhgh-aEjWJSqLk74WvLjwfKnYgonfAMm-gbdiACFwMd7u7O5wNUNV5EQO8-6JKSUYyTvujS5NMY7rO-QtgskvKWvB8Vyrm33DvcUon-Kh_6LeSujcNczadN6oDbe-j1A1w'
Expected behavior
If the user has proper grants, return code 200 and a JSON representation of the deleted review.
OR, remove API endpoint to delete reviews.
TEST NOTE:
Test for proper behavior currently in collection, but commented out starting with note:
"//START AZDO #154"
STIG Manager Classic for Docker:
Init script is a bash script; doesn't run (properly) on Windows.
Collection > Assets > hostname > STIG name > "Checklist" drop down > Import Results...
This CKL import still shows the verbose output, which is probably fine from a performance perspective because you're only importing a single file here anyways.
However, the "Importing file" dialogue appears to be stuck on "Initializing". The results appear to be importing, but it never says "Finished > Done" and remains "Initializing".
Thanks
Discussion from AZDO item: 158:
Research what a lightweight event-stream should look like
Follow NDJSON approach established for clone collection feature