RFC: An open source viewer


Jonathan Davila

Apr 19, 2018, 11:08:53 AM
to Ansible Lockdown
All,

Internally, at MindPoint Group, we've toyed with the idea of making an open source STIG/CIS viewer and making it a part of ansible-lockdown. Right now there is the Java viewer provided by DISA and then there is the UCS online viewer, both of which are suboptimal for at least the following reasons:

  • DISA Viewer
    • You have to manually download files and then upload them to the viewer
    • Searching is gloriously painful
    • Working with multiple rules (i.e. RHEL6 + Windows Server) makes it super confusing
    • You must have Java installed in order to use it
  • UCS
    • Stale, it's not continuously updated
    • Super proprietary (they even have patents on how they do their schema)
    • A bit rough in terms of UX


A few things I (me speaking as an individual) would like to be able to see/have:

  • Ability to select rules and then export them into a new rule set (xml/csv export) so as to allow orgs to have a custom subset of rules that are easy to go through/search/etc
  • Smart search to be able to pick up all rules by keywords, think "ssh" returning all rules dealing with ssh
  • Extra input field where as a user you could write any extra info that is pertinent to you
  • Automatically updated when new revisions come out (but still being able to look at old revs)

If folks on this list are interested in this kind of viewer I'm interested in hearing from you the following:
  • Do you like the idea?
  • Any other niceties you would like to see?
  • Would you prefer a webapp or a desktop app?
  • Any other comments/suggestions
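A sketch of the keyword-search and subset-export features from the list above, as an added example (not code from this thread or from ansible-lockdown). The benchmark XML is a constructed placeholder in the XCCDF 1.1 schema DISA publishes STIGs in; its rule IDs and text are made up, not real STIG content.

```python
import csv
import io
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace, the schema DISA STIG benchmark XML is published in.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed three-rule benchmark; IDs and text are placeholders, not real STIG content.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_STIG">
  <Group id="V-EXAMPLE-1"><Rule id="SV-EXAMPLE-1_rule" severity="medium">
    <version>EXAMPLE-000001</version>
    <title>The SSH daemon must not permit root login.</title>
    <description>Set PermitRootLogin no in sshd_config.</description></Rule></Group>
  <Group id="V-EXAMPLE-2"><Rule id="SV-EXAMPLE-2_rule" severity="high">
    <version>EXAMPLE-000002</version>
    <title>The system must use a FIPS-approved hash for passwords.</title>
    <description>Configure PAM to use sha512.</description></Rule></Group>
  <Group id="V-EXAMPLE-3"><Rule id="SV-EXAMPLE-3_rule" severity="low">
    <version>EXAMPLE-000003</version>
    <title>The SSH daemon must set a client alive interval.</title>
    <description>Set ClientAliveInterval in sshd_config.</description></Rule></Group>
</Benchmark>"""

FIELDS = ["rule_id", "stig_id", "severity", "title", "description"]


def load_rules(xccdf_text):
    """Flatten every <Rule> in the benchmark into a dict of the fields a viewer would show."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for rule in root.iter("{%s}Rule" % NS["x"]):
        txt = lambda tag: rule.findtext("x:" + tag, default="", namespaces=NS)
        rules.append({"rule_id": rule.get("id"), "stig_id": txt("version"),
                      "severity": rule.get("severity", ""),
                      "title": txt("title"), "description": txt("description")})
    return rules


def search_rules(rules, *keywords):
    """Case-insensitive keyword search over title + description; a rule matches on any keyword."""
    kws = [k.lower() for k in keywords]
    return [r for r in rules
            if any(k in (r["title"] + " " + r["description"]).lower() for k in kws)]


def export_csv(rules):
    """Serialise a selected subset of rules as CSV text (the custom rule-set export)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rules)
    return buf.getvalue()
```

Searching the sample for "ssh" selects the two sshd rules and leaves the password-hash rule out; the CSV returned by `export_csv` is the exported subset.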


Bas Meijer

Apr 19, 2018, 12:50:44 PM
to Jonathan Davila, Ansible Lockdown
These are not the only CIS security audit tools; there are CISCAT Pro, Qualys, and probably more (proprietary) tools. In my vagransible demo I used oscap, an open source tool that can test CentOS 6 on a normative profile (STIG) declared by DISA in a specific XML format.


The key point is independence between hardening and audit.

Rather than creating yet another tool, we would rather have access to an open set of these profiles that allow automation.



Bas Meijer
@bbaassssiiee

Jonathan Davila

Apr 19, 2018, 12:54:09 PM
to Bas Meijer, Jonathan Davila, Ansible Lockdown
What I've suggested is for neither auditing nor hardening. It's just a viewer with some fancy knobs to make it easier for humans to understand and plan their hardening plans.

Bas Meijer

Apr 19, 2018, 1:03:02 PM
to Ansible Lockdown
A viewer with fancy knobs... for my understanding, is that DISA viewer available from their website? URL?

Sam Doran

Apr 23, 2018, 11:45:28 AM
to Jonathan Davila, Ansible Lockdown
Jon,

This sounds great! The DISA viewer is ok but it's definitely a janky Java app and lacks a lot of features.

I'd be in favor of a native app, but a web app is probably easier and will work across more platforms with the least amount of work.

I can't think of any other features that would be helpful outside of what you listed.

---

Respectfully,

Sam Doran

