dev-sec
diff --git a/‎.DS_Store‎
8 KB b/‎.DS_Store‎
8 KB
diff --git a/‎config.toml‎
Lines changed: 25 additions & 6 deletions b/‎config.toml‎
Lines changed: 25 additions & 6 deletions
diff --git a/‎content/application.md‎
Lines changed: 74 additions & 0 deletions b/‎content/application.md‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎content/baselines/operating_systems.md‎
Lines changed: 6 additions & 0 deletions b/‎content/baselines/operating_systems.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎content/inspec_tools.md‎
Lines changed: 3 additions & 0 deletions b/‎content/inspec_tools.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎content/project.md‎
Lines changed: 1 addition & 1 deletion b/‎content/project.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/archer-baseline.json‎
Lines changed: 1 addition & 0 deletions b/‎data/archer-baseline.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎data/aws-s3-baseline.json‎
Lines changed: 1 addition & 0 deletions b/‎data/aws-s3-baseline.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎data/cis-aws-foundations-baseline.json‎
Lines changed: 1 addition & 0 deletions b/‎data/cis-aws-foundations-baseline.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎data/cms-ars3.1-cis-aws-foundations-baseline.json‎
Lines changed: 1 addition & 0 deletions b/‎data/cms-ars3.1-cis-aws-foundations-baseline.json‎
Lines changed: 1 addition & 0 deletions
@@ -10,32 +10,51 @@ metaDataFormat = "yaml"
   identifier = "project"
   url = "/project/"
 
+[[menu.global]]
+  name = "Tools"
+  weight = 2
+  identifier = "inspec_tools"
+  url = "/inspec_tools"
+
+[[menu.global]]
+  name = "Applications"
+  weight = 3
+  identifier = "application"
+  url = "/application/"
+
+[[menu.sub]]
+  name = "Vulcan"
+  parent = "application"
+  weight = 3
+  identifier = "vulcan"
+  url = "/application/vulcan/"
+
 [[menu.global]]
   name = "Baselines"
-  weight = 1
+  weight = 4
   identifier = "baselines"
   url = "/baselines/"
 
 [[menu.global]]
   name = "Videos"
-  weight = 2
+  weight = 5
   identifier = "videos"
   url = "/videos/"
 
 [[menu.global]]
   name = "Community"
-  weight = 3
+  weight = 6
   identifier = "comunity"
   url = "/community/"
 
 [[menu.global]]
   name = "News"
-  weight = 4
+  weight = 7
   identifier = "blog"
   url = "/blog/"
 
 [[menu.global]]
   name = "GitHub"
-  weight = 5
+  weight = 8
   identifier = "github"
-  url = "https://github.com/dev-sec"
+  url = "https://github.com/mitre/mitre-inspec.github.io"
@@ -0,0 +1,74 @@
+---
+title: "Applications"
+layout: applications
+---
+
+# [Vulcan](https://)
+
+### Description
+
+Vulcan is a tool to help streamline the process of creating STIGs and InSpec security compliance profiles. It models the STIG intent form and
+the process of aligning security controls from SRG items into actual STIG security controls.  Vulcan also gives the option while aligning the security controls to
+insert inspec code and test across any type of system supported by InSpec.     
+
+### Features
+
+* Model the STIG creation process between the creator(vendor) and the approver(sponsor)
+* Write and test InSpec code on a local system, or across SSH, AWS, and Docker
+* Easily view the progress on what the status is of each control
+* Communicate through the application to make the best decisions on controls
+* Confidential data in the database is encrypted using symmetric encryption
+* Authenticate via the local server, through github, and through configuring an LDAP server.
+
+### Screenshots
+
+Dashboard
+
+
+# [Heimdall](https://github.com/mitre/heimdall)
+
+Heimdall is a centralized aggregation tool for InSpec evaluations
+
+### Description
+Heimdall supports viewing of InSpec profiles and evaluations in a convenient
+interface.  Data uploads can be automated through usage of curl, and added as
+a step after an InSpec pipeline stage.   
+
+### Heimdall vs Heimdall-Lite
+
+There two versions of the MITRE Heimdall Viewer - the full [Heimdall](https://github.com/mitre/heimdall/) and the [Heimdall-Lite](https://github.com/mitre/heimdall-lite/)  version. We produced each to meet different needs and use-cases.
+
+### Features
+
+|  | [Heimdall-Lite](https://github.com/mitre/heimdall-lite/) | [Heimdall](https://github.com/mitre/heimdall/) |
+|:--------------------------------------------------------------------------|:--------------|:-------------------------------------|
+| Installation Requirements | any web server | rails 5.x Server <br /> MongoDB instance |
+| Overview Dashboard & Counts | x | x |
+| 800-53 Partition and TreeMap View | x | x |
+| Data Table / Control Summary  | x | x |
+| InSpec Code / Control Viewer | x | x |
+| SSP Content Generator | x | x |
+| PDF Report and Print View | x | x |
+|  |  |  |
+| Users & Roles & multi-team support |  | x |
+| Authentication & Authorization | Hosting Webserver | Hosting Webserver<br />LDAP<br />GitHub OAUTH & SAML<br />GitLab OAUTH & SAML |
+| Advanced Data / Filters for Reports and Viewing |  | x |
+| Multiple Report Output<br />(DISA Checklist XML, CAT, XCCDF-Results, and more) |  | x |
+| Authenticated REST API |  | x |
+| InSpec Run 'Delta' View |  | x |
+| Multi-Report Tagging, Filtering and Compairison |  | x |
+
+### Use Cases
+
+| [Heimdall-Lite](https://github.com/mitre/heimdall-lite/) | [Heimdall](https://github.com/mitre/heimdall/) |
+|:------------------------------------|:--------------------------------------------------------|
+| Ship the App & Data via simple Email | Multiple Teams Support |
+| Minimal Footprint & Deployment Time | Timeline and Report History |
+| Local or disconnected Use | Centralized Deployment Model  |
+| One-Time Quick Reviews | Need to view the delta between one or more runs |
+| Decentralized Deployment  | Need to view subsets of the 800-53 control alignment |
+| Minimal A&A Time | Need to produce more complex reports in multiple formats |
+
+### Screenshots
+
+Dashboard
@@ -0,0 +1,6 @@
+---
+layout: profile
+title: "MITRE Inspec Operating Systems"
+baseline: operating_systems
+inspec: data/cis-docker-benchmark.json
+---
@@ -0,0 +1,3 @@
+# Tools overview
+
+## [Inspec Tools](https://github.com/mitre/inspec_tools)
@@ -1,5 +1,5 @@
 ---
-title: "DevSec Project"
+title: "MITRE Inspec Project"
 layout: project
 ---
 
 
@@ -0,0 +1 @@
+{"platform":{"name":"aws","release":"aws-sdk-v2.11.162"},"profiles":[{"name":"aws-s3-baseline","version":"1.0.0","sha256":"0f445e0d5880b7c8b52c641a9719d5f1f172c29bf9d56c352f9de56ba4be566d","title":"AWS S3 Public Buckets and Objects Benchmark","maintainer":"MITRE InSpec Team","summary":"An example baseline to test if you have any public s3 buckets or objects","license":"Apache-2.0","copyright":"MITRE, 2018","copyright_email":"inspec@mitre.org","supports":[{"platform":"aws"}],"attributes":[],"groups":[{"id":"controls/aws_s3_bucket.rb","controls":["s3-buckets-no-public-access"]},{"id":"controls/aws_s3_bucket_objects.rb","controls":["s3-objects-no-public-access"]}],"controls":[{"id":"s3-buckets-no-public-access","title":"Ensure there are no publicly accessible S3 buckets","desc":"Ensure there are no publicly accessible S3 buckets","descriptions":[{"label":"default","data":"Ensure there are no publicly accessible S3 buckets"}],"impact":0.7,"refs":[],"tags":{"nist":["AC-6","Rev_4"],"severity":"high","check":"Review your AWS console and note if any S3 buckets are set to\n                'Public'. If any buckets are listed as 'Public', then this is\n                a finding.","fix":"Log into your AWS console and select the S3 buckets section. Select\n              the buckets found in your review. Select the permisssions tab for\n              the bucket and remove the Public access permission."},"code":"control \"s3-buckets-no-public-access\" do\n  impact 0.7\n  title \"Ensure there are no publicly accessible S3 buckets\"\n  desc \"Ensure there are no publicly accessible S3 buckets\"\n\n  tag \"nist\": [\"AC-6\", \"Rev_4\"]\n  tag \"severity\": \"high\"\n\n  tag \"check\": \"Review your AWS console and note if any S3 buckets are set to\n                'Public'. If any buckets are listed as 'Public', then this is\n                a finding.\"\n\n  tag \"fix\": \"Log into your AWS console and select the S3 buckets section. Select\n              the buckets found in your review. Select the permisssions tab for\n              the bucket and remove the Public access permission.\"\n\n  aws_s3_buckets.bucket_names.each do |bucket|\n    describe aws_s3_bucket(bucket) do\n      it { should_not be_public }\n    end\n  end\n\n  if aws_s3_buckets.bucket_names.empty?\n    impact 0.0\n    desc \"This control is Non Applicable since no S3 buckets were found.\"\n  end\nend","source_location":{"line":1,"ref":"./controls/aws_s3_bucket.rb"},"results":[{"status":"passed","code_desc":"S3 Bucket s3-demo-bucket-with-public-objects should not be public","run_time":0.130646,"start_time":"2018-11-18T21:02:51-05:00"},{"status":"passed","code_desc":"S3 Bucket s3-demo-private-bucket should not be public","run_time":0.123863,"start_time":"2018-11-18T21:02:51-05:00"},{"status":"failed","code_desc":"S3 Bucket s3-demo-public-bucket should not be public","run_time":0.091162,"start_time":"2018-11-18T21:02:51-05:00","message":"expected `S3 Bucket s3-demo-public-bucket.public?` to return false, got true"}]},{"id":"s3-objects-no-public-access","title":"Ensure there are no publicly accessible S3 objects","desc":"Ensure there are no publicly accessible S3 objects","descriptions":[{"label":"default","data":"Ensure there are no publicly accessible S3 objects"}],"impact":0.7,"refs":[],"tags":{"nist":["AC-6","Rev_4"],"severity":"high","check":"Review your AWS console and note if any S3 bucket objects are set to\n        'Public'. If any objects are listed as 'Public', then this is\n        a finding.","fix":"Log into your AWS console and select the S3 buckets section. Select\n        the buckets found in your review. For each object in the bucket\n        select the permissions tab for the object and remove\n        the Public Access permission."},"code":"control \"s3-objects-no-public-access\" do\n  impact 0.7\n  title \"Ensure there are no publicly accessible S3 objects\"\n  desc \"Ensure there are no publicly accessible S3 objects\"\n  tag \"nist\": [\"AC-6\", \"Rev_4\"]\n  tag \"severity\": \"high\"\n\n  tag \"check\": \"Review your AWS console and note if any S3 bucket objects are set to\n        'Public'. If any objects are listed as 'Public', then this is\n        a finding.\"\n\n  tag \"fix\": \"Log into your AWS console and select the S3 buckets section. Select\n        the buckets found in your review. For each object in the bucket\n        select the permissions tab for the object and remove\n        the Public Access permission.\"\n\n\n  if aws_s3_buckets.bucket_names.empty?\n    impact 0.0\n    desc \"This control is Non Applicable since no S3 buckets were found.\"\n  else\n    aws_s3_buckets.bucket_names.each do |bucket|\n      describe \"Public objects in Bucket: #{bucket}\" do\n        subject { aws_s3_bucket_objects(bucket).where{ public }.keys }\n        it { should cmp [] } \n      end\n    end\n  end\nend\n","source_location":{"line":2,"ref":"./controls/aws_s3_bucket_objects.rb"},"results":[{"status":"failed","code_desc":"Public objects in Bucket: s3-demo-bucket-with-public-objects should cmp == []","run_time":0.3765,"start_time":"2018-11-18T21:02:51-05:00","message":"\nexpected: []\n     got: [\"folder/public-pic.jpg\", \"public-pic.jpg\"]\n\n(compared using `cmp` matcher)\n"},{"status":"passed","code_desc":"Public objects in Bucket: s3-demo-private-bucket should cmp == []","run_time":0.021941,"start_time":"2018-11-18T21:02:52-05:00"},{"status":"passed","code_desc":"Public objects in Bucket: s3-demo-public-bucket should cmp == []","run_time":0.025541,"start_time":"2018-11-18T21:02:52-05:00"}]}],"status":"loaded"}],"statistics":{"duration":0.774471},"version":"3.0.46"}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Tools overview`
	`2`	`+`
	`3`	`+## [Inspec Tools](https://github.com/mitre/inspec_tools)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"platform":{"name":"aws","release":"aws-sdk-v2.11.162"},"profiles":[{"name":"aws-s3-baseline","version":"1.0.0","sha256":"0f445e0d5880b7c8b52c641a9719d5f1f172c29bf9d56c352f9de56ba4be566d","title":"AWS S3 Public Buckets and Objects Benchmark","maintainer":"MITRE InSpec Team","summary":"An example baseline to test if you have any public s3 buckets or objects","license":"Apache-2.0","copyright":"MITRE, 2018","copyright_email":"inspec@mitre.org","supports":[{"platform":"aws"}],"attributes":[],"groups":[{"id":"controls/aws_s3_bucket.rb","controls":["s3-buckets-no-public-access"]},{"id":"controls/aws_s3_bucket_objects.rb","controls":["s3-objects-no-public-access"]}],"controls":[{"id":"s3-buckets-no-public-access","title":"Ensure there are no publicly accessible S3 buckets","desc":"Ensure there are no publicly accessible S3 buckets","descriptions":[{"label":"default","data":"Ensure there are no publicly accessible S3 buckets"}],"impact":0.7,"refs":[],"tags":{"nist":["AC-6","Rev_4"],"severity":"high","check":"Review your AWS console and note if any S3 buckets are set to\n 'Public'. If any buckets are listed as 'Public', then this is\n a finding.","fix":"Log into your AWS console and select the S3 buckets section. Select\n the buckets found in your review. Select the permisssions tab for\n the bucket and remove the Public access permission."},"code":"control \"s3-buckets-no-public-access\" do\n impact 0.7\n title \"Ensure there are no publicly accessible S3 buckets\"\n desc \"Ensure there are no publicly accessible S3 buckets\"\n\n tag \"nist\": [\"AC-6\", \"Rev_4\"]\n tag \"severity\": \"high\"\n\n tag \"check\": \"Review your AWS console and note if any S3 buckets are set to\n 'Public'. If any buckets are listed as 'Public', then this is\n a finding.\"\n\n tag \"fix\": \"Log into your AWS console and select the S3 buckets section. Select\n the buckets found in your review. Select the permisssions tab for\n the bucket and remove the Public access permission.\"\n\n aws_s3_buckets.bucket_names.each do \|bucket\|\n describe aws_s3_bucket(bucket) do\n it { should_not be_public }\n end\n end\n\n if aws_s3_buckets.bucket_names.empty?\n impact 0.0\n desc \"This control is Non Applicable since no S3 buckets were found.\"\n end\nend","source_location":{"line":1,"ref":"./controls/aws_s3_bucket.rb"},"results":[{"status":"passed","code_desc":"S3 Bucket s3-demo-bucket-with-public-objects should not be public","run_time":0.130646,"start_time":"2018-11-18T21:02:51-05:00"},{"status":"passed","code_desc":"S3 Bucket s3-demo-private-bucket should not be public","run_time":0.123863,"start_time":"2018-11-18T21:02:51-05:00"},{"status":"failed","code_desc":"S3 Bucket s3-demo-public-bucket should not be public","run_time":0.091162,"start_time":"2018-11-18T21:02:51-05:00","message":"expected `S3 Bucket s3-demo-public-bucket.public?` to return false, got true"}]},{"id":"s3-objects-no-public-access","title":"Ensure there are no publicly accessible S3 objects","desc":"Ensure there are no publicly accessible S3 objects","descriptions":[{"label":"default","data":"Ensure there are no publicly accessible S3 objects"}],"impact":0.7,"refs":[],"tags":{"nist":["AC-6","Rev_4"],"severity":"high","check":"Review your AWS console and note if any S3 bucket objects are set to\n 'Public'. If any objects are listed as 'Public', then this is\n a finding.","fix":"Log into your AWS console and select the S3 buckets section. Select\n the buckets found in your review. For each object in the bucket\n select the permissions tab for the object and remove\n the Public Access permission."},"code":"control \"s3-objects-no-public-access\" do\n impact 0.7\n title \"Ensure there are no publicly accessible S3 objects\"\n desc \"Ensure there are no publicly accessible S3 objects\"\n tag \"nist\": [\"AC-6\", \"Rev_4\"]\n tag \"severity\": \"high\"\n\n tag \"check\": \"Review your AWS console and note if any S3 bucket objects are set to\n 'Public'. If any objects are listed as 'Public', then this is\n a finding.\"\n\n tag \"fix\": \"Log into your AWS console and select the S3 buckets section. Select\n the buckets found in your review. For each object in the bucket\n select the permissions tab for the object and remove\n the Public Access permission.\"\n\n\n if aws_s3_buckets.bucket_names.empty?\n impact 0.0\n desc \"This control is Non Applicable since no S3 buckets were found.\"\n else\n aws_s3_buckets.bucket_names.each do \|bucket\|\n describe \"Public objects in Bucket: #{bucket}\" do\n subject { aws_s3_bucket_objects(bucket).where{ public }.keys }\n it { should cmp [] } \n end\n end\n end\nend\n","source_location":{"line":2,"ref":"./controls/aws_s3_bucket_objects.rb"},"results":[{"status":"failed","code_desc":"Public objects in Bucket: s3-demo-bucket-with-public-objects should cmp == []","run_time":0.3765,"start_time":"2018-11-18T21:02:51-05:00","message":"\nexpected: []\n got: [\"folder/public-pic.jpg\", \"public-pic.jpg\"]\n\n(compared using `cmp` matcher)\n"},{"status":"passed","code_desc":"Public objects in Bucket: s3-demo-private-bucket should cmp == []","run_time":0.021941,"start_time":"2018-11-18T21:02:52-05:00"},{"status":"passed","code_desc":"Public objects in Bucket: s3-demo-public-bucket should cmp == []","run_time":0.025541,"start_time":"2018-11-18T21:02:52-05:00"}]}],"status":"loaded"}],"statistics":{"duration":0.774471},"version":"3.0.46"}