Cingulara/openrmf-docs

OpenRMF® OSS Documentation (v 1.11)

OpenRMF® OSS is an open source application for managing, viewing, and reporting of your DoD STIG checklists, SCAP Scans and Nessus Patch Scans in one web-based interface using your browser. It also generates a compliance listing of all your checklists across a whole system based on NIST 800-53 for your Risk Management Framework (RMF) documentation and process. This tool helps you manage multiple systems going through the RMF process and allows you to structure your data in a clean interface all in one location for your group or program.

You can export your checklists as CKL files and your test plan and POAM as MS Excel properly formatted files as well.

If you need more than the OSS version, check out OpenRMF® Professional.

  • custom checklist templates
  • CIS scans
  • Parsing patch vulnerabilities for hardware, software, PPSM
  • history and trends
  • deeper level of security on system packages
  • live POAM
  • bulk editing and locking vulnerabilities and checklists
  • Compliance down to the subcontrol level, overlays, tailoring, compliance statements
  • Generate SSP, SAR, RAR, CCRI documents
  • add in tracking of other vulnerabilities (software, container, infrastructure-as-code, etc.)
  • and more...

TL;DR Description

The OpenRMF® OSS application is a highly advanced alternative to the DISA STIGViewer.jar and the MS Excel hell we go through for DoD STIG checklist files, SCAP Scans, Nessus ACAS scans, RMF process information, and the like. It is necessary to capture and report on this information, so please do not mistake what I say for disagreeing with securing services. However, the DISA Java tool itself is horribly designed and not conducive to today's environment and use. And it is only part of the story. Their Java tool has been like this for a loooooonnnnnngggg time and I have wanted to make something better (IMO) for almost as long. So this tool here is the start!

It is a way (currently) to view, report on, dive into, manage, and export your STIG checklists no matter which checklist you are referring to. All the .CKL files have a common format, and this tool reads and displays/manages that in a web front end using .NET Core APIs, MongoDB and NATS messaging. View the history of this tool on our website.

OpenRMF® OSS is also a single pane of glass for your DISA SCAP scans (to generate checklists), Nessus SCAP scans, Nessus patch scans (to track patch management), and compliance reporting for your systems going through the RMF process. We know: the RMF process is manual and all inclusive! This tool helps to automate as much as possible of the managing and reporting of data so you can:

  1. Know your current Risk Profile
  2. Know your current status
  3. Know what is left to do
  4. Know what your Critical and High items are so you can track and attack them

This particular repository is the repo for all the docs as the OpenRMF® OSS project goes along. Documentation on the OpenRMF® OSS application will be here in MD files, with reference images and other documents as well as GH markdown. This application idea has been brewing in my head for well over a decade, and specifically since July 4th weekend 2018 when I started to put down code. Then in January 2019 I scrapped all that July code and went for web APIs, microservices, eventual consistency, and CQRS (command query responsibility segregation, so reads and writes scale separately), using MongoDB and NATS.

Get OpenRMF® OSS Running Locally

If you want to get it running on your local laptop, desktop, or server follow these instructions below. You need a fairly good internet connection and Docker Desktop / Docker Community Edition to get this going. And then go to the latest release and download the Keycloak zip file and OpenRMF® OSS zip file.

Please read the Minimum Requirements for OpenRMF® OSS. And then follow these Step by Step Instructions.

Note that for Docker Desktop users, you need to have the File Sharing turned on to run OpenRMF® OSS the way it is designed in the docker-compose file. We use persistent volumes for MongoDB, Grafana, and Prometheus.

Install in Air-Gapped / Disconnected Environment

There are separate instructions in the included air-gapped installation MD file.

Running over HTTPS

There are separate instructions in the included HTTPS setup instructions for running OpenRMF® OSS v1.9 or higher over HTTPS. This assumes the full configuration all in one YML file for the software, versus the v1.8.x and earlier separate Keycloak and software YML files in combination.

Other OpenRMF® OSS Deployments

If you want to run on AWS EKS, you can see the Helm Chart and Kubernetes specific information here.

@medined put up a great set of Ansible and Terraform script information at https://github.com/medined/openrmf-at-aws/ for work he is doing at the Container Working Group for the Veterans Administration.

Why Use OpenRMF® OSS

It will save you weeks of manually checking vulnerability-to-CCI-to-NIST controls and manually generating reports, so you can get on to the value-added work for your cybersecurity hygiene.

When a team has poor visibility of their system’s risk data, it can result in bad decisions, errors, security risks and unforeseen issues. Teams must replace manual RMF and checklist methods that use spreadsheets and emails with an open, web-based solution that your team can leverage to plan, track and govern the entire RMF process. That is where OpenRMF® OSS helps you and your team!
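The two things the paragraphs above describe, scoring a checklist by status and walking each vulnerability through its CCI references to a NIST 800-53 control, can be shown in a few dozen lines. This is an added example, not OpenRMF® OSS code: the element names (CHECKLIST, STIGS/iSTIG/VULN, STIG_DATA with VULN_ATTRIBUTE/ATTRIBUTE_DATA, STATUS) follow the common .CKL layout as I understand it, the sample checklist is constructed, and the CCI-to-control table is a small constructed excerpt (DISA's CCI list is the authoritative mapping).

```python
"""Score a STIG .CKL checklist and map its CCI references to NIST 800-53 controls.

Added example, not OpenRMF OSS code. Element names follow the common CKL layout
(assumption); SAMPLE_CKL and CCI_TO_CONTROL are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample checklist: one Open (high), one Not a Finding, one Not Reviewed.
# Real CKL files carry many more STIG_DATA attributes per VULN.
SAMPLE_CKL = """
<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000048</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001453</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""

# Constructed excerpt of a CCI -> NIST 800-53 control lookup.
CCI_TO_CONTROL = {
    "CCI-000366": "CM-6 b",
    "CCI-000048": "AC-8 a",
    "CCI-001453": "AC-17 (2)",
}

# The four STATUS values a CKL uses; anything else is reported as "unknown".
STATUS_LABELS = {
    "Open": "open",
    "NotAFinding": "not_a_finding",
    "Not_Applicable": "not_applicable",
    "Not_Reviewed": "not_reviewed",
}


def _attrs(vuln, name):
    """All ATTRIBUTE_DATA values whose VULN_ATTRIBUTE equals `name` (CCI_REF may repeat)."""
    return [
        (d.findtext("ATTRIBUTE_DATA") or "").strip()
        for d in vuln.findall("STIG_DATA")
        if d.findtext("VULN_ATTRIBUTE") == name
    ]


def parse_ckl(xml_text):
    """Return one dict per VULN: id, severity, list of CCIs, status.

    The stdlib parser does not fetch external entities, but for checklists uploaded by
    untrusted users a hardened parser such as defusedxml is the safer choice.
    """
    root = ET.fromstring(xml_text)
    vulns = []
    for vuln in root.iter("VULN"):
        vuln_ids = _attrs(vuln, "Vuln_Num")
        sevs = _attrs(vuln, "Severity")
        vulns.append({
            "id": vuln_ids[0] if vuln_ids else "",
            "severity": sevs[0] if sevs else "",
            "ccis": _attrs(vuln, "CCI_REF"),
            "status": (vuln.findtext("STATUS") or "").strip(),
        })
    return vulns


def score(vulns):
    """Counts per status label, always including all labels (zero when absent)."""
    counts = Counter(STATUS_LABELS.get(v["status"], "unknown") for v in vulns)
    return {label: counts.get(label, 0) for label in list(STATUS_LABELS.values()) + ["unknown"]}


def open_by_severity(vulns):
    """Open items grouped by severity so Critical/High work can be tracked first."""
    return dict(Counter(v["severity"] for v in vulns if v["status"] == "Open"))


def compliance(vulns):
    """Control -> [(vuln id, status)], built by following each CCI reference.

    A control with any Open item is non-compliant; an unmapped CCI is kept visible
    under an "UNMAPPED" key rather than silently dropped.
    """
    by_control = {}
    for v in vulns:
        for cci in v["ccis"]:
            control = CCI_TO_CONTROL.get(cci, "UNMAPPED " + cci)
            by_control.setdefault(control, []).append((v["id"], v["status"]))
    return by_control


if __name__ == "__main__":
    items = parse_ckl(SAMPLE_CKL)
    print(score(items))
    print(open_by_severity(items))
    for control, findings in sorted(compliance(items).items()):
        print(control, findings)
```

Keeping the status vocabulary in one table, and reporting an "unknown" bucket, is what lets a scoring page stay honest when a hand-edited checklist carries a misspelled status; the compliance view likewise keeps unmapped CCIs visible instead of dropping them.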

Read more about its genesis here.


Current Functionality

  • Import SCAP scans (DISA STIGs) for automatic checklist documentation
  • Import Nessus ACAS scans (patches and updates) for automated reporting and managing critical updates
  • Exporting Nessus ACAS scans by host or total summary into MS Excel
  • Dashboard showing # of open items per system and # Critical, High, Medium, and Low items from Nessus ACAS Scans
  • Generate a Compliance listing of NIST 800-53 Controls to all checklists within a system
  • Filter the Compliance Generator for Low/Moderate/High projects as well as PII/Privacy overlay information
  • Save/Upload .CKL files for viewing and safekeeping
  • List and display active systems with checklists, scoring, and auditing information
  • List and display checklists with total open items and quick links to Vulnerabilities by status
  • List and display templated checklists (starting points)
  • Group and list checklists and reports by System (a group of checklists for a single application, system, etc.)
  • Reporting or "scoring" on Open, N/A, "Closed" as well as "not yet reviewed" items in the checklists quickly
  • Exporting the .CKL file for quick loading into the STIG Viewer Java application
  • Exporting checklists to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
  • Exporting of various charts for download to PNG
  • Filter Vulnerabilities on the Checklist page by status
  • Live Editing of Checklist data through the web browser
  • Bulk Edits of Vulnerabilities across similar checklist types within your System grouping
  • Filter vulnerabilities for your Compliance listing based on major controls
  • Exporting your list of checklists and their score by status and category to MS Excel
  • Metrics exported to Prometheus for API endpoints and NATS messaging, for quick display in Grafana
  • Single Docker Compose file to run locally
  • YAML to quickly setup this project in OpenShift or K8s natively
  • Interactive Nessus Report for searching on latest scan data, filtering, etc. via the web
  • Interactive Checklist Vulnerability report for search and filtering on vulnerabilities interactively via the web
  • User AuthN and AuthZ for login accounts and Role Based Access Control on functions
  • Auditing all creates, deletes, and updates
  • Import the Manual XML STIG to create a starting checklist (Automatic and behind the scenes for now)
  • Generate the RMF POA&M
  • Generate the Risk Assessment Report RAR
  • Generate the Test Plan
  • Central logging (ledger) for all CRUD and access usage based on NATS
  • Make the Keycloak setup easier (scripted)
  • Included Jaeger Tracing setup
  • Grafana and Prometheus included setup
  • External API access to certain functions in OpenRMF® OSS (ext-api-score)
  • Export Compliance Report to XLSX
  • Meaningful Health Checks in APIs and MSG clients
  • Performance improvements
  • Separate Reporting API and Database (MSA)
  • Use NGINX reverse proxy for all API calls

If we are missing something you want, please add it on our main GitHub Issues page.

Metrics Tracking with Prometheus and Grafana

We include metrics tracking for all our major subsystems. See the OpenRMF OSS Metrics document for more information.

Cleaning up the Docker volumes and such every so often

If you want to remove all data from volumes you can run the commands below. Do so at your own risk and know the consequences! I do this on my development machine to clear ALL volumes, including those not for OpenRMF® OSS.

  • run docker volume rm $(docker volume ls -qf dangling=true)
  • run docker system prune and then enter y and press Enter when asked
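The two commands above clear every dangling volume on the machine, which is fine for a development box but more than you want anywhere MongoDB, Grafana or Prometheus data from other projects also lives. The script below is an added example, not part of the OpenRMF® OSS docs: it narrows the removal to dangling volumes whose names start with a chosen prefix and defaults to a dry run that only lists what it would remove. The "openrmf" prefix and the sample volume list are constructed; check the actual volume names your compose file creates before relying on a prefix.

```shell
#!/bin/sh
# Added example, not from the OpenRMF OSS docs.
# Scoped cleanup of dangling Docker volumes: only names starting with PREFIX,
# and only actually removed when the second argument is 0 (dry run by default).

# filter_volumes PREFIX: read volume names on stdin, print only those that
# begin with PREFIX. awk's index() does a literal match, so a prefix containing
# regex metacharacters cannot widen the selection by accident.
filter_volumes() {
    awk -v p="$1" 'index($0, p) == 1'
}

# count_prefixed LIST PREFIX: how many names in LIST (newline-separated) match.
count_prefixed() {
    printf '%s\n' "$1" | filter_volumes "$2" | wc -l | tr -d ' '
}

# prune_prefixed_volumes PREFIX [DRY_RUN]: list the matching dangling volumes;
# remove them only when DRY_RUN is 0. Requires the docker CLI.
prune_prefixed_volumes() {
    prefix="$1"
    dry_run="${2:-1}"
    docker volume ls -qf dangling=true | filter_volumes "$prefix" | while read -r vol; do
        if [ "$dry_run" = "1" ]; then
            echo "would remove: $vol"
        else
            docker volume rm "$vol"
        fi
    done
}

# Constructed sample of what `docker volume ls -qf dangling=true` might print:
# two project volumes, one anonymous volume, one belonging to something else.
SAMPLE_VOLUMES='openrmf_mongodata
openrmf_grafana
4f2c9a1e7b3d
scratch_cache'

# Offline demonstration of the filter alone (no docker needed):
printf '%s\n' "$SAMPLE_VOLUMES" | filter_volumes openrmf
```

Run `prune_prefixed_volumes openrmf` first to see the list, then `prune_prefixed_volumes openrmf 0` to remove those volumes; `docker system prune` is still the right tool when you really do want everything gone.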

Screenshots of the UI

The OpenRMF® OSS Dashboard for all Systems

The System Listing

A System View

Exporting the Nessus Patch file summary to XLSX

The Individual Checklist view

Generate RMF Compliance Listing with linked Checklists and filtered vulnerabilities!

The checklist Upload page

Exporting the checklist to XLSX with color coding