Skip to content

Commit

Permalink
added attestations
Browse files Browse the repository at this point in the history
  • Loading branch information
seanlongcc committed Jul 11, 2024
1 parent 54f6ffb commit 0ea3cd2
Show file tree
Hide file tree
Showing 8 changed files with 265 additions and 7 deletions.
31 changes: 27 additions & 4 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@ jobs:
REPORT_TO_HEIMDALL: true
HEIMDALL_URL: https://heimdall-demo.mitre.org/evaluations
HEIMDALL_API_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}

REPORT_DIR: reports
INSPEC_REPORT_FILENAME: inspec_results.json
ATTESTATION_FILENAME: ${{ secrets.ATTESTATION_FILE}}
ATTESTED_INSPEC_FILE_NAME: inspec_results.json

CA_FILE_BASE64_AA: ${{ secrets.CA_FILE_BASE64_AA }}
CA_FILE_BASE64_AB: ${{ secrets.CA_FILE_BASE64_AB }}
CERTIFICATE_KEY_FILE: ${{ secrets.CERTIFICATE_KEY_FILE }}
Expand Down Expand Up @@ -42,22 +48,39 @@ jobs:
packer init mongo-hardening.pkr.hcl
packer build mongo-hardening.pkr.hcl
- name: Run Packer Validation
run: |
packer build -var 'report={"report_to_heimdall":"${{ env.REPORT_TO_HEIMDALL }}","heimdall_url":"${{ env.HEIMDALL_URL }}","heimdall_api_key":"${{ env.HEIMDALL_API_KEY }}"}' -var 'attestation={"report_dir":"${{ env.REPORT_DIR }}","inspec_report_filename":"${{ env.INSPEC_REPORT_FILENAME }}","attestation_filename":"${{ env.ATTESTATION_FILENAME }}","attested_inspec_filename":"${{ env.ATTESTED_INSPEC_FILE_NAME }}"}' mongo-validate.pkr.hcl
docker ps -a
- name: Get Docker Image Tag
run: |
if docker images | grep -q 'passed'; then
echo "image_tag=passed" >> $GITHUB_ENV
elif docker images | grep -q 'failed'; then
echo "image_tag=failed" >> $GITHUB_ENV
else
echo "No suitable image found"
exit 1
fi
- name: Log in to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Tag and Push Docker Image
- name: Tag and Push Docker Image to GHCR
run: |
docker tag mongo-hardened:latest ghcr.io/${{ github.repository_owner }}/mongo-hardened:latest
docker push ghcr.io/${{ github.repository_owner }}/mongo-hardened:latest
- name: Run Packer Validation
- name: Tag and Push Docker Image to GHCR
run: |
packer build -var 'report={"report_to_heimdall":"${{ env.REPORT_TO_HEIMDALL }}","heimdall_url":"${{ env.HEIMDALL_URL }}","heimdall_api_key":"${{ env.HEIMDALL_API_KEY }}"}' mongo-validate.pkr.hcl
docker ps -a
docker tag mongo-hardened:${{ env.image_tag }} ghcr.io/${{ github.repository_owner }}/mongo-hardened:${{ env.image_tag }}
docker push ghcr.io/${{ github.repository_owner }}/mongo-hardened:${{ env.image_tag }}
if: env.image_tag != ''

- name: Save Scan Artifacts
uses: actions/upload-artifact@v4
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
reports/**
!reports/attestation_template.json
inputs.yml
inspec.lock
spec/ansible/roles/mitre.mongo-stig
Expand Down
44 changes: 44 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,12 @@ mongo_superusers:
cp variables_template.pkrvar.hcl variables.pkrvar.hcl
```

8.1 **Optional: Update the `attestation_template.json` Now if Using a STIG Viewer**

If you have a STIG Viewer available, you can update the `attestation_template.json` now to avoid rerunning the validation Packer file. This allows you to look up the control IDs beforehand and check for compliance in advance.

Follow the instructions [here](#inspec-report) to proceed, and then return to this step once done.

9. **Build the Hardened Image**

Execute the following command to build and save the hardened Mongo image:
Expand Down Expand Up @@ -136,6 +142,44 @@ mongo_superusers:
mongod --config /etc/mongod.conf
```

## Inspec Report

After running the hardening and validation packer files, a report will be generated in `reports/inspec_results.json`.

1. **Upload the Results**:

Upload the `inspec_results.json` file to [Heimdall](https://heimdall-lite.mitre.org/). There should be 19 _Not Reviewed_ controls. These controls need to be attested to.

2. **Edit the Attestation Template**:

Execute the following command to create the `attestation.json` file under `reports` by copying `attestation_template.json` and renaming it to `attestation.json`.

```sh
cp spec/mongo-inspec-profile/inputs_template.yml spec/mongo-inspec-profile/inputs.yml
```

Alternatively, you can also have the SAF CLI guide you through the creation of the attestation file. For instructions on how to use the CLI to create an attestation, please refer to the [SAF CLI documentation](https://saf-cli.mitre.org/#create-attestations).

3. **Review and Provide Explanations**:

Manually review each control and provide an explanation on whether it `passed` or `failed`.

4. **Update `variables.pkrvar.hcl`**:

Update `variables.pkrvar.hcl` with your new attestation file values.

5. **Re-run the Packer Validation to Apply Your Attestations**

Execute the following command to test the hardened Mongo image, it should now produce a docker image tagged with `passed`:

```sh
packer build -var-file="variables.pkrvar.hcl" mongo-validate.pkr.hcl
```

6. **Re-upload to Heimdall**:

Upload the new `inspec_results.json` file back into [Heimdall](https://heimdall-lite.mitre.org/) see your compliance level.

## Notes

### Certificates
Expand Down
21 changes: 19 additions & 2 deletions mongo-validate.pkr.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ variable "report" {
description = "Configuration for reporting to Heimdall"
}

variable "attestation" {
type = map(string)
description = "Configuration for attesting inspec results"
}

# Hardened docker container to be validated
source "docker" "hardened" {
image = "${var.input_hardened_image.name}:${var.input_hardened_image.tag}"
Expand Down Expand Up @@ -67,12 +72,23 @@ build {
"REPORT_DIR=${var.scan.report_dir}",
"REPORT_FILE=${var.scan.inspec_report_filename}",
"INPUT_FILE=${var.scan.inspec_input_file}",
"TARGET_IMAGE=${var.input_hardened_image.name}",
"TARGET_IMAGE=${var.input_hardened_image.name}"
]
valid_exit_codes = [0, 100, 101] # inspec has multiple valid exit codes
script = "spec/scripts/scan.sh"
}

### ATTEST
provisioner "shell-local" {
environment_vars = [
"INSPEC_FILE=${var.attestation.inspec_report_filename}",
"REPORT_DIR=${var.attestation.report_dir}",
"ATTESTATION_FILE=${var.attestation.attestation_filename}",
"ATTESTED_FILE=${var.attestation.attested_inspec_filename}"
]
script = "spec/scripts/attestation.sh"
}

### REPORT
provisioner "shell-local" {
environment_vars = [
Expand All @@ -88,7 +104,8 @@ build {
provisioner "shell-local" {
environment_vars = [
"TARGET_IMAGE=${var.input_hardened_image.name}",
"REPORT_DIR=${var.scan.report_dir}"
"REPORT_DIR=${var.scan.report_dir}",
"ATTESTED_FILE=${var.attestation.attested_inspec_filename}"
]
valid_exit_codes = [0, 1] # the threshold checks return 1 if the thresholds aren't met
# this does not mean we want to halt the run
Expand Down
154 changes: 154 additions & 0 deletions reports/attestation_template.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
[
{
"control_id": "SV-252144",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252147",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252150",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252151",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252152",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252153",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252158",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252161",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252162",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252165",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252166",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252170",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252172",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252173",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252177",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252181",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252183",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252184",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
},
{
"control_id": "SV-252185",
"explanation": "This attestation is provided as a template.",
"frequency": "1y",
"status": "not_reviewed",
"updated": "2024-07-11T17:30:33.627Z",
"updated_by": "MITRE SAF"
}
]
8 changes: 8 additions & 0 deletions spec/scripts/attestation.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
set -uo pipefail

### Apply attestion to inspec results ###
# Note - Packer has an InSpec provisioner plugin, but it doesn't work well with Docker containers
echo "--- Applying Attestation Against InSpec Profile ---"

saf attest apply -i $REPORT_DIR/$ATTESTATION_FILE $REPORT_DIR/$INSPEC_FILE -o $REPORT_DIR/$ATTESTED_FILE
6 changes: 5 additions & 1 deletion spec/scripts/verify_threshold.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,17 @@
set -uo pipefail

### Validate the compliance and status counts of the HDF file ###
saf validate threshold -F inspec.threshold.yml -i "$REPORT_DIR/inspec_results.json"
echo "--- Validating the compliance and status counts of the HDF file ---"

saf validate threshold -F inspec.threshold.yml -i $REPORT_DIR/$ATTESTED_FILE
INSPEC_THRESHOLD_CHECK=$?

if [ $INSPEC_THRESHOLD_CHECK -eq 0 ]; then
docker tag $TARGET_IMAGE:latest $TARGET_IMAGE:passed
echo "$TARGET_IMAGE:passed created"
exit 0
else
docker tag $TARGET_IMAGE:latest $TARGET_IMAGE:failed
echo "$TARGET_IMAGE:failed created"
exit 1
fi
7 changes: 7 additions & 0 deletions variables_template.pkrvar.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,11 @@ report = {
"report_to_heimdall" = true
"heimdall_url" = "https://heimdall-demo.mitre.org/evaluations"
"heimdall_api_key" = "your_actual_api_key_here"
}

attestation = {
"report_dir" = "reports",
"inspec_report_filename" = "inspec_results.json",
"attestation_filename" = "attestation_template.json"
"attested_inspec_filename" = "inspec_results_attested.json"
}

0 comments on commit 0ea3cd2

Please sign in to comment.