An accreditation-helper toolkit to make FISMA easier.
The GovReady vision is to make FISMA easier for innovators by
- making compliance part of Agile/DevOps
- sharing compliance progress data among Dev, Ops, Sec, and Mgt
- making baseline development collaborative
- providing trusted SCAP content with open source friendly licenses
- embracing compliance as a practice distinct from security
Our first product is "govready", a toolkit for running FISMA scans and managing results with a git-like feel.
Govready uses (and is a contributor to) the NIST Certified SCAP 1.2 toolkit OpenSCAP and Scap-Security-Guide.
Our design goal is to make scanning easier and more collaborative regardless of your knowledge of FISMA.
Copyright 2013, 2014 Greg Elin and GovReady. All Rights Reserved.
License: GPL 3.0
Govready is under heavy development and is pre-release. The current version is 0.6.x.
We recommend only using govready currently on non-production virtual machines.
Feedback via GitHub issues is appreciated!
The govready toolkit is funded by a generous grant from the John S and James L Knight Foundation
Below are several quickstarts. Use the quickstart for your preferred OS.
( Need a vm to test GovReady? Try: https://github.com/GovReady/testmachines )
# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternate if epel installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y
# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash
# Switch to root so scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
su -
# Create a directory and cd into it
mkdir myfisma
cd myfisma
# Initialize the directory
govready init
# Run a scan
govready scan
# List results
ls -l scans
# View repoort from most recent scan
lynx scans/results.html
# Run fix script generated by most recent OpenSCAP scan
govready fix
# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare
# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail
# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs
# See available profiles (e.g., baselines)
govready profiles
# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server
# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh
Note: CentOS is NOT RHEL without subscription. There is a general assumption that SSG tests for RHEL work on CentOS, but that is not guaranteed.
# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash
# Switch to root so scanner can run all tests properly
su -
# Create a directory and cd into it
mkdir myfisma
cd myfisma
# Initialize the directory
govready init
# Import CentOS cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml
# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-centos6-cpe-dictionary.xml:' GovReadyfile
# Run a scan
govready scan
# List results
ls -l scans
# View repoort from most recent scan
lynx scans/results.html
# Run fix script generated by most recent OpenSCAP scan
govready fix
# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare
# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail
# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs
# See available profiles (e.g., baselines)
govready profiles
# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server
# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
bash scan/usgcb-rhel6-server-fix-0822-1552.sh
# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash
# Switch to root so scanner can run all tests properly
su -
# Create a directory and cd into it
mkdir myfisma
cd myfisma
# Initialize the directory
govready init
# Run an oscap command just to see things fail because we have no SCAP content installed for Ubuntu
oscap xccdf eval --profile test --results scans/test-results-0822-1319.xml --report scans/test-results-0822-1319.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
# Sorry - this is all you can do on Ubuntu at the moment. :-(
# Fork the code and help us include Ubuntu and Debi
Additional Quickstarts available in the repo. See "Quickstart-platform.md"
The recently released oscap-ssh enables Scanning Remote Machines with OpenSCAP. As a user-friendly frontend to the OpenSCAP tools, GovReady has been enhanced to make use of this exciting new feature. There are two ways to make use of this new feature (which may be used separately or together):
# All three vars must be set 'OSCAP_USER@OSCAP_HOST OSCAP_PORT' for remote scanning.
# Note that openscap-scanner ('oscap') must be installed on the remote server.
OSCAP_USER = root
OSCAP_HOST = example.com
OSCAP_PORT = 22This will scan the RHEL 7 machine badwolf.example.com via port 22 as the root user:
export GOVREADY_OSCAP_USER=root
export GOVREADY_OSCAP_HOST=badwolf.example.com
export GOVREADY_OSCAP_PORT=22
export GOVREADY_XCCDF=ssg-rhel7-ds.xml
govready scan- All values in the GovReadyfile can be overridden with
GOVREADY_*environment variables. This facilitates integration with many site management tools such as Ansible, Chef and Puppet. - As @mpreisler notes, currently
oscap-sshmust be run as root, while remote ssh access is generally considered a security hole to be remediated. A future release will resolve this. - OVAL and CPE files can not be separately named on the command line. Rather, use a "datastream" object as the XCCDF file (which can contain OVAL and CPE definitions within it).
Using curl
# Uninstall
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo UNINSTALL=1 bash
# Install branch other than master
curl -Lk https://raw.githubusercontent.com/GovReady/govready/master/install.sh | sudo BRANCH=branch_name bash
# Use an installer from a different branch
curl -Lk https://raw.githubusercontent.com/GovReady/govready/branch_name/install.sh | sudo BRANCH=branch_name bash
Use https://github.com/GovReady/testmachines for virtual machines to test GovReady.