diff --git a/.github/ISSUE_TEMPLATE/conmon-0-run.md b/.github/ISSUE_TEMPLATE/conmon-0-run.md deleted file mode 100644 index dc241c2..0000000 --- a/.github/ISSUE_TEMPLATE/conmon-0-run.md +++ /dev/null 
@@ -1,225 +0,0 @@ ---- -name: ConMon - Run Scans -title: "Run [month] [year] ConMon scans" -about: INTERNAL ONLY schedule conmon runs -labels: compliance -assignees: "" ---- - -In order for us to update the JAB on our compliance in a consistent way, we need to run Continuous Monitoring scans on approximately the 23rd of the month. (If this date falls on a weekend or federal holiday, adjust to the last business day before the date.) - -For context, see our [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), including [the monthly reporting summary explanation](https://cloud.gov/docs/ops/continuous-monitoring/#monthly-reporting-summary). - -## Netsparker - -Omit: I am not finding a clear path to using Netsparker for our admin apps, and NetSparker has its own issues with false positives - -# OWASP ZAP Scans - -From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible." - -We run ZAP from a platform operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests. - -## Preliminary work - Sandbox User Setup - -We scan our externally facing apps as _sandbox users_ of cloud.gov, via the cloud.gov IdP, instead of _platform admins_. This vastly speeds up scans since the spider doesn't crawl every app and org in _logs_ or _dashboard_, and also avoids issues with ZAP "clicking" on links with undesired impacts. 
- -Create a sandbox account, starting from https://account.fr.cloud.gov/signup, and use an email such as your `fname.lname@{cio.gov, pif.gov, fedramp.gov}` - -As your "sandbox" user identity, launch a ["Hello World" app](https://github.com/cloud-gov/cf-hello-worlds) so there's something in the dashboard and logs apps to spider. (ToDo: Determine if this is really necessary, provide link to steps). - -## Install, Configure, and Update - -- Make sure no other process is bound to port 8080 by running `lsof -i TCP:8080`. The ZAP proxy binds to this port. -- Install Firefox (with Homebrew `brew install firefox --cask` or any way you chose). Chrome does not support proxy settings while Firefox does. -- `git clone git@github.com:cloud-gov/product.git` so you have the `context` files you need. -- Install the [latest stable version of ZAP](https://www.zaproxy.org/download/). Install/update via Homebrew with: - - `brew update; brew install owasp-zap` or - - `brew update; brew reinstall owasp-zap` - > NOTE: If you see an error running ZAP as an unsigned application, run the following from the command line: - - `xattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'` -- Start ZAP and update - - For "Session persistence", select "No, I do not want to persist my session..." - - For "Manage add-ons", select "Update All" - - ![Screenshot of ZAP tool with an arrow pointing to the Manage add-ons button in the toolbar](https://user-images.githubusercontent.com/1001694/226946792-3257c427-47a3-4ece-a8f8-d1ee37fd3379.png) - - - ZAP -> Preferences -> Options: - - JVM -> JVM options: `-Xmx8192m` - - Active Scan: - - 3 hosts - - 5 threads - - Global Exclude URL: - - Site - Firefox (select all) - - Site - Font CDNs - - Site - Mozilla CDN - - Spider - - Max Depth to Crawl: 5 - - Number of Threads: 7 - -**Quit and restart ZAP if you change the JVM options.** - -## Running ZAP scans - -ZAP scans take hours. We recommend you start in the morning or run them overnight. 
There are two separate scans to run, external and internal, and the internal one takes considerably longer. (You may want to run it when VPN traffic is lower.) - -The following steps are for the `external` scan (except as noted): - -- From the cloud.gov `product` repo, load the cloud.gov `cloud.gov-conmon-external.context` into ZAP (File > Import Context) - - Delete the "Default Context" or any already completed context. -- On the top line of icons, there should be a Firefox icon on the far right. Click that to open Firefox preconfigured to proxy through ZAP. -- Open the `context` to see the included web applications (Context -> Included in Context) -- In the ZAP-configured Firefox, log in to each site in the context list. - - You must type the full URL each time, including the protocol (`https://`). Using ZAP stops automatic redirects from HTTP to HTTPS from working. - - For the **`external` context, use your "sandbox" identity**. VPN not needed. - - For the **`internal` context, use your Cloud Ops (GSA SecureAuth) identity**, and join the VPN -- To prevent getting noise in the scan results (since that causes major confusion when the FedRAMP team processes the ConMon report), review the `Sites` list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting `Delete`. -- CTRL-click on the context and run the `Spider` scan. This should only take a few minutes. -- After the `Spider` scan is complete, again CTRL-click on the context and this time run the `Active Scan`. -- After the Spider and Active scans are complete, export the results: - - From `Report` menu, select `Generate Report ...` - - Select the `Template` options, and use the templates: - - Traditional HTML report - - Traditional XML report - - Name the files according to `YYYYMMDD-ZAP-(context).xml/html`. E.g. 
- - 20210623-ZAP-external.xml - - 20210623-ZAP-external.html - - Optional: Check with compliance lead on whether we also need - "Traditional HTML Report with Requests and Responses" - -**Quit ZAP, then repeat the "Running ZAP scans" steps for the `internal` context (which will require the VPN)** - -## Troubleshooting ZAP Scans - -### 502 Bad Gateway, ZAP Error - -If you encounter the following: - -`ZAP Error [org.apache.hc.core5.http.NoHttpResponseException]` - -Make sure you are typing the entire URL, including the `https://` protocol, into Firefox. Firefox will appear to automatically redirect from http to https, but if you check the ZAP console, you'll see the requests being made in http and failing with 502 Bad Gateway. - -### Browser Was Not Found, Java Exceptions - -- Did you stop all locally running web servers? If they are bound to port 8080, they will prevent Firefox from connecting to the proxy. (You might see the error: "browser was not found".) - -### Java Unable to Connect Exception - -In Firefox if you see a Java Unable to Connect Exception, try the following: - -Close both Firefox and ZAP. - -In `~/Library/Application Support/ZAP/log4j2.properties`: - -Change the following level's to debug so the entries look like this: - -```text -logger.paros.name = org.parosproxy.paros -logger.paros.level = debug - -logger.zap.name = org.zaproxy.zap -logger.zap.level = debug -``` - -Open ZAP, follow the above and open Firefox. Try to go to the server that failed previously. 
- -If that works, then change the levels back to info from debug, so they look like this: - -```text -logger.paros.name = org.parosproxy.paros -logger.paros.level = info - -logger.zap.name = org.zaproxy.zap -logger.zap.level = info -``` - -For the internal sites, try the following order in Firefox to bring up the sites according to the context: - -```text -https://ci.fr.cloud.gov -https://alertmanager.fr.cloud.gov -https://logs-platform.fr.cloud.gov -https://grafana.fr.cloud.gov -https://prometheus.fr.cloud.gov -https://opslogin.fr.cloud.gov -``` - -If the context changes the sites, this list and order will need to be revisited. - -### Generic Troubleshooting - -For when the other troubleshooting has not helped: - -- Fully close Firefox and restart ZAP. -- Uninstall and reinstall FF and ZAP. -- ZAP also has a [weekly build](https://www.zaproxy.org/download/#weekly) available. If the current stable build isn't working for some reason, try the weekly build instead. Download the ZIP, `cd` to it in your terminal, and run it with `./zap.sh`. If it outputs a message like `Exiting: ZAP requires a minimum of Java 11 to run`, run `brew install java` to install the latest Java and try again. - -## Upload and wrap up - -Upload all reports to Google Drive: https://drive.google.com/drive/u/0/folders/0B5fn0WMJaYDnaFdCak5WNWRGb1U in a folder named `YYYYMMDD-ZAP-Nessus`. - -You can shut down ZAP and Firefox. - -## Potential ZAP Issues - -## Acceptance criteria - -- [ ] YYYYMMDD-external.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder -- [ ] YYYYMMDD-internal.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder -- [ ] YYYYMMDD-pages.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder - -### Disk Usage - -A single ZAP scan of the cloud-gov context requires significant disk space (over 100GB). If you have run ZAP previously, you should check to see if you previous sessions have been persisted. If so, you likely need to clear out those directories before proceeding. 
- -You can check ZAP's disk usage with: - -```sh -du -h -d 1 ~/Library/Application\ Support/ZAP/ -``` - -If you see an abnormally large `session` or `sessions` directory (my last run was 132G), you likely want to delete all files in these directories before proceeding. Choosing to "Not persist" sessions should alleviate this issue. - -## Export Nessus Scans - -- Log in to Nessus: https://nessus.fr.cloud.gov/ -- Select `All Scans` - - You should see more than a dozen scans. If you see fewer, ask on Slack to be added to the Scan Admins group under Groups: https://nessus.fr.cloud.gov/#/settings/groups -- Click on each vulnerability scan for Tooling and Production, and export the .nessus file (Export > Nessus) and the "Complete List of Vulnerabilities by Host" report (Report > HTML). -- Click on each compliance scan for Tooling and Production, and export the .nessus file (Export > Nessus) and the "Compliance" report (Report > HTML). -- Click on each scan for RDS Compliance, and export the .nessus file (Export > Nessus) and the "Compliance" report (Report > HTML). - -## Acceptance criteria: - -The following (.nessus and .html) are all uploaded to YYYYMMDD-ZAP-Nessus folder: - -- [ ] Production_Vulnerability_scan -- [ ] Tooling_Vulnerability_scan -- [ ] Production_Compliance_scan -- [ ] Tooling_Compliance_scan -- [ ] ALL the RDS compliance scans - -## Update the POAM Inventory sheet - -A python script is used to generate the inventory list. - -- Open the [POAM Inventory sheet](https://docs.google.com/spreadsheets/d/1_9Neq8fGO4NdQhsqLXDn445g3GUa1k_FZUrUXc7hulY/edit#gid=1371600163) - -- Delete the data rows (**starting after the manually maintained inventory items**) - These rows are locked to prevent inadvertent editing. - -- For the tooling and production jumpboxes: - - Login to each jumpbox and take note of the container number: - - [ ] production - - [ ] tooling - - [ ] master - - Run `python3 cg-scripts/generate-POAM-inventory.py > inv.csv`, then `exit`. 
- - Copy the CSV to your local clipboard by running the following, where `{environment}` is `production`, `master`, or `tooling` and `container-number` is the number from the first step. - - ```shell - fly -t ci i -j "jumpbox/container-bosh-{environment}" -s jumpbox -b "{container-number}" -- cat inv.csv | pbcopy - ``` - -- Paste the contents in the spreadsheet by selecting the first cell in the first blank row following the manually maintained inventory items, then pasting with CTRL-Shift-V (Command-Shift-V for macOS) to paste without formatting. Then select the paste icon that appears and click `Split text to columns` - -- [ ] Verify you have pasted the inventory for both production and tooling. -- [ ] Verify that the RDS information has not been overwritten. diff --git a/.github/ISSUE_TEMPLATE/conmon-1-deliver.md b/.github/ISSUE_TEMPLATE/conmon-1-deliver.md deleted file mode 100644 index ef7a19b..0000000 --- a/.github/ISSUE_TEMPLATE/conmon-1-deliver.md +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -name: ConMon - Deliver Scans -title: 'Deliver [month] [year] ConMon results by [due date]' -about: INTERNAL ONLY deliver conmon results -labels: compliance -assignees: '' - ---- -In order for us to update the JAB on our compliance in a consistent way, we need to deliver a Continuous Monitoring report monthly (our standard due date is the 2nd of the month. If these dates fall on a weekend or federal holiday, adjust to the last business day before the date.) - -For context, see our [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), including [the monthly reporting summary explanation](https://cloud.gov/docs/ops/continuous-monitoring/#monthly-reporting-summary). - -We need to process our scan results and prepare documentation for any updated or new items, including updating the [vulnerability tracker](https://docs.google.com/spreadsheets/d/1tAYNmiEUwMSquRcQ0MrqtP-VIo7oxh1OzD6rmkWl-9w/edit#gid=1701775784) and [POA&M](https://docs.google.com/spreadsheets/d/16igVl8cD3SqeX5_SOn5Su34KmwMRnP20gPbfQlqIwfM/edit#gid=1701775784). -(Vulnerabilities that are patched within RA-05/SI-02 deadlines are not reported on the POA&M sheet). - - - -## Workstation Processing - -### First time setup - -* *Set up Google Drive* - install from GSA SelfService -* Have `cg-scripts` in your `$PATH` -* PIP install `nessus-file-reader` - -I keep all the conmon materials locally in `~/Documents/ConMon`, and have a symlink -to the few scripts that I use for parsing the conmon materials, as follows: - -* Clone [cg-compliance](git@github.com:cloud-gov/cg-compliance.git) to the location of your choice -* Make a symlink from ~/Documents/Conmon to the scripts' bin directory: - ``` - cd ~/Documents/ConMon - # Note - pending merge of PR https://github.com/cloud-gov/cg-compliance/pull/264 - ln -s (cg-compliance-path)/conmon/bin . 
- ``` - -## Monthly processing - - -* `cd ConMon; source bin/conmon.sh` - Set up functions for conmon -* `setup_dirs YYYY MM DD` - Set up the correct names, env vars, and places for our copies of the scan -* Open in separate finder windows - * the new target folder (e.g. `ConMon/2021/11`) - * the Google Drive with `ZAP and Nessus results/2021-11-22` -* Drag scans from Drive to their local targets - * ZAP: copy both XML and HTML to the top level - * RDS *.nessus into the RDS folders - * Compliance and Vuln *.nessus scans into "Production-and-Tooling..." folders. End result: - ``` - tree $MonthDir - /Users/peterdburkholder/Documents/ConMon/2023/11 - ├── 20231122-ZAP-external.html - ├── 20231122-ZAP-external.xml - ├── 20231122-ZAP-internal.html - ├── 20231122-ZAP-internal.xml - ├── 20231128-ZAP-pages.html - ├── 20231128-ZAP-pages.xml - ├── Production-and-Tooling-Vulnerability-and-Compliance-scans_2023-11-22 - │   ├── Production Compliance scan_6zil6h.nessus - │   ├── Production Vulnerability scan_awsge2.nessus - │   ├── Tooling Compliance scan_e16nva.nessus - │   └── Tooling Vulnerability scan_amokaf.nessus - └── RDS_Compliance_Scans_2023-11-22 - ├── RDS Compliance - Credhub Prod_v4ek1g.nessus - ├── RDS Compliance - Credhub Tooling_vwal0v.nessus - ├── RDS Compliance - OpsUAA Tooling_hc5sqs.nessus - ├── RDS Compliance Scan - ATC Tooling_l6a0hm.nessus - ├── RDS Compliance Scan - Bosh Tooling_enkk7f.nessus - ├── RDS Compliance Scan BOSH Prod_9r1y4q.nessus - └── RDS Compliance Scan CF Prod_ipvc66.nessus - ``` -* Replace spaces in filenames with underscores: - ```shell - pushd Production-and-Tooling-Vulnerability-and-Compliance-scans_2021-03-23 - spaces2underscores - cd ../RDS_Compliance_Scans_2021-03-23 - spaces2underscores - popd - ``` -* Run `nessus_log4j`. 
This generates a table something like this: - ``` - ------- Log4J REPORT ------ - Log4j plugin: 155999 - Log4J violations on Diego cells on phantom paths (safe): 0 - Log4J violations on Diego cells in customer path (safe): 6 - Log4J violations on Logstash nodes at known path (safe): 27 - Log4J violations of unknown origins found (UNSAFE) : 0 - ``` - * If there are any UNSAFE findings: - * Create a new issue in https://github.com/cloud-gov/private - * Link to the issue in a comment, below - * Immediately assign to CloudOps and discuss with them - * Once clean, screenshot and attach to this issue. -* Run `nessus_daemons` - * Review any findings, if they're legitimate daemon, open an issue in [cg-scripts](https://github.com/cloud-gov/cg-scripts) to patch `parse-nessus-xml.py`. - * Link to the issue, or PR, in the comments below - * If they're suspicious, follow our IR processes. - * Once clean, screenshot and attach to this issue. -* Run `prep_nessus` function - * This generates `MM.nessus_summary.txt` and `MM.nessus_work.txt` - This month's summary is compared, using `comm` to last month's summary. -* Review `MM.nessus_summary.txt`, see if it's OK. 
-* The file `MM.nessus_work.txt` looks like this: -``` -LAST MONTH (fixed) - THIS MONTH (new) - BOTH (persisting) - 147163, Risk: Medium, Plugin Name: Apache Tomcat 7.0.0 < 7.0.108 RCE, https://www.tenable.com/plugins/nessus/147163 - ..hostnames or number of impacted hosts -``` -The items left-aligned are ones that we're in last months' report but are now fixed, the next indent are those that are new (present now, absent last month), and the third indent are present in both months' scans (persisting issues) -* Run `nessus_csv` to generate the `MM.csv` file -* Copy the new `.txt` and the CSV files to [Google Drive](https://drive.google.com/drive/folders/1A4jVPmlnO2KHiSFVFxfp4Gp2nl5CFGPD) for the other team members to processing - -Be sure to: - -* Review the RDS scans: - - cd to the directory with the RDS compliance scans, - - run `../../../bin/parse-rds.sh` - - if there are version out-of-date findings, see latest version in AWS with: - - `aws rds describe-db-engine-versions --output=table --engine postgres --engine-version X.Y` -* Review the Compliance scans: - * No good parsing yet, review manually - -## Google Drive processing - -### Process the Nessus and Zap `_work.txt` and CSV file - -* Review the findings and compare them to the Google Sheets vulnerability tracker -* Move the fixed items to Done in the vulnerability tracker, updating the status date -* Add the new items - * run function (from `conmon.sh`) `nessus_csv` - * paste CSV output into vulnerability tracker, then use the `Data` menu to convert to `Split Text to Columns` - * fix up the entry - * copy down the formula for Column M, "Scheduled Completion Date", to generate the due date based on severity - -### Manage the POA&Ms, Inventory, and ConMon Summary - -* Any Java and Tomcat findings will require work outside our normal stemcell patching. 
See [closed issues in the private repository](https://github.com/cloud-gov/private/issues?q=is%3Aissue+is%3Aopen+in%3Atitle+OpenJDK+OR+Java+OR+Tomcat) for examples -* Work through the `MM.zap_work.txt` file produced by `prep_zap`, above -* Pay special attention to the High and Moderate findings -* Move fixed issues from Open to Closed tabs. Be sure to - * Update the Status Date - * Update the Supporting Documents, unless routine stemcell patch covered by the scan output - -* Review the Inventory - * Update RDS postgres versions if necessary - -* Address all gravely late POA&Ms - * Go to the [POA&M Dashboard](https://docs.google.com/spreadsheets/d/1Of4psOutBmZHVekV-_n_CuG8lOqbdpmrSQQJeSwobm0/edit#gid=232277195) - * For each 90+day late POA&M, be sure to update the Milestone Changes filed - of the POA&M sheet -* Manage the container scans: - * Create a scan folder: "container-scans-YYYY-MM-DD/" - * Go to https://groups.google.com/a/gsa.gov/g/cloud-gov-compliance and get the emailed container scan attachments. - * Download the scans from the 22nd of the month to the scan folder - * Review the Scan results with TKTK - -### Be sure you've done all the following - -* List any new identified vulnerabilities in the vulnerability tracker. -* Move any scanner items that should be moved to closed (items originally found by a scanner where we have new scans that prove these things are fixed). -* Update all columns to include the most recent info about remediations, milestones, statuses, etc., including updating the status date column. -* Cloud Operations needs to review the Nessus findings and ensure all daemons are managed by BOSH (see CG04 for context). -* Add any late vulnerabilities to the POA&M worksheet (i.e. vulnerabilities that will be remediated later than 30, 90 or 180 days old). -* Update cell D3 to be the current date for this POA&M (date of submission). 
-* Copy the [the summary cover sheet template](https://drive.google.com/drive/folders/1oUmCq_YHJoE3EeR6a-pfE3i4D1ZzFUiL) and fill it out. - -Depending on scan results, we sometimes also have to do these tasks: - -* For any items that require a monthly checkin with a vendor, Cloud Operations needs to make the appropriate support request to the vendor. -* Write Deviation Requests for operational requirements, risk adjustments, and false positives. -* Update our boards with current info about vulnerabilities and open POAM items and any necessary followup stories about compliance work and related technical work to prepare for the next month's report. -* Open a PR to update our [ConMon checklist template](https://github.com/18F/cg-product/blob/master/ConMonChecklist.md). - -## Upload to the FedRAMP repository - -* (Needs updating once the new repository is ready) - -## Acceptance criteria - -- [ ] We have created/resolved any issues with Nessus Log4J findings -- [ ] We have created/resolved any issues with Nessus unknown daemon findings -- [ ] We have added the Container scan results -- [ ] We uploaded our POA+M summary to MAX.gov https://community.connect.gov/display/FedRAMPExternal/18F+Continuous+Monitoring 'POA&M and Inventory' folder -- [ ] We uploaded our Inventory sheet to MAX.gov https://community.connect.gov/display/FedRAMPExternal/18F+Continuous+Monitoring 'POA&M and Inventory' folder -- [ ] We uploaded our Nessus and OWASP scan results to MAX.gov to https://community.connect.gov/display/FedRAMPExternal/18F+Vulnerability+Scans -- [ ] We uploaded our container scans .... -- [ ] We uploaded the Summary Excel sheet to https://community.connect.gov/display/FedRAMPExternal/18F+Continuous+Monitoring -- [ ] We updated, if necessary, the issue template for next month - -There! You've completed KHAN!-mon - -![Kirk's KHAN](https://media.tenor.com/zpkXBVeJPXAAAAAC/star-trek-the-wrath-of-khan-star-trek2.gif) 
diff --git a/.github/ISSUE_TEMPLATE/conmon-2-ssp.md b/.github/ISSUE_TEMPLATE/conmon-2-ssp.md deleted file mode 100644 index 43794d2..0000000 --- a/.github/ISSUE_TEMPLATE/conmon-2-ssp.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Compliance - Ship SSP -title: "Ship new version of cloud.gov SSP" -about: INTERNAL ONLY schedule SSP delivery -labels: compliance -assignees: "" ---- - -Download from Google, open in Word, clean up table, etc. - -Save as PDF, Docusign it. We ship SSPs as PDFs so they're more or less immutable - -Save as DOCX, upload back to Google Drive as the 'indev' version. - -## Acceptance Criteria - -* SSP has been Docusigned by: - * [ ] ISSO - * [ ] System Owner - * [ ] Product Lead or Biz Lead or Eng Supervisor -* Signed SSP delivered to - * [ ] Max - * [ ] Google Drive Archive folder -* SSP update notification (with highlights) emailed to - * [ ] cloud-gov-team - * [ ] JAB TRRs -* [ ] Google Drive updated with latest .docx - - -## Security Considerations - -Safe. The existence of this issue provides no useful public info to a malicious actor. Regularly -update our SSP is good for compliance & security - diff --git a/.github/ISSUE_TEMPLATE/run_conmon_pages.md b/.github/ISSUE_TEMPLATE/run_conmon_pages.md deleted file mode 100644 index fd57667..0000000 --- a/.github/ISSUE_TEMPLATE/run_conmon_pages.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -name: Run Pages ConMon Scans -title: "Run [month] [year] Pages ConMon scans" -about: INTERNAL ONLY schedule pages conmon runs -labels: compliance -assignees: "" ---- - -Re: [link to platform conmon ticket] - -cloud.gov Pages also provides continuous monitoring artifacts. The process for creating them is detailed below. Current we only run ZAP Scans. - -# ZAP Scans - -From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of The Software Security Project (SSP). ZAP is designed specifically for testing web applications and is both flexible and extensible." - -We run ZAP from a Pages operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests. - -## Preliminary work - Support User Setup - -We scan our externally facing apps as _support users_ of cloud.gov Pages, via the cloud.gov IdP, instead of _admins_. This avoids issues with ZAP "clicking" on links with undesired impacts. - -Each user should have a support user account created in the `zap-scans` organization prior to their first run. - -## Install, Configure, and Update - -- Check that you have the [latest stable version of ZAP](https://www.zaproxy.org/download/). Install/update via Homebrew with: - - `brew update; brew install --cask zap` or - - `brew update; brew reinstall zap` - > NOTE: If you have used ZAP in the past on your workstation you may have an older version installed from when it was known as OWASP ZAP and distributed using the Homebrew formula `owasp-zip`. 
If you need to remove such an older Homebrew installation, run the following from the command line: - - `brew uninstall owasp-zap` - > NOTE: If you see an error running ZAP as an unsigned application, run the following from the command line: - - `xattr -dr com.apple.quarantine '/Applications/ZAP.app'` - - ZAP also has a [weekly build](https://www.zaproxy.org/download/#weekly) available. If the current stable build isn't working for some reason, try the weekly build instead. Download the ZIP, `cd` to it in your terminal, and run it with `./zap.sh`. If it outputs a message like `Exiting: ZAP requires a minimum of Java 11 to run`, run `brew install java` to install the latest Java and try again. -- Start ZAP and update - - For "Session persistence", select "No, I do not want to persist my session..." - - Use the Add-ons button in the toolbar to open "Manage add-ons". Check for available updates, and update all. - - ZAP -> Settings -> Options: - - Active Scan: - - 3 hosts - - 5 threads - - JVM -> JVM options: `-Xmx8192m` - - Network -> Global Exclusions: - - Site - Firefox (select all) - - Site - Font CDNs - - Site - Mozilla CDN - - Spider - - Max Depth to Crawl: 5 - - Number of Threads: 7 - -### Quit and restart ZAP if you change the JVM options - -- Be sure you have Firefox installed (with Homebrew `brew cask install firefox` or any way you chose). Chrome does not support proxy settings while Firefox does. - -- `git clone git@github.com:cloud-gov/product.git` so you have the `context` files you need. - -## Running the ZAP scans - -Running the ZAP scan takes approximately one hour but can consume a large amount of system resources during the final step: - -- From the cloud.gov `product` repo, load the cloud.gov `cloud.gov-conmon-pages.context` into ZAP (File > Import Context) - - Delete the "Default Context" or any already completed context. -- On the top line of icons, there should be a Firefox icon on the far right. 
Click that to open Firefox preconfigured to proxy through ZAP. -- Open the `context` to see the included web applications (Context -> Included in Context) -- In the ZAP-configured Firefox, log in to each site in the context list. -> NOTE: These steps should start to populate ZAP's `Sites` list. If nothing is showing up there, you may need to disable Zscaler and try these steps again. `Sites` may not populate and the `Spider` scan may reported 0 URLs until Zscaler is disabled. -- To prevent getting noise in the scan results (since that causes major confusion when the FedRAMP team processes the ConMon report), review the `Sites` list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting `Delete`. -- CTRL-click on the context and run the `Spider` scan. -- After the `Spider` scan is complete, again CTRL-click on the context and this time run the `Active Scan`. - - It is possible that this scan will pause at an arbitrary percentage complete (~72%) and fail to proceed. If you note no activity for at least 30 minutes, you can stop the scan here and proceed to the next step. -- After the Spider and Active scans are complete, export the results: - - From `Report` menu, select `Generate Report ...` - - Select the `Template` options, and use the templates: - - Traditional HTML report - - Traditional XML report - - Name the files according to `YYYYMMDD-ZAP-pages.xml/html`. E.g. - - 20210623-ZAP-pages.xml - - 20210623-ZAP-pages.html - - Optional: Check with compliance lead on whether we also need - "Traditional HTML Report with Requests and Responses" - -## Troubleshooting ZAP Scans - -Ensure you are not running any other local webservers as the ports can infere with the scan. 
- -If ZAP's `Sites` does not show the sites being visited, or if the scan operations do not seem to be successfully visiting sites, it may be necessary to disable Zscaler for the duration of the ConMon scan. - -If a SecureAuth login loop occurs when trying to login to either of the production sites, it may be necessary to disable ZAP Firefox proxy settings prior to logging in by navigating to `Settings` -> `Network Settings` within Firefox and selecting the `No proxy` radio button . After successful authentication navigate back to `Network Settings` and select the `Manual proxy configuration` radio button. Reload both pages to update the site tree within ZAP. - -If when you open ZAP's Firefox it fails to open displaying the "Explore your application with ZAP" landing page _even though you've stopped Zscaler..._ try rebooting. Sometimes it's time, and it works. - -In Firefox if you see a Java Unable to Connect Exception, try the following: - -Close both Firefox and ZAP. - -In `~/Library/Application Support/ZAP/log4j2.properties`: - -Change the following level's to debug so the entries look like this: - -``` -logger.paros.name = org.parosproxy.paros -logger.paros.level = debug - -logger.zap.name = org.zaproxy.zap -logger.zap.level = debug -``` - -Open ZAP, follow the above and open Firefox. Try to go to the server that failed previously. - -If that works, then change the levels back to info from debug, so they look like this: - -``` -logger.paros.name = org.parosproxy.paros -logger.paros.level = info - -logger.zap.name = org.zaproxy.zap -logger.zap.level = info -``` - -## Upload and wrap up - -Upload all reports to Google Drive: https://drive.google.com/drive/u/0/folders/0B5fn0WMJaYDnaFdCak5WNWRGb1U in a folder named `YYYYMMDD-ZAP-Nessus`. - -You can shut down ZAP and Firefox. - -## Acceptance criteria - -- [ ] YYYYMMDD-ZAP-pages.xml ZAP scan is present in YYYYMMDD-ZAP-Nessus folder -- [ ] YYYYMMDD-ZAP-pages.html ZAP scan is present in YYYYMMDD-ZAP-Nessus folder
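Review bot: conmon-0-run.md hunk: the deletion removes the only written copy in this diff of the platform ZAP procedure (the `-Xmx8192m` JVM setting, global exclusions, spider depth and thread counts), the over-100GB session disk-usage caveat, the Nessus export steps and the `fly -t ci i -j "jumpbox/container-bosh-{environment}" ... | pbcopy` inventory step, but nothing in the change says where that procedure now lives. Add a pointer in the PR or commit description (or leave a one-line stub template linking to the replacement) so operators know where the current version is. If the content is being relocated rather than retired, resolve two things there instead of copying them across: the acceptance criteria check for `YYYYMMDD-external.xml` while the naming step produces `YYYYMMDD-ZAP-external.xml`, and the `xattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'` step presents clearing the quarantine attribute as routine, which is worth flagging as a Gatekeeper bypass rather than a default install step.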
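Review bot: conmon-1-deliver.md hunk: the deleted template still carried unfinished and author-specific content (`/Users/peterdburkholder/Documents/ConMon/2023/11` in the `tree` listing, the `# Note - pending merge of PR https://github.com/cloud-gov/cg-compliance/pull/264` comment, `Review the Scan results with TKTK`, and `(Needs updating once the new repository is ready)` under "Upload to the FedRAMP repository"), so if this process moves to a new home rather than being dropped, those placeholders should be resolved there, not carried over. The same template is where the `nessus_log4j` UNSAFE and `nessus_daemons` suspicious-finding escalation paths are written down (open an issue in the private repo, assign to CloudOps, follow IR processes); those are the security-relevant steps that should not silently disappear, so state in the commit message which document now owns them.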
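Review bot: conmon-2-ssp.md hunk: this template is the tracked checklist for the ISSO / System Owner / Product Lead Docusign sign-off and for delivery to Max and the Google Drive archive; removing it with no replacement leaves the SSP signature record without acceptance criteria anywhere in the repo. Confirm in the PR description where that checklist now lives, or keep a minimal template consisting of just the "Acceptance Criteria" list. Its own "Security Considerations" section already argues the template is safe to keep public, so that is not a reason to delete it.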
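Review bot: run_conmon_pages.md hunk: of the two ZAP setup procedures deleted in this diff, this one is the more current (`brew install --cask zap`, `brew uninstall owasp-zap` for the renamed formula, `ZAP -> Settings -> Options`, `Network -> Global Exclusions`), and it is the only place recording the Zscaler interaction (empty `Sites` list, `Spider` reporting 0 URLs) and the SecureAuth login-loop workaround of temporarily switching Firefox to `No proxy` and back to `Manual proxy configuration`. If the platform and Pages procedures are being merged, base the merged text on this file rather than conmon-0-run.md, and give the `Re: [link to platform conmon ticket]` line a new target since that ticket template is removed in the same change. One pre-existing nit not worth carrying over: `brew cask install firefox` is the older syntax; the platform template's `brew install firefox --cask` is the current form.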