forked from mitre/mitre-saf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfaqs.json
142 lines (142 loc) · 9.66 KB
/
faqs.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
{
"faqs": [
{
"question": "How many NIST SP 800-53 Security Controls are assessed under the MITRE SAF?",
"answer": "Currently, about 162 NIST SP 800-53 security controls are assessed under this framework. Note that assessment coverage varies based on the component type. For more information, explore this Control Assessment Range table!",
"links": [
{
"name": "Control Assessment Range table",
"router_link": "/control-table"
}
],
"tag" : "security-control-table"
},
{
"question": "How are NIST SP 800-53 Security Control associations included in the assessment tests used in this framework?",
"answer": "NIST SP 800-53 associations are included in all InSpec profiles and output from other security tools processed through Heimdall_tools. See our presentation to learn more!",
"links": [
{
"name": "InSpec, HDF, and NIST SP 800-53 Security Controls",
"download_link": "MITRE_InSpec_Profiles_and_HDF_include_NIST_SP-800-53_Associations.pdf"
}
],
"tag" : "security-control-associations"
},
{
"question": "What is a recommended best practice for Code Review?",
"answer": "Teams should follow the code review recommendations given here:",
"links": [
{
"name": "MITRE SAF Code Review Recommendations",
"download_link": "MITRE_SAF_Code_Review_Recommendations.pdf"
}
],
"tag" : "code-review"
},
{
"question": "Which tools are supported by the MITRE SAF?",
"answer": "",
"links": [
{
"name": "InSpec (and our InSpec profiles)",
"router_link": "/validate",
"desc": " for assessing configuration settings, vulnerabilities, and least functionality"
},
{
"name": "InSpec Tools",
"link": "https://inspec-tools.mitre.org",
"desc": "to create and format InSpec data like profiles and results"
},
{
"name": "Heimdall Server",
"link": "https://heimdall.mitre.org",
"desc": " to visualize security data using a full viewer instance to store results, coordinate across the development team, and more"
},
{
"name": "Heimdall Lite",
"link": "https://heimdall-lite.mitre.org",
"desc": " to visualize security data easily from anywhere, using a lightweight in-browser version of Heimdall for simple use cases"
},
{
"name": "Heimdall Tools",
"link": "https://heimdall-tools.mitre.org/",
"desc": " to convert data from common security tools into Heimdall Data Format (HDF) to be viewed in Heimdall"
},
{
"name": "HDF-to-Splunk",
"link": "http://hdf-json-to-splunk.mitre.org/",
"desc": " converter to use Splunk to store HDF security data"
}
],
"tag" : "tools"
},
{
"question": "What happened to Heimdall_Tools and InSpec_Tools?",
"answer": "MITRE SAF has combined a number of its tools, including Heimdall_Tools and InSpec_Tools, into a single utility called SAF CLI. The new tool covers the same use cases as the old ones in a more convenient package. Similarly, our GitHub Actions for the older tools have been replaced by the SAF CLI GitHub Action. Action. See our page for SAF CLI for details.",
"links": [
{
"name": "SAF CLI",
"link": "http://saf-cli.mitre.org/"
},
{
"name": "SAF CLI GitHub Action",
"link": "https://github.com/mitre/saf_action"
}
],
"tag" : "deprecated_tools"
},
{
"question": "How can I use InSpec tests in my CI/CD pipeline?",
"answer": "InSpec tests can be integrated as part of a test battery in your favorite CI platform. For example, you can add InSpec testing to your Travis CI file to run InSpec automatically. For further details, please see our Advanced InSpec Developer's Course.",
"code": "// travis.yml\n\nsudo: required\n\n# blocklist\n#branches:\n# except:\n# - development\n\n# safelist\n#branches:\n# only:\n# - master\n# - stable\n\nlanguage: ruby\nrvm:\n - 2.6.1\n\ncache: bundler\n\naddons:\n apt:\n sources:\n - chef-current-xenial\n # packages:\n # - chef-workstation\n #artifacts: true\n\n# Don't `bundle install` which takes about 1.5 mins\ninstall:\n\nservices: docker\n\nenv:\n matrix:\n - INSTANCE=default-ubuntu-1604\n\nbefore_script:\n - wget https://packages.chef.io/files/stable/chef-workstation/0.5.1/ubuntu/16.04/chef-workstation_0.5.1-1_amd64.deb\n - sudo dpkg -i chef-workstation_*.deb\n - rm chef-workstation_*.deb\n - sudo iptables -L DOCKER || ( echo \"DOCKER iptables chain missing\" ; sudo iptables -N DOCKER )\n - eval\\$(chef shell-init bash)\"\n - gem install bundler:2.0.1\n - gem install inspec_tools\n - inspec --version\n - CHEF_LICENSE=accept chef gem update inspec\n - CHEF_LICENSE=accept chef gem update inspec-bin\n - /opt/chef-workstation/embedded/bin/gem update inspec\n - /opt/chef-workstation/embedded/bin/gem update inspec-bin\n - inspec --version\n - bundle update --bundler\n - bundle install\n - chef --version\n - cookstyle --version\n - foodcritic --version\n\nscript: \n - CHEF_LICENSE=accept-no-persist KITCHEN_LOCAL_YAML=kitchen.dokken.yml CHEF_VERSION=\\${CHEF_VERSION} kitchen verify \\${INSTANCE} || true\n - export RESULTS=\\$(ls results/*.json)\n - inspec_tools compliance -j $RESULTS -f threshold.yml",
"links": [
{
"name": "InSpec Pipeline Integration Example",
"link": "https://mitre-inspec-advanced-developer.netlify.com/course/4.html"
}
],
"tag" : "pipeline"
},
{
"question": "How is InSpec deployed?",
"answer": "It is intended and recommended that InSpec be installed on a \"runner\" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) and run against the target remotely. However, InSpec may be deployed in various ways depending on the needs of the user:",
"images": [
{
"name": "Inspec Runners",
"path": "inspec-runner.png"
}
],
"tag": "runners"
},
{
"question": "What is the difference between Chef InSpec and CINC Auditor?",
"answer": "<p> All Chef software source code, including Chef InSpec, is open source under the Apache-2.0 license. </p> <p> Use of Chef's binary builds requires a paid license for use in production. </p> <p> Use of Chef binaries and releases in development, test, evaluation and demonstration do not require a formal support agreement. </p> <p> This is a common model in Enterprise Open Source software companies. The first major example of this was when Red Hat updated its licensing model. The open-community created the CentOS project to produce distributions of the RedHat OSS licensed code as a fully open-source software distribution. </p> <p> For more information about Chef's goals and intentions for this update, please see <a href='https://blog.chef.io/chef-software-announces-the-enterprise-automation-stack/' >https://blog.chef.io/chef-software-announces-the-enterprise-automation-stack/</a > and the <a href='https://www.chef.io/subscription-model-faq/' >https://www.chef.io/subscription-model-faq/</a >. </p> <p> Chef Inc. is working with the Cinc Project and the OSU Open Source Lab in support of the open source community. Chef and Cinc have worked hard to ensure that both the commercial-support and community-support model is easy for the end-user community. </p> <p> Cinc project is creating community distributions that follow the Apache-2.0 and Chef End User License Agreement (EULA) for the community to use freely and without a license. </p> <p> If you need Chef support for production use and deployment of Chef binaries, please <a href='https://pages.chef.io/2020-OSS-LandingPage.html' >https://pages.chef.io/2020-OSS-LandingPage.html</a > about their various options. </p> <p> The Cinc project is not a fork, the Cinc and Chef binaries are functionally identical and build from the exact same OSS code on GitHub. </p> <p> The Cinc distributions remove all trademarked and Chef owned intellectual property and images, etc. This makes them compliant with the Chef Software Trademark policy and EULA, and provides the community with a freely distributable and purely open-source option to use Chef's open source technology. </p> <p> The <a href='https://cinc.sh/goals/'>Cinc project's goals</a> are to provide the community with a freely distributable and purely open-source option to use Chef's open source technology. </p>",
"links": [
{
"name": "CINC Project",
"link": "https://cinc.sh"
},
{
"name": "Chef EULA Changes",
"link": "https://blog.chef.io/chef-software-announces-the-enterprise-automation-stack/"
},
{
"name": "Chef Subscription Model FAQ",
"link": "https://www.chef.io/subscription-model-faq/"
}
],
"tag" : "cinc"
},
{
"question": "How can I as a MITRE, government or vendor employee contribute to MITRE SAF?",
"answer": "<p>MITRE SAF has created the Continuous Collaboration Agreement to help sponsors for MITRE projects easily work with the SAF, and have MITRE support their contributions to the shared community. For more information, please review the MITRE SAF CCA Template.</p><p>Vendors and the open source community can contribute to MITRE SAF via the Apache 2.0 OSS License.</p>",
"links": [
{
"name": "MITRE SAF CCA Template",
"download_link": "MITRE-SAF-CCA-Template.docx"
}
],
"tag" : "cca"
}
]
}