This repository has been replaced by https://github.com/mitre/heimdall2, please update any links accordingly.
Heimdall is a centralized visualization server for your InSpec evaluations and profiles.
Heimdall supports viewing of InSpec profiles and evaluations in a convenient interface. Data uploads can be automated through usage of curl and added as a step after an InSpec pipeline stage.
There two versions of the MITRE Heimdall - the full Heimdall and the Heimdall-Lite version. We produced each to meet different needs and use-cases.
| Heimdall-Lite | Heimdall |
|---|---|
| Ship the App & Data via simple Email | Multiple Teams Support |
| Minimal Footprint & Deployment Time | Timeline and Report History |
| Local or disconnected Use | Centralized Deployment Model |
| One-Time Quick Reviews | Need to view the delta between one or more runs |
| Decentralized Deployment | Need to view subsets of the 800-53 control alignment |
| Minimal A&A Time | Need to produce more complex reports in multiple formats |
| Features | Heimdall-Lite | Heimdall |
|---|---|---|
| Installation Requirements | any web server | rails 5.x Server PostgreSQL |
| Overview Dashboard & Counts | x | x |
| 800-53 Partition and TreeMap View | x | x |
| Data Table / Control Summary | x | x |
| InSpec Code / Control Viewer | x | x |
| SSP Content Generator | x | x |
| PDF Report and Print View | x | x |
| Users & Roles & multi-team support | x | |
| Authentication & Authorization | Hosting Webserver | Hosting Webserver LDAP GitHub OAUTH & SAML GitLab OAUTH & SAML |
| Advanced Data / Filters for Reports and Viewing | x | |
| Multiple Report Output (DISA Checklist XML, CAT, XCCDF-Results, and more) |
x | |
| Authenticated REST API | x | |
| InSpec Run 'Delta' View | x | |
| Multi-Report Tagging, Filtering and Comparison | x |
Heimdall supports running via RPM packages, Docker and Chef Habitat(coming soon). For production installations we recommend one of these three methods.
We publish our latest builds on packackager.io, Docker Hub and Chef Habitat (Coming Soon).
You can easily run a local instance for demo and testing purposes using our provided Vagrantfile in the project which installs a simple centos7 VM locally and uses the above RPM method to install, configure and start Heimdall.
- Install Vagrant
- Install a Virtualbox or some other Vagrant support VM system
- Grab our Vagrantfile or just clone the github repository.
- run
vagrant upin the directory where you cloned theheimdallrepo or downloaded theVagrantfile - Navigate to
localhost:3000once the process is complete - Create your first account
- Enjoy
To run Heimdall you just need to add the Heimdall Packager.io repository to your Yum configuration and you can easily deploy and update Heimdall on RHEL7/CentOS7 system.
curl -o /etc/yum.repos.d/heimdall.repo https://dl.packager.io/srv/mitre/heimdall/master/installer/el/7.repoyum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpmyum updateyum install -y heimdall/usr/pgsql-11/bin/postgresql-11-setup initdbecho "local all all trust" > /var/lib/pgsql/11/data/pg_hba.confsystemctl enable postgresql-11systemctl start postgresql-11sudo -u postgres createuser --superuser heimdallheimdall config:set DATABASE_URL=postgresql:///heimdall_productionheimdall run rake db:create db:schema:load || trueheimdall run rake db:migrateheimdall scale web=1- Navigate to
hostname:6000 - Create your first account
- Enjoy
Given that Heimdall requires at least a database service, we use Docker Compose.
- Install Docker
- Download heimdall by running
git clone https://github.com/mitre/heimdall.git. - Navigate to the base folder where
docker-compose.ymlis located - Run the following commands in a terminal window from the heimdall source directory:
./setup-docker-secrets.sh- Optional: Set a custom root URL by editing the
docker-compose.ymland changingHEIMDALL_RELATIVE_URL_ROOTto the path of your choosing, for example/heimdall. docker-compose up -ddocker-compose run --rm web rake db:create db:migrate
- Navigate to
http://127.0.0.1:3000
The following commands are useful for managing the data in your docker container:
docker-compose run --rm web rake db:resetThis destroys and rebuilds the dbdocker-compose run --rm web rake db:migrateThis updates the dbdocker-compose run --rm web rake data:migrateThis updates the db
Make sure you have run the setup steps at least once before following these steps!
- Run the following command in a terminal window:
docker-compose up -d
- Go to
127.0.0.1:3000in a web browser
A new version of the docker container can be retrieved by running:
docker-compose pull
docker-compose up -d
docker-compose run web rake db:migrate
docker-compose run web rake data:migrate
This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation.
docker-compose down # From the source directory you started from
(Coming Soon)
This mode is primarily for developers, shared heimdall instances should be deployed in production mode. Since this is a Ruby application it is suggested to use rbenv or RVM for ruby version management.
- Install
rbenvorRVM - Install dependencies
apt-get install -y build-essential libpq-dev nodejs libxml2-dev libmagick++-dev postgresql-server
- Install ruby by running
rbenv installorrvm install $(cat .ruby-version)from the root directory of this project - Clone the Heimdall Github repository
- Run the following in a terminal
bundle installbundle exec rake db:setupbundle exec rake db:migratebundle exec rails s(Start the server on localhost)
- Pull the latest master from the Heimdall Github repository
- Run the following in a terminal
bundle exec rake db:migratebundle exec rake data:migratebundle exec rails s(Start the server on localhost)
Once you install Heimdall, you will have to create your first account. By default this account will have full admin rights and you will then be able to create other users and grant them access to roles, circles (groups) and teams as you need. You can add your first user by selecting 'Create Account' and then logging in as that user.
Heimdall also supports connecting to your corporate LDAP and other OAuth authentication services but the authorization of those users in Heimdall is managed via the application itself (PRs Welcome).
Once you have an account you can upload InSpec JSONs (see reporters) for evaluations and profile then view them by clicking on the evaluations and profiles tab at the top of the page.
Heimdall supports separating users into groups we call 'Circles' which is basically just groups and roles. This will allow you to deploy a command service which many teams can use, allow your AO or Security Teams to review and comment on multiple teams work while still providing separation of roles and responsibilities.
The Heimdall Administrator can define Circles and add users to those circles. At the moment, this is done directly in the Heimdall application (PRs Welcome) and teams can push their results to a circle via curl. This will allow multiple work streams to happen and easy integration into workflow processes while trying to keep the human element from going blind :).
My default everything goes to the public circle, you should define your circles with respect to the R&R of your organization and project and program structure.
Although it's just a suggestion, we have also found that having a few generic results in the public circle is useful to help easy demonstrations or conversations to happen. This will allow all visitors to view the profile/evaluation you uploaded.
To upload through curl you'll need an API key. This is located on your profile page which can be reached by clicking on your user name in the top right corner, then on profile.
At its most basic, the upload API takes three parameters: the file, your email address, and your API key.
curl -F "file=@FILE_PATH" -F "email=EMAIL" -F "api_key=API_KEY" http://localhost:3000/evaluation_upload_api
If you are an owner or member of any circles, you can have the uploaded evaluation added to your circle by supplying a circle name parameter:
curl -F "file=@FILE_PATH" -F "email=EMAIL" -F "api_key=API_KEY" -F "circle=CIRCLE NAME" http://localhost:3000/evaluation_upload_api
You can also added parameters for Hostname, UUID, FISMA System, and Environment. The first three can by any string, but the environment needs to be one of ['sandbox, 'dev', 'test', 'impl', 'prod']
curl -F "file=@FILE_PATH" -F "email=EMAIL" -F "api_key=API_KEY" -F "hostname=HOSTNAME" -F "uuid=UUID" -F "fisma system=FISMA" -F "environment=test" http://localhost:3000/evaluation_upload_api
The inspec_tools and heimdall_tools also have useful features that help you manage your results, do integration with your CI/CD and DevOps pipelines and get your teams working.
inspec_tools has the compliance and summary functions which will help you define a go/no-go for your pipeline results and allow you to define your thin blue line of success or failure. Incorporating these tools, you can scan, process, evaluate and upload your results to allow your various teams and stages to define the granularity they need while still following the spirit of the overall DevSecOps process as a whole.
For example, the compliance function will let you easily use Jenkins, GitLab/Hub CICD or Drone to have clean pass/fail with an exit 0 or exit 1 and allow you to define exactly the high, medium and low and overall compliance score that you and your Security Official agreed to in production or in development.
NOTE You should always test like you are in production, that is where you are going to end up after all!!
See docker-compose.yml for container configuration
Contact us for advice, we'll be able to send most people our setup.
Edit RAILS_RELATIVE_URL_ROOT line from docker-compose.yml
Set RAILS_ENV = to development in docker-compose.yml
You can setup a deployment/development environment through bundler or docker.
If you wish to use docker, then the dependencies are:
- Docker
- docker-compose
If you wish to use ruby and are on Ubuntu 16, then the dependencies are:
- Ruby 2.4.4
- build-essentials (your distribution's gcc package)
- Bundler
- libpq-dev
- nodejs
- postgresql
This project uses the Semantic Versioning Policy.
Please feel free to look through our issues, make a fork and submit PRs and improvements. We love hearing from our end-users and the community and will be happy to engage with you on suggestions, updates, fixes or new capabilities.
Please feel free to contact us by opening an issue on the issue board, or, at [email protected] should you have any suggestions, questions or issues. If you have more general questions about the use of our software or other concerns, please contact us at [email protected].
- A signed PR ( aka
git commit -a -s) - Code for the new functionality
- Updates to the CLI
- New unit tests for the functionality
- Updates to the docs and examples in
README.md - (if needed) Example / Template files
- Scripts / Scaffolding code for the Example / Template files
- Example Output of the new functionality if it produces an artifact
-
open an issue on the main heimdall website noting the issues your PR will address
-
fork the repository
-
checkout your repository
-
cd to the repository
-
git co -b
<your_branch> -
bundle install
-
hack as you will -
test via rake
-
ensure unit tests still function and add unit tests for your new feature
-
add new docs to the
README.md -
(if needed) create and document any example or templates
-
(if needed) create any supporting scripts
-
update the version and changelog (see below for instructions)
-
Open a PRs on the MITRE heimdall repository
There are rake tasks to help with the Semantic Versioning Policy and updating the Changelog. The rake tasks use the rake-version and github_changelog_generator gems.
The github_changelog_generator gem requires the use of a access token setup with GitHub. Read the gem's GitHub page for instructions on how to setup this token.
If you have the token setup, you should use this set of steps:
- run
bundle exec rake change:patchfor bug fixes, orbundle exec rake change:minorif you're adding a new feature. This will update the Version number and generate the Changelog. git add VERSIONandgit add CHANGELOG.mdto add the files to your commit.git commit -m "commit message". If your commit fixes an outstanding issue, put the issue number in the commit message, like "Fixes #34"git push origin <your_branch>- In GitHub, open a Pull Request on the MITRE heimdall repository
If you don't have a token setup for the github_changelog_generator, you can run the rake task bundle exec rake version:bump:patch to bump the Version number without modifying the Changelog. Then, in your Pull Request, add a comment requesting the Changelog be updated after merging.
After the Pull Request has been merged, switch back to the master branch and pull the merged code. You can run the bundle exec rake change:tag to create a release tagged with the new Version number.
There are a set of tests developed using rspec. Run rake spec to run the tests.
- Robert Thew
- Aaron Lippold
- Robert Clark
- Matthew Dromazos
- Luke Malinowski
© 2018-2019 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.