STIG Manager OSS on Docker Hub

STIG Manager is an API and Web client for managing the assessment of Information Systems for compliance with security checklists published by the United States (U.S.) Defense Information Systems Agency (DISA). STIG Manager supports DISA checklists distributed as either a Security Technical Implementation Guide (STIG) or a Security Requirements Guide (SRG).

Documentation: https://stig-manager.readthedocs.io/en/latest/

Source: https://github.com/NUWCDIVNPT/stig-manager

Supported tags

Built from the current HEAD of our main branch:

• nuwcdivnpt/stig-manager:latest

  • uses the node:lts-alpine base image

• nuwcdivnpt/stig-manager:latest-ironbank

  • uses the Iron Bank Node.js base image

Built from a point release tag on our main branch:

• nuwcdivnpt/stig-manager:s<point-release>

  • uses the node:lts-alpine base image

• nuwcdivnpt/stig-manager:<point-release>-ironbank

  • uses the Iron Bank Node.js base image

• For example, nuwcdivnpt/stig-manager:1.2.7 or nuwcdivnpt/stig-manager:1.2.7-ironbank

Quick Start Orchestration

IMPORTANT: The Quick Start orchestration is not a production-ready deployment. It is offered as a basic example showing how the API can be configured to integrate with a MySQL instance and an OAuth2 Provider. It is offered for demonstration purposes only and is missing key features such as, but not limited to: CAC authentication, Active Directory integration, persistent data storage, MTLS database connections, logfile archiving, etc.

The Quick Start steps require the official MySQL 8 image and a custom Keycloak image.

docker-compose.yml

# STIG Manager docker-compose orchestration

version: '3.7'

services:
  auth:
    image: nuwcdivnpt/stig-manager-auth
    ports:
      - "8080:8080"
  db:
    image: mysql:8.0
    ports:
      - "50001:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=rootpw
      - MYSQL_USER=stigman
      - MYSQL_PASSWORD=stigman
      - MYSQL_DATABASE=stigman
    cap_add:
      - SYS_NICE  # workaround MySQL logging bug => mbind: Operation not permitted 
  api:
    image: nuwcdivnpt/stig-manager:latest
    environment:
      - STIGMAN_OIDC_PROVIDER=http://auth:8080/realms/stigman
      - STIGMAN_CLASSIFICATION=U
      - STIGMAN_DB_HOST=db
      - STIGMAN_DB_PASSWORD=stigman
      - STIGMAN_INIT_IMPORT_STIGS=true
      # Change envvar below if non-localhost browsers will access the API
      - STIGMAN_CLIENT_OIDC_PROVIDER=http://localhost:8080/realms/stigman
      # Customize the Welcome widget on the Home tab
      # - STIGMAN_CLIENT_WELCOME_IMAGE=<client-relative-url-to-your-logo>
      - STIGMAN_CLIENT_WELCOME_TITLE=Deployment Information
      - STIGMAN_CLIENT_WELCOME_MESSAGE=Your deployment's Support process can be described here. You can provide a link below.
      - STIGMAN_CLIENT_WELCOME_LINK=http://link_to_help_pages

    init: true
    ports:
      - "54000:54000"

Steps

• Create a docker-compose.yml file with the content above.

• From the directory containing docker-compose.yml, run:

$ docker-compose up -d && docker-compose logs -f

• STIG Manager will wait for MySQL and Keycloak to become ready

• When MySQL is ready, STIG Manager will perform an initial migration and create the necessary schema objects.

• STIG Manager will then connect to DoD Cyber Exchange and import the latest STIG Library Compilation and any available SCAP content.

• When STIG Manager is ready to handle requests, it will output a JSON log entry similar to:

{"date":"2022-02-18T18:25:50.749Z","level":3,"component":"index","type":"started","data":{"durationS":0.956811184,"port":"54000","api":"/api","client":"/","documentation":"/docs","swagger":"/api-docs"}}

• Navigate to http://localhost:54000

• Login using credentials “admin/password”, as documented for the demonstration Keycloak image

• Refer to the documentation to create your first Collection

STIG Manager OSS Environment Variables

Refer to our documentation for the environment variables consumed by STIG Manager

STIG Manager Container Healthcheck

The container’s Healthcheck starts 120 seconds after startup, and polls the API /op/configuration endpoint every 30 seconds for an acceptable status code.

Running as individual containers

Keycloak

docker run --name stig-manager-auth \
  -p 8080:8080 \
  -p 8443:8443 \
  nuwcdivnpt/stig-manager-auth

Mysql

docker run --name stig-manager-db \
  -p 50001:3306 \
  -e MYSQL_ROOT_PASSWORD=rootpw \
  -e MYSQL_DATABASE=stigman \
  -e MYSQL_USER=stigman \
  -e MYSQL_PASSWORD=stigman \
  mysql:8

API

docker run --name stig-manager-api \
  -p 54000:54000 \
  -e STIGMAN_DB_HOST=<DATABASE_IP> \
  -e STIGMAN_DB_PORT=<DATABASE_PORT> \
  -e STIGMAN_OIDC_PROVIDER=http://<KEYCLOAK_IP>:<KEYCLOAK_PORT>/auth/realms/stigman \
  nuwcdivnpt/stig-manager