eop-omb / opal

OSCAL Policy Administration Library (OPAL) provides a simple web application for managing System Security Plans. The data model is based on the OSCAL standard.

License: Other

Dockerfile 0.10% Python 96.73% Shell 0.04% HTML 3.13%
oscal security-tools ssp

opal's People

Contributors

cs4p, dan-omb, dependabot[bot], joe-omb, mogul, openbrian, samirari

opal's Issues

Permission error

After following the installation instructions using the Docker container and running the command to start the container, I get the following error:

PermissionError: [Errno 13] Permission denied: '/usr/src/app/debug.log'

Complete log:

2024-03-22 12:17:04 + set -e
2024-03-22 12:17:04 + python manage.py migrate --noinput
2024-03-22 12:17:04 Running in Development mode!
2024-03-22 12:17:04 DJANGO_SETTINGS_MODULE: opal.settings
2024-03-22 12:17:04 GPG_KEY: <** removed by me ** >
2024-03-22 12:17:04 HOME: /home/opal
2024-03-22 12:17:04 HOSTNAME: d22b222e39c4
2024-03-22 12:17:04 LANG: C.UTF-8
2024-03-22 12:17:04 PATH: /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2024-03-22 12:17:04 PWD: /usr/src/app
2024-03-22 12:17:04 PYTHONDONTWRITEBYTECODE: 1
2024-03-22 12:17:04 PYTHONUNBUFFERED: 1
2024-03-22 12:17:04 PYTHON_GET_PIP_SHA256: <** removed by me **
2024-03-22 12:17:04 PYTHON_GET_PIP_URL: https://github.com/pypa/get-pip/raw/dbf0c85f76fb6e1ab42aa672ffca6f0a675d9ee4/public/get-pip.py
2024-03-22 12:17:04 PYTHON_PIP_VERSION: 24.0
2024-03-22 12:17:04 PYTHON_SETUPTOOLS_VERSION: 65.5.1
2024-03-22 12:17:04 PYTHON_VERSION: 3.11.8
2024-03-22 12:17:04 SHLVL: 1
2024-03-22 12:17:04 _: /usr/local/bin/python
2024-03-22 12:17:04 Traceback (most recent call last):
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/config.py", line 573, in configure
2024-03-22 12:17:04 handler = self.configure_handler(handlers[name])
2024-03-22 12:17:04 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/config.py", line 757, in configure_handler
2024-03-22 12:17:04 result = factory(**kwargs)
2024-03-22 12:17:04 ^^^^^^^^^^^^^^^^^
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/init.py", line 1181, in init
2024-03-22 12:17:04 StreamHandler.init(self, self._open())
2024-03-22 12:17:04 ^^^^^^^^^^^^
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/init.py", line 1213, in _open
2024-03-22 12:17:04 return open_func(self.baseFilename, self.mode,
2024-03-22 12:17:04 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-22 12:17:04 PermissionError: [Errno 13] Permission denied: '/usr/src/app/debug.log'
2024-03-22 12:17:04
2024-03-22 12:17:04 The above exception was the direct cause of the following exception:
2024-03-22 12:17:04
2024-03-22 12:17:04 Traceback (most recent call last):
2024-03-22 12:17:04 File "/usr/src/app/manage.py", line 22, in
2024-03-22 12:17:04 main()
2024-03-22 12:17:04 File "/usr/src/app/manage.py", line 18, in main
2024-03-22 12:17:04 execute_from_command_line(sys.argv)
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/site-packages/django/core/management/init.py", line 442, in execute_from_command_line
2024-03-22 12:17:04 utility.execute()
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/site-packages/django/core/management/init.py", line 416, in execute
2024-03-22 12:17:04 django.setup()
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/site-packages/django/init.py", line 19, in setup
2024-03-22 12:17:04 configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/site-packages/django/utils/log.py", line 76, in configure_logging
2024-03-22 12:17:04 logging_config_func(logging_settings)
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/config.py", line 823, in dictConfig
2024-03-22 12:17:04 dictConfigClass(config).configure()
2024-03-22 12:17:04 File "/usr/local/lib/python3.11/logging/config.py", line 580, in configure
2024-03-22 12:17:04 raise ValueError('Unable to configure handler '
2024-03-22 12:17:04 ValueError: Unable to configure handler 'file'
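
Added example (not part of the issue or of the OPAL code base): the traceback shows `dictConfig` aborting because the `file` handler cannot open `/usr/src/app/debug.log` for the unprivileged container user. One way to keep the process unprivileged without loosening permissions on the application directory is to attach the file handler only when the path can actually be opened and otherwise log to the console; `can_append` and `build_logging` are hypothetical names, and only the handler name `file` and the path come from the log above.

```python
import logging.config


def can_append(path):
    """True if the current user can open path the way FileHandler does (mode 'a').

    Side effect: creates an empty file when it succeeds, as FileHandler would.
    """
    try:
        with open(path, "a"):
            return True
    except OSError:  # PermissionError, FileNotFoundError, read-only filesystem
        return False


def build_logging(log_path, level="INFO"):
    """Return a dictConfig dict that always logs to the console and adds the
    'file' handler only when log_path is writable by the running user."""
    handlers = {"console": {"class": "logging.StreamHandler"}}
    active = ["console"]
    if can_append(log_path):
        handlers["file"] = {"class": "logging.FileHandler", "filename": log_path}
        active.append("file")
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": handlers,
        "root": {"handlers": active, "level": level},
    }


if __name__ == "__main__":
    # Path taken from the traceback; on most machines it is not writable,
    # so only the console handler is configured and startup does not fail.
    config = build_logging("/usr/src/app/debug.log")
    logging.config.dictConfig(config)
    logging.getLogger(__name__).info("active handlers: %s", config["root"]["handlers"])
```

In a Django settings module the returned dict would be assigned to `LOGGING`; in a container, console output is collected by `docker logs`, so the file handler is optional.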

Inheriting control statements

Scenario: system a inherits from system b. I create a new statement for a control in system a, and it is linked to the baseline control instead of a new control. This causes the naming convention to fail, but also the new control is propagated to all other systems that inherit from b.

Word Documents are treated as PDF files when trying to display or download

Describe the bug
The system treats all documents as PDF when retrieving them from the database. A .pdf extension is applied to the temporary file which causes the browser to return an error.

To Reproduce
Steps to reproduce the behavior:

  1. Upload a Word document
  2. Click on the link for the new document
  3. Note the inline display has an error
  4. Click on the Download link to see another error

Expected behavior
Since OPAL is intended as a repository and not a tool for working on live attachments, it might make the most sense to limit uploads to PDF or to convert files to PDF on upload.
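
Added example (not part of the issue or of the OPAL code base): the "limit uploads to PDF" option only holds if the check looks at the file's content rather than its name, and the same content check can pick the right extension and content type when a stored file is served. The sketch below classifies PDF and .docx by their leading bytes; all function names are hypothetical and the sample .docx is constructed in memory.

```python
import io
import zipfile

DOCX_TYPE = ("application/vnd.openxmlformats-officedocument"
             ".wordprocessingml.document")


def sniff_document(data):
    """Return (extension, content_type) based on content, or None if unknown."""
    if data.startswith(b"%PDF-"):
        return (".pdf", "application/pdf")
    if data.startswith(b"PK\x03\x04"):  # ZIP container; a .docx is one
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                if "word/document.xml" in archive.namelist():
                    return (".docx", DOCX_TYPE)
        except zipfile.BadZipFile:
            pass  # ZIP signature but not a readable archive: treat as unknown
    return None


def accept_upload(data, pdf_only=True):
    """Upload policy: reject unknown content, and non-PDF when pdf_only is set."""
    kind = sniff_document(data)
    if kind is None:
        return False
    return kind[0] == ".pdf" or not pdf_only


def make_sample_docx():
    """Constructed sample: a minimal ZIP holding the member every .docx has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("pdf", b"%PDF-1.7\n"), ("docx", make_sample_docx()),
               ("other", b"MZ\x90\x00")]
    for name, blob in samples:
        print(name, sniff_document(blob), accept_upload(blob))
```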

Visualizing the model

Not an issue, but I thought I'd share something...

django-extensions is already part of the project. I ran a few commands and generated an SVG of the model classes. You'll need graphviz on your machine to run dot.

python manage.py graph_models -g ssp > opal.dot
dot -T svg opal.dot > opal.svg

It's a big image. Here's a snippet.

image

Imported catalog not showing up when generating an SSP

I've installed OPAL locally based on the instructions in the repo. I'm able to go to "NIST Catalog" on the site and import the following catalog:

https://github.com/EOP-OMB/opal/blob/main/media/uploads/catalogs/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json

After import, the control baseline does appear correctly in the admin section:

image

image

image

However, when I try to create a new SSP, none of the controls are showing up:

image

image

Is there something I need to do after importing the catalog to be able to select the controls?

Open to a PR to streamline usage with Docker?

@dan-omb Hi. Any interest in a PR to streamline usage with Docker?

  • rearrange layers to reduce image build size (1.22GB -> 0.56GB?) and facilitate layer caching for faster rebuilds
  • remove extraneous packages added during the build
  • clean up package (apt, pip) install cache
  • run as an unprivileged user
  • tweak ENTRYPOINT and CMD to make Django play nice with Docker

Add categorization

Each system is rated according to FIPS 199. It would be nice to pick the system categorization and have a set of controls automatically become selected accordingly.
