Vulcan is a tool to help streamline the process of creating STIG-ready securiy guidance documentation and InSpec automated validation profiles.
Vulcan models the STIG intent form and the process of aligning security controls from high-level DISA Security Requirements Guides (SRGs) into Security Technical Implementation Guides (STIGs) tailored to a particular system component. STIG-ready content developed with Vulcan can be provided to DISA for peer review and formal publishing as a STIG. Vulcan allows the guidance author to develop both human-readable instructions and machine-readable automated validation code at the same time.
- Model the STIG creation process between the creator (vendor) and the approver (sponsor)
- Write and test InSpec code on a local system, or across SSH, AWS, and Docker targets
- Easily view control status and revision history
- Enable distributed authorship with multiple authors working on sets of controls and reviewing each others' work.
- Enable looking up related controls (controls using the same SRG ID) in published STIGs while auhtoring or reviewing a control.
- View DISA published STIG Contents.
- Confidential data in the database is encrypted using symmetric encryption
- Authenticate via the local server, through GitHub, and through configuring an LDAP server.
- Email and Slack notification enabled
Latest Release: v2.1.8
You can pull the Docker image for the latest release with the following command:
docker pull mitre/vulcan:v2.1.8
For more details on this release and previous ones, check the Changelog.
Deploying Vulcan in Production
For Ruby (on Ubuntu):
- Ruby
build-essentials
- Bundler
libq-dev
- nodejs
- Install the version of Ruby specified in
.ruby-version
- Install postgres and rbenv
- Run
gem install foreman
- Run
rbenv install
- Run
bin/setup
Note:
bin/setup
will install the JS dependencies andprepare the database.
- Run
rails db:seed
to seed the database.
Make sure you have run the setup steps at least once before following these steps!
- ensure postgres is running
- foreman start -f Procfile.dev
- Navigate to
http://127.0.0.1:3000
For testing purposes in the development environment, you can use the following credentials:
Email: admin@example.com
Password: 1234567ab!
- Stop Vulcan by doing
ctrl + c
- Stop the postgres server
See docker-compose.yml
for container configuration options.
Documentation on how to configure additional Vulcan settings such as SMTP, LDAP, etc, are available on the Vulcan website.
This application includes a rake task that pulls published Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) from public.cyber.mil and saves them locally. This task can be executed manually or set up to run on a schedule in a production environment.
You can manually execute the STIG/SRG puller task by running the following command in your terminal:
bundle exec rails stig_and_srg_puller:pull
If you wish to automate the execution of this task in a production environment, you can set up a task scheduler on your hosting platform. The configuration will depend on your specific hosting service.
Generally, you will need to create a job that runs the following command:
bundle exec rails stig_and_srg_puller:pull
You can set the frequency of this task according to your preference or needs. However, it's important to consider the volume of data being pulled and the impact on the application's performance when deciding on the frequency.
Please refer to your hosting platform's documentation or support services for specific instructions on how to set up scheduled tasks or cron jobs.
For detailed information about creating a release, please refer to the release documentation.
© 2022 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.