Releases: SSC-ICT-Innovatie/nl-kat-coordination
v1.2.3
What's Changed
- Update docs to build with pre built containers by @noamblitz in #46
Full Changelog: v1.2.0...v1.2.3
v1.2.0
Introduction
This new release of OpenKAT includes many small and large updates: OpenKAT has become easier to install, use and maintain. One of the main novelties is Keiko, the reporting module. We also introduced container images built by a GitHub Action, introduced a settings scheme for Boefjes and removed Flower from the system. Read the full changelog to see all the work that has been done. We look forward to comments on this release, here on GitHub or by email at meedoen@openkat.nl.
IMPORTANT
Before using this update, delete your .env file in the main directory and prune Docker, or make sure that your .env contains all new variables (KEIKO_API is new and required for generating reports, and USE_SCHEDULER=1 should be added).
Summary
Keiko
Keiko is a new module added to KAT, responsible for creating informative reports in LaTeX. In this version, you can check out some of Keiko's capabilities by going to a findings report and clicking the "generate PDF report" button. Using Keiko, we will be able to create different and more versatile reports in the future, which will become one of KAT's most important features.
Containers
In this version, people who want to use KAT without actively developing it can use pre-built containers, built with GitHub workflows. This saves a lot of time and avoids the risk of build errors.
Celery and Flower
As Flower is not actively maintained, we decided to remove KAT's dependency on it. Previously, jobs were placed in a Celery queue by the scheduler and the Boefjes would use that queue to know what to do. Since this release, the Boefje runner pops directly from the scheduler's queue. Not only is this method more secure (Flower contained some vulnerabilities), but it also opens up the possibility for Boefjes to pop only the jobs they are capable of running. Think of two Boefje runners of which only one has access to IPv6.
Boefje settings
In this version, we laid the foundation of settings for Boefjes: API keys and endpoints, for example, but also "how many ports should Nmap scan?". Settings can be set per Boefje, per organisation. In the next version, those settings will be fetched by the runner and injected into the Boefje job. Minimal settings required for a Boefje to run will also be added.
Model changes
For ease of use we added a URL discovery bit, enabling users to also choose Hostnames as "starting points" instead of only URLs. Also, Subject Alternative Names were added to the Certificate object, removing false positives that the community made us aware of.
Full Changelog
Coordination
What's Changed
- Update boefje entrypoints by @Donnype
- Add make checkout branch=x command by @reincode050
- feat(keiko): implement keiko in env, docker and makefile by @Lisser
- feature(keiko): update entrypoint by @Lisser
- Build production suitable container images in CI by @dekkers
- Run build-rocky-frontend outside docker by @dekkers
- refactor(keiko): change keiko api invocation by @Lisser
- Remove celery by @Rieven
- Use local octopoes when developing by @dekkers
New Contributors
- @dekkers made their first contribution
Rocky
What's Changed
- Robot framework implementation by @Reinaard
- Add note for SMTP by @Rieven
- Bug fix by @Rieven
- Implement PR and issue templates by @reincode050 in
- Implement baseline Python linters on Rocky by @reincode050
- feat(): Remove inline JS and add separate script to handle this by @TwistMeister
- Filter boefjes on object detail when scan level exceeds objects clearance level by @TwistMeister
- Change django password requirements to allow rdo-default by @sigio
- More functional Robot tests by @reincode050
- Remove 90% confidence lines by @reincode050
- Initial GA translation check by @reincode050
- Celery to scheduler by @Rieven
- Send Content-Security-Policy header using django-csp by @dekkers
- Add autocomplete to token field of form by @Rieven
- General settings for KAT-alogus by @Rieven
- Beautified Health Checks by @Rieven
- feat(keiko): add option to generate pdf report by @Lisser
- Refactoring CSV upload for Hostname, IPAddressV4, IPAddressV6 by @Rieven
- Password fixes for Robot tests by @reincode050
- Build production suitable container images in CI by @dekkers
- Fix collectstatic and by @dekkers
- Fix upgrading deb package by @errieman
- Enable uwsgi thunder lock to workaround bug by @dekkers
- Make password settings configurable using env variables by @dekkers
- Use local boefjes and octopoes when developing by @dekkers
- More features added to Task List by @Rieven
- Feature/settings per boefje by @Rieven
- remove inline JS by @Rieven
- Feature/translations by @Rieven
New Contributors
- @Reinaard made their first contribution
Mula
What's Changed
- Fix pylint suggestions by @jpbruinsslot
- Add commit to update by @jpbruinsslot
- Start database session for every method by @jpbruinsslot
- Remove obsolete session by @jpbruinsslot
- Build production suitable container images in CI by @dekkers
- Support using Postgres as database by @dekkers
- Fix upgrading deb package by @errieman
- Remove references to dispatcher by @jpbruinsslot
New Contributors
- @dekkers made their first contribution
Bytes
What's Changed
- Build production suitable container images in CI by @dekkers
- Add log statements in log manager by @Donnype
- templated repos url in changelog by @errieman
- Requirements bump by @Donnype
- Fix debian package upgrade by @errieman
- Reconnect and retry basic_publish on pika.exceptions.ConnectionClosed by @Donnype
- Longer plugin_id, normalizer_name and boefje_id character fields by @Donnype
New Contributors
- @dekkers made their first contribution
Boefjes
What's Changed
- Build production suitable container images in CI by @dekkers
- Remove removed boefje requirements.txt from Dockerfile by @dekkers
- Update requirements.txt by @underdarknl
- Deb upgrade fix by @errieman
- Feature/create org on request by @noamblitz
- Feature/pop from scheduler pq worker update by @Donnype
- Add plugin_id parameter and filter on it for the all() method. by @Donnype
- Cherry picked local octopoes by @Donnype
- Add certificate subject alternative names to certificate boefje by @noamblitz
- Longer plugin_id, normalizer_name and boefje_id character fields by @Donnype
New Contributors
- @dekkers made their first contribution
Octopoes
What's Changed
- Release 2.4.0 by @noamblitz
- Fix debian package upgrade by @errieman
- fix(netblock model): fix human-readable by @Lisser
- fix path to debian build script by @errieman
- Main by @noamblitz
- fix netblock human_readable by @Lisser
- Fix openapi schema endpoint by @dekkers
- Build production suitable container images in CI by @dekkers
- Add makefile and debian package target by @errieman
- remove nginx dep from deb by @errieman
- URL discovery bit by @noamblitz
- Add certificatealternativenames and make bits work by @noamblitz
New Contributors
- @dekkers made their first contribution
v1.1.0
Introduction
Welcome to the first release of OpenKAT since we released it into the real world under the EUPL 1.2 license. The response has been fantastic, many thanks for this.
The goal of this release is to give OpenKAT nice, round edges in the many areas that were a bit rough: reduce dependencies, make Octopoes persistent, introduce the Debian packages, and so on. Basically, to improve OpenKAT in all corners. Also, OpenKAT now uses open Manon for the front-end design.
It also includes some fixes that should make installation smoother. Please share your experience at meedoen@openkat.nl.
Before you upgrade your current installation please follow the advice below:
IMPORTANT
Make sure that your DB has no users with the same email address before migrating.
Delete your .env file in the main directory before running make, or make sure that your .env contains all new variables. SCHEDULER_DB_DSN and SCHEDULER_API are new, and the rockydb credentials are renamed; see .env-dist.
To use email password recovery, make sure to set the SMTP env variables.
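Both the v1.2.0 and v1.1.0 IMPORTANT notes ask you to make sure your .env carries every new variable before running make. The following pre-upgrade check is an added example, not part of the OpenKAT repository: it diffs the keys of the shipped .env-dist against your live .env and assumes both are dotenv-style files with one KEY=VALUE per line; the sample files and their hosts and secrets are constructed placeholders, not OpenKAT defaults.

```shell
#!/bin/sh
# Added pre-upgrade check (not OpenKAT code): list the variables that the shipped
# .env-dist defines but the local .env lacks. Assumes dotenv-style files with one
# KEY=VALUE per line; comment and blank lines are skipped.
export LC_ALL=C   # stable sort order so comm(1) sees consistently sorted input

# Print the sorted, unique KEY names of a dotenv-style file.
env_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Print keys present in the template ($1) but absent from the live file ($2).
missing_env_vars() {
    dist_keys=$(mktemp) && env_keys "$1" > "$dist_keys"
    live_keys=$(mktemp) && env_keys "$2" > "$live_keys"
    comm -23 "$dist_keys" "$live_keys"
    rm -f "$dist_keys" "$live_keys"
}

# Exit status 0 when the live file is complete, 1 otherwise; usable from make or CI.
check_env_complete() {
    [ -z "$(missing_env_vars "$1" "$2")" ]
}

# Constructed sample files: a template carrying the variables the v1.1.0 and v1.2.0
# release notes call new, and a stale .env from before v1.2.0. Hosts, ports and
# secrets are placeholders, not OpenKAT defaults.
SAMPLE_DIST=$(mktemp)
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_DIST" <<'EOF'
# template shipped with the release
SCHEDULER_DB_DSN=postgresql://scheduler:CHANGEME@postgres/scheduler
SCHEDULER_API=http://scheduler:8004
KEIKO_API=http://keiko:8005
USE_SCHEDULER=1
EOF
cat > "$SAMPLE_ENV" <<'EOF'
SCHEDULER_DB_DSN=postgresql://scheduler:CHANGEME@postgres/scheduler
SCHEDULER_API=http://scheduler:8004
EOF

echo "Variables missing from .env:"
missing_env_vars "$SAMPLE_DIST" "$SAMPLE_ENV"
```

Run it against the real files as `missing_env_vars .env-dist .env` from the checkout directory; `check_env_complete` can guard an update target so make stops before the containers come up with an incomplete .env.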
Summary
Debian installer and security improvements
Debian packages arrived! Some notes:
Rocky works out of the box thanks to a self-signed certificate generated at install time; the user should replace it with a proper certificate. Secondly, the default Nginx configuration is strict: for example, it sets client body limits to protect against DoS attacks and only allows strong TLS ciphers and protocols. The installer also generates a random password for the RabbitMQ user.
Login has been changed internally. Instead of using the Django user model with a username field, we now use the email field for logging in. Also, the first and last name fields are replaced by a single full name field. The database will enforce these changes while migrating; therefore, the migration will fail when the database contains two users with the same email address.
When using docker containers, the Rocky user now owns the application directory so that it is able to write yarn error logs.
The host's UID and GID are now used inside the containers. This resolves the permission errors caused by mounting the application code into the containers, since the mounted files keep the host's UID and GID.
For end-users
Octopoes is now persistent, which means that data will not be lost after an update or reboot. To get a new version of KAT without cleaning all data, "make update" is now available which skips the cleaning step. This will pull new versions, do all necessary database migrations and spin all containers back up.
As usual, Rocky got a lot of small UI improvements, but most noticeably, Rocky now forces users to set the correct clearance level before running a boefje. Previously, running a boefje on an object without a clearance level would set one implicitly; this is no longer possible. Rocky also migrated to open Manon, which was previously open-sourced.
Flower and Celery are no longer dependencies of Rocky. This means that when a boefje is run manually, a call is made to a new scheduler API, which schedules that job with a high priority. All jobs (boefjes and normalizers) are now shown in Rocky through that same scheduler API, not only those that are run manually.
Full Changelog
Coordination
What's Changed
- Update README.adoc by @ring-ring-ring
- Pinned RabbitMQ version by @ammar92
- .dockerignore by @Donnype
- use persistent xtdb by @noamblitz
- Correct LinkedIn url in link to openKAT by @reincode050
- Provide current user id to docker builds, defaulting to 1000 by @Donnype
- make update by @noamblitz
- Add SCHEDULER_DB_DSN by @jpbruinsslot
- fix makefile for macos by @noamblitz
- add scheduler api endpoint in env-dist by @noamblitz
New Contributors
- @reincode050 made their first contribution
Rocky
What's Changed
- Github workflow for creating .deb installer by @errieman
- Add robots.txt by @Rieven
- Upgrade requirements to use django 3.2.14 by @TwistMeister
- fix description kat-581 by @noamblitz
- Hide CVSS link in report when 0 findings by @TwistMeister
- Change crisis room total findings list to table by @TwistMeister
- Add temporary classes to fix recommendation labels by @TwistMeister
- Fix/graph ooi by @Rieven
- Bump lxml from 4.6.5 to 4.9.1 by @dependabot
- Delete ro-logo.svg by @TwistMeister
- Update manon-dev.css, by removing the reference to deleted icons by @TwistMeister
- Remove hyperlink on bit name on object detail by @TwistMeister
- Add formatter by @ppvg
- Temporarily hide add indemnification button by @TwistMeister
- Clearance level form initial value for declared levels by @ammar92
- Hide "scan object" form from boefje detail when no scannable objects by @TwistMeister
- Fix exported migrations to match migrate by @dekkers
- Feature/user model and auth by @Rieven
- Bump terser from 5.14.1 to 5.14.2 by @dependabot
- Fix shebang in run_rock.sh CI script by @dekkers
- Move mixins by @Rieven
- Set permissions for organization view and members by @Rieven
- Chown app dir to rocky user by @Donnype
- Add .editorconfig by @ppvg
- Fix for make build by @Rieven
- Configure rabbitmq user and pass by @errieman
- Fix/django bump by @underdarknl
- Increase items per page for oois and findings lists by @TwistMeister
- use repository name in deb changelog by @errieman
- Login and recovery by @Rieven
- Feature/objects filter on boefje detail jesse by @Lisser
- Provide current user id to docker builds and bump node version by @Donnype
- generate self-signed cert on install by @errieman
- Use manon from npm by @ppvg
- NL + PAP translations before release by @Rieven
- Feature/scheduler client by @Lisser
New Contributors
- @errieman made their first contribution
- @ppvg made their first contribution
- @dekkers made their first contribution
Mula
What's Changed
- Boefje error handling by @jpbruinsslot
- Update docs for job status endpoints by @jpbruinsslot
- Feature/error handling by @jpbruinsslot
Bytes
What's Changed
- Debian installer for bytes by @errieman
- Small docs update by @Donnype
- configure rabbitmq user on deb install by @errieman
- Add event for received normalizer_meta and fix Makefile issue by @Donnype
- Provide current user id to docker builds, defaulting to 1000 by @Donnype
New Contributors
- @errieman made their first contribution
Boefjes
What's Changed
- remove SPF boefje tests by @errieman
- Fix/better caching of boefjes requirements by @Donnype
- Debian installer by @errieman
- add manual trigger to deb build by @errieman
- fix version number on manual build by @errieman
- Catch boefje errors by @ammar92
Octopoes
What's Changed
- Debian installer for octopoes by @errieman
- temp fix for hostname objects from server headers by @noamblitz
- Configure rabbitmq user and pass on install by @errieman
- templated repos url in changelog by @errieman
- Provide current user id to docker builds, defaulting to 1000 by @Donnype
New Contributors
- @errieman made their first contribution