initial commit

CMS-Enterprise · Dec 12, 2023 · 936af71 · 936af71
commit 936af71
Show file tree

Hide file tree

Showing 23 changed files with 5,839 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,11 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+*.DS_Store
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+*.env
diff --git a/.npmignore b/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/LICENSE.md b/LICENSE.md
@@ -0,0 +1,34 @@
+# License
+
+As a work of the [United States government](https://www.usa.gov/), this project
+is in the public domain within the United States of America.
+
+Additionally, we waive copyright and related rights in the work worldwide
+through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full
+text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to the
+public domain by waiving all of their rights to the work worldwide under
+copyright law, including all related and neighboring rights, to the extent
+allowed by law.
+
+You can copy, modify, distribute, and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0, nor
+are the rights that other persons may have in the work or in how the work is
+used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with this
+deed makes no warranties about the work, and disclaims liability for all uses
+of the work, to the fullest extent permitted by applicable law. When using or
+citing the work, you should not imply endorsement by the author or the
+affirmer.
diff --git a/README.md b/README.md
@@ -0,0 +1,35 @@
+# BatCAVE SDL Daily Reporting
+
+This repo contains the code for the BatCAVE Security Data Lake daily reporting automation.
+
+## Overview
+
+The BatCAVE SDL reporting automation allows for the BatCAVE security team to get daily analytics from the CMS Security Data Lake and post them into the #BatCAVE-Security-Alerts slack channel for ease of use. Current data reported:
+-  Latest SecurityHub Issues (excluding Nessus, GuardDuty, and Inspector) across BatCAVE environments in the last 24 hours
+- Vulnerabilities from Nessus present in the CISA KEV list
+- Vulnerabilities from Nessus above a preconfigured EPSS threshold (set with EPSS_THRESHOLD Lambda environment variable)
+
+## Architecture
+![Architecture Diagrams](batcave_sdl_reporting_automation.png)
+
+1. AWS EventBridge Cron Rule triggers the Reporting Lambda daily
+2. Reporting Lambda retrieves slack webhook and snowflake credentials from secrets manager
+3. Reporting Lambda retrieves EPSS and KEV list from respective URLs into a Pandas dataframe
+4. Reporting Lambda executes queries against the SDL to retrieve Nessus and SecurityHub data
+5. Report is formatted into slack blocks, and post payload to BatCAVESecurityHubFindings slack app incoming webhook
+
+## Deployment and Maintenance 
+
+Lambda is deployed as a [container image](code/reporter/Dockerfile) deployment package by the CDK template
+
+Assuming the account is bootstrapped:
+
+`cdk deploy -r arn:aws:iam::863306670509:role/delegatedadmin/developer/cdk-hnb659fds-cfn-exec-role-863306670509-us-east-1`
+
+Generate arch diagram (with [mingrammer](https://diagrams.mingrammer.com) and graphviz installed):
+
+`python diagram.py`
+
+Teardown:
+
+`cdk destroy -r arn:aws:iam::863306670509:role/delegatedadmin/developer/cdk-hnb659fds-cfn-exec-role-863306670509-us-east-1`
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security and Responsible Disclosure Policy
+
+*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
+email or via GitHub Issues. Please use our website to submit vulnerabilities at
+[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
+HHS maintains an acknowledgements page to recognize your efforts on behalf of
+the American public, but you are also welcome to submit anonymously.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
+
+If you have other cybersecurity related questions, please contact us at
+[[email protected].](mailto:[email protected]).
diff --git a/batcave_sdl_reporting_automation.png b/batcave_sdl_reporting_automation.png
diff --git a/bin/cdk.ts b/bin/cdk.ts
@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { CdkStack } from '../lib/cdk-stack';
+
+const app = new cdk.App();
+new CdkStack(app, 'CdkStack', {
+  /* If you don't specify 'env', this stack will be environment-agnostic.
+   * Account/Region-dependent features and context lookups will not work,
+   * but a single synthesized template can be deployed anywhere. */
+
+  /* Uncomment the next line to specialize this stack for the AWS Account
+   * and Region that are implied by the current CLI configuration. */
+  // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
+
+  /* Uncomment the next line if you know exactly what Account and Region you
+   * want to deploy the stack to. */
+  // env: { account: '123456789012', region: 'us-east-1' },
+
+  /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
+});