/security-benchmarking-tool

Security Bench-marking Tool (SBT), that can import a set of audits files, create some custom audit policies and export them, audit (inspect) the workstation regarding each rule and enforce a single or a set of rules

Primary LanguageTypeScript

CS-2021 SBT - Security Benchmarking Tool

FAF 192 Y3-S1

Pasecinic Nichita

Tech Stack

  • Electron - for building cross-platform desktop apps (the app is configured to run in browser too)
  • React with TS - for UI (antd components)
  • Express - for our NodeJS api (multer for file storage, crypto used for encryption / decryption)
  • PassportJS - for OAuth authentication (providers Google, GitHub, Twitter)
  • MongoDB - application database (mongoose odm)
  • Nodemailer - sending emails (email confirmation)

Topics


Get Started

$ # clone the project
$ git clone https://github.com/nichitaa/CS-Labs
$
$ # install dependencies (electron deps)
$ cd app\electron-ts 
$ npm install # or yarn install
$
$ # install dependencies (express api)
$ cd app\express-api
$ npm install 
$
$ # run the app (api should start first)
$ cd app\express-api
$ npm run dev # available on http://localhost:8080
$
$ # run the desktop app
$ cd app\electron-ts
$ npm run dev # will open desktop app
$ # but the app could be open in browser too on: http://loclahost:3000

Environment variables

The API requires several environment variables to be configured in order to run locally on your machine. Please create the .env file in the root of the express API (folder: \app\express-api ) with your specific configurations

MONGODB_URL= # mongo db connection url

GOOGLE_CLIENT_ID= # google client id
GOOGLE_CLIENT_SECRET= # google client secret

GITHUB_CLIENT_ID= # github client id
GITHUB_CLIENT_SECRET= # github client secret 

TWITTER_CONSUMER_KEY= # twitter api key
TWITTER_CONSUMER_SECRET= # twitter secret key

SMTP_HOST = # e.g. smtp.gmail.com
SMTP_PORT = # defaults to 587
SMTP_FROM_NAME = # emails will be send with this name
SMTP_AUTH_USER = # email will be send from this email address
SMTP_AUTH_PASS = # nodemailer.createTransport password for email provider


Demos

  • Importing an audit file
  • Parsing it to a JSON structure and saving it as a mongodb document
  • Saving the document on the local server (uploads folder)
  • Displaying each policy item in a separate section
  • Select / deselect a custom policy item from an audit document
  • Search bar for quick search an audit custom item by attribute value
  • Select / deselect all custom items in one click
  • Create and save and display in the app a new policy with selected custom items under a new name

recording1

  • Perform an audit of the workstation, using the selected custom items
  • Display the scan results as icons, where green checkbox is a passed test, red - failed, yellow is warning this means that the values from expected are not the same but still is valid the optional "CAN_NOT_BE_NULL" || "CAN_BE_NULL"

recording2

  • As a backup system, the application will export all current system registry key : HKLM, HKCU, HKCR, HKU and HKCC to a folder on desktop (ex: regedit-backup1632761699)
  • Apply a single fix (enforce), on a single failed custom item
  • Apply a batch fix over all failed items
  • Live results
  • Adding more custom items rule types that can be enforced by the system

recording4

  • Adding user authentication with SSO
  • PassportJS (SSO providers are Google, GitHub and Twitter)
  • The raw data from passportjs is displayed on the UI as a JSON structure

recording6

7 - Database Security

  • Some of the fields (e.g. audit filename) is saved as an encrypted value in database (aes-256-ctr algorithm)

  • The email confirmation token used for user email verification is encrypted as well

  • "token": {
    	"iv": "7b54d294024a965daed91065f86b83f0",
    	"content": "c84a154d23bf78a6ccc61127c44beb1626880e7c"
    }

8 - Email Confirmation

  • Registered users have the possibility to verify their email address (extracted from SSO providers)
  • The verification tokens are encrypted and stored together with a user mapping in a mongodb collection
  • Nodemailer is used for sending email via our express api
  • Token confirmation page is server side rendered
  • The electron SBT app will display the current status of the user email verification