Heimdall Server
Heimdall (Lite) vs Heimdall with Backend (Server)
There are two ways to deploy MITRE Heimdall - Heimdall-Lite and the full Heimdall with Backend Server. Both share the same frontend but have been produced to meet different needs and use-cases.
As a single-page javascript app - you can run Heimdall-Lite from any web-server, a secured S3 bucket or directly via GitHub Pages (as it is here). Heimdall-Lite gives you the ability to easily review and produce reports about your InSpec run, filter the results for easy review and hot-wash, print out reports, and much more.
Heimdall with Backend (Server)
Heimdall with Backend, or Heimdall Server runs the same front end as Heimdall-Lite, but is supported with a backend database to store persistent data overtime.
Features
Heimdall-Lite
Heimdall with Backend
Additional Installation Requirements
Postgres Server
Overview Dashboard & Counts
✅
✅
Deep Dive View of Security Control Results and Metadata
✅
✅
800-53 Partition and TreeMap View
✅
✅
Comparison View
✅
✅
Advanced Data / Filters for Reports and Viewing
✅
✅
Multiple Report Output (DISA Checklist XML, CAT, XCCDF-Results, and more)
✅
✅
View Multiple Guidance Formats (InSpec profile, Checklist, DISA & CIS XCCDF)
✅
✅
Automatic Conversion of Various Security Formats
✅
✅
Authenticated REST API
✅
Users & Roles & multi-team support
✅
Authentication & Authorization
Hosting Webserver
Hosting Webserver LDAP OAuth Support for: GitHub, GitLab, Google, and Okta.
Heimdall-Lite
Heimdall with Backend
Just-in-Time Use
Multiple Teams
Minimal Footprint & Deployment Time
Timeline and Report History
Local or disconnected Use
Centralized Deployment Model
Minimal Authorization & Approval Time
Getting Started / Installation
Heimdall Lite is published to npmjs.org and is available here .
To run Heimdall Lite locally, just use the npm
built-in utility npx
:
If you use this tool often and want to have it installed locally, use the following command:
npm install -g @mitre/heimdall-lite
Then, any subsequent npx @mitre/heimdall-lite
will use the local version and load much more quickly.
It is also possible to run Heimdall-Lite using Docker, using the following command:
docker run -d -p 8080:80 mitre/heimdall-lite:release-latest
You can then access Heimdall-Lite at http://localhost:8080
.
If you would prefer to run the bleeding edge version of Heimdall-Lite, replace mitre/heimdall-lite:release-latest
with mitre/heimdall-lite:latest
.
Given that Heimdall requires at least a database service, we use Docker and Docker Compose to provide a simple deployment experience. This process will also deploy an NGINX webserver in front of Heimdall to handle TLS.
Setup Docker Container (Clean Install)
Install Docker
Download and extract the most recent Heimdall release from our releases page . Alternatively, you can clone this repository and navigate to the heimdall2
folder.
Navigate to the base folder where docker-compose.yml
is located
By default Heimdall will generate self-signed certificates that will last for 7 days. For production use, place your certificate files in ./nginx/certs/
with the names ssl_certificate.crt
and ssl_certificate_key.key
respectively. For development use, you can use the default generated certificates which means you do not need to put any certificate files in the ./nginx/certs/
folder.
NGINX Configuration Note: You can configure NGINX settings by changing values in the nginx/conf/default.conf
file.
Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit Environment Variables Configuration.
./setup-docker-env.sh
# If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line
docker-compose up
Navigate to https://127.0.0.1
. You should see the application's login page. (Note that if you used the option to generate your own self-signed certs, you will get warnings about them from your browser.)
Updating Docker Container
Starting with version 2.5.0, Heimdall on Docker uses SSL by default. Place your certificate files in ./nginx/certs/
with the names ssl_certificate.crt
and ssl_certificate_key.key
respectively.
A new version of the docker container can be retrieved by running:
docker-compose pull
docker-compose up -d
This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation.
From the source directory you started from run:
https://github.com/mitre/heimdall2-helm
Cloud.gov is a FEDRAMP moderate Platform-as-a-Service (PaaS) . This repository includes a sample manifest.yml.example file ready to be pushed and run the latest version of Heimdall2 as a container. Make a copy of the example file and update the key values as appropriate.
$ cp manifest.yml.example manifest.yml
Setup a cloud.gov account - https://cloud.gov/docs/getting-started/accounts/
Install the cf-cli - https://cloud.gov/docs/getting-started/setup/
Run the following commands in a terminal window from the Heimdall source directory.
$ cd ~/Documents/Github/Heimdall2
$ cf login -a api.fr.cloud.gov --sso
# Follow the link to copy the Temporary Authentication Code when prompted
Setup a demo application space
$ cf target -o sandbox-rename create-space heimdall2-rename
Create a postgresql database
# Update manifest.yml file to rename application and database key name
$ cf marketplace
$ cf create-service aws-rds medium-psql heimdall2-rename
$ cf create-service-key heimdall2-db-rename heimdall2-db-test-key
$ cf push
You should be returned the URL for your new test instance to navigate to.
Note: This is only for demonstration purposes, in order to run a production level federal/FISMA system. You will need to contact the cloud.gov program and consult your organization's security team (for risk assessment and an Authority to Operate).
Heimdall currently supports AWS S3 for loading external HDF data.
In order to allow Heimdall to Connect to your AWS S3 bucket, you need to add a Cross-Origin Resource Sharing policy within the AWS Console. The following configuration is sufficent, however you need to change the allowed origin to where you are deploying Heimdall.
[
{
"AllowedHeaders" : [
" *"
],
"AllowedMethods" : [
" GET" ,
" HEAD"
],
"AllowedOrigins" : [
" https://heimdall.your.site.here"
],
"ExposeHeaders" : [],
"MaxAgeSeconds" : 3000
}
]
API usage only works when using Heimdall Enterprise Server (AKA "Server Mode").
Proper API documentation does not exist yet. In the meantime here are quick instructions for uploading evaluations to Heimdall Server.
# To use API Keys, ensure you have set the API_KEY_SECRET environment variable. To create a secret run: openssl rand -hex 33
# Create an API key using the Heimdall frontend (within the edit user profile modal) and upload an evaluation with the following command
curl -F " data=@<Path to Evaluation File>" -F " filename=<Filename To Show in Heimdall>" -F " public=true/false" -F " evaluationTags=<tag-name>,<another-tag-name>..." -H " Authorization: Api-Key apikeygoeshere" " http://localhost:3000/evaluations"
# You can upload multiple files at once (up to 100)
curl -F " data=@<Path to first evaluation File>" -F " data=@<Path to second evaluation File>" ... -F " public=true/false" -F " evaluationTags=<tag-name>,<another-tag-name>..." -H " Authorization: Api-Key apikeygoeshere" " http://localhost:3000/evaluations"
If you would like to change Heimdall to your needs, you can use Heimdall's 'Development Mode' to ease the development process. The benefit to using this mode is that it will automatically rebuild itself and use those changes as soon as you make them. Please note that you should not run development mode when deploying Heimdall for general usage.
Install system dependencies with your system's package manager.
Ubuntu:
# grab nodesource for recent version of nodejs
sudo curl -sL https://deb.nodesource.com/setup_16.x -o /tmp/nodesource_setup.sh
sudo /tmp/nodesource_setup.sh
# use apt to install dependencies
sudo apt install postgresql nodejs nano git
sudo npm install -g yarn
OSX:
brew install postgresql node@16 nano git
sudo npm install -g yarn
Clone this repository:
git clone https://github.com/mitre/heimdall2
Run the Postgres server:
Ubuntu:
# Switch to the OS postgres user
sudo - u postgres - i
# Start the Postgres terminal
psql postgres
# Create the database user
CREATE USER < username> with encrypted password ' <password>' ;
ALTER USER < username> CREATEDB;
\q
# Switch back to your original OS user
exit
OSX:
# Start the server
pg_ctl - D / opt/ homebrew/ var/ postgres start
# Start the Postgres terminal
psql postgres
# Create the database user
CREATE USER < username> with encrypted password ' <password>' ;
ALTER USER < username> CREATEDB;
\q
# Switch back to your original OS user
exit
Install project dependencies:
cd heimdall2
yarn install
Edit your apps/backend/.env file using the provided setup-dev-env.sh
script. Make sure to set a DATABASE_USERNAME and DATABASE_PASSWORD that match what you set for the PostgresDB in step 3.
You can also open the apps/backend/.env file in a text editor and set additional optional configuration values. For more info on configuration values see Enviroment Variables Configuration .
Create the database:
yarn backend sequelize-cli db:create
yarn backend sequelize-cli db:migrate
yarn backend sequelize-cli db:seed:all
Start Heimdall:
This will start both the frontend and backend in development mode, meaning any changes you make to the source code will take effect immediately. Please note we already have a Visual Studio Code workspace file you can use to organize your workspace.
Debugging Heimdall Server
If you are using Visual Studio Code, it is very simple to debug this application locally. First open up the Visual Studio Code workspace and ensure the Node debuger Auto Attach feature in Visual Studio Code is enabled. Next, open the integrated Visual Studio Code terminal and run:
Visual Studio Code will then automatically attach a debugger and stop and any breakpoints you place in the application.
Developing Heimdall Lite Standalone
If you only want to make changes to the frontend (heimdall-lite) use the following command:
To validate and lint your code run:
Compile and minify the frontend and backend for production
To test your code to make sure everything still works:
# Run Frontend Vue Tests
yarn frontend test
# Run Backend Nest Tests
yarn backend test:ci-cov
Run Cypress End to End Tests
The application includes E2E frontend + Backend tests (built using the cypress.io framework). These perform automated checking that Heimdall Server is running as intended. In order to run these tests, a running instance of the application is required.
CYPRESS_TESTING=true yarn start:dev
CYPRESS_BASE_URL=http://localhost:8080 yarn test:ui:open
The first command will start an instance of Heimdall Server and exposes additional routes required to allow the tests to run. The second will open the Cypress UI which will run the tests any time code changes are made.
Note: This action requires appropriate privileges on the repository to perform.
The steps to create a release are now on the wiki .
Versioning and State of Development
This project uses the Semantic Versioning Policy
Contributing, Issues and Support
Please feel free to look through our issues, make a fork and submit PRs and improvements. We love hearing from our end-users and the community and will be happy to engage with you on suggestions, updates, fixes or new capabilities.
Please feel free to contact us by opening an issue on the issue board, or, at [email protected] should you have any suggestions, questions or issues. If you have more general questions about the use of our software or other concerns, please contact us at [email protected] .
© 2019-2021 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.