Software Evaluation

Evaluation for Web-enabled Temporal Analysis System (WebTAS) Enterprise

Reposted with permission

NOTE: The formatting has been changed to fit the style of this site.

Introduction

The Web-enabled Temporal Analysis System (WebTAS Enterprise, or just WebTAS) is two things at once: a collection of tools for intelligence analysts that can pull data from databases or websites and then chart, manipulate, and disseminate their conclusions, and a suite of tools and security frameworks for software developers that enables quicker development of applications designed for use in secure environments.

For the analysts, WebTAS provides Topic Builder (which has its own evaluation and is discussed only briefly here) and the Project Tool, which enables the integration of data from multiple sources and provides ways of visualizing and manipulating that data for analysis, display, and dissemination.

For the software developer, WebTAS provides a suite of open source tools inside an accredited security umbrella. Any particular deployment of WebTAS can use some or all of the available tools, enabling customization without having to write any specialized software. WebTAS also supports including custom applications both by enabling those custom applications to integrate with existing ones and by exposing interfaces to the installed tools. WebTAS makes extensive use of Docker. Consequently, WebTAS will integrate well in any software ecosystem that also uses Docker.

The following is a summary of each of the identified sections and the applications installed by default:

  • Topic Builder. Enables the scanning and collecting of data from multiple text sources, such as news websites.
  • GeoServer. A map server that, among other possible uses, enables Topic Builder to generate maps for displaying spatial data without the need for Google Maps.
  • Information Model Editor (IME). Sets up database connections between existing databases and WebTAS. Various SQL and NoSQL databases are supported. This enables WebTAS to pull data from multiple existing database systems.
  • Web-based WebTAS Enterprise Project Tool. Enables users to employ most of the rest of the functionality built into the default install of WebTAS. Additional functionality would require the native version of the Project Tool or a custom application developed inside of WebTAS. Through the web app, users can create and manage database queries, create and manage map views and integrations (using GeoServer and/or Google Earth), chart and display data in numerous ways, perform basic data management tasks, and create and administer electronic surveys.
  • Security Services. Provides for user authentication, single sign on (SSO), user management, and auditing.
  • Security Perimeter. These tools provide the interface between applications and tools in WebTAS and those using WebTAS. Applications deployed inside of WebTAS can be added as Docker containers to the servers that run the rest of WebTAS. Applications that use WebTAS can get security authentications and tokens from the WebTAS security services, but are generally deployed on different servers.
  • Service Registry. Tracks and reports on all of the available services in WebTAS.
  • Data Services (recommended tools). Provides a unified interface to a variety of external databases and data sources. This would enable an application to retrieve and manage data from multiple divisions without having to make redundant copies of the data. In other words, these tools extend the capability of the IME.
  • Monitoring Services (optional tools). Can create an overall view of the system health, traffic, usage, etc. Dashboards and other similar services can be optionally configured, but are not available by default.
  • Messaging Services (optional tools). This is, essentially, a RabbitMQ instance. This provides a quick and efficient path for different programs to communicate with each other without every service knowing about all of the other services.
  • Mission Services (optional tools). Various content acquisition and export services.

How Do You Use It

WebTAS is installed onto a local cluster of at least 3 nodes with a fourth node serving as a host for the local file repository. A web portal is available for Internet Explorer and Firefox that exposes all of the tools inside of WebTAS.

Potential Use-Cases

WebTAS is government-owned software, and some organizations are encouraged to use such software.

WebTAS’s Topic Builder can, for example, parse the news reports from the past year from popular news outlets and create a report of everything related to North Korea, broken down by a variety of customizable criteria.

The Project Tool can be used to create a dashboard which combines results from database queries, derived graphs, maps, and Google Earth all in one display.

Scope of Evaluation

A full evaluation was performed for WebTAS. This included reading the provided documentation, researching the asset on Google, installation onto our own network, loading data from sources other than the asset provider, generating and performing various tests on the software, completing all of the checklist questions, and writing all of the summaries and explanatory content. As part of this evaluation we worked with the asset provider, especially in regard to installation.

Architecture Summary

WebTAS is architected as a distributed micro-service suite of tools which can support Single Page Applications (SPA) and Progressive Web Apps (PWA). In other words, the functionality of WebTAS has been split up into multiple Docker containers. Picking and choosing which Docker containers to deploy brings flexibility to a deployment, but dependencies between containers can make debugging more difficult.

Installation Summary

Installing WebTAS is very difficult without direct support from the developers. Very large (based on the typical system sizes at the time of writing) computer nodes are required for installation and the long term stability of the system was questionable at best during our testing.

Testing Summary

Only limited testing was possible on our install of WebTAS. Although all of the default tools were eventually installed, we were unable to ingest data from an external database (a core feature of WebTAS) which limited the scope of the tests that could be run. All of the other tools appeared to be functional.

Conclusion

For developers, WebTAS provides a good collection of commonly used tools inside an accredited security framework. Using WebTAS can allow for abstracting out many of the tedious details associated with creating such a framework from scratch, but WebTAS itself brings with it a difficult install and potential integration issues.

For analysts, WebTAS provides a lot of functionality, especially in the Topic Builder and Project Tool applications.

In summary, the key take-aways for this report are the following:

  • WebTAS is both a set of ready to go tools for analysts and a set of open source building blocks for developers.
  • WebTAS is of value to the DI2E community because it can provide an accredited security umbrella for development with common open source tools for developers and provides Topic Builder and the Project Tool for analysts, both of which can be incorporated into other, higher level, projects.
  • The remainder of the report includes and addresses the following areas:
    1. Architecture Overview
    2. Installation details
    3. Test cases and details
    4. Checklist questions
    5. Checklist summary

Architecture Overview

WebTAS divides its various tools and services into Docker containers. These containers are the minimum pieces that WebTAS can be broken down into. Thus, to deploy an application in WebTAS, a Docker container with the new application code would be added to the set of existing WebTAS Docker containers. The specific Docker containers available are shown in Table 1 below.

Some of the Docker containers provide for basic WebTAS functionality such as user management, security, access controls, service registries, etc., and are marked as "core" types in the table. Those services which the developers recommend to be deployed in a typical configuration have also been so marked. Note that the specific breakdown can change from version to version.

Conceptually, each of the WebTAS services interacts with other services to provide utility. Typically, this means that WebTAS provides much of the framework and support for Single Page Applications (SPA), which are used via a browser. Figure 1 shows the services available and which of the services are optional. Note that the figure is service-oriented and not Docker-container oriented and so shows some of the inter-container dependencies inherent in the WebTAS framework.

[Figure: class and service diagram]
Figure 1. WebTAS Architecture

Many of the provided services in WebTAS are open source. The list of open source programs included in WebTAS is shown in Table 2 below.

The following information is from the Software Development Kit (SDK) documentation:

The Core Data Framework (CDF) provides a flexible framework of query and persistence capabilities that operate on a unified logical data model that hides the details of how to access the various data. In addition, CDF allows itself to be configured to work in an existing security infrastructure. As such, any piece of data (a request or a response) coming into or leaving CDF is run through a security interface to make sure a particular user is allowed to perform an action on a particular request and permitted to see the response from that request.

CDF consists of the following components:

  • Metadata–This component defines the overall Information Model that includes the following:
    • A logical model of the data to be used by applications to define their models
    • A physical data model that provides the information that data sources require to access the information
  • Data Access Infrastructure–This component provides the primary services for getting information from the applications to the data source implementation. These services include routing query requests, defining the CQL (Common Query Language), and providing an isolation container for data sources to operate in.
  • Data Source Implementations–Data source implementations are separate components from the infrastructure. Several implementations will be contained with the CDF with the ability for additional ones to be developed separately.
  • Search–This component is used to search for unstructured queries.
  • Link/Relationship–This component is used to search for graph-related data and shows data in a graph structure.

The main concern of CDF is the description, retrieval, and persistence of the data. It also has some cross-cutting concerns: auditing and security.

Table 1. List of Docker Containers in WebTAS

Service | Purpose | Docker Container | Type
Application Proxy | Provides a proxy endpoint that accepts OpenID tokens from clients and exchanges them for STS tokens, which are used internally; also performs a service lookup against the service registry, ensuring availability and load balancing. | we-app-proxy-docker | core
Audit Service | Records all system access attempts by category. | we-audit-data-docker | core
CAPCO Service | Provides security markings, support to include rollup, marking validation, and mandatory access control. | we-capco-service-docker | optional
CAPCO Service | | we-capco-cdf-docker | recommended
Client Proxy | Provides a proxy endpoint for desktop client mission applications to perform a service lookup against the service registry, ensuring availability and load balancing. | we-client-proxy-docker | optional
Content Service | A data store for binary objects; supports full life cycle management of media entities, including binary data, media title, description, and classification. | we-content-docker | optional
Content Service | | we-content-cdf-docker | recommended
Content Acquisition | The Content Acquisition Mule application can be configured to receive content from RSS feeds, files, and SharePoint. It puts the content into a standard format and sends it off to a RabbitMQ message queue for later processing. It provides a single point for other applications to obtain content. | we-content-acquisition-docker | optional
Data Service | Secure data access and persistence. | we-data-docker | optional
ElasticSentry | Secure Elasticsearch service. | we-elastic-sentry | optional
Export Service | Jasper reporting service to support exporting to several external formats (xls, ppt, pdf). | we-export-docker | optional
Geoserver | Open source Open Geospatial Consortium (OGC) compliant map server that provides map data and geospatial calculations. | we-geospatial-geoserver-docker | optional
Geoserver | | we-geonames-docker | optional
Geoserver | | we-geospatial-postgres-docker | optional
Graph Service | Obtains link information from a link service and adds display property information so that a GUI can render it into a link analysis graph display. | we-graph-docker | optional
Jackrabbit | Open source binary data store. | we-jackrabbit-docker | optional
MongoAdapter | Secure MongoDB service without CDF backing. | we-mongo-adapter | optional
MongoDB | Open source Mongo NoSQL database. | we-mongodb-mission | optional
Notification | Provides the ability to send alert notifications and messages to users. | we-notification-cdf-docker | recommended
Notification | | we-notification-docker | optional
Object History | Change management for stored objects. | we-object-history-cdf-service | recommended
Object History | | we-object-history-service | optional
OpenID | Provides user authentication and single sign-on. | we-openid-docker | core
OpenLDAP | OpenLDAP manages Native (non-Enterprise) user and non-person entity (NPE) accounts, accessing proxied Enterprise accounts, local attributes associated with such accounts, and self-service account creation and maintenance. | we-openldap | core
OpenSearch | Provides an OpenSearch compatible endpoint backed by CDF search. | we-opensearch-docker | optional
Piwik | Open source web metrics framework that provides detailed usage stats and user profiles; supports system metrics aggregation and usage profiling. | centos7_piwik | optional
PostgreSQL | Open source Postgres relational database. | we-postgres-system | core
PostgreSQL | | we-postgres-mission | optional
Pref/Config Service | Provides access to, and storage of, text-based preferences and system configurations. | we-configuration-docker-service-resources | optional
RabbitMQ | AMQP messaging system; provides distributed pub/sub messaging. we-rabbitmq-notif is associated with the Notification service. | we-rabbitmq-notif | core
Reverse Proxy | Provides an air gap entry point into the security boundary of the WE framework. | we-reverse-proxy | core
Rexster | Used by the Graph service. | we-rexster-docker | optional
Role Based Access Control (RBAC) | Makes authorization decisions for a subject. | we-rbac-service-docker | core
Secure Token Service (STS) | Issues STS tokens that are used to pass a user's identity throughout the service stack and assists in making authorization decisions. | we-sts-docker | core
Service Registry | Utilizes Netflix's Eureka service registry to allow dynamic resource utilization. Keeps track of available services and automatically removes from rotation services which are down. | we-eureka | core
User Management | Supports the User Management application, providing service endpoints for querying and managing organizations, groups, and users. This includes CRUD operations on those objects, assigning membership in organizations and groups, and setting permissions for groups. | we-security-mgmt-docker | core
WE Search | Secure Solr search services provided to an application. | we-solr-docker | optional
Zipkin | Provides distributed tracing of user requests across the services. | centos7_zipkin_cassandra | optional
Table 2. Open Source Software in WebTAS

Software | Version | Description
Apache Abdera | 1.1.2 | A high-performance implementation of the IETF Atom Syndication Format (RFC 4287) and Atom Publishing Protocol (RFC 5023) specifications.
Apache httpclient | 4.3.3 | A set of low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint. HttpClient provides an efficient, up-to-date, and feature-rich package implementing the client side of the most recent HTTP standards and recommendations.
Apache httpd | 2.4.25 | Reverse proxy, used for SSL termination at the security border and to ensure internal and external connectivity are air gapped.
Apache Thrift | 0.9.0 | The Apache Thrift software framework, for scalable cross-language services development, combines a software stack with a code generation engine to build services that work efficiently and seamlessly between C++, Java, Python, PHP, Ruby, Erlang, Perl, Haskell, C#, Cocoa, JavaScript, Node.js, Smalltalk, OCaml and Delphi, and other languages.
Apache Tomcat | 7.0.77 | Open source web server and servlet container developed by the Apache Software Foundation. Tomcat implements the Java Servlet and the JavaServer Pages specifications.
Apache Xerces | 2.9.0 | High performance, fully compliant XML parser.
Apache Xalan | 2.7.0 | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types.
BouncyCastle | 1.46 | Open source collection of encryption APIs and provider implementations.
Cassandra | 2.0.16 | Highly available, highly scalable, highly performant big table NoSQL database, used primarily as storage for system metrics data.
CentOS | 7.3 | Minimal Linux operating system.
Docker | 1.13.0 | Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux.
Drop Wizard | 3.1.2 | A lightweight Java framework for exposing RESTful web services, used for services that do not require the overhead of a full Tomcat container.
Elasticsearch | 1.2.1 | Elasticsearch is a search engine based on Lucene. It provides a distributed, multitenant-capable search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is Java based and is released as open source under the terms of the Apache License. It provides for JSON indexing and full-text searching with supporting utilities.
ESAPI | 2.0.1 | ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications.
erlang | 19.2 | Used by the RabbitMQ Docker container for SSL support.
Eureka | 1.1.145 | REST-based service registry that is responsible for load balancing traffic across a dynamic list of services.
Fuseki | 1.1.1 | Tinkerpop-compliant graph database used to store graph data and triple store data for CDF.
Geoserver | 2.8.5 | Geoserver provides services to geospatial content over standard Open Geospatial Consortium (OGC) protocols.
Gridster | 0.6.8 | JavaScript library that allows the user to drag and drop div elements around the page and remember the size and location of the grid components.
Jackrabbit | 2.8.0 | Apache Jackrabbit is a content repository that is a fully conforming implementation of the Content Repository for Java Technology API (JCR, specified in JSR 170 and JSR 283).
Jackson | 2.6.2 | Jackson is a suite of data-processing tools for Java, including the flagship streaming JSON parser / generator library.
JasperReports | 6.0.4 | The JasperReports Library is the world's most popular open source reporting engine, used as the backing implementation for the export service.
Java JRE | 1.8.0-131 | (Java Runtime Environment) Used for deploying Java applications on servers. Includes tools for JVM monitoring and tools commonly required for server applications, but does not include browser integration (the Java plug-in), auto-update, nor an installer.
Jaxen | 1.1.4 | Jaxen is an open source XPath library written in Java.
Jersey | 2.12 | Jersey is a REST JAX-RS Reference Implementation used as the basis for web service implementations.
Ldaptive | 1.1.0 | The Ldaptive client is an extensible Java API for interacting with LDAP servers.
Log4j | 1.2.17 | Apache log4j is a Java-based logging utility.
MongoDB | 2.6.12 | Schemaless document-oriented database system.
Mozilla NSS | 3.16.2.3 | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Mule ESB | 3.7 | Standalone, lightweight, Java-based enterprise service bus (ESB) and integration platform that allows developers to connect applications together quickly and easily, enabling them to exchange data. Mule ESB enables easy integration of existing systems, regardless of the different technologies that the applications use, including JMS, Web Services, JDBC, HTTP, and more. The key advantage of an ESB is that it allows different applications to communicate with each other by acting as a transit system for carrying data between applications within the enterprise.
NASA World Wind | 2.0.0 | 3D map engine, similar to Google Earth, used in the Project Tool mission application.
Neo4j | 1.9.M05 | Neo4j is an open-source graph database, implemented in Java. It is used primarily as the data store for RBAC permissions.
OpenLDAP | 2.4.39 | Open source Lightweight Directory Access Protocol (LDAP) server used for the address directory and centralized authentication.
OpenSC | 0.16.0 | OpenSC is an open source suite of smart card tools and middleware, including PKCS#11 card drivers. Used for interacting with the DoD Common Access Card (CAC).
OpenSSL | 1.0.2k + fips 2.0.9 | Cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
Piwik | 2.14.1 | Open-source analytics platform that provides the ability to track usage analytics for the application.
PostGIS | 2.1.8-1 | Spatial database extender for the PostgreSQL object-relational database. It adds support for geographic objects, allowing location queries to be run in SQL.
PostgreSQL | 9.4.12 | Object-relational database system that has the features of traditional proprietary database systems with enhancements to be found in next-generation DBMS systems.
Quartz | 2.2.1 | Quartz is a richly featured, open source job scheduling library that can be integrated within virtually any Java application.
RabbitMQ | 3.3.5 | Powerful message queue broker implementing AMQP (wire-level protocol and semantic framework for high performance enterprise messaging) that accepts and forwards application messages.
Redis | 3 | Open source key-value memory cache, used as a session cache for web-based mission applications.
Rexster | 2.3.0 | Graph server that exposes any Blueprints graph through REST and a binary protocol called RexPro. The HTTP web service provides standard low-level GET, POST, PUT, and DELETE methods and a flexible extensions model that allows plug-in like development for external services.
Ruby | 2.0.0.598-25 | Interpreted scripting language for quick and easy object-oriented programming.
SLF4j | 1.7.6 | Simple facade for logging; a lightweight API which can be backed by multiple implementations such as log4j.
Solr | 4.8.1 | An enterprise search platform.
Spring Security | 3.2 | Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Xstream | 1.4.3 | XStream is a simple library to serialize objects to XML and back again.
Zabbix | 3.2.3 | Zabbix is software that monitors numerous parameters of a network and the health and integrity of servers.
Zipkin | 1.5.1 | Zipkin is a distributed tracing system that helps to gather timing data for all the disparate services.

Dependencies

WebTAS is designed to be deployed onto a three-node cluster of RedHat / CentOS computers with a fourth install server. Most dependencies are included with the installer. The dependencies that are not included are available through yum:

audit-libs-python, bind-utils, bzip2, centos-indexhtml, checkpolicy, dos2unix, iptables-services, libcgroup, libsemanage-python, libyaml, lynx, ntp, policycoreutils-python, python-IPy, ruby, ruby-devel, ruby-irb, ruby-libs, rubygem-bigdecimal, rubygem-io-console, rubygem-json, rubygem-psych, rubygem-rdoc, rubygems, screen, setools-libs, unzip, unixODBC, vim

Each of the three WebTAS nodes requires the following minimum specs:

  • 4 core processor
  • 32 GB memory
  • 200 GB free disk space

The install server requires the following minimum specs:

  • 2 core processor
  • 4 GB memory
  • 50 GB free disk space

WebTAS also requires the following to be installed on each node:

  • A unique Fully Qualified Domain Name (FQDN)
  • A Certificate Authority (CA) certificate, formatted in a particular way
  • firewalld must be installed and running
  • SELinux must be installed and set to permissive
  • NTPd must be installed, configured, and running

Although most of the testing was done in Chrome, officially WebTAS only supports Internet Explorer 11 and Firefox 24 ESR.
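The node prerequisites above (minimum specs, FQDN, firewalld, SELinux permissive, ntpd, and the yum packages the installer does not bring) can be scripted as a preflight check. The following is an added example, not part of WebTAS or of the evaluators' Fabric scripts; it assumes a CentOS 7 node with GNU coreutils, systemd and rpm, and measures free space on /opt, where the installer lives.

```shell
#!/bin/sh
# WebTAS node preflight check: an added example, not part of the WebTAS
# installer or the evaluators' Fabric scripts. It compares a node against the
# prerequisites listed in the report (4 cores, 32 GB RAM, 200 GB free disk,
# an FQDN, firewalld running, SELinux permissive, ntpd running, and the yum
# packages the installer does not include) before runAll.sh is started.
# The check_* functions take their inputs as arguments so they can be
# exercised offline; preflight_report gathers the live values (GNU coreutils,
# systemd and rpm are assumed, as on CentOS 7).

MIN_CORES=4        # per-node minimums from the Dependencies section
MIN_MEM_GB=32
MIN_DISK_GB=200
REQUIRED_RPMS="audit-libs-python bind-utils bzip2 centos-indexhtml checkpolicy
dos2unix iptables-services libcgroup libsemanage-python libyaml lynx ntp
policycoreutils-python python-IPy ruby ruby-devel ruby-irb ruby-libs
rubygem-bigdecimal rubygem-io-console rubygem-json rubygem-psych rubygem-rdoc
rubygems screen setools-libs unzip unixODBC vim"

# check_specs CORES MEM_GB DISK_GB: prints one line per shortfall; 0 if all met.
check_specs() {
    specs_rc=0
    [ "$1" -ge "$MIN_CORES" ]   || { echo "FAIL cores: $1 < $MIN_CORES"; specs_rc=1; }
    [ "$2" -ge "$MIN_MEM_GB" ]  || { echo "FAIL memory: $2 GB < $MIN_MEM_GB GB"; specs_rc=1; }
    [ "$3" -ge "$MIN_DISK_GB" ] || { echo "FAIL disk: $3 GB < $MIN_DISK_GB GB"; specs_rc=1; }
    return $specs_rc
}

# selinux_mode_ok MODE: 0 only for "Permissive". The report's recommendations
# note that the installer simply crashes when SELinux is left enforcing,
# so this is the check most worth running before anything else.
selinux_mode_ok() {
    case "$1" in
        Permissive|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# hostname_is_fqdn NAME: 0 if NAME is dotted, with no leading or trailing dot.
hostname_is_fqdn() {
    case "$1" in
        .*|*.|"") return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_rpms PKG...: prints each package rpm does not report as installed (live).
missing_rpms() {
    for pkg in "$@"; do
        rpm -q "$pkg" >/dev/null 2>&1 || echo "$pkg"
    done
}

# service_active UNIT: 0 if systemd reports the unit active (live).
service_active() {
    systemctl is-active --quiet "$1" 2>/dev/null
}

# preflight_report: gather live values, run every check, return 1 on any failure.
preflight_report() {
    cores=$(nproc 2>/dev/null || echo 0)
    mem_gb=$(( $(awk '/MemTotal/ {print $2}' /proc/meminfo) / 1024 / 1024 ))
    disk_gb=$(df -BG --output=avail /opt 2>/dev/null | tail -n 1 | tr -dc '0-9')
    rc=0
    check_specs "$cores" "$mem_gb" "${disk_gb:-0}" || rc=1
    hostname_is_fqdn "$(hostname -f 2>/dev/null)" || { echo "FAIL hostname is not an FQDN"; rc=1; }
    selinux_mode_ok "$(getenforce 2>/dev/null)"  || { echo "FAIL SELinux is not permissive"; rc=1; }
    for unit in firewalld ntpd; do
        service_active "$unit" || { echo "FAIL $unit is not running"; rc=1; }
    done
    missing=$(missing_rpms $REQUIRED_RPMS)
    [ -z "$missing" ] || { echo "FAIL packages not installed: $(echo $missing)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: node meets the WebTAS prerequisites"
    return $rc
}

# Only run the live report when invoked as: sh webtas-preflight.sh run
case "${1:-}" in run) preflight_report ;; esac
```

Run it on each of the three worker nodes and the Docker node before step 8 of the install procedure; a non-zero exit with the FAIL lines tells you which prerequisite the installer would otherwise trip over silently.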

Installation

Installing WebTAS is not a trivial process. After much experimentation, an internal set of scripts was developed to help get through the pre-installation steps. The scripts were written with Python Fabric and are used to set up and maintain the three worker nodes from the master Docker node.

The test installation was performed on four CentOS 7 virtual machines in VMware with one master Docker node and three worker nodes. Each node has the following specifications:

  • 16GB RAM
  • 2 VCPU
  • 200GB Disk
  • Linux Kernel 3.10.0
  • Docker 1.13.0

The above is technically less than the minimum required according to the documentation, but fully compliant resources were not available. The system usage was closely monitored and none of the nodes appeared to be bottlenecked due to insufficient RAM, disk space, or CPU.

The steps in Table 1 detail the test install process. All of the commands in this table assume that they are being run from the same directory as the fabric scripts on the same node as the Docker repository, unless otherwise stated. NOTE: These scripts were developed for internal use and so the IP addresses, fully qualified domain names, and root password need to be hard coded into the fabric config.py file in order for the scripts to work.

Unfortunately, even with a successful install, not all of the functionality appeared to work. Errors were encountered often and WebTAS required frequent restarts.

Step | What To Do | How To Do It ($ indicates a new command to be entered into the terminal) | Result

Step 1. Create a WebTAS user on all the nodes
  $ USERNAME='webtas'
  $ PASSWORD='super-secret'
  $ echo "$USERNAME : $PASSWORD"
  $ sudo adduser $USERNAME
  $ sudo echo $PASSWORD | sudo passwd --stdin $USERNAME
  $ sudo usermod -aG wheel $USERNAME
  Result: Creates a user with admin privileges.

Step 2. Allow ssh access from the WebTAS user into all the nodes
  $ sudo su
  $ echo -e "\n\nMatch User webtas\n\tPasswordAuthentication yes" >> /etc/ssh/sshd_config
  $ service sshd restart
  $ exit
  $ # test logging in with the password
  $ ssh webtas@localhost
  Result: Appends ssh permissions to the sshd_config file for the WebTAS user and restarts the sshd service.

Step 3. Install Python Fabric and upload the fabric.zip
  $ # install the latest python pip
  $ curl https://bootstrap.pypa.io/get-pip.py | sudo python
  $ sudo pip install fabric
  $ fab --version

Step 4. Disable SELinux on all nodes
  $ fab test.run:"sed -i 's/enforcing/permissive/g' /etc/selinux/config"
  $ fab test.run:"reboot now"
  $ fab test.run:"getenforce"

Step 5. Create and set the hosts file on all nodes (note that the IP addresses will need to be filled in as per the needs of a particular deployment)
  $ # create hosts file for docker node
  $ # put on all the other nodes
  $ echo -e "
  ip.address ri1-webtas-docker
  ip.address ri1-webtas-docker.di2e.net
  ip.address ri1-webtas-01
  ip.address ri1-webtas-01.di2e.net
  ip.address ri1-webtas-02
  ip.address ri1-webtas-02.di2e.net
  ip.address ri1-webtas-03
  ip.address ri1-webtas-03.di2e.net
  " >> /etc/hosts
  $ cp /etc/hosts ./hosts
  $ fab setup.hosts
  Result: Creates a new hosts file for the docker node. `fab setup.hosts` copies this hosts file to all the nodes.

Step 6. Create certificates for all nodes
  $ mkdir certs && cd certs
  $ fab certs.generate_and_check_all
  $ fab certs.install
  Result: The OpenSSL commands have been wrapped by functions in the supplied fabric module.

Step 7. Install dependencies on all the nodes
  $ fab setup.dep
  Result: Fabric will install all the dependencies listed in the documentation on each node.

Step 8. Run the WebTAS install script. This assumes that the WebTAS files have all been downloaded and placed in the proper location as per the installation guide.
  $ cd /opt/issinc/install/installer/
  $ sudo ./runAll.sh
  Result: Launches the WebTAS install script. This will take at least 15 minutes to complete. If the script finishes and reports the installation was successful, run the post-installation scripts to double-check the installation.

Step 9. Run the mas-dataload container and restart the mas-webapp container
  $ sudo ./runAll.sh
  Result: The mas-dataload container will initialize WebTAS with example data. Once the mas-webapp container is restarted, the system will be completely started.
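Since the install script can report success while services have failed to start, and containers later die without notice (see the Recommendations), a post-install check of the container set is worth keeping around. The following is an added example, not part of WebTAS or its post-installation utility; it reads `docker ps -a` output and assumes the running container names match the core names in Table 1.

```shell
#!/bin/sh
# Post-install container health check for a WebTAS Docker node: an added
# example, not part of WebTAS or its post-installation utility. It reads
# `docker ps -a --format '{{.Names}} {{.Status}}'` output and reports
# (1) containers that are not "Up" and (2) core containers from Table 1 that
# are absent altogether, so "installation successful" is not taken at face
# value. That the Docker names match Table 1 is an assumption; the report
# notes that container names differ between the installer, the restart
# scripts and Docker itself, so adjust CORE_CONTAINERS for a real deployment.

# Containers marked "core" in Table 1.
CORE_CONTAINERS="we-app-proxy-docker we-audit-data-docker we-openid-docker
we-openldap we-postgres-system we-rabbitmq-notif we-reverse-proxy
we-rbac-service-docker we-sts-docker we-eureka we-security-mgmt-docker"

# Constructed sample of docker ps output (not captured from a real node):
# two core containers are down, one optional one has exited, and
# we-security-mgmt-docker is missing entirely.
SAMPLE_PS=$(printf '%s\n' \
    'we-app-proxy-docker Up 3 hours' \
    'we-audit-data-docker Exited (137) 2 hours ago' \
    'we-openid-docker Up 3 hours' \
    'we-openldap Up 3 hours' \
    'we-postgres-system Restarting (1) 40 seconds ago' \
    'we-rabbitmq-notif Up 3 hours' \
    'we-reverse-proxy Up 3 hours' \
    'we-rbac-service-docker Up 3 hours' \
    'we-sts-docker Up 3 hours' \
    'we-eureka Up 3 hours (healthy)' \
    'we-geospatial-geoserver-docker Exited (0) 5 minutes ago')

# not_running: reads "NAME STATUS..." lines on stdin and prints the names
# whose status does not begin with "Up" (Exited, Restarting, Created, Dead).
not_running() {
    while read -r name status; do
        case "$status" in
            Up*) ;;
            *) echo "$name" ;;
        esac
    done
}

# missing_core: reads the same lines and prints core containers absent from them.
missing_core() {
    present=$(awk '{print $1}')
    for c in $CORE_CONTAINERS; do
        printf '%s\n' "$present" | grep -qxF "$c" || echo "$c"
    done
}

# health_report: reads docker ps lines on stdin, prints a summary and
# returns 1 if any container is down or any core container is missing.
health_report() {
    ps_out=$(cat)
    down=$(printf '%s\n' "$ps_out" | not_running)
    absent=$(printf '%s\n' "$ps_out" | missing_core)
    hr_rc=0
    if [ -n "$down" ]; then
        echo "Containers not running (restart each with the vendor's per-container script):"
        printf '  %s\n' $down
        hr_rc=1
    fi
    if [ -n "$absent" ]; then
        echo "Core containers missing from docker ps:"
        printf '  %s\n' $absent
        hr_rc=1
    fi
    [ "$hr_rc" -eq 0 ] && echo "OK: every listed container is up and all core containers are present"
    return $hr_rc
}

# Usage: sh webtas-health.sh demo   (runs against the constructed SAMPLE_PS)
#        sh webtas-health.sh live   (runs against the local Docker daemon)
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_PS" | health_report ;;
    live) docker ps -a --format '{{.Names}} {{.Status}}' | health_report ;;
esac
```

Running the `live` form from cron on each node turns the manual "notice, debug, fix" loop described in the evaluation summary into at least an automatic notice.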

Test Summary

Introduction and Background

The goal of testing is to qualitatively determine if this component is reasonably consumable by an "average" consumer, and to expose any inconsistencies between what is documented and what actually exists in the asset. As such, these tests are informed by, but are separate from, the evaluation checklist. Tests were run to exercise some of the available features of the asset to verify they worked as expected. A passing score on these tests does not indicate that the asset will have a good score on the evaluation or vice versa. It is not the intent of this testing effort to comprehensively test the functionality of this asset, nor is the intent to provide authoritative security scans or penetration testing of the asset.

Assumptions

The following are overall assumptions for all of the tests: version 2.0.1.1 of the asset was used, the data provided with the asset was used, and the test instructions show mainly the successful steps taken.

Test Results

  1. Feature Tests
    1. Information Model Editor (IME): FAIL
    2. WebTAS Enterprise Project Tool Web App: PASS
  2. Logs and Metrics Tests
    1. Logging Completeness: PASS

Test Details

The detailed test plans and results are not reposted here as they do not make sense without the expanded context available on the DI2E website, which I do not have permission to repost.

Evaluation Checklist

Summary

WebTAS Enterprise provides a wide suite of features and a platform that can be used for future development of custom applications. Much thought has clearly been given to choosing good open source projects and incorporating them into a single, security-oriented framework. All of the major systems are documented, including plans for certification and accreditation, processes, and artifacts. That said, the documentation sometimes only covers a subset of the functionality of a particular tool.

The included Topic Builder and web-based Project Tool seemed to work well. Unfortunately, during evaluation, WebTAS could not be made to pull data from the sample database, making a detailed test of the Project Tool unfeasible at the current time.

Another downside is that WebTAS is extremely difficult to install. Worse, once installed, it appeared to need regular maintenance as the underlying Docker containers would fail, log files would fill up all available disk space, and/or VMs would lose communication with each other. In all cases, manual intervention was required to notice, debug, and fix the issue.

Recommendations

Category | Recommendation | Reason
Ease of use | Create generally more descriptive error messages in the log files and the terminal. | During initial installation testers forgot to disable SELinux on the Docker node. Rather than giving an error message, the installer would just crash.
Ease of use | Centralize or otherwise simplify credential management. | It's tedious to enter credentials onto every node every time. Additionally, it would seem there's no reason to confirm the password when the provided system utility could just try the password and ask again if it doesn't work.
Maintenance | Add a system service that would automatically restart containers that don't respond to the service check. | The documentation recommends this, but it requires finding the container and running a script for each one.
Ease of use | Use more uniform naming for the containers. | The containers all seem to have three different names: one name in the post installation utility, one name for the script to restart that container, and the actual container name given by Docker.
Ease of use | Centralize the logging system. | Each container keeps its own logs with no way to easily access them.
Maintenance | Provide a better mapping of the dependencies of the Docker containers. | Documentation showing these dependencies would make diagnosing problems much easier.
Documentation | Develop more accurate system requirements. | In the documentation, the space requirement for the Docker node is listed as 75+ GB for the /opt directory while the system is currently using ~125 GB.
Ease of use | Allow the option to put installation configuration in a config file and not just read it from STDIN on the command line. | Config files would enable easier setup.
Ease of use | Simplify the installation by having the installation script do some of the setup, like generating certificates, installing dependencies, setting up ssh keys, updating hosts files, and so forth. | Setup is tedious and error prone.
Ease of use | Don't report that the install was successful when it actually failed. | The script reports success, but upon further inspection there are many services that failed to start.
Maintenance | Fix the runaway disk usage issue. | Occasionally something goes wrong in WebTAS that consumes so much disk space in a child node that the VM is rendered useless and must be destroyed and redone.

Checklist

The detailed checklist is not reposted here as it does not make sense without the expanded context available on the DI2E website, which I do not have permission to repost.