Creating Components

Components are made from native objects and can contain one or several such objects. Creating components while modeling might feel like extra work, but after re-using a component just a few times you will already have saved modeling effort. This section describes how components are created, using a step-by-step example that creates a few specialized software product objects and eventually a web server.

Custom Components Directory

To start with, we shall configure securiCAD so that it will know where we will store the custom components we create. Go to the Configuration menu item and select Objects.

 

Configuration – Objects

Click on “Browse” to select where we store our custom components. Since we do not have such a directory yet, please create it while selecting it.

 

And make sure it is selected.

Custom Components Selected

 

Now we have a new item next to the securiCAD components. This is where we will pick and use the components we shall create.

Our Custom Components in securiCAD

 

Each time you create an object or a sub-directory of the custom components folder, please go to Configuration-Objects and Save again to refresh the Components list in securiCAD.

Now we are set to start creating custom components.

Singular Object Components

To start with, we shall create a few single-object components. The point of creating a component with only one object is to set the defenses of that object once, so that whenever we re-use it as a component we know the defenses are already adjusted. SoftwareProducts are such a case. Start by dropping a SoftwareProduct object onto the canvas and rename it to RHEL 7.2, for RedHat Enterprise Linux.

We also see that the defense settings are all default, as expected for a freshly added native object.

SoftwareProduct Default Defenses

 

Now, to make this SoftwareProduct reflect the situation of RedHat Enterprise Linux, adjust the defenses accordingly:

RedHat Enterprise Linux Defenses

 

The non-default defense here is “SecretSource”, which is set to “Off” since RedHat is based on open source code. Even though the rest of the defenses follow the current default settings, it is a good idea to set them explicitly to what we actually want, in case we later change the default settings.

Now it is time to save this SoftwareProduct as a component. While the object we want to make a component of is selected, go to File – Export – Export Component.

Export Component

 

We will be prompted for which object to export (in case there are several selected). What we are actually choosing is which object shall be used as the top object of our component in the list of custom components in securiCAD.

Export Component Dialogue

 

Select the RHEL object and click OK to proceed.

Save Component

 

In the above example, we first located the custom components directory we previously created and pointed out. Then we created a sub-directory in that folder called “softwares”, and within it another sub-directory called “operatingSystems”. This way, the custom components will be organized by category in the custom components list.

RHEL72 Component

 

Each time you create an object or a sub-directory of the custom components folder, please go to Configuration-Objects and Save again to refresh the Components list in securiCAD.

Now we can pick out our component representing the RedHat Enterprise Linux version 7.2 from the list of custom components and use it in our model.

Please note that it is not recommended to let SoftwareProduct components be part of other components since SoftwareProduct objects shall be shared between all objects based on the same type of software/software release. If SoftwareProduct components are included in other components, you will have an extra SoftwareProduct object for each one of them.

Composite Object Components

Now, we shall create a component consisting of several objects: a web server. Imagine a “web server” being a host with an operating system, an access control for administration, a data store, a service (which is also based on a particular piece of software and has an access control) running at port 80, and a service at port 22 enabling remote login. Finally, we consider this server to be put into production, which means that it shall have the “Hardened” defense set to On.

Start by creating a service called OpenSSH:

  1. Pick a Service object from the list of native objects and rename it to OpenSSH.
  2. Add an AccessControl object and connect it to the OpenSSH object. Rename it to “ssh login”.
  3. Add a UserAccount object and connect it to the “ssh login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the non-root alternative, since we imagine that root is not allowed to log in remotely; instead, a non-privileged user must log in and then present extra login credentials to become root.
  4. Add a Datastore object and label it /home to represent the user directories made available by the ssh service.
  5. Go through the defense settings of the objects we have added and adjust them where needed. For instance, the defense setting “NoDefaultPasswords” of the AccessControl should be set to On, since you are required to set a password when creating a user login (actually an operating system user).

Now, we shall have the following objects and connections on the canvas:

 

Objects of the OpenSSH Service

 

Now, to organize it a bit, please drag the UserAccount onto the AccessControl and the AccessControl and Datastore objects onto the Service object.

Then select the Service object we have labeled OpenSSH and select File – Export – Export Component to make a re-usable component of it, since it is quite possible that several hosts will be offering a similar remote login ssh service.

customComponents/services

 

Following the same procedure as above, we can create a component for a web service and then a host running both the ssh service and the http service.

To create the http service and make a component of it, use the following steps:

  1. Pick a Service object from the list of native objects and rename it to Apache.
  2. Add an AccessControl object and connect it to the Apache object. Rename it to “http login”.
  3. Add a UserAccount object and connect it to the “http login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the non-root alternative here as well.
  4. Add a WebApplication object to the Service object. A WebApplication object represents the applications run by the web service. For instance, the web application might be a CRM system or some other internal or external web portal, while the service here is the binary actually running on port 80/443, hosting the web application.
  5. Add a Datastore object to the WebApplication object and label it /var/www to represent the user directories made available by the http service.
  6. Add a WebApplicationFirewall object to the WebApplication object, if such a functionality is present. A web application firewall is an add-on to the web application that tries to discover and block intrusion attempts such as malicious requests. If uncertain, you can add a WebApplicationFirewall object and set the defense “Enabled” to probability 0.5.
  7. Go through the defense settings of the objects we have added and adjust them where needed. Under the WebApplication you will find defense settings related to SQL injection, Remote File Inclusion, Developer Security Awareness and so on.

Next we shall create our “web server” with everything that comes with it:

  1. Pick a Host object from the list of native objects and rename it to Web Server.
  2. Add an AccessControl object and connect it to the Web Server object. Rename it to “OS login”.
  3. Add a UserAccount object and connect it to the “OS login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the root alternative here.
  4. Pick the Apache component from the components list and connect it to the host. When prompted for connection type, choose “Non-Root Application execution”.
  5. Pick the OpenSSH component from the components list and connect it to the host. When prompted for connection type, choose “Root Shell execution”.
  6. Go through the defense settings of the objects we have added and adjust them where needed, for example by changing the “Hardened” defense to On if we consider this server to be properly maintained and managed by the IT department.

We shall now have the following items on the canvas:

Web Server Objects

 

Now we can put the connected objects into each other and then export the Host object as a component.

Refresh the custom components folder by going to Configuration-Objects and Save again.

The Web Server Component
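
The following added example is not securiCAD code and does not use securiCAD's component file format. It represents the components built in this section as nested Python dictionaries (an assumed layout, with made-up UserAccount names and On/Off mapped to 1.0/0.0) and checks them against the rules given above: no SoftwareProduct inside another component, “Hardened” set to On for the production host, and probability-valued defenses such as the WebApplicationFirewall's “Enabled” flagged for confirmation.

```python
# Constructed stand-in for the tutorial's components. This nested-dict layout is
# an assumption for illustration; it is NOT securiCAD's component file format.
def obj(kind, name, defenses=None, children=()):
    return {"kind": kind, "name": name,
            "defenses": defenses or {}, "children": list(children)}

# Defense values are probabilities: On = 1.0, Off = 0.0 (assumed mapping).
OPENSSH = obj("Service", "OpenSSH", children=[
    obj("AccessControl", "ssh login", {"NoDefaultPasswords": 1.0},
        [obj("UserAccount", "ssh user")]),          # account names are made up
    obj("Datastore", "/home")])
APACHE = obj("Service", "Apache", children=[
    obj("AccessControl", "http login", children=[obj("UserAccount", "http user")]),
    obj("WebApplication", "web app", children=[
        obj("Datastore", "/var/www"),
        obj("WebApplicationFirewall", "WAF", {"Enabled": 0.5})])])
WEB_SERVER = obj("Host", "Web Server", {"Hardened": 1.0}, [
    obj("AccessControl", "OS login", children=[obj("UserAccount", "root")]),
    APACHE, OPENSSH])
# Flawed variant: SoftwareProduct embedded in the component, Hardened never set.
BAD_SERVER = obj("Host", "Web Server (bad)", children=[
    obj("SoftwareProduct", "RHEL 7.2", {"SecretSource": 0.0}), OPENSSH])

def walk(node, path=()):
    """Yield (path, node) for the node and everything nested inside it."""
    path = path + (node["name"],)
    yield path, node
    for child in node["children"]:
        yield from walk(child, path)

def lint(component):
    """Return findings for the modeling rules stated in this section."""
    findings = []
    for path, node in walk(component):
        where = " > ".join(path)
        if node["kind"] == "SoftwareProduct" and len(path) > 1:
            findings.append(f"{where}: SoftwareProduct embedded in a component; "
                            "each use of the component adds another copy")
        if node["kind"] == "Host" and node["defenses"].get("Hardened") != 1.0:
            findings.append(f"{where}: production host without Hardened = On")
        for name, p in node["defenses"].items():
            if 0.0 < p < 1.0:
                findings.append(f"{where}: {name} is an estimate (p={p}); confirm it")
    return findings

if __name__ == "__main__":
    for component in (WEB_SERVER, BAD_SERVER):
        print(component["name"], lint(component) or "clean")
```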