{"id":26773172,"url":"https://github.com/nichitaa/security-benchmarking-tool","last_synced_at":"2026-04-16T08:37:04.946Z","repository":{"id":45480436,"uuid":"403247174","full_name":"nichitaa/security-benchmarking-tool","owner":"nichitaa","description":"Security Bench-marking Tool (SBT), that can import a set of audits files, create some custom audit policies and export them, audit (inspect) the workstation regarding each rule and enforce a single or a set of rules","archived":false,"fork":false,"pushed_at":"2021-12-11T17:45:06.000Z","size":123062,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2023-03-10T02:23:03.446Z","etag":null,"topics":["antd-design","electron-react-typescript","express-js","nodejs-mongodb","passport-js"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nichitaa.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-09-05T07:48:42.000Z","updated_at":"2023-03-07T07:31:13.000Z","dependencies_parsed_at":"2022-07-18T22:18:37.737Z","dependency_job_id":null,"html_url":"https://github.com/nichitaa/security-benchmarking-tool","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nichitaa%2Fsecurity-benchmarking-tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nichitaa%2Fsecurity-benchmarking-tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nichitaa%2Fsecurity-benchmarking-tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nichitaa%2Fsecurity-benchmarking-tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nichitaa","download_url":"https://codeload.github.com/nichitaa/security-benchmarking-tool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246126669,"owners_count":20727594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antd-design","electron-react-typescript","express-js","nodejs-mongodb","passport-js"],"created_at":"2025-03-29T01:36:41.094Z","updated_at":"2026-04-16T08:36:59.911Z","avatar_url":"https://github.com/nichitaa.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e CS-2021 SBT - Security Benchmarking Tool\n\u003e\n\u003e FAF 192 Y3-S1\n\u003e\n\u003e Pasecinic Nichita\n\n\n\n### **Tech Stack**\n\n- [Electron](https://www.electronjs.org/) - for building cross-platform desktop apps (the app is configured to run in the browser too)\n- [React with TS](https://react-typescript-cheatsheet.netlify.app/) - for the UI ([antd](https://ant.design/) components)\n- [Express](https://expressjs.com/) - for our NodeJS API ([multer](https://github.com/expressjs/multer) for file storage, [crypto](https://nodejs.org/api/crypto.html) used for encryption / decryption)\n- [PassportJS](http://www.passportjs.org/) - for OAuth authentication (providers: Google, GitHub, Twitter)\n- [MongoDB](https://docs.mongodb.com/) - application database ([mongoose](https://mongoosejs.com/) ODM)\n- [Nodemailer](https://nodemailer.com/about/) - sending emails (email confirmation)\n\n----\n\n### **Topics**\n\n* **[1 - Importing Compliance Audit Policies](./tasks/CS_Lab1.pdf)**\n* **[2 - Creating Custom Audit Policies](./tasks/CS_Lab2.pdf)**\n* **[3 - Auditing a Workstation](./tasks/CS_Lab3.pdf)**\n* **[4 - Enforcing a Policy](./tasks/CS_Lab4.pdf)**\n* **[5 - Enforcing a Policy (cont'd)](./tasks/CS_Lab5.pdf)**\n* **[6 - SSO Security](./tasks/CS_Lab6.pdf)**\n* **[7 - Database Security](./tasks/CS_Lab7.pdf)**\n* **[8 - Email Confirmation](./tasks/CS_Lab8.pdf)**\n\n------\n\n### **Get Started**\n\n```bash\n$ # clone the project\n$ git clone https://github.com/nichitaa/CS-Labs\n$\n$ # install dependencies (electron deps)\n$ cd app\\electron-ts\n$ npm install # or yarn install\n$\n$ # install dependencies (express api)\n$ cd app\\express-api\n$ npm install\n$\n$ # run the app (the api should start first)\n$ cd app\\express-api\n$ npm run dev # available on http://localhost:8080\n$\n$ # run the desktop app\n$ cd app\\electron-ts\n$ npm run dev # will open the desktop app\n$ # the app can also be opened in the browser at: http://localhost:3000\n```\n\n------\n\n### **Environment variables**\n\nThe `API` requires several environment variables to be configured in order to run locally on your machine. Please create the `.env` file in the root of the `express API` (folder: `\\app\\express-api`) with your specific configuration:\n\n```\nMONGODB_URL= # mongo db connection url\n\nGOOGLE_CLIENT_ID= # google client id\nGOOGLE_CLIENT_SECRET= # google client secret\n\nGITHUB_CLIENT_ID= # github client id\nGITHUB_CLIENT_SECRET= # github client secret\n\nTWITTER_CONSUMER_KEY= # twitter api key\nTWITTER_CONSUMER_SECRET= # twitter secret key\n\nSMTP_HOST = # e.g. smtp.gmail.com\nSMTP_PORT = # defaults to 587\nSMTP_FROM_NAME = # emails will be sent with this name\nSMTP_AUTH_USER = # emails will be sent from this email address\nSMTP_AUTH_PASS = # nodemailer.createTransport password for the email provider\n\n```\n\n-----\n\n### **Demos**\n\n##### [1 - Importing Compliance Audit Policies](./tasks/CS_Lab1.pdf)\n\n* Importing an audit file\n* Parsing it into a JSON structure and saving it as a mongodb document\n* Saving the document on the local server (`uploads` folder)\n\n##### [2 - Creating Custom Audit Policies](./tasks/CS_Lab2.pdf)\n\n* Displaying each policy item in a separate section\n* Select / deselect a custom policy item from an audit document\n* Search bar to quickly find a custom audit item by attribute value\n* Select / deselect all custom items in one click\n* Create, save and display in the app a new policy with the selected custom items under a new name\n\n![recording1](https://github.com/nichitaa/CS-Labs/blob/main/recordings/recording1.gif)\n\n\n\n##### [3 - Auditing a Workstation](./tasks/CS_Lab3.pdf)\n\n* Perform an audit of the workstation using the selected custom items\n* Display the scan results as icons: a green checkbox is a passed test, red is a failed test, and yellow is a warning, meaning the actual value differs from the expected one but still satisfies the optional \"CAN_NOT_BE_NULL\" || \"CAN_BE_NULL\" constraint\n\n![recording2](https://github.com/nichitaa/CS-Labs/blob/main/recordings/gif3.gif)\n\n\n\n##### [4 - Enforcing a Policy](./tasks/CS_Lab4.pdf)\n\n* As a backup, the application will export all current system registry root keys (HKLM, HKCU, HKCR, HKU and HKCC) to a folder on the desktop (e.g. `regedit-backup1632761699`)\n* Apply a single fix (enforce) to a single failed custom item\n* Apply a batch fix over all failed items\n* Live results\n\n##### [5 - Enforcing a Policy (cont'd)](./tasks/CS_Lab5.pdf)\n\n* Adding more custom item rule types that can be enforced by the system\n\n![recording4](https://github.com/nichitaa/CS-Labs/blob/main/recordings/lab4.gif)\n\n\n\n##### [6 - SSO Security](./tasks/CS_Lab6.pdf)\n\n* Adding user authentication with SSO\n* PassportJS (SSO providers are Google, GitHub and Twitter)\n* The raw data from `passportjs` is displayed on the UI as a JSON structure\n\n![recording6](https://github.com/nichitaa/CS-Labs/blob/main/recordings/lab6.gif)\n\n\n\n##### [7 - Database Security](./tasks/CS_Lab7.pdf)\n\n* Some fields (e.g. the audit `filename`) are saved as encrypted values in the database (`aes-256-ctr` algorithm)\n* The email confirmation token used for user email verification is encrypted as well, and is stored as an `iv` / `content` pair:\n\n  ```json\n  \"token\": {\n    \"iv\": \"7b54d294024a965daed91065f86b83f0\",\n    \"content\": \"c84a154d23bf78a6ccc61127c44beb1626880e7c\"\n  }\n  ```\n\n##### [8 - Email Confirmation](./tasks/CS_Lab8.pdf)\n\n* Registered users can verify their email address (extracted from the SSO providers)\n* The verification tokens are encrypted and stored together with a user mapping in a mongodb collection\n* `Nodemailer` is used for sending email via our `express` API\n* The token confirmation page is server-side rendered\n* The electron SBT app displays the current status of the user's email verification\n\n\n\n# **[Download full app demo](https://github.com/nichitaa/CS-Labs/blob/main/recordings/demo.mp4)**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnichitaa%2Fsecurity-benchmarking-tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnichitaa%2Fsecurity-benchmarking-tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnichitaa%2Fsecurity-benchmarking-tool/lists"}