VMware vRealize Automation SaltStack SecOps offers compliance and vulnerability management for workloads running the vRealize Automation SaltStack Config minion. SaltStack SecOps is an add-on to vRA SaltStack Config which allows policy creation and assessment of Operating System configurations to determine compliance and security posture. The assessments use compliance benchmarks from the Center for Internet Security (CIS) and US Department of Defense Systems Agency (DISA) Security Technical Implementation Guides (STIG). Vulnerability assessments use Common Vulnerabilities and Exposures (CVEs) directly from the source vendor (typically). Additionally, SaltStack SecOps provides the option to remediate the state of a target machine and address any discovered compliance or vulnerability issues.
Furthermore, in a situation where a division of responsibilities is required for assessment and remediation, roles-based access controls provide guardrails for different personas in an organization. For example, controls can be configured to allow security administrators to create policies and run assessments. Once assessments have been completed, operations administrators can remediate issues to bring deployments into compliance and address vulnerabilities.
SaltStack Config makes up the last mile, so to speak, of SecOps (the methodology) by providing both the assessment and remediation capabilities that are needed to maintain compliance. In this blog series, I will walk through the aforementioned areas and provide a look into how compliance and security management occurs with SaltStack SecOps. Part one will focus on the compliance aspects of the product, part two covers Vulnerability management, and part three, RBAC, API scenarios, and customizations. No Saltstack SecOps discussion is complete without describing the various Saltstack Config features that will be used during the assessment and remediation process. If you haven’t spent much time with SaltStack Config, I recommend checking out Vincent’s blog to familiarize yourself.
Once SecOps is enabled and a user has logged into SaltStack Config, you will see a view similar to the screenshot. Clicking Comply or Protect on the menu displays additional options. Choosing Comply, you can also view individual benchmarks and checks from the menu selection on the left. Selecting Policies, summary information on the main view breaks down the compliance summary by regulation in the graph and provides an overall summary of all assessments and remediation runs. In general you want more green than red and all green should be your goal! The bottom window offers summary views for each policy and allows you to create and manage policies. Clicking create policy opens the policy configuration wizard.
We start by naming the policy and choosing a Target. Targets are groups of minions that are created for a number of reasons, but in this context, a Target is a grouping of Machines that will be assessed for Compliance management. In this case, I want to scan a group of web servers to check their compliance status. I’ve named the policy Web Servers and chosen the identically named Target: Web Servers from the dropdown selection.
My web servers are running CentOS 7. On the Benchmarks tab, I chose CIS CentOS Linux 7 Benchmark from the list. Note: we currently support 88 different OS benchmarks. Each benchmark and the associated checks are taken directly from CIS, STIG or RedHat. You can select one or more benchmarks based on the OS version you want to assess.
After choosing the Benchmark(s), clicking Next displays the list of Checks that are included. You can select all Checks available for a benchmark or refine the list by using a filter. Notice in the screenshot, I filtered checks to a smaller number based on SSH. Selecting the checkboxes next to an item includes those checks in the policy. In the example, once all the SSH checks are selected, a different filter can be entered until all the relevant checks are selected for your needs.
If you’re unsure what a Check involves, click the arrows next to the checkbox. Information will appear which provides a description, rationale, Osfinger for Grain matching, benchmark ref, and importantly, actions the check will take if remediation is required.
Scrolling down a bit on the Check’s information, details are provided on the State File. This detail shows what Salt will check when an assessment runs and subsequently what will happen if you choose to remediate. The variable test=True tells Salt the run is a check against the state of a machine and is used for assessment purposes. No changes will occur to the target during the assessment phase. Salt States are what sets SaltStack Config SecOps apart from other SecOps products. While many products claim to offer remediation of an issue or configuration, SaltStack goes well beyond simple remediation by offering full state management, configuration drift, and patching for continuous security and compliance management.
VMware is certified with CIS and DISA to obtain benchmarks and adds States to the Check so you don’t have to. Adding a State File to the process dramatically cuts down on the amount of time it will take for your company to understand your compliance posture, and if necessary, immediately remediate states when a change is required. This process also cuts out the often very lengthy process of developing your own state files, testing, and frequently iterating on those files until your OS is properly compliant.
Many Checks offer the ability to tweak a specific config in your environment. Clicking Variables allows you to make a change directly in the policy and have those changes occur during a remediation. Alternatively you can change the config state through the main SaltStack config portion of the interface or via CLI.
As a final step in the policy creation process, you can create a schedule for running assessments. In the example, I chose to run an assessment every Saturday at 2:00 AM. You can also run the assessment once or set an interval for a recurring assessment down to the hour, minute, and second depending on your needs. Cron expressions offer additional customization options for scheduling. The maximum number of parallel jobs are set to control the assessment speed and resource use.
After a policy is created, you can run an assessment at any time by clicking the green Run Assessment box inside that policy. Notice you also have the option to make changes to a policy as well.
I ran the assessment using the SSH checks that were set on the filter. The assessment results tells us that the VMs are 91% non-compliant for the SSH checks I selected. You can view each check’s compliance status for the target, whether the check actually applies to the target, if there were errors during the assessment, and whether SecOps was able to determine the status, shown as Unknown. At this point, you can choose to remediate all checks against the Target or exempt certain checks if you decide they aren’t relevant.
For a deeper view into each VM, click Minions. You are shown a more detailed view of the compliance status for each Minion (VM) in the selected Target. At this level, choose individual VMs for remediation, exemption or all VMs. Also there are options to run SaltStack Config jobs and commands directly against the VMs. A set of predefined and custom jobs and commands can be used here that offer much greater state management flexibility beyond what is provided in each Check.
In the previous example, I selected one of the CentOS VMs and clicked remediate. Clicking Activity shows job status and gives you the ability to view job details.
Job details are shown in several different ways. Each provides a different level and type of information on what was assessed or in the case below what was remediated. I chose Highstate as an example which includes both Summary and deeper job details about the remediation. These views can provide an audit trail of changes to the state of a VM and provides attestation of compliance. You also have this detail for root isolation/cause should an error occur in the assessment or remediation process.
Once remediation is complete, running the assessment again will update results. The selected CentOS VM is now compliant with the checks I chose. When I clicked remediate SaltStack Config made the configuration changes detailed in the State Files for those checks. Now that the VM is compliant, clicking Report shows further information about the policy status and gives the ability to download a report for use as part of an audit process in your environment.
This completes my first blog post on SaltStack SecOps compliance management. As you can see, using SaltStack SeCops to understand your compliance posture and provide continuous compliance in your environment is straightforward and simple. In part two, I’ll cover the vulnerability management part of the product. Stay tuned for that blog! Thanks for reading my post today.