Introduction to VMware vRealize Automation SaltStack SecOps


Recently I began familiarizing myself with VMware vRealize Automation SaltStack Config in my home lab. While I'm still relatively new to the product, I was curious to learn more about the compliance and vulnerability management capabilities provided by the SecOps add-on. In this post, I introduce VMware vRealize Automation SaltStack SecOps and briefly review the various features and functionality provided by the product. In subsequent blog posts, I will give a more in-depth look at vulnerability management and compliance management capabilities.

A Brief History of VMware vRealize Automation SaltStack SecOps

Originally released in April 2019 alongside SaltStack Enterprise 6.0, the SaltStack SecOps add-on brought security policy compliance and vulnerability remediation capabilities to SaltStack Enterprise. SaltStack SecOps was well received in the industry and won several awards, including being named the hottest new cybersecurity product at RSA 2019 by CSO Online. In September 2020, VMware announced its intent to acquire SaltStack. By October 2020, VMware announced that it had closed the acquisition and introduced VMware vRealize Automation SaltStack Config as the configuration management component of VMware vRealize Automation. Finally, in February 2021, VMware announced the release of VMware vRealize Automation SaltStack SecOps.

What Is VMware vRealize Automation SaltStack SecOps?

VMware vRealize Automation SaltStack SecOps is an add-on for VMware vRealize Automation SaltStack Config, which comes as part of the vRealize Automation product. VMware describes the product as the “compliance and vulnerability management component of vRealize Automation, delivering full-service, closed-loop automation for IT system compliance and vulnerability remediation.” The add-on introduces two additional sections within the VMware vRealize Automation SaltStack Config user interface: Compliance and Vulnerability. I will explore each of these components in more detail below.

SaltStack SecOps Compliance

The Compliance portion of the SecOps add-on allows you to manage benchmarks and checks and to define assessment policies. Per VMware, the product “includes a database of up-to-date, certified security content based on CIS and Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).” However, as I’ve found with many compliance benchmarking products, the out-of-box content is often outdated and missing the latest operating system releases. In the case of DISA STIGs, earlier this year VMware vRealize Automation SaltStack SecOps contained only a single STIG (Red Hat Enterprise Linux 7), but as of this month, STIG content for both Microsoft Windows Server 2016 and Microsoft Windows Server 2019 is available. DISA released the Microsoft Windows Server 2022 STIG, Version 1, Release 1 on September 28, 2022. Hopefully, it will become available within VMware vRealize Automation SaltStack SecOps sooner rather than later.

[Figure: vRealize Automation SaltStack SecOps Compliance Summary]

Compliance Benchmarks

VMware’s Supported Security and Compliance Benchmarks documentation provides a list of the benchmarks supported within VMware vRealize Automation SaltStack SecOps. However, I’ve found that the list is inaccurate (as of October 2022). Based on my review of the compliance benchmarks available in the product, the following benchmarks are present in VMware vRealize Automation SaltStack SecOps:

OS/SW Name | Benchmark Authority | Benchmark Version | Benchmark Profiles
CentOS Linux 6 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
CentOS Linux 7 | CIS | v2.2.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Debian Linux 9 | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Docker 1.13.0 | CIS | v1.0.0 | Level 1 - Docker; Level 2 - Docker; Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Microsoft Windows 10 Enterprise Release 1703 | CIS | v1.3.0 | Level 1 - Workstation + BitLocker; Level 2 - Workstation + BitLocker
Microsoft Windows Server 2012 R2 | CIS | v2.3.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server
Microsoft Windows Server 2016 | DISA STIG | V2, R3; V2, R4 | Category I; Category II; Category III
Microsoft Windows Server 2016 RTM (Release 1607) | CIS | v1.1.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server; Next Generation Windows Security
Microsoft Windows Server 2019 | DISA STIG | V2, R3; V2, R4 | Category I; Category II; Category III
Microsoft Windows Server 2019 RTM (Release 1809) | CIS | v1.0.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server; Next Generation Windows Security - Domain Controller; Next Generation Windows Security - Member Server
Oracle Linux 7 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Red Hat Enterprise Linux 6 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Red Hat Enterprise Linux 7 | CIS | v2.2.0; v3.1.1 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Red Hat Enterprise Linux 7 | DISA STIG | Version 2, Release 4 | Category I; Category II; Category III
Red Hat Enterprise Linux 8 | CIS | v1.0.0; v2.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
SUSE Linux Enterprise Server 12 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
SUSE Linux Enterprise Server 15 | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Ubuntu Linux 14.04 LTS | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Ubuntu Linux 16.04 LTS | CIS | v1.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
Ubuntu Linux 18.04 LTS | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation
VMware Photon OS 3.0 | VMware Hardening Guide | Version 1 | Category II; Category III

Custom Compliance Content

VMware vRealize Automation SaltStack SecOps supports the creation of custom compliance content using the SaltStack SecOps Compliance Custom Content SDK. This SDK allows you to create, test, and build custom security content for use alongside the SaltStack SecOps built-in compliance library. Creating a custom compliance check is as simple as starting from the template files included in the SDK and defining both a state (.sls) file and a meta (.meta) file for each check. The SDK provides the ability to test your content using Docker containers, and once tested, the SDK can generate a tarball suitable for uploading into VMware vRealize Automation SaltStack SecOps.
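To make the assess-and-remediate shape of a compliance check concrete, here is an added example that is not part of the SDK, the product, or this post's original content. It implements the logic behind a CIS-style check ("Ensure SSH root login is disabled") in plain Python: parse the global section of an sshd_config, decide whether the host is compliant, and produce the hardened configuration. In the SDK this logic would be packaged as the state (.sls) and meta (.meta) pair described above; the remediation step would normally be expressed as a Salt state such as file.replace rather than the string rewrite shown here. The sshd_config text is constructed for the example, and the function and check names are my own.

```python
"""Illustrative compliance check logic (added example, not the SecOps SDK's code).

Models one CIS-style check, "Ensure SSH root login is disabled", as the two
halves a custom SecOps check would carry: assess (is the host compliant?) and
remediate (rewrite the configuration so that it is).  Function names and the
sample configuration are assumptions made for this example.
"""
import re

# Constructed sample sshd_config for offline testing; not captured from a host.
SAMPLE_NONCOMPLIANT = """\
# sshd_config -- constructed sample
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""


def parse_global_directives(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd uses the first value it obtains for each keyword, and anything after
    the first 'Match' line is conditional, so parsing stops there.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            directives.setdefault(key, parts[1].strip())   # first value wins
    return directives


def assess_root_login(text):
    """Assess: compliant only when PermitRootLogin is explicitly 'no'."""
    observed = parse_global_directives(text).get("permitrootlogin")
    # sshd's compiled-in default does not disable root login outright, so an
    # absent directive is reported as non-compliant rather than unknown.
    return {
        "check": "Ensure SSH root login is disabled",
        "observed": observed,
        "compliant": observed is not None and observed.lower() == "no",
    }


def remediate_root_login(text):
    """Remediate: force 'PermitRootLogin no' in the global section.

    Active PermitRootLogin lines before any Match block are replaced (extra
    copies dropped, so the first-value-wins rule cannot reintroduce 'yes');
    if none exists, the directive is inserted before the first Match block or
    appended at the end.  Match-block contents are left untouched.
    """
    out, fixed, in_match = [], False, False
    for raw in text.splitlines():
        stripped = raw.strip()
        key = re.split(r"[\s=]+", stripped, maxsplit=1)[0].lower() if stripped else ""
        if not in_match and key == "match":
            in_match = True
            if not fixed:
                out.append("PermitRootLogin no")
                fixed = True
        if not in_match and key == "permitrootlogin":
            if not fixed:
                out.append("PermitRootLogin no")
                fixed = True
            continue
        out.append(raw)
    if not fixed:
        out.append("PermitRootLogin no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = assess_root_login(SAMPLE_NONCOMPLIANT)
    hardened = remediate_root_login(SAMPLE_NONCOMPLIANT)
    after = assess_root_login(hardened)
    print(f"{before['check']}: observed={before['observed']!r} compliant={before['compliant']}")
    print(f"after remediation: observed={after['observed']!r} compliant={after['compliant']}")
```

The split into a read-only assess step and a separate remediate step mirrors the workflow the add-on exposes (run an assessment, review findings, then remediate), and it is worth keeping the two apart in custom content so that an assessment never changes the target.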

SaltStack SecOps Vulnerability

The Vulnerability portion of the VMware vRealize Automation SaltStack SecOps add-on allows you to assess and remediate your systems against the latest security advisories. Per VMware, it “is a vulnerability remediation solution that allows Security and IT teams to work together to assess the vulnerability status of your systems against the latest security advisories, including those that reference Common Vulnerabilities and Exposures (CVE).” This task is accomplished by defining a vulnerability policy, scanning target systems based on the policy, and remediating any advisory with an available remediation package.

I find this portion of the product quite intriguing due to the following:

  1. VMware vRealize Automation SaltStack SecOps duplicates existing capabilities within VMware’s Carbon Black suite of products. It even provides the ability to import vendor scan data from VMware Carbon Black (among other products).
  2. VMware vRealize Automation SaltStack SecOps does not provide a list or database of the known vulnerabilities that the product scans for or remediates.
  3. VMware vRealize Automation SaltStack SecOps Vulnerability data is only released quarterly, leaving the product outdated.

Given the lack of visibility into which vulnerabilities are supported and the infrequent updates to the vulnerability database, I find it difficult to view this product as a serious solution for vulnerability assessment and management. From my experience thus far, the tool appears to primarily surface missing-patch findings based on the guest operating systems’ built-in patching capabilities.

[Figure: vRealize Automation SaltStack SecOps Vulnerability Summary]

Supported Operating Systems

VMware vRealize Automation SaltStack SecOps Vulnerability supports the following operating systems:

Operating System | Versions
CentOS | 6, 7, 8
Red Hat Enterprise Linux | 6, 7, 8
Oracle Linux | 6, 7, 8
Ubuntu Linux | 16.x, 18.x
Microsoft Windows | Microsoft Windows 10; Microsoft Windows Server 2008+; Microsoft Windows Server 2012 R2; Microsoft Windows Server 2016 R1607; Microsoft Windows Server 2019 R1809

It’s worth noting that the list does not contain the latest operating systems, including:

  • CentOS Stream 9 (released in December 2021)
  • Red Hat Enterprise Linux 9 (released in May 2022)
  • Oracle Linux 9 (released in June 2022)
  • Ubuntu 20.x (released April 2020)
  • Ubuntu 22.x (released April 2022)
  • Microsoft Windows 11 (released October 2021)
  • Microsoft Windows Server 2022 (released August 2021)

Third-Party Security Scans

VMware vRealize Automation SaltStack SecOps supports importing results from third-party security scanners. After import, vRealize Automation SaltStack SecOps can be used to remediate the security advisories. The following third-party security scanning solutions are supported:

  • Tenable
  • Rapid7
  • Qualys
  • Kenna Security
  • Carbon Black

SaltStack SecOps Compliance and Vulnerability Content Updates

By default, vRealize Automation SaltStack SecOps regularly downloads and ingests the latest compliance and vulnerability data directly from VMware. If necessary, the product supports downloading this data via an HTTP proxy. If your SaltStack SecOps systems are on an air-gapped network, you can instead download the data manually from VMware Customer Connect and import the tarball files into the product. Per VMware, vulnerability data is updated quarterly, although VMware also states that this frequency could change in the future. VMware does not specify a release frequency for new benchmark data but says that benchmarks are released independently of SaltStack SecOps releases.

[Figure: vRealize Automation SaltStack SecOps Content Libraries Update Status]

Conclusion

VMware vRealize Automation SaltStack SecOps has the potential to be a useful tool when it comes to enforcing compliance with industry benchmarks. However, I’ve observed that new industry benchmarks have not been released in a timely fashion for enforcement via SaltStack SecOps. The lack of timely updates could be a roadblock to adopting the product within specific industries.

Regarding the tool’s vulnerability scanning and remediation capabilities, I do not see the product as a viable solution. The lack of a published vulnerability database and the infrequency of updates prevent the end user from knowing whether specific vulnerabilities exist within a system, or whether the tool is even checking systems for them. Until VMware vRealize Automation SaltStack SecOps can list which vulnerabilities a system does and does not have, the solution itself will only be useful for remediating vulnerabilities imported from third-party vulnerability scanners.
