Compliance Management with VMware Aria Automation SaltStack SecOps


In my previous post, Introduction to VMware vRealize Automation SaltStack SecOps, I introduced VMware Aria Automation SaltStack SecOps and gave a brief history and overview of the product's capabilities. In this post, I dive deeper into its compliance management capabilities.

Compliance Checks

Compliance checks are the foundation of VMware Aria Automation SaltStack SecOps compliance management. Each check carries the information needed to identify its purpose, the operating systems it applies to, the rationale behind it, and, most importantly, the state file that implements and remediates it. VMware Aria Automation SaltStack SecOps includes thousands of built-in checks mapped to the various CIS Benchmarks and DISA STIGs. Additionally, VMware provides the SaltStack SecOps Compliance Custom Content SDK, which lets customers define and load their own checks into the product. Most checks contain the following data:

  • Title - The name of the check as shown in the UI.
  • Description - A brief description of what the check verifies.
  • Action - What the check does when it runs.
  • Osfinger - The operating systems (Salt osfinger grain values) the check applies to.
  • Profile - The benchmark profiles the check belongs to.
  • Rationale - Why the check matters.
  • Refs - All benchmark references for the check, such as STIG IDs.
  • Remediation - How to remediate the finding within the guest OS.
  • Scored - Whether the check counts toward the minion's compliance score.
  • Vars - The variables used by the check and their default values.
  • State File - The Salt state definition that implements and remediates the check.

Aria Automation SaltStack SecOps Compliance Checks Catalog
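To make the Vars, Osfinger and State File fields concrete, here is an added example of a Salt state of the kind a check's state file holds. It is not one of the product's built-in checks and not taken from VMware's content; it implements a CIS-style control, "ensure sshd PermitRootLogin is set to no". The state IDs, the pillar key `secops:sshd_permit_root_login`, the file location `salt://secops/sshd_root_login.sls` and the minion target `web*` are assumptions for this illustration. The SDK's metadata file (title, refs, scored and so on) is not shown, because this page does not describe its format.

```yaml
# Added example, not one of the product's built-in checks: a Salt state of the
# kind a compliance check's "State File" field holds. It implements a CIS-style
# control, "ensure sshd PermitRootLogin is set to no". The state IDs, the
# pillar key "secops:sshd_permit_root_login" and the file location
# salt://secops/sshd_root_login.sls are assumptions for this illustration.

# "Vars": the desired value has a default here, and a policy can override it
# through pillar, which is how environment-specific values reach the check.
{%- set permit_root_login = salt['pillar.get']('secops:sshd_permit_root_login', 'no') %}

# "Osfinger": gate the check on the platforms it was written for. Debian-family
# systems name the service "ssh", RedHat-family systems name it "sshd".
{%- set applies = grains['os_family'] in ('RedHat', 'Debian') %}
{%- set sshd_service = 'ssh' if grains['os_family'] == 'Debian' else 'sshd' %}

{%- if applies %}

sshd_permit_root_login:
  file.replace:
    - name: /etc/ssh/sshd_config
    # Match an existing directive, commented out or not
    - pattern: '^\s*#?\s*PermitRootLogin\s+.*$'
    - repl: 'PermitRootLogin {{ permit_root_login }}'
    # If the directive is absent, add it rather than silently passing
    - append_if_not_found: True
    - backup: False

sshd_reload_after_change:
  service.running:
    - name: {{ sshd_service }}
    - enable: True
    # Only restart the daemon when the config file actually changed
    - watch:
      - file: sshd_permit_root_login

{%- else %}

# On other platforms return cleanly instead of failing the whole run
sshd_permit_root_login_not_applicable:
  test.succeed_without_changes:
    - name: 'PermitRootLogin check does not apply to {{ grains["osfinger"] }}'

{%- endif %}

# Assessment is the state run in test mode: it reports what would change and
# changes nothing. Remediation is the same state applied for real. The minion
# target 'web*' is assumed.
#   salt 'web*' state.apply secops.sshd_root_login test=True
#   salt 'web*' state.apply secops.sshd_root_login
```

In Salt terms the assessment is the dry run and the remediation is the real apply, which is why reviewing the state file and the variable values before remediating matters: whatever the state does in test mode, it will do for real on every targeted minion. The os_family gate keeps the check from erroring on a platform it was not written for, which is what allows one policy to cover a mixed-OS target group.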

Compliance Benchmarks

Benchmarks build upon checks by grouping the checks required to implement an industry compliance benchmark, such as a CIS Benchmark or DISA STIG. Each benchmark consists of the following items:

  • Benchmark Name - Usually the industry benchmark's title and version.
  • OS - The Salt operating system IDs the benchmark applies to.
  • Last Updated - The date the benchmark content was last updated within your deployment of SaltStack SecOps. Note that this is not the date VMware last updated the benchmark; it reflects only when the content was updated in your specific deployment.
  • Authority - The authority responsible for the benchmark, such as CIS or DISA STIG.
  • Checks - The compliance checks included in the benchmark.

Aria Automation SaltStack SecOps Compliance Benchmarks Catalog

Compliance Policies

Compliance policies define the relationship between compliance content (benchmarks and checks) and the minions assessed. They allow you to specify which benchmark checks are applied to which minions, the required configuration inputs for the various benchmark checks, and a schedule for evaluating the minions for compliance. Additionally, compliance policies contain compliance assessment and remediation data, benchmark check exemptions, and minion exemptions.

Aria Automation SaltStack SecOps Compliance Policy Summary

Defining a Compliance Policy

When defining a new compliance policy, a wizard walks you through the process of providing the following information:

  • Targets - The Targets section lets you name the policy and select the minion target group the policy applies to.

Aria Automation SaltStack SecOps Compliance Policy Target

  • Benchmarks - The Benchmarks section allows you to select one or more pre-defined compliance benchmarks, such as a CIS Benchmark or DISA STIG. If your target group contains minions on multiple operating systems, you can select multiple benchmarks for assessment.

Aria Automation SaltStack SecOps Compliance Policy Benchmarks

  • Checks - The Checks section lets you select the individual checks to include in your policy from the chosen benchmarks. When you first arrive at this screen, no checks are selected, so you must explicitly choose every check you want assessed.

Aria Automation SaltStack SecOps Compliance Policy Checks

  • Variables - This policy section allows you to customize any variables utilized by the Checks that you selected. These variables enable you to define environment-specific values in the Checks.

Aria Automation SaltStack SecOps Compliance Policy Variables

  • Schedule - This section defines how often the policy is assessed. You can specify recurring, date/time, once, or cron-based schedules. Additionally, you can define scheduling limits such as specific hours, start/end dates, and a splay (a random delay before each run).

Aria Automation SaltStack SecOps Compliance Policy Schedule

After defining all of the required information, you can save the policy and begin assessing compliance. When the assessment process is complete, you can review and remediate the findings, add exemptions, and modify the policy.

Compliance Policy Assessment Results

When the policy assessment is complete, the results are split across several tabs, Checks, Minions, Exemptions, Report, and Activity, alongside a REMEDIATE ALL option for the whole policy.

Checks

The Checks tab lists every check in the policy and the number of minions in each status: Compliant, Non-Compliant, Not Applicable, Error, or Unknown. Clicking a check loads its details along with the results of the last assessment and remediation. You can select the Non-Compliant minions and click REMEDIATE to begin remediation, or click EXEMPTION to add an exemption to the policy for that specific check/minion combination.

Aria Automation SaltStack SecOps Compliance Policy Assessment Check Results

Minions

The Minions tab provides assessment results grouped per minion. After selecting a minion, a minion details report lists the state of all policy checks for the minion. From here, you can choose individual checks to either remediate or exempt.

Aria Automation SaltStack SecOps Compliance Policy Assessment Minions Results

Aria Automation SaltStack SecOps Compliance Policy Assessment Minion Details

Exemptions

The Exemptions tab displays all exemptions defined within the policy during your review of the Checks or Minions tabs. The same check can be exempted multiple times, grouping different minions into separate exemptions. Each exemption requires a reason when it is created, and the exemptions and their reasons are displayed here. You can expand an exemption's details and click REMOVE EXEMPTION if it is no longer needed.

Aria Automation SaltStack SecOps Compliance Policy Assessment Exemptions

Report

The Report tab provides an overview of the assessment and lets you download the full details as JSON, delivered inside a .zip file.

Aria Automation SaltStack SecOps Compliance Policy Assessment Report

Activity

The Activity tab lists all activity related to the policy, such as assessment and remediation jobs. Each job in the list provides a link to download the job details.

Aria Automation SaltStack SecOps Compliance Policy Assessment Activity

Remediating Compliance Policy Findings

Aria Automation SaltStack SecOps provides several options for remediating compliance policy findings. The possibilities include remediating all findings for the entire compliance policy, remediating one or more findings for all minions, remediating all findings for one or more minions, and remediating one or more findings for a particular minion.

Remediating All Findings

The first option is to remediate all findings for a specific compliance policy. Select the compliance policy and click the REMEDIATE ALL button in the top right corner. Because this applies every selected check's state file to every non-compliant minion in the target group, review the checks and variable values before using it.

Aria Automation SaltStack SecOps Compliance Policy Assessment Remediating All

Remediating One or More Findings for All Minions

The next option is to remediate one or more findings across all minions. Select the compliance policy, then select the specific checks you wish to remediate from the Checks tab and click the REMEDIATE button.

Aria Automation SaltStack SecOps Compliance Policy Assessment Remediating Specific Checks

Remediating All Findings for One or More Minions

To remediate all findings for one or more minions, start by selecting the Minions tab. Next, choose the minions you wish to remediate and click the REMEDIATE button.

Aria Automation SaltStack SecOps Compliance Policy Assessment Remediating All Checks for One or More Minions

Remediating One or More Findings for a Particular Minion

The final option is to remediate specific findings for a single minion. To accomplish this task, select the Minions tab, then click the name of the minion you wish to remediate. Next, choose the checks you want to remediate from the Last assessment tab and click the REMEDIATE button.

Aria Automation SaltStack SecOps Compliance Policy Assessment Remediating Specific Checks for a Minion Step 1

Aria Automation SaltStack SecOps Compliance Policy Assessment Remediating Specific Checks for a Minion Step 2

Conclusion

VMware Aria Automation SaltStack SecOps provides a powerful tool for assessing and remediating minions against industry benchmarks such as CIS Benchmarks and DISA STIGs. Compliance policies offer flexibility in how benchmarks, checks, variables, schedules, and exemptions are applied to your minions, so each policy can be tailored to your environment's requirements. Additionally, with the SaltStack SecOps Compliance Custom Content SDK you can define custom checks and include them in your compliance policies.
