Merge pull request #235 from vmware/aria-automation-photon4-updates
Aria automation photon4 updates
Showing 157 changed files with 7,568 additions and 5 deletions.
Binary file added (+3.33 MB): aria/automation/8.x/docs/VMware_Aria_Automation_8.x_STIG_Readiness_Guide_v1r6.zip (binary file not shown)
90 changes: 90 additions & 0 deletions ...mation/8.x/v1r6-srg/inspec/vmware-aria-automation-8x-stig-baseline/CHANGELOG.md
@@ -0,0 +1,90 @@ | ||
# Change Log | ||
|
||
## [8.x Version 1 Release 6] (2024-04-22) | ||
|
||
#### Release Notes | ||
- Replaced Photon 3 content with Photon 4 content. | ||
- Fixed DKER-CE-000116 control (rename from 115) | ||
- Fixed DKER-CE-000132 control (rename from 131) | ||
- Updated Kubernetes control references (inclusion/exclusion) | ||
- see Overview file in the xccdf zip for details | ||
|
||
## [8.13.1 Version 1 Release 5] (2024-01-03) | ||
|
||
#### Release Notes | ||
- Updated documentation for Kubernetes manifest file changes. | ||
|
||
## [8.12 Version 1 Release 4] (2023-10-30) | ||
|
||
#### Release Notes | ||
- Rebranding from vRealize Automation to VMware Aria Automation: | ||
- VRAA-8X-000002 | ||
- VRAA-8X-000005 | ||
- VRAA-8X-000007 | ||
- VRAA-8X-000008 - fixed vracli command | ||
- VRAA-8X-000009 | ||
- VRAA-8X-000012 | ||
- VRAA-8X-000014 | ||
- VRAA-8X-000046 | ||
- VRAA-8X-000047 | ||
- VRAA-8X-000074 | ||
- VRAA-8X-000091 | ||
- VRAA-8X-000106 | ||
- VRAA-8X-000107 | ||
- VRAA-8X-000123 - removed | ||
- VRAA-8X-000125 - fixed fips mode check | ||
- VRAA-8X-000126 - updated sshd config path | ||
- VRAA-8X-000127 | ||
- VRAA-8X-000128 | ||
- Include Photon controls locally (instead of linking to Photon profile) to handle updated sshd config file path specific to Aria Automation. | ||
- Updated inspec.yaml sshd command input in the Photon profile. | ||
- Updated Photon controls with new sshd config file path: | ||
- PHTN-30-000003 | ||
- PHTN-30-000006 | ||
- PHTN-30-000008 | ||
- PHTN-30-000009 | ||
- PHTN-30-000037 | ||
- PHTN-30-000038 | ||
- PHTN-30-000064 | ||
- PHTN-30-000078 | ||
- PHTN-30-000079 | ||
- PHTN-30-000080 | ||
- PHTN-30-000081 | ||
- PHTN-30-000082 | ||
- PHTN-30-000083 | ||
- PHTN-30-000084 | ||
- PHTN-30-000085 | ||
- PHTN-30-000086 | ||
- PHTN-30-000087 | ||
- PHTN-30-000112 | ||
- PHTN-30-000115 | ||
- PHTN-30-000119 | ||
- PHTN-30-000120 | ||
|
||
## [8.11 Version 1 Release 3] (2023-04-06) | ||
|
||
#### Release Notes | ||
- General cleanup, linting fixes. | ||
- Switched to Official DISA Kubernetes v1r8 STIG content. | ||
- VRAA-8X-000125 - Changed check from 'strict' to 'enabled' for FIPS mode. | ||
- VRAA-8X-000126 - Moved from Photon to vRA to handle input value. | ||
- VRAA-8X-000127 - Moved from Photon to vRA to handle path changes. | ||
- VRAA-8X-000128 - Moved from Photon to vRA to handle config file option. | ||
|
||
## [8.9 Version 1 Release 2] (2022-12-15) | ||
|
||
#### Release Notes | ||
- Removed Traefik and RabbitMQ controls, merged relevant controls into Application control set. | ||
- General cleanup of verbiage, InSpec content, updates to pass linting. | ||
- VRAA-8X-000001, VRAA-8X-000003, VRAA-8X-000004, VRAA-8X-000006, VRAA-8X-000010 - handled by IDM STIG controls. | ||
- VRAA-8X-000007 - Updated Check and Fix. | ||
- VRAA-8X-000011 - Marked as Duplicate of VRAA-8X-000012. | ||
- VRAA-8X-000014, VRAA-8X-000015, VRAA-8X-000047, VRAA-8X-000074, VRAA-8X-000091, VRAA-8X-000106, VRAA-8X-000107 - Moved from Traefik to vRA Application control. | ||
- VRAA-8X-000046 - Moved from RabbitMQ to vRA Application control. | ||
- VRAA-8X-000123 - Added control for disabling CEIP. | ||
- VRAA-8X-000125 - Added control to ensure FIPS mode. | ||
|
||
## [8.2 Version 1 Release 1] (2021-08-04) | ||
|
||
#### Release Notes | ||
- Initial release for vRA 8 |
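Review bot: the v1r6 entry at the top of this hunk ("Updated Kubernetes control references (inclusion/exclusion) - see Overview file in the xccdf zip for details") defers the substance of the change to a binary zip under aria/automation/8.x/docs/, which cannot be diffed or searched; list the Kubernetes control IDs that were included or excluded here so the changelog stands on its own, the way the v1r4 entry below enumerates the VRAA and PHTN controls it touched. The same applies to "Fixed DKER-CE-000116 control (rename from 115)" and the 132/131 line: say what was wrong in the control besides the ID rename. Minor: the heading reads "[8.x Version 1 Release 6]" while every earlier entry names a specific build (8.13.1, 8.12, 8.11, ...); if the profile is now version-agnostic, one sentence saying so would explain the change in convention.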
67 changes: 67 additions & 0 deletions ...utomation/8.x/v1r6-srg/inspec/vmware-aria-automation-8x-stig-baseline/README.md
@@ -0,0 +1,67 @@ | ||
# vmware-aria-automation-8x-stig-baseline | ||
VMware Aria Automation 8.x STIG Readiness Guide Chef InSpec Profile | ||
Version: Version 1 Release 6 Date: 22 April 2024 | ||
STIG Type: [STIG Readiness Guide](https://confluence.eng.vmware.com/pages/viewpage.action?pageId=1231779155) | ||
Maintainers: Broadcom | ||
|
||
## InSpec Profiles | ||
InSpec profiles for VMware Aria Operations are available for each component or can be run all or some from the wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen here. | ||
|
||
[See the InSpec docs for more info on Profile dependencies and inheritence](https://www.inspec.io/docs/reference/profiles/) | ||
|
||
## Supported Versions | ||
- 8.16.1-8.16.2 | ||
|
||
## Requirements | ||
- [Chef InSpec](https://downloads.chef.io/tools/inspec) or [CINC Auditor](https://cinc.sh/start/auditor/) installed on a machine that can SSH to the target. Tested with cinc-auditor version 6.6.0. Chef/CINC Workstation can also be installed and used. | ||
- Administrative access to the target via root or sudo. | ||
- Update the inputs in inputs file example (inspec.yml) as appropriate for your environment. | ||
- Assumes profile is downloaded to C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline | ||
|
||
## How to run InSpec locally from Powershell on Windows | ||
|
||
Run all profiles against a target appliance and output results to CLI | ||
``` | ||
cinc-auditor exec C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' | ||
``` | ||
|
||
Or if currently in the base directory ('vmware-aria-automation-8x-stig-baseline') | ||
``` | ||
inspec exec . -t ssh://root@<IP or FQDN> --password 'password' | ||
``` | ||
|
||
Run all profiles against a target appliance, specify a wrapper inputs file, show progress, and output results to CLI and JSON | ||
``` | ||
cinc-auditor exec C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --input-file=inputs-example.yml --show-progress --reporter=cli json:C:\Inspec\Reports\report.json | ||
``` | ||
|
||
Run a specific profile (Docker in this case, using a Regex) against a target appliance, show progress, and output results to CLI and JSON using the wrapper profile | ||
``` | ||
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\aria-automation.json --controls=/DKER/ | ||
``` | ||
|
||
Run a single STIG Control against a target appliance from a specific profile | ||
``` | ||
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --controls=VRAA-8X-000008 | ||
``` | ||
|
||
Run all controls against a target appliance and specify a waiver file | ||
``` | ||
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --waiver-file waivers-aria-operations-8x-internal.yml | ||
``` | ||
|
||
## InSpec Vendoring | ||
When you execute a local profile, the inspec.yml file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an inspec.lock file. | ||
|
||
If you add or update dependencies in inspec.yml, dependencies may be re-vendored and the lockfile updated with `inspec vendor --overwrite` | ||
|
||
## Waivers | ||
A set of example controls to 'skip' is provided for reference if controls should not be applied. (docker.rb, kubernetes.rb, photon.rb, and aria-automation.rb) | ||
Other waiver options can be found in the [InSpec Waiver Documentation](https://docs.chef.io/inspec/waivers/), and an example waiver file is provided in the root of the repository. | ||
|
||
## Reporting | ||
InSpec supports various reporting formats out of the box including HTML, JSON, and jUNIT. | ||
|
||
There are also supplemental tools like [MITRE's SAF CLI](https://github.com/mitre/saf) that can be used to transform results to other formats like a STIG Checklist file. | ||
|
||
Results can also be imported into a Mitre Heimdall server for a more polished visual result. |
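Review bot: the InSpec Profiles paragraph says "InSpec profiles for VMware Aria Operations are available", and the waiver example at the end of the run section points at `waivers-aria-operations-8x-internal.yml`; both look copied from the Aria Operations profile and should read Aria Automation (and name a waiver file that actually exists in this repository, which the Waivers section says is in the repository root). Two smaller points in the same hunk: the Requirements list tells the reader to edit inputs in `inspec.yml`, while the third command passes `--input-file=inputs-example.yml`, so the two should agree on which file holds the inputs; and every example passes the root password on the command line via `--password 'password'`, where it lands in shell history and the process list, so consider showing the `-i`/`--key-files` form with an SSH key instead of a literal password. Also "inheritence" should be "inheritance", and the STIG Type link points at an internal confluence.eng.vmware.com page that external readers of this public repository cannot open.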
45 changes: 45 additions & 0 deletions ...inspec/vmware-aria-automation-8x-stig-baseline/aria-automation/controls/VRAA-8X-000002.rb
@@ -0,0 +1,45 @@ | ||
control 'VRAA-8X-000002' do | ||
title 'VMware Aria Automation must protect log tools from unauthorized access.' | ||
desc " | ||
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. | ||
Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. | ||
It is therefore imperative that access to log tools be controlled and protected from unauthorized access. | ||
Application servers generally provide web- and/or command line-based functionality for managing the application server log capabilities. In addition, subsets of log tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web-based log tools, any file system-based tools are protected as well. | ||
" | ||
desc 'rationale', '' | ||
desc 'check', " | ||
At the command prompt, run the following command: | ||
# stat -c \"%a:%U:%G\" /usr/local/bin/vracli | ||
Expected result: | ||
700:root:root | ||
If the output does not match the expected result, this is a finding. | ||
" | ||
desc 'fix', " | ||
At the command prompt, run the following command(s): | ||
# chmod 700 /usr/local/bin/vracli | ||
# chown root:root /usr/local/bin/vracli | ||
" | ||
impact 0.5 | ||
tag severity: 'medium' | ||
tag gtitle: 'SRG-APP-000121-AS-000081' | ||
tag satisfies: ['SRG-APP-000122-AS-000082', 'SRG-APP-000123-AS-000083', 'SRG-APP-000340-AS-000185'] | ||
tag gid: 'V-VRAA-8X-000002' | ||
tag rid: 'SV-VRAA-8X-000002' | ||
tag stig_id: 'VRAA-8X-000002' | ||
tag cci: ['CCI-001493', 'CCI-001494', 'CCI-001495', 'CCI-002235'] | ||
tag nist: ['AC-6 (10)', 'AU-9'] | ||
|
||
describe file('/usr/local/bin/vracli') do | ||
it { should_not be_more_permissive_than('0700') } | ||
its('owner') { should eq 'root' } | ||
its('group') { should eq 'root' } | ||
end | ||
end |
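Review bot: the manual check and the automated test disagree on the expected mode. The check text requires `stat -c "%a:%U:%G"` to return exactly `700:root:root`, but the `describe file(...)` block only asserts `should_not be_more_permissive_than('0700')`, so a binary at `0500` or `0600` passes InSpec while a reviewer following the check text would record a finding. Either relax the check text to "no more permissive than 700" or assert `its('mode') { should cmp '0700' }` so the two match. Adding `it { should exist }` ahead of the owner/group checks gives a clearer failure than a nil comparison when the path is wrong, and `desc 'rationale', ''` is empty: populate it or drop the line, since an empty rationale only adds noise to the rendered STIG.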
48 changes: 48 additions & 0 deletions ...inspec/vmware-aria-automation-8x-stig-baseline/aria-automation/controls/VRAA-8X-000005.rb
@@ -0,0 +1,48 @@ | ||
control 'VRAA-8X-000005' do | ||
title 'VMware Aria Automation must use cryptographic mechanisms to protect the integrity of log tools.' | ||
desc " | ||
Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log reports) needed to successfully log information system activity. | ||
It is not uncommon for attackers to replace the log tools or inject code into the existing tools for the purpose of providing the capability to hide or erase system activity from the logs. | ||
To address this risk, log tools must be cryptographically signed in order to provide the capability to identify when the log tools have been modified, manipulated or replaced. An example is a checksum hash of the file or files. | ||
Application server log tools must use cryptographic mechanisms to protect the integrity of the tools or allow cryptographic protection mechanisms to be applied to their tools. | ||
" | ||
desc 'rationale', '' | ||
desc 'check', " | ||
At the command prompt, run the following command: | ||
# rpm -V prelude-vracli | ||
If the command produces any output showing files have been modified, this is a finding. | ||
Note: In some cases \"tmp\" files may be created during package install, and later cleaned up, which rpm will report as \"missing\". These changes must be inspected on a case by case basis for determination if they should be considered findings or not. | ||
" | ||
desc 'fix', " | ||
The fix will vary on the file and the modification made. If the user or group has been changed, run the following command: | ||
# rpm --setugids prelude-vracli | ||
If the permissions have been changed, run the following command: | ||
# rpm --setperms prelude-vracli | ||
If the md5 hash has been changed, roll back to a previous backup or contact VMware support. | ||
The original files are not retained and cannot be included here. | ||
" | ||
impact 0.5 | ||
tag severity: 'medium' | ||
tag gtitle: 'SRG-APP-000290-AS-000174' | ||
tag gid: 'V-VRAA-8X-000005' | ||
tag rid: 'SV-VRAA-8X-000005' | ||
tag stig_id: 'VRAA-8X-000005' | ||
tag cci: ['CCI-001496'] | ||
tag nist: ['AU-9 (3)'] | ||
|
||
# Find any modified files, ignoring missing tmp files... | ||
describe command('rpm -V prelude-vracli | grep -v "^missing\s*/tmp"') do | ||
its('stdout.strip') { should cmp '' } | ||
end | ||
end |
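Review bot: the grep pattern in the `describe command(...)` line sits inside a Ruby double-quoted string, so `\s` never reaches grep as a whitespace class; Ruby turns `"\s"` into a literal space and the shell receives `^missing */tmp`. That happens to work because ` *` still matches the run of spaces rpm prints after `missing`, but it works by accident; use a single-quoted Ruby string or write `\\s` so the intent survives the next edit. Two further points: the check text tells the reviewer to treat missing `/tmp` files "on a case by case basis", while the automated test silently discards every `missing ... /tmp` line, so the automation is looser than the manual check and the desc should say so; and any `rpm -V` output that is not a verification line (for example the message printed when `prelude-vracli` is not installed) also reaches the `stdout.strip` comparison, which fails correctly but reads as "files have been modified" in the report, so a preceding `describe package('prelude-vracli') do it { should be_installed } end` would make that case explicit. In the fix text, "will vary on the file" should be "will vary depending on the file", and "md5 hash" is better stated as "file digest", since current rpm verifies the digest recorded in the package (commonly SHA-256) rather than MD5.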