Merge pull request #235 from vmware/aria-automation-photon4-updates
Aria automation photon4 updates
freddyfeelgood authored Apr 24, 2024
2 parents 3961f0f + adf8f6c commit 12fd306
Showing 157 changed files with 7,568 additions and 5 deletions.
11 changes: 6 additions & 5 deletions aria/automation/8.x/README.md
Expand Up @@ -3,11 +3,12 @@
## Compatibility
The table below provides supported interoperability between product and STIG versioning. Application of STIG content outside interoperable versions is not supported.

| | V1R3* | V1R4* | V1R5* |
|:-------------------:|:------------------:|:------------------:|:------------------:|
| `8.11.x` | :heavy_check_mark: | :x: | :x: |
| `8.12.x` | :x: | :heavy_check_mark: | :x: |
| `8.13.1` | :x: | :x: | :heavy_check_mark: |
| | V1R3* | V1R4* | V1R5* | V1R6* |
|:-------------------:|:------------------:|:------------------:|:------------------:|:------------------:|
| `8.11.x` | :heavy_check_mark: | :x: | :x: | :x: |
| `8.12.x` | :x: | :heavy_check_mark: | :x: | :x: |
| `8.13.1` | :x: | :x: | :heavy_check_mark: | :x: |
| `8.16.1` | :x: | :x: | :x: | :heavy_check_mark: |

> [!NOTE]
> - \* Denotes STIG Readiness Guide
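Review bot: the new `8.16.1` row is narrower than the Supported Versions the README added in this same change declares (`8.16.1-8.16.2`); either list `8.16.x` in this table or restrict the README's range, so the two files agree on which builds V1R6 covers. Keeping the `*` on `V1R6*` is correct since the footnote below still applies.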
Binary file not shown.
@@ -0,0 +1,90 @@
# Change Log

## [8.x Version 1 Release 6] (2024-04-22)

#### Release Notes
- Replaced Photon 3 content with Photon 4 content.
- Fixed DKER-CE-000116 control (rename from 115)
- Fixed DKER-CE-000132 control (rename from 131)
- Updated Kubernetes control references (inclusion/exclusion)
- see Overview file in the xccdf zip for details

## [8.13.1 Version 1 Release 5] (2024-01-03)

#### Release Notes
- Updated documentation for Kubernetes manifest file changes.

## [8.12 Version 1 Release 4] (2023-10-30)

#### Release Notes
- Rebranding from vRealize Automation to VMware Aria Automation:
- VRAA-8X-000002
- VRAA-8X-000005
- VRAA-8X-000007
- VRAA-8X-000008 - fixed vracli command
- VRAA-8X-000009
- VRAA-8X-000012
- VRAA-8X-000014
- VRAA-8X-000046
- VRAA-8X-000047
- VRAA-8X-000074
- VRAA-8X-000091
- VRAA-8X-000106
- VRAA-8X-000107
- VRAA-8X-000123 - removed
- VRAA-8X-000125 - fixed fips mode check
- VRAA-8X-000126 - updated sshd config path
- VRAA-8X-000127
- VRAA-8X-000128
- Include Photon controls locally (instead of linking to Photon profile) to handle updated sshd config file path specific to Aria Automation.
- Updated inspec.yaml sshd command input in the Photon profile.
- Updated Photon controls with new sshd config file path:
- PHTN-30-000003
- PHTN-30-000006
- PHTN-30-000008
- PHTN-30-000009
- PHTN-30-000037
- PHTN-30-000038
- PHTN-30-000064
- PHTN-30-000078
- PHTN-30-000079
- PHTN-30-000080
- PHTN-30-000081
- PHTN-30-000082
- PHTN-30-000083
- PHTN-30-000084
- PHTN-30-000085
- PHTN-30-000086
- PHTN-30-000087
- PHTN-30-000112
- PHTN-30-000115
- PHTN-30-000119
- PHTN-30-000120

## [8.11 Version 1 Release 3] (2023-04-06)

#### Release Notes
- General cleanup, linting fixes.
- Switched to Official DISA Kubernetes v1r8 STIG content.
- VRAA-8X-000125 - Changed check from 'strict' to 'enabled' for FIPS mode.
- VRAA-8X-000126 - Moved from Photon to vRA to handle input value.
- VRAA-8X-000127 - Moved from Photon to vRA to handle path changes.
- VRAA-8X-000128 - Moved from Photon to vRA to handle config file option.

## [8.9 Version 1 Release 2] (2022-12-15)

#### Release Notes
- Removed Traefik and RabbitMQ controls, merged relevant controls into Application control set.
- General cleanup of verbiage, InSpec content, updates to pass linting.
- VRAA-8X-000001, VRAA-8X-000003, VRAA-8X-000004, VRAA-8X-000006, VRAA-8X-000010 - handled by IDM STIG controls.
- VRAA-8X-000007 - Updated Check and Fix.
- VRAA-8X-000011 - Marked as Duplicate of VRAA-8X-000012.
- VRAA-8X-000014, VRAA-8X-000015, VRAA-8X-000047, VRAA-8X-000074, VRAA-8X-000091, VRAA-8X-000106, VRAA-8X-000107 - Moved from Traefik to vRA Application control.
- VRAA-8X-000046 - Moved from RabbitMQ to vRA Application control.
- VRAA-8X-000123 - Added control for disabling CEIP.
- VRAA-8X-000125 - Added control to ensure FIPS mode.

## [8.2 Version 1 Release 1] (2021-08-04)

#### Release Notes
- Initial release for vRA 8
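Review bot: the `## [8.x Version 1 Release 6]` heading drops the product version that every earlier entry records (8.13.1, 8.12, 8.11, 8.9, 8.2); name the version this release targets so the change log can be matched against the compatibility table. The bullets `Fixed DKER-CE-000116 control (rename from 115)` and `Fixed DKER-CE-000132 control (rename from 131)` leave the direction ambiguous: state explicitly which ID is the old one and which is the new one, since assessors search on the control ID.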
@@ -0,0 +1,67 @@
# vmware-aria-automation-8x-stig-baseline
VMware Aria Automation 8.x STIG Readiness Guide Chef InSpec Profile
Version: Version 1 Release 6 Date: 22 April 2024
STIG Type: [STIG Readiness Guide](https://confluence.eng.vmware.com/pages/viewpage.action?pageId=1231779155)
Maintainers: Broadcom

## InSpec Profiles
InSpec profiles for VMware Aria Operations are available for each component or can be run all or some from the wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen here.

[See the InSpec docs for more info on Profile dependencies and inheritence](https://www.inspec.io/docs/reference/profiles/)

## Supported Versions
- 8.16.1-8.16.2

## Requirements
- [Chef InSpec](https://downloads.chef.io/tools/inspec) or [CINC Auditor](https://cinc.sh/start/auditor/) installed on a machine that can SSH to the target. Tested with cinc-auditor version 6.6.0. Chef/CINC Workstation can also be installed and used.
- Administrative access to the target via root or sudo.
- Update the inputs in inputs file example (inspec.yml) as appropriate for your environment.
- Assumes profile is downloaded to C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline

## How to run InSpec locally from Powershell on Windows

Run all profiles against a target appliance and output results to CLI
```
cinc-auditor exec C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password'
```

Or if currently in the base directory ('vmware-aria-automation-8x-stig-baseline')
```
inspec exec . -t ssh://root@<IP or FQDN> --password 'password'
```

Run all profiles against a target appliance, specify a wrapper inputs file, show progress, and output results to CLI and JSON
```
cinc-auditor exec C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --input-file=inputs-example.yml --show-progress --reporter=cli json:C:\Inspec\Reports\report.json
```

Run a specific profile (Docker in this case, using a Regex) against a target appliance, show progress, and output results to CLI and JSON using the wrapper profile
```
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\aria-automation.json --controls=/DKER/
```

Run a single STIG Control against a target appliance from a specific profile
```
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --controls=VRAA-8X-000008
```

Run all controls against a target appliance and specify a waiver file
```
cinc-auditor exec . -t ssh://root@<IP or FQDN> --password 'password' --waiver-file waivers-aria-operations-8x-internal.yml
```

## InSpec Vendoring
When you execute a local profile, the inspec.yml file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an inspec.lock file.

If you add or update dependencies in inspec.yml, dependencies may be re-vendored and the lockfile updated with `inspec vendor --overwrite`

## Waivers
A set of example controls to 'skip' is provided for reference if controls should not be applied. (docker.rb, kubernetes.rb, photon.rb, and aria-automation.rb)
Other waiver options can be found in the [InSpec Waiver Documentation](https://docs.chef.io/inspec/waivers/), and an example waiver file is provided in the root of the repository.

## Reporting
InSpec supports various reporting formats out of the box including HTML, JSON, and jUNIT.

There are also supplemental tools like [MITRE's SAF CLI](https://github.com/mitre/saf) that can be used to transform results to other formats like a STIG Checklist file.

Results can also be imported into a Mitre Heimdall server for a more polished visual result.
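Review bot: the InSpec Profiles paragraph says `InSpec profiles for VMware Aria Operations` and the waiver example passes `--waiver-file waivers-aria-operations-8x-internal.yml`, but this is the Aria Automation profile; fix both references, and make the waiver file name match the example file the Waivers section says ships in the repository root. The Requirements bullet points readers at `inspec.yml` for inputs while the run example passes `--input-file=inputs-example.yml`; name one inputs file consistently. Minor: the STIG Type link targets an internal `confluence.eng.vmware.com` page that external readers cannot open, and `inheritence` should read `inheritance`.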
@@ -0,0 +1,45 @@
control 'VRAA-8X-000002' do
title 'VMware Aria Automation must protect log tools from unauthorized access.'
desc "
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data.
It is therefore imperative that access to log tools be controlled and protected from unauthorized access.
Application servers generally provide web- and/or command line-based functionality for managing the application server log capabilities. In addition, subsets of log tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web-based log tools, any file system-based tools are protected as well.
"
desc 'rationale', ''
desc 'check', "
At the command prompt, run the following command:
# stat -c \"%a:%U:%G\" /usr/local/bin/vracli
Expected result:
700:root:root
If the output does not match the expected result, this is a finding.
"
desc 'fix', "
At the command prompt, run the following command(s):
# chmod 700 /usr/local/bin/vracli
# chown root:root /usr/local/bin/vracli
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-APP-000121-AS-000081'
tag satisfies: ['SRG-APP-000122-AS-000082', 'SRG-APP-000123-AS-000083', 'SRG-APP-000340-AS-000185']
tag gid: 'V-VRAA-8X-000002'
tag rid: 'SV-VRAA-8X-000002'
tag stig_id: 'VRAA-8X-000002'
tag cci: ['CCI-001493', 'CCI-001494', 'CCI-001495', 'CCI-002235']
tag nist: ['AC-6 (10)', 'AU-9']

describe file('/usr/local/bin/vracli') do
it { should_not be_more_permissive_than('0700') }
its('owner') { should eq 'root' }
its('group') { should eq 'root' }
end
end
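Review bot: the automated test and the manual check disagree on stricter modes: `should_not be_more_permissive_than('0700')` passes for `0500` or `0600`, while the check text says any output other than `700:root:root` is a finding. Either relax the check text to "700 or more restrictive" or assert `its('mode') { should cmp '0700' }` so an assessor running the profile and an assessor following the text reach the same verdict. Also `desc 'rationale', ''` is an empty field; fill it or drop it.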
@@ -0,0 +1,48 @@
control 'VRAA-8X-000005' do
title 'VMware Aria Automation must use cryptographic mechanisms to protect the integrity of log tools.'
desc "
Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log reports) needed to successfully log information system activity.
It is not uncommon for attackers to replace the log tools or inject code into the existing tools for the purpose of providing the capability to hide or erase system activity from the logs.
To address this risk, log tools must be cryptographically signed in order to provide the capability to identify when the log tools have been modified, manipulated or replaced. An example is a checksum hash of the file or files.
Application server log tools must use cryptographic mechanisms to protect the integrity of the tools or allow cryptographic protection mechanisms to be applied to their tools.
"
desc 'rationale', ''
desc 'check', "
At the command prompt, run the following command:
# rpm -V prelude-vracli
If the command produces any output showing files have been modified, this is a finding.
Note: In some cases \"tmp\" files may be created during package install, and later cleaned up, which rpm will report as \"missing\". These changes must be inspected on a case by case basis for determination if they should be considered findings or not.
"
desc 'fix', "
The fix will vary on the file and the modification made. If the user or group has been changed, run the following command:
# rpm --setugids prelude-vracli
If the permissions have been changed, run the following command:
# rpm --setperms prelude-vracli
If the md5 hash has been changed, roll back to a previous backup or contact VMware support.
The original files are not retained and cannot be included here.
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-APP-000290-AS-000174'
tag gid: 'V-VRAA-8X-000005'
tag rid: 'SV-VRAA-8X-000005'
tag stig_id: 'VRAA-8X-000005'
tag cci: ['CCI-001496']
tag nist: ['AU-9 (3)']

# Find any modified files, ignoring missing tmp files...
describe command('rpm -V prelude-vracli | grep -v "^missing\s*/tmp"') do
its('stdout.strip') { should cmp '' }
end
end
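Review bot: the filter `grep -v "^missing\s*/tmp"` only drops `missing` lines where the path follows the whitespace directly; `rpm -V` can print a file-type column (for example `c` for config files) between `missing` and the path, so such tmp entries would still fail the test even though the check text says to judge them case by case. `grep -v "^missing.*/tmp"` covers both forms. Separately, `should cmp ''` discards the evidence an assessor needs to choose between the fix's `--setugids` and `--setperms` paths; consider a comment noting that the raw `rpm -V prelude-vracli` output should be captured alongside the result.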