diff --git a/content/en/docs/Tutorials/vSphere/audit8.md b/content/en/docs/Tutorials/vSphere/audit8.md index e8749385..6d279932 100644 --- a/content/en/docs/Tutorials/vSphere/audit8.md +++ b/content/en/docs/Tutorials/vSphere/audit8.md @@ -16,7 +16,7 @@ To audit vSphere using InSpec we utilize the VMware transport(train-vmware) whic ### Prerequisites Versions listed below were used for this documentation. Other versions of these tools may work as well but if issues are found it is recommended to try the versions listed here. -* Powershell 7.3.4/PowerCLI 13.1 or newer +* Powershell 7.3.4/PowerCLI 13.3 or newer * [VMware.Vsphere.SsoAdmin PowerCLI Module 1.3.9](https://www.powershellgallery.com/packages/VMware.vSphere.SsoAdmin) or newer * InSpec/Cinc Auditor 6.6.0 * train-vmware 0.2.0 @@ -37,7 +37,7 @@ To extend the functionality of the VMware transport that ships with InSpec we ha To install the plugin that is included with the `vmware-vsphere-8.0-stig-baseline` profile, do the following: ```powershell # Install the custom train-vmware plugin. Update the path to the gem as needed. The command will be the same on Windows and Linux. -> cinc-auditor plugin install /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline/train-vmware-0.2.0.gem +> cinc-auditor plugin install /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline/train-vmware-0.2.0.gem # To verify the installation > cinc-auditor plugin list 
@@ -91,6 +91,13 @@ Included in the `vmware-vsphere-8.0-stig-baseline` is an example `inputs-example Open the inputs file for editing. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="bash" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Edit the inputs file +vi inputs-example.yml +{{< /tab >}} {{< tab header="8.0 U2" lang="bash" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline 
@@ -110,6 +117,34 @@ vi inputs-example.yml Update the inputs as shown below with values relevant to your environment. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="yaml" >}} +# Choose whether to scan a single host, all hosts in a cluster, or all hosts in vCenter. +vmhostName: '10.186.25.26' +cluster: '' +allesxi: false +# Set to true if hosts are joined to active directory for authentication +adJoined: false +# If ESXi is joined to AD, enter the AD group that has administrative access to ESXi. +adAdminGroup: 'MyAdAdminGroup' +# Enter the environment specific syslog server ESXi should be forwarding logs to +syslogServer: 'tcp://log.test.local:514' +# Enter the environment specific time servers. +esxiNtpServers: + - 'time-a-g.nist.gov' + - 'time-b-g.nist.gov' +# Enter the environment specific vMotion VLAN Id. +vMotionVlanId: '100' +# Enter the environment specific Management VLAN Id. +mgtVlanId: '101' +# Enter an array of users that should be in the lockdown mode exceptions list. +exceptionUsers: + - root + - dcui +# If snmp is used in the environment change to true. +snmpEnabled: 'false' +# Enter the latest build number for ESXi. +esxiBuildNumber: '24022510' +{{< /tab >}} {{< tab header="8.0 U2" lang="yaml" >}} # Choose whether to scan a single host, all hosts in a cluster, or all hosts in vCenter. vmhostName: '10.186.25.26' 
@@ -172,6 +207,35 @@ esxiBuildNumber: '21813344' In this example we will be scanning a single ESXi host attached to the target vCenter, specifying an inputs file, enabling enhanced outcomes in InSpec, and outputting a report to the CLI and to a JSON file. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Run the audit +> cinc-auditor exec ./esxi/ -t vmware:// --show-progress --enhanced-outcomes --input-file ./inputs-example.yml --reporter cli json:/tmp/reports/MyESXi8Report.json + +# Shown below is the last part of the output at the CLI. + [N/A] ESXI-80-000241: The ESXi host must not use the default Active Directory ESX Admin group. + [SKIP] The ESXi host 10.186.25.26 is not joined to AD, so this control is not applicable. + [PASS] ESXI-80-000243: The ESXi host must configure a persistent log location for all locally stored logs. + [PASS] PowerCLI Command: $vmhost = Get-VMHost -Name 10.186.25.26; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.syslog.config.get.Invoke() | Select-Object -ExpandProperty LocalLogOutputIsPersistent stdout.strip is expected to cmp == "true" + [FAIL] ESXI-80-000244: The ESXi host must enforce the exclusive running of executables from approved VIBs. + [FAIL] PowerCLI Command: Get-VMHost -Name 10.186.25.26 | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Select-Object -ExpandProperty Value stdout.strip is expected to cmp == "true" + + expected: true + got: False + + (compared using `cmp` matcher) + + [PASS] ESXI-80-000245: The ESXi host must use sufficient entropy for cryptographic operations. 
+ [PASS] PowerCLI Command: $vmhost = Get-VMHost -Name 10.186.25.26; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.settings.kernel.list.invoke()| Where {$_.Name -eq "disableHwrng"} | Select-Object -ExpandProperty Configured stdout.strip is expected to cmp == "FALSE" + [PASS] PowerCLI Command: $vmhost = Get-VMHost -Name 10.186.25.26; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.settings.kernel.list.invoke()| Where {$_.Name -eq "entropySources"} | Select-Object -ExpandProperty Configured stdout.strip is expected to cmp == "0" + [PASS] ESXI-80-000246: The ESXi host must not enable log filtering. + [PASS] PowerCLI Command: $vmhost = Get-VMHost -Name 10.186.25.26; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.syslog.config.logfilter.get.invoke() | Select-Object -ExpandProperty LogFilteringEnabled stdout.strip is expected to cmp == "false" + +Profile Summary: 29 successful controls, 26 control failures, 18 controls not reviewed, 4 controls not applicable, 0 controls have error +Test Summary: 41 successful, 51 failures, 23 skipped +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline @@ -239,6 +303,13 @@ Included in the `vmware-vsphere-8.0-stig-baseline` is an example `inputs-example Open the inputs file for editing. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="bash" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Edit the inputs file +vi inputs-example.yml +{{< /tab >}} {{< tab header="8.0 U2" lang="bash" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline 
@@ -258,6 +329,11 @@ vi inputs-example.yml Update the inputs as shown below with values relevant to your environment. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="yaml" >}} +# Choose whether to scan a single VM or all VMs in vCenter. +vmName: "" +allvms: true +{{< /tab >}} {{< tab header="8.0 U2" lang="yaml" >}} # Choose whether to scan a single VM or all VMs in vCenter. vmName: "" 
@@ -274,6 +350,70 @@ allvms: true In this example we will be scanning all VMs in the target vCenter, specifying an inputs file, enabling enhanced outcomes in InSpec, and outputting a report to the CLI and to a JSON file. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Run the audit +cinc-auditor exec ./vm/ -t vmware:// --show-progress --enhanced-outcomes --input-file ./inputs-example.yml --reporter cli json:/tmp/reports/MyVMs8Report.json + +# Shown below is the last part of the output at the CLI. + [PASS] VMCH-80-000207: Virtual machines (VMs) must enable logging. + [PASS] VM: stig vm2 is expected to cmp == "true" + [PASS] VM: stigvm1 is expected to cmp == "true" + [PASS] VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c is expected to cmp == "true" + [PASS] VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d is expected to cmp == "true" + [PASS] VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 is expected to cmp == "true" + [PASS] VMCH-80-000208: Virtual machines (VMs) must not use independent, non-persistent disks. 
+ [PASS] Checking the VM: stig vm2 for Non-Persistent Hard Disks is expected not to cmp == "IndependentNonPersistent" + [PASS] Checking the VM: stigvm1 for Non-Persistent Hard Disks is expected not to cmp == "IndependentNonPersistent" + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for Non-Persistent Hard Disks is expected not to cmp == "IndependentNonPersistent" + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for Non-Persistent Hard Disks is expected not to cmp == "IndependentNonPersistent" + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for Non-Persistent Hard Disks is expected not to cmp == "IndependentNonPersistent" + [PASS] VMCH-80-000209: Virtual machines (VMs) must remove unneeded floppy devices. + [PASS] Checking the VM: stig vm2 for Floppy drives is expected to be empty + [PASS] Checking the VM: stigvm1 for Floppy drives is expected to be empty + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for Floppy drives is expected to be empty + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for Floppy drives is expected to be empty + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for Floppy drives is expected to be empty + [PASS] VMCH-80-000210: Virtual machines (VMs) must remove unneeded CD/DVD devices. + [PASS] Checking the VM: stig vm2 for CD/DVD drives is expected to cmp == "false" + [PASS] Checking the VM: stigvm1 for CD/DVD drives is expected to cmp == "false" + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for CD/DVD drives is expected to be empty + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for CD/DVD drives is expected to be empty + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for CD/DVD drives is expected to be empty + [PASS] VMCH-80-000211: Virtual machines (VMs) must remove unneeded parallel devices. 
+ [PASS] Checking the VM: stig vm2 for parallel devices is expected not to match "Parallel" + [PASS] Checking the VM: stigvm1 for parallel devices is expected not to match "Parallel" + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for parallel devices is expected not to match "Parallel" + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for parallel devices is expected not to match "Parallel" + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for parallel devices is expected not to match "Parallel" + [PASS] VMCH-80-000212: Virtual machines (VMs) must remove unneeded serial devices. + [PASS] Checking the VM: stig vm2 for serial devices is expected not to match "Serial" + [PASS] Checking the VM: stigvm1 for serial devices is expected not to match "Serial" + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for serial devices is expected not to match "Serial" + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for serial devices is expected not to match "Serial" + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for serial devices is expected not to match "Serial" + [FAIL] VMCH-80-000213: Virtual machines (VMs) must remove unneeded USB devices. 
(2 failed) + [FAIL] Checking the VM: stig vm2 for USB devices is expected not to match "USB" + expected "IDE 0\r\nIDE 1\r\nPS2 controller 0\r\nPCI controller 0\r\nSIO controller 0\r\nKeyboard \r\nPointing ...er \r\nSCSI controller 0\r\nSATA controller 0\r\nCD/DVD drive 1\r\nHard disk 1\r\nNetwork adapter 1" not to match "USB" + + [FAIL] Checking the VM: stigvm1 for USB devices is expected not to match "USB" + expected "IDE 0\r\nIDE 1\r\nPS2 controller 0\r\nPCI controller 0\r\nSIO controller 0\r\nKeyboard \r\nPointing ...er \r\nSCSI controller 0\r\nSATA controller 0\r\nCD/DVD drive 1\r\nHard disk 1\r\nNetwork adapter 1" not to match "USB" + + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for USB devices is expected not to match "USB" + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for USB devices is expected not to match "USB" + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for USB devices is expected not to match "USB" + [PASS] VMCH-80-000214: Virtual machines (VMs) must disable DirectPath I/O devices when not required. 
+ [PASS] Checking the VM: stig vm2 for PCI passthrough devices is expected to be empty + [PASS] Checking the VM: stigvm1 for PCI passthrough devices is expected to be empty + [PASS] Checking the VM: vCLS-1446f2cc-b6b7-4778-84b7-f73f758dd46c for PCI passthrough devices is expected to be empty + [PASS] Checking the VM: vCLS-28a51340-7070-4437-b4b1-a87b7480ac7d for PCI passthrough devices is expected to be empty + [PASS] Checking the VM: vCLS-b680b5a0-5434-48a0-8420-82c95e5ab481 for PCI passthrough devices is expected to be empty + +Profile Summary: 23 successful controls, 2 control failures, 0 controls not reviewed, 0 controls not applicable, 0 controls have error +Test Summary: 121 successful, 4 failures, 0 skipped +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline @@ -411,6 +551,13 @@ Included in the `vmware-vsphere-8.0-stig-baseline` is an example `inputs-example Open the inputs file for editing. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="bash" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Edit the inputs file +vi inputs-example.yml +{{< /tab >}} {{< tab header="8.0 U2" lang="bash" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline 
@@ -430,6 +577,41 @@ vi inputs-example.yml Update the inputs as shown below with values relevant to your environment. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="yaml" >}} +# Enter the environment specific syslog server vCenter should be forwarding logs to. +syslogServers: + - 'loginsight.vmware.com' + - 'syslog.server2.com' +# Enter the environment specific time servers. +ntpServers: + - 'time-a-g.nist.gov' + - 'time-b-g.nist.gov' +# If an IPfix collector is used enter the IP. +ipfixCollectorAddress: '' +# List any users/groups that should be in the default roles that have crypto permissions. The default users/groups are provided below. +vcCryptoAdmins: + - 'VSPHERE.LOCAL\Administrator' + - 'VSPHERE.LOCAL\Administrators' + - 'VSPHERE.LOCAL\vCLSAdmin' +# List any roles that are approved to have crypto permissions. The default roles are provided below. +vcCryptoRoles: + - 'Admin' + - 'NoTrustedAdmin' + - 'vCLSAdmin' + - 'vSphereKubernetesManager' + - 'VMOperatorController' +# Enter any approved users in the bash shell administrators users group +bashShellAdminUsers: + - 'Administrator' +# Enter any approved group in the bash shell administrators group +bashShellAdminGroups: [] +# Enter any approved users in the trusted admin users group +trustedAdminUsers: [] +# Enter any approved users in the trusted admin group +trustedAdminGroups: [] +# Set to false if file based backups are used via the VAMI +backup3rdParty: false +{{< /tab >}} {{< tab header="8.0 U2" lang="yaml" >}} # Enter the environment specific syslog server vCenter should be forwarding logs to. syslogServers: 
@@ -504,6 +686,40 @@ backup3rdParty: false In this example we will be scanning vCenter controls in the target vCenter, specifying an inputs file, enabling enhanced outcomes in InSpec, and outputting a report to the CLI and to a JSON file. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Run the audit +cinc-auditor exec ./vcenter/ -t vmware:// --show-progress --enhanced-outcomes --input-file ./inputs-example.yml --reporter cli json:/tmp/reports/MyvCenter8Report.json + +# Shown below is the last part of the output at the CLI. + [PASS] VCSA-80-000302: The vCenter Server must reset port configuration when virtual machines are disconnected. + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VDSwitch STIG 1-DVUplinks-40").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VD PG 1").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VD PG 2").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VDSwitch STIG 2-DVUplinks-44").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VD PG 3").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [PASS] PowerCLI Command: (Get-VDPortgroup -Name "VD PG 4").ExtensionData.Config.Policy.PortConfigResetAtDisconnect stdout.strip is expected to cmp == "True" + [FAIL] VCSA-80-000303: The vCenter Server must disable Secure Shell (SSH) access. 
+ [FAIL] True is expected not to cmp == "true" + + expected: true + got: True + + (compared using `cmp` matcher) + + [FAIL] VCSA-80-000304: The vCenter Server must enable data in transit encryption for vSAN. + [FAIL] PowerCLI Command: $vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system; $vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name cluster0).ExtensionData.MoRef).DataInTransitEncryptionConfig.Enabled stdout.strip is expected to cmp == "true" + + expected: true + got: + + (compared using `cmp` matcher) + +Profile Summary: 25 successful controls, 22 control failures, 16 controls not reviewed, 3 controls not applicable, 0 controls have error +Test Summary: 136 successful, 26 failures, 20 skipped +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline @@ -578,6 +794,13 @@ Test Summary: 136 successful, 26 failures, 20 skipped Instead of running each STIG for product controls separately you can also run all of the vCenter, ESXi, and VM controls for a combined report. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline + +# Run the script +cinc-auditor exec . -t vmware:// --show-progress --enhanced-outcomes --input-file ./inputs-example.yml --reporter cli json:/tmp/reports/MyvSphere8Report.json +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline 
@@ -603,6 +826,81 @@ With this script you can also provide an [attestation](/docs/automation-tools/sa To use the runner script, do the following: {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Enter Powershell +pwsh + +# If not already previously done setup the credential for the vCenter connection. +# Note: VISERVER is referencing vCenter and not an ESXi host. +$env:VISERVER='10.186.30.81' +$env:VISERVER_USERNAME='Administrator@vsphere.local' +$env:VISERVER_PASSWORD='password' + +# Navigate to the powercli folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/powercli + +# Run the script +./VMware_vSphere_8.0_STIG_ESXi_InSpec_Runner.ps1 -vcenter 10.186.30.81 -reportPath /tmp/reports -inspecPath /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline -inputsfile ./vmware-vsphere-8.0-stig-esxi-inspec-runner-inputs-example.yml + +# You will be prompted for credentials to vCenter. This is to connect via PowerCLI before running InSpec to collect all of the host names to use as an input to InSpec for each individual host audit. 
+10:08:10 AM ...Enter credentials to connect to vCenter + +PowerShell credential request +Enter credentials for vCenter +User: administrator@vsphere.local +Password for user administrator@vsphere.local: **************** + +10:08:23 AM ...Connecting to vCenter Server 10.186.30.81 +10:08:26 AM ...Getting PowerCLI objects for all ESXi hosts in vCenter: 10.186.30.81 +10:08:27 AM ...Validated path for report at C:\Inspec\Reports\Runner +10:08:27 AM ...Report path is C:\Inspec\Reports\Runner and report file is C:\Inspec\Reports\Runner\VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-8-4.json +10:08:27 AM ...Running InSpec exec against 10.186.16.13 with inspec exec $inspecPath -t vmware:// --input vmhostName=$name --input-file $inputsFile --show-progress --reporter=json:$reportFile +FFFF...F...*.FF*..FFFFF.**.*.FF*.FFF.F..F*F.**********............F..*F.FF.F*..FFFF**FFFFFFFFFFFFFFFFF.FFFFF**.F... +10:10:06 AM ...Detected saf cli...generating STIG Viewer Checklist for 10.186.16.13 +10:10:11 AM ...Report path is C:\Inspec\Reports\Runner and report file is C:\Inspec\Reports\Runner\VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-8-4.json +10:10:11 AM ...Running InSpec exec against 10.186.16.134 with inspec exec $inspecPath -t vmware:// --input vmhostName=$name --input-file $inputsFile --show-progress --reporter=json:$reportFile +FFFF...F...*.FF*..FFFFF.**.*.FF*.FFF.F..F*F.**********............F..*F.FF.F*..FFFF**FFFFFFFFFFFFFFFFF.FFFFF**.F... 
+10:11:51 AM ...Detected saf cli...generating STIG Viewer Checklist for 10.186.16.134 +10:11:56 AM ...Report path is C:\Inspec\Reports\Runner and report file is C:\Inspec\Reports\Runner\VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-8-4.json +10:11:56 AM ...Running InSpec exec against 10.186.25.26 with inspec exec $inspecPath -t vmware:// --input vmhostName=$name --input-file $inputsFile --show-progress --reporter=json:$reportFile +FFFF...F...*.FF*..FFFFF.**.*.FF*.FFF.F..F*F.**********............F..*F.FF.F*..FFFF**FFFFFFFFFFFFFFFFF.FFFFF**.F... +10:13:26 AM ...Detected saf cli...generating STIG Viewer Checklist for 10.186.25.26 +10:13:30 AM ...Disconnecting from vCenter + +# Resulting output +ls /tmp/reports + + Directory: /tmp/reports + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +-a--- 6/7/2023 10:10 AM 473286 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-8-4.ckl +-a--- 6/7/2023 10:10 AM 521076 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-8-4.json +-a--- 6/7/2023 10:11 AM 473364 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-8-4.ckl +-a--- 6/7/2023 10:11 AM 521228 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-8-4.json +-a--- 6/7/2023 10:13 AM 473286 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-8-4.ckl +-a--- 6/7/2023 10:13 AM 521082 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-8-4.json + +# If you want to specify a attestation file to incorporate into the CKL results you can add the attestation argument to the command as follows: +./VMware_vSphere_8.0_STIG_ESXi_InSpec_Runner.ps1 -vcenter 10.186.30.81 -reportPath /tmp/reports -inspecPath /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/inspec/vmware-vsphere-8.0-stig-baseline -inputsfile ./vmware-vsphere-8.0-stig-esxi-inspec-runner-inputs-example.yml -attestationFile ./vmware-vsphere-8.0-stig-esxi-inspec-runner-attestation-example.yml + +# 
Resulting output +ls /tmp/reports + + Directory: /tmp/reports + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +-a--- 6/7/2023 10:39 AM 473326 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-37-15_with_Attestations.ckl +-a--- 6/7/2023 10:39 AM 592992 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-37-15_with_Attestations.json +-a--- 6/7/2023 10:39 AM 521084 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.13-6-7-2023_10-37-15.json +-a--- 6/7/2023 10:41 AM 473404 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-37-15_with_Attestations.ckl +-a--- 6/7/2023 10:41 AM 593137 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-37-15_with_Attestations.json +-a--- 6/7/2023 10:40 AM 521230 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.16.134-6-7-2023_10-37-15.json +-a--- 6/7/2023 10:42 AM 473326 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-37-15_with_Attestations.ckl +-a--- 6/7/2023 10:42 AM 592988 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-37-15_with_Attestations.json +-a--- 6/7/2023 10:42 AM 521082 VMware_vSphere_8.0_STIG_ESXi_Inspec_Report_10.186.25.26-6-7-2023_10-37-15.json +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Enter Powershell pwsh 
@@ -780,8 +1078,36 @@ In this example we will be scanning the vCenter appliance, specifying an inputs Updating the inputs file is not required for this profile but the `inputs-vcsa-8.0.yml` should be specified because it contains inputs for the Photon profile. +*Note: An inputs file is no longer required when running the V2R1 automation or newer for the VCSA scan.* + {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the InSpec profile folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vcsa/inspec/vmware-vcsa-8.0-stig-baseline + +# Run the audit +cinc-auditor exec . -t ssh://root@10.186.30.81 --password 'password' --show-progress --enhanced-outcomes --reporter cli json:/tmp/reports/MyVCSA8Report.json + +# Shown below is the last part of the output at the CLI. + [PASS] VCUI-80-000141: The vCenter UI service example applications must be removed. + [PASS] false is expected to cmp == "false" + [PASS] VCUI-80-000142: The vCenter UI service default ROOT web application must be removed. + [PASS] Command: `ls /usr/lib/vmware-vsphere-ui/server/webapps/ROOT` stdout.strip is expected to cmp == "" + [PASS] VCUI-80-000143: The vCenter UI service default documentation must be removed. + [PASS] false is expected to cmp == "false" + [PASS] VCUI-80-000151: The vCenter UI service must disable "ALLOW_BACKSLASH". + [PASS] is expected to be in nil and "false" + [PASS] VCUI-80-000152: The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER". + [PASS] is expected to be in nil and "true" + [PASS] VCUI-80-000154: The vCenter UI service manager webapp must be removed. + [PASS] false is expected to cmp == "false" + [PASS] VCUI-80-000155: The vCenter UI service host-manager webapp must be removed. 
+ [PASS] false is expected to cmp == "false" + +Profile Summary: 304 successful controls, 25 control failures, 0 controls skipped +Test Summary: 1240 successful, 80 failures, 0 skipped +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the InSpec profile folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vcsa/inspec/vmware-vcsa-8.0-stig-baseline diff --git a/content/en/docs/Tutorials/vSphere/remediate8.md b/content/en/docs/Tutorials/vSphere/remediate8.md index f4afa2ce..910e0898 100644 --- a/content/en/docs/Tutorials/vSphere/remediate8.md +++ b/content/en/docs/Tutorials/vSphere/remediate8.md @@ -16,7 +16,7 @@ To remediate vSphere, PowerCLI is the automation tool used, while for the VCSA w ### Prerequisites Versions listed below were used for this documentation. Other versions of these tools may work as well but if issues are found it is recommended to try the versions listed here. -* Powershell 7.3.4/PowerCLI 13.1 or newer +* Powershell 7.3.4/PowerCLI 13.3 or newer * [VMware.Vsphere.SsoAdmin PowerCLI Module 1.3.9](https://www.powershellgallery.com/packages/VMware.vSphere.SsoAdmin) or newer * Ansible 2.14.2 * A vSphere 8.x U1 or newer environment. 
@@ -63,6 +63,40 @@ In order to run the script effectively it must be provided with the organization Review the below parameters and gather the information needed to run the script: {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +[CmdletBinding()] +param ( + [Parameter(Mandatory=$true)] + [string]$vcenter, + [Parameter(Mandatory=$true)] + [pscredential]$vccred, + [Parameter(Mandatory=$true,ParameterSetName="hostname")] + [string]$hostname, + [Parameter(Mandatory=$true,ParameterSetName="cluster")] + [string]$cluster, + [Parameter(Mandatory=$false, + HelpMessage="Enter the path for the output report. Example /tmp")] + [string]$reportpath, + [Parameter(Mandatory=$true, + HelpMessage="Enter the Active Directory Admins group to use for administrative access to ESXi")] + [string]$esxAdminGroup, + [Parameter(Mandatory=$true, + HelpMessage="Enter allowed IP ranges for the ESXi firewall in comma separated format. For Example "192.168.0.0/16","10.0.0.0/8" ")] + [string[]]$allowedIPs, + [Parameter(Mandatory=$false, + HelpMessage="Enter the syslog server for the ESXi server(s). Example tcp://log.domain.local:514")] + [string]$syslogServer, + [Parameter(Mandatory=$false, + HelpMessage="Enable this option if VMware vRealize Log Insight is used to manage syslog on the ESXi host(s).")] + [switch]$logInsight, + [Parameter(Mandatory=$true, + HelpMessage="Enter NTP servers. For Example "10.1.1.1","10.1.1.2" ")] + [string[]]$ntpServers, + [Parameter(Mandatory=$false, + HelpMessage="Specify the native VLAN Id configured on the ports going to the ESXi Hosts. If none is specified the default of 1 will be used.")] + [string]$nativeVLAN = "1" +) +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} [CmdletBinding()] param ( 
@@ -155,6 +189,60 @@ This example will remediate all hosts in the vSphere cluster named `cluster0`. I {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the powercli folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/powercli + +# Running the script. +./VMware_vSphere_8.0_STIG_ESXi_Remediation.ps1 -vcenter 10.182.177.21 -vccred $vccred -cluster "cluster0" -esxAdminGroup "MyESXiGroup" -allowedIPs "10.10.10.0/24","10.10.11.0/24" -ntpServers "time-a-g.nist.gov","time-b-g.nist.gov" -syslogServer "tcp://loginsight.vmware.com:514" -reportpath /tmp/reports + +# Snippet from the output of running the script. +2:11:17 PM ...Remediating STIG ID:ESXI-80-000244 with Title: The ESXi host must enforce the exclusive running of executables from approved VIBs. +2:11:17 PM ...Setting VMkernel.Boot.execInstalledOnly was incorrectly set to False on 10.182.180.5...setting to true +VMkernel.Boot.execI… True VMHost +2:11:18 PM ...Setting VMkernel.Boot.execInstalledOnly was incorrectly set to False on 10.182.182.193...setting to true +VMkernel.Boot.execI… True VMHost +2:11:20 PM ...Setting VMkernel.Boot.execInstalledOnly was incorrectly set to False on 10.182.183.107...setting to true +VMkernel.Boot.execI… True VMHost +2:11:21 PM ...Remediating STIG ID:ESXI-80-000245 with Title: The ESXi host must use sufficient entropy for cryptographic operations. +2:11:22 PM ...disableHwrng set correctly to FALSE on 10.182.180.5 +2:11:22 PM ...entropySources set correctly to 0 on 10.182.180.5 +2:11:23 PM ...disableHwrng set correctly to FALSE on 10.182.182.193 +2:11:24 PM ...entropySources set correctly to 0 on 10.182.182.193 +2:11:25 PM ...disableHwrng set correctly to FALSE on 10.182.183.107 +2:11:25 PM ...entropySources set correctly to 0 on 10.182.183.107 +2:11:25 PM ...Remediating STIG ID:ESXI-80-000246 with Title: The ESXi host must not enable log filtering. 
+2:11:25 PM ...log filtering set correctly to false on 10.182.180.5 +2:11:25 PM ...log filtering set correctly to false on 10.182.182.193 +2:11:26 PM ...log filtering set correctly to false on 10.182.183.107 +2:11:26 PM ...Remediating STIG ID:ESXI-80-000008 with Title: The ESXi host must enable lockdown mode. +2:11:26 PM ...Enabling Lockdown mode with level lockdownNormal on 10.182.180.5 +2:11:26 PM ...Enabling Lockdown mode with level lockdownNormal on 10.182.182.193 +2:11:27 PM ...Enabling Lockdown mode with level lockdownNormal on 10.182.183.107 +2:11:27 PM ...Configuration Summary: +2:11:27 PM { + "vcenter": "10.182.177.21", + "hostname": "", + "cluster": "cluster0", + "vmhosts": [ + "10.182.180.5", + "10.182.182.193", + "10.182.183.107" + ], + "reportpath": "/tmp/reports", + "ok": 99, + "changed": 123, + "skipped": 25, + "failed": 5, + +# A results file and Powershell transcript is provided in the report path specified. +Directory: /tmp/reports + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +-a--- 6/8/2023 2:11 PM 6578 VMware_vSphere_8.0_STIG_ESXi_Remediation_Results_6-8-2023_14-6-38.json +-a--- 6/8/2023 2:11 PM 84552 VMware_vSphere_8.0_STIG_ESXi_Remediation_Transcript_6-8-2023_14-6-38.txt +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the powercli folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/powercli 
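Review bot: the Configuration Summary in the 8.0 U3 output stops at `"failed": 5,` with no closing brace, so the JSON object is cut off mid-snippet; either close it or mark the snippet as truncated. The sample output also carries June 2023 timestamps (`-a--- 6/8/2023 2:11 PM`) identical to the 8.0 U2 tab, so it was not captured with the v2r1 script; regenerate it from an 8.0 U3 run or state that the output is illustrative. Minor: `# A results file and Powershell transcript is provided` should read "are provided".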
@@ -278,6 +366,30 @@ This example will remediate all hosts in the vSphere cluster named `cluster0`. I {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the powercli folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/powercli + +# Running the script. +./VMware_vSphere_8.0_STIG_VM_Remediation.ps1 -vcenter 10.182.177.21 -vccred $vccred -cluster "cluster0" -reportpath /tmp/reports + +# Snippet from the output of running the script. +2:13:50 PM ...Connecting to vCenter Server 10.182.177.21 +2:13:52 PM ...Getting PowerCLI objects for all virtual machines in cluster: cluster0 +2:13:53 PM ...Remediating advanced settings on vCLS-1ef92498-69e3-4c68-b4fa-ef5a25b671b7 on 10.182.177.21 +2:13:53 PM ...Setting isolation.device.connectable.disable does not exist on vCLS-1ef92498-69e3-4c68-b4fa-ef5a25b671b7 and is compliant by default... +2:13:53 PM ...Setting isolation.tools.copy.disable does not exist on vCLS-1ef92498-69e3-4c68-b4fa-ef5a25b671b7 and is compliant by default... +2:13:53 PM ...Setting isolation.tools.diskShrink.disable does not exist on vCLS-1ef92498-69e3-4c68-b4fa-ef5a25b671b7 and is compliant by default... +2:13:53 PM ...Setting isolation.tools.diskWiper.disable does not exist on vCLS-1ef92498-69e3-4c68-b4fa-ef5a25b671b7 and is compliant by default... + +# A results file and Powershell transcript is provided in the report path specified. +Directory: /tmp/reports + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +-a--- 6/8/2023 2:14 PM 10743 VMware_vSphere_8.0_STIG_VM_Remediation_Transcript_6-8-2023_14-13-50.txt +-a--- 6/8/2023 2:14 PM 1105 VMware_vSphere_8.0_STIG_VM_Remediation_Transcript_6-8-2023_14-14-7.txt +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the powercli folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/powercli 
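Review bot: the directory listing in the 8.0 U3 VM tab shows two `..._VM_Remediation_Transcript_...txt` files and no `..._Results_...json`, which contradicts the preceding comment `# A results file and Powershell transcript is provided in the report path specified.` and differs from the ESXi and vCenter examples; check whether the VM script writes a results JSON and correct the listing (the second transcript, from a run 17 seconds later, looks like an accidental extra run).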
@@ -341,6 +453,24 @@ This script also uses the [VMware.Vsphere.SsoAdmin PowerCLI Module](https://www. Review the below parameters and gather the information needed to run the script: {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +[CmdletBinding()] +param ( + [Parameter(Mandatory=$true)] + [string]$vcenter, + [Parameter(Mandatory=$true)] + [pscredential]$vccred, + [Parameter(Mandatory=$false, + HelpMessage="Enter the path for the output report. Example /tmp")] + [string]$reportpath, + [Parameter(Mandatory=$false, + HelpMessage="If Netflow is used enter the collector IP address")] + [string]$vcNetflowCollectorIp = "", + [Parameter(Mandatory=$false, + HelpMessage="To disable Netflow on all port groups if enabled set to true")] + [boolean]$vcNetflowDisableonallPortGroups = $false +) +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} [CmdletBinding()] param ( 
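Review bot: `[boolean]$vcNetflowDisableonallPortGroups = $false` forces callers to pass an explicit `$true`, whereas a `[switch]` is the idiomatic PowerShell form for an on/off flag; if the v2r1 script's param block really declares `[boolean]`, leave the doc as-is so it matches the script, otherwise align it. The HelpMessage `If Netflow is used enter the collector IP address` should also say how the script treats the empty default (`""`), since that is what a reader who does not use Netflow needs to know.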
@@ -397,6 +527,37 @@ This example will remediate all controls on a target vCenter server. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="powershell" >}} +# Navigate to the powercli folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vsphere/powercli + +# Running the script. +./VMware_vSphere_8.0_STIG_vCenter_Remediation.ps1 -vcenter 10.182.177.21 -vccred $vccred -vcNetflowDisableonallPortGroups $true -reportpath /tmp/reports + +# Snippet from the output of running the script. +2:27:42 PM ...Connecting to vCenter Server 10.182.177.21 +2:27:44 PM ...Connecting to vCenter SSO Server 10.182.177.21 +2:27:45 PM ...Verifying vCenter 10.182.177.21 is version 8.0.x +2:27:45 PM ...vCenter 10.182.177.21 is version 8.0.1 continuing... +2:27:45 PM ...Getting PowerCLI objects for all virtual distributed switches in vCenter: 10.182.177.21 +2:27:45 PM ...Getting PowerCLI objects for all virtual distributed port groups in vCenter: 10.182.177.21 +2:27:46 PM ...Remediating STIG ID: VCSA-80-000009 with Title: The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. +2:27:46 PM ...!!This control must be remediated manually!! +2:27:46 PM ...Remediating STIG ID: VCSA-80-000023 with Title: The vCenter Server must enforce the limit of three consecutive invalid logon attempts by a user. +2:27:47 PM ...SSO login attempts set incorrectly on 10.182.177.21 +2:27:47 PM ...Remediating STIG ID: VCSA-80-000024 with Title: The vCenter Server must display the Standard Mandatory DoD Notice and Consent Banner before logon. +2:27:47 PM ...!!This control must be remediated manually!! +2:27:47 PM ...Remediating STIG ID: VCSA-80-000034 with Title: The vCenter Server must produce audit records containing information to establish what type of events occurred. 
+2:27:47 PM ...Setting config.log.level is already configured correctly to info on 10.182.177.21 + +# A results file and Powershell transcript is provided in the report path specified. +Directory: /tmp/reports + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +-a--- 6/8/2023 2:28 PM 2873 VMware_vSphere_8.0_STIG_vCenter_Remediation_Results_6-8-2023_14-27-42.json +-a--- 6/8/2023 2:28 PM 25530 VMware_vSphere_8.0_STIG_vCenter_Remediation_Transcript_6-8-2023_14-27-42.txt +{{< /tab >}} {{< tab header="8.0 U2" lang="powershell" >}} # Navigate to the powercli folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vsphere/powercli 
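Review bot: the 8.0 U3 tab's sample output reports `2:27:45 PM ...vCenter 10.182.177.21 is version 8.0.1 continuing...` and lists files dated `6/8/2023`, so it was captured on an 8.0.1 vCenter with the v1r1 script rather than on 8.0 U3 with v2r1; regenerate it from a U3 run, or at least drop the version line so readers are not misled about what was tested. The same applies to the ESXi example earlier in this change.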
@@ -485,6 +646,35 @@ root@sc1-10-182-131-166 [ ~ ]# chsh -s /bin/bash root To run all of the VCSA controls, follow the example below: {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="bash" >}} +# Navigate to the Ansible playbook folder +cd /usr/share/stigs/vsphere/8.0/v2r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening + +# The -k parameter will prompt for password and we are using extra-vars to specify a variable file for the playbook to use. +ansible-playbook -i 10.182.177.21, -u root playbook.yml -k -v --extra-vars @vars-vcenter.yml + +# Output example +SSH password: + +PLAY [all] ******************************************************************************************************************************************************************************************************************** + +TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************** +ok: [10.182.177.21] + +TASK [vmware-photon-3.0-stig-ansible-hardening : Include Photon] ************************************************************************************************************************************************************** +included: /home/rlakey/.ansible/roles/vmware-photon-3.0-stig-ansible-hardening/tasks/photon.yml for 10.182.177.21 + +TASK [vmware-photon-3.0-stig-ansible-hardening : Create time stamp] *********************************************************************************************************************************************************** +ok: [10.182.177.21] => {"ansible_facts": {"backup_timestamp": "2023-05-25-12-25-58"}, "changed": false} + +TASK [vmware-photon-3.0-stig-ansible-hardening : Backup files...if restoring be sure to restore permissions that original file had!!] 
***************************************************************************************** +ok: [10.182.177.21] => (item=/etc/rsyslog.conf) => {"ansible_loop_var": "item", "changed": false, "checksum": "7aa11dc58f144160e7e3dc2d40cb2f03a39a989c", "dest": "/tmp/ansible-backups-2023-05-25-12-25-58/rsyslog.conf", "gid": 0, "group": "root", "item": "/etc/rsyslog.conf", "md5sum": "d31d58ff2bbc5cff6b7f343c2580300c", "mode": "0644", "owner": "root", "size": 4000, "src": "/etc/rsyslog.conf", "state": "file", "uid": 0} +ok: [10.182.177.21] => (item=/etc/issue) => {"ansible_loop_var": "item", "changed": false, "checksum": "930cb25fc842aca6047cb9fc1bfbd6ea191e686f", "dest": "/tmp/ansible-backups-2023-05-25-12-25-58/issue", "gid": 0, "group": "root", "item": "/etc/issue", "md5sum": "f498b74a84aaa39e292d9b815899144d", "mode": "0644", "owner": "root", "size": 104, "src": "/etc/issue", "state": "file", "uid": 0} +ok: [10.182.177.21] => (item=/etc/audit/rules.d/audit.STIG.rules) => {"ansible_loop_var": "item", "changed": false, "checksum": "38f324fe67c6943e07ef1910b41dedeb0b256ca4", "dest": "/tmp/ansible-backups-2023-05-25-12-25-58/audit.STIG.rules", "gid": 0, "group": "root", "item": "/etc/audit/rules.d/audit.STIG.rules", "md5sum": "396d715044fc7a8d92a0332d3edb4112", "mode": "0640", "owner": "root", "size": 5080, "src": "/etc/audit/rules.d/audit.STIG.rules", "state": "file", "uid": 0} + +TASK [vmware-photon-3.0-stig-ansible-hardening : PHTN-30-000001 - Update/Create audit.STIG.rules file] ************************************************************************************************************************ +changed: [10.182.177.21] => {"changed": true, "checksum": "aaafa4e8c28743ce3cc22c818f28f4cb9a3f53b2", "dest": "/etc/audit/rules.d/audit.STIG.rules", "gid": 0, "group": "root", "md5sum": "91a31e7bbf9e3f0d7f390feb4360581b", "mode": "0640", "owner": "root", "size": 5180, "src": "/root/.ansible/tmp/ansible-tmp-1685039234.3606877-890-106251101523760/source", "state": "file", "uid": 
0} +{{< /tab >}} {{< tab header="8.0 U2" lang="bash" >}} # Navigate to the Ansible playbook folder cd /usr/share/stigs/vsphere/8.0/v1r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening @@ -548,6 +738,13 @@ changed: [10.182.177.21] => {"changed": true, "checksum": "aaafa4e8c28743ce3cc22 A more conservative and preferred approach is to target any non-compliant controls or run each component separately allowed you to perform any functional testing in between. {{< tabpane text=false right=false persist=header >}} {{% tab header="**Version**:" disabled=true /%}} +{{< tab header="8.0 U3" lang="bash" >}} +# Providing the tag "eam" will instruct the playbook to only run the eam role. This tag can be seen in each roles task/main.yml file. +ansible-playbook -i 10.182.177.21, -u root playbook.yml -k -v --extra-vars @vars-vcenter.yml --tags eam + +# Providing the tag "VCEM-70-000001" will instruct the playbook to only run task tagged with the STIG ID of VCEM-80-000001. +ansible-playbook -i 10.182.177.21, -u root playbook.yml -k -v --extra-vars @vars-vcenter.yml --tags VCEM-80-000001 +{{< /tab >}} {{< tab header="8.0 U2" lang="bash" >}} # Providing the tag "eam" will instruct the playbook to only run the eam role. This tag can be seen in each roles task/main.yml file. ansible-playbook -i 10.182.177.21, -u root playbook.yml -k -v --extra-vars @vars-vcenter-example.yml --tags eam
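Review bot: the Ansible output in the 8.0 U3 tab includes a contributor's home directory, `included: /home/rlakey/.ansible/roles/vmware-photon-3.0-stig-ansible-hardening/tasks/photon.yml for 10.182.177.21`, and a `2023-05-25-12-25-58` backup timestamp that match the 8.0 U2 tab; scrub the personal path (or show the role path under the playbook folder) and confirm that the role names and task output reflect what the v2r1 playbook actually runs.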
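Review bot: the comment `# Providing the tag "VCEM-70-000001" will instruct the playbook to only run task tagged with the STIG ID of VCEM-80-000001.` names a 7.0 STIG ID while the command and the rest of the sentence use `VCEM-80-000001`; change the first to `VCEM-80-000001`. The 8.0 U3 command also switches the vars file from `@vars-vcenter-example.yml` (used in the 8.0 U2 tab) to `@vars-vcenter.yml`, so confirm that file ships with the v2r1 playbook; and `each roles task/main.yml` should read `each role's tasks/main.yml`, since Ansible role task files live under `tasks/`.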