Merge pull request #205 from vmware/aria-logs-updates-add-ansible
Aria logs updates and add ansible
freddyfeelgood authored Feb 22, 2024
2 parents 193e3d1 + b2c3b78 commit 3e480d8
Showing 194 changed files with 7,924 additions and 1,270 deletions.
46 changes: 46 additions & 0 deletions aria/operations-for-logs/8.x/ansible/README.md
@@ -0,0 +1,46 @@
# vmware-operations-for-logs-8x-stig-ansible-hardening
VMware Aria Operations for Logs 8.x Appliance STIG Readiness Guide Ansible Playbook
Version: Version 1 Release 4: 21 February 2024
STIG Type: STIG Readiness Guide

## Overview
This is a hardening playbook that utilizes Ansible to perform automated remediation for STIG compliance of the VMware Aria Operations for Logs 8.x Appliance STIG Readiness Guide.

## Supported Versions
- VMware Aria Operations for Logs 8.14

## !!Important!!
- Please read through the README carefully and familiarize yourself with the playbook and ansible before running this playbook
- As always please ensure you have a back out plan - if needed you can roll back the changes
- In order to run the Photon role it must be installed as a role so that this playbook may find it
- This playbook has not been tested for forward or backward compatibility beyond the version listed under supported versions.

### Requirements

- [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/index.html) installed on a machine that can SSH to the target node(s). Tested with Ansible 2.15.9.
- SSH with root access enabled

## Playbook Structure

- playbook.yml - Main playbook to run
- /roles/<role name>/defaults/main.yml - Default variables to use during the run of the playbook
- /roles/<role name>/tasks/main.yml - Default role task file
- /roles/<role name>/<role name>.yml - task definitions for the role

## How to run

Run all controls on a target appliance. Prompt for password and display verbose output
```
ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b
```
Run controls for one service by specifying a tag.
```
ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b -t cassandra
```
Run a specific control by specifying a tag.
```
ansible-playbook -i 'IP or FQDN', -u 'username' playbook.yml -k -v -b -t VLIC-8X-000007
```

## Misc
- If vars need to be updated we recommend either creating a vars file to specify at the command line or adding them to the main playbook.yml or your own playbook.yml so that it is easy to track what is being altered from the original state.
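Review bot: the run-one-control example `ansible-playbook -i 'IP or FQDN', -u 'username' playbook.yml -k -v -b -t VLIC-8X-000007` uses a `VLIC-8X-` tag, but the role's tasks are tagged `VLIA-8X-000007`, so that command selects nothing; fix the prefix and make `-u 'root'` consistent with the two examples above it and with the "SSH with root access enabled" requirement. The Requirements list also omits the `community.general` collection that the `community.general.xml` tasks depend on, and the Misc section should state outright that `ariaopslogs_username` / `ariaopslogs_password` and `ariaopslogs_ntp_servers` must be overridden before a run, since the role ships defaults for all three. The "Photon role" bullet under Important refers to a role that the playbook.yml in this commit does not include.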
6 changes: 6 additions & 0 deletions aria/operations-for-logs/8.x/ansible/playbook.yml
@@ -0,0 +1,6 @@
- name: VRLI 8.x Remediation Automation
hosts: all
roles:
- role: ariaopslogs
- role: cassandra
- role: tcserver
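Review bot: the README's Important section says the Photon role must be installed so that this playbook can find it, but the roles list here is only `ariaopslogs`, `cassandra` and `tcserver`, so either the Photon OS hardening is missing from the play or that README bullet is stale; reconcile the two. With `hosts: all` and no `vars_files`, credential overrides can only come from the command line; a `vars_files:` entry here would match the Misc guidance in the README about tracking what is altered from the defaults.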
@@ -0,0 +1,25 @@
---
# defaults file for ariaopslogs
ariaopslogs_apipath: "https://{{ inventory_hostname }}:9543/api/v2"
ariaopslogs_username: "admin"
ariaopslogs_password: "VMware1!"

# VLIA-8X-000001
ariaopslogs_loginbanner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring |
of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

# VLIA-8X-000002
ariaopslogs_ntp_servers:
- 0.vmware.pool.ntp.org
- 1.vmware.pool.ntp.org
- 2.vmware.pool.ntp.org
- 3.vmware.pool.ntp.org

# VLIA-8X-000003
ariaopslogs_config_base: "/usr/lib/loginsight/application/etc/loginsight-config-base.xml"
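Review bot: the banner has a stray `|` at the end of `-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring |`; it sits inside the double-quoted scalar, so it is sent to the appliance verbatim and shown to every user, and should be dropped. `ariaopslogs_password: "VMware1!"` ships a well-known appliance default as a role default; leave the password undefined (or source it from Ansible Vault) so a run fails loudly rather than silently authenticating with the default. `ariaopslogs_ntp_servers` defaulting to the public `vmware.pool.ntp.org` pool deserves the same treatment, since VLIA-8X-000002 is about synchronizing with an authoritative source the operator has chosen.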
@@ -0,0 +1,303 @@
# Generate session token
- name: Generate and get session ID
tags: always
block:
- name: Generate sessionId
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/sessions"
method: POST
headers:
Content-Type: 'application/json'
Accept: 'application/json'
body_format: json
body: '{"username":"{{ ariaopslogs_username }}","password":"{{ ariaopslogs_password }}","provider":"Local"}'
validate_certs: false
register: token

- name: Extract & save sessionId
ansible.builtin.set_fact:
session_id: "{{ token.json.sessionId }}"

###################################################################################################################################

# VLIA-8X-000001 - VMware Aria Operations for Logs must display the standard DoD notice and consent banner before granting access to the system.
- name: VLIA-8X-000001 - VMware Aria Operations for Logs must display the standard DoD notice and consent banner before granting access to the system
tags: [VLIA-8X-000001]
block:
- name: VLIA-8X-000001 - Get Current DoD Consent Details
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/dod"
method: GET
status_code: 200
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
validate_certs: false
register: response_get_dod
changed_when: false
failed_when:
- response_get_dod.status != 200

- name: VLIA-8X-000001 -Update DoD Consent Details
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/dod"
method: PUT
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
body_format: json
body: '{ "enabled" : true, "title" : "DoD Consent", "description" : "{{ ariaopslogs_loginbanner }}", "loginMessageType" : "CONSENT_DIALOG" }'
validate_certs: false
register: response_upd_dod
when:
- not response_get_dod.json.enabled
changed_when:
- response_upd_dod.status == 200

###################################################################################################################################

# VLIA-8X-000002 - VMware Aria Operations for Logs must be configured to synchronize time with an authoritative source.
- name: VLIA-8X-000002 - VMware Aria Operations for Logs must be configured to synchronize time with an authoritative source
tags: [VLIA-8X-000002]
block:
- name: VLIA-8X-000002 - Get time configurations
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/time/config"
method: GET
status_code: 200
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
validate_certs: false
register: response_get_time
changed_when: false
failed_when:
- response_get_time.status != 200

- name: VLIA-8X-000002 - Update time configurations
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/time/config"
method: PUT
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
body_format: json
body: '{ "timeReference": "NTP_SERVER","ntpServers": {{ ariaopslogs_ntp_servers }} }'
validate_certs: false
register: response_upd_time
when:
- response_get_time.json.ntpConfig.timeReference == "ESX_HOST" or response_get_time.json.ntpConfig.ntpServers != ariaopslogs_ntp_servers
changed_when:
- response_upd_time.status == 200

###################################################################################################################################

# VLIA-8X-000003 - VMware Aria Operations for Logs must initiate session auditing upon startup.
- name: VLIA-8X-000003 - VMware Aria Operations for Logs must initiate session auditing upon startup
tags: [VLIA-8X-000003]
block:
- name: VLIA-8X-000003 - Configure log level
community.general.xml:
path: "{{ ariaopslogs_config_base }}"
xpath: '/config/logging/configuration/loggers/logger[@name="com.vmware.loginsight.web.bootstrap.Bootstrapper.audit"]'
attribute: level
value: "info"
state: present

- name: VLIA-8X-000003 - Configure appenderRef
community.general.xml:
path: "{{ ariaopslogs_config_base }}"
xpath: '/config/logging/configuration/loggers/logger[@name="com.vmware.loginsight.web.bootstrap.Bootstrapper.audit"]/appenderRef'
attribute: ref
value: "AUDIT"
state: present

###################################################################################################################################

# VLIA-8X-000004 - VMware Aria Operations for Logs must protect audit information from unauthorized read access.
- name: VLIA-8X-000004 - VMware Aria Operations for Logs must protect audit information from unauthorized read access
tags: [VLIA-8X-000004]
block:
- name: VLIA-8X-000004 - Check log file permissions
ansible.builtin.command: stat -c "%a:%U:%G" /var/log/loginsight/audit.log
register: file_perm
changed_when: false

- name: VLIA-8X-000004 - Verify and update file permissions
ansible.builtin.file:
path: "/var/log/loginsight/audit.log"
state: file
owner: 'root'
group: 'root'
mode: '640'

###################################################################################################################################

# VLIA-8X-000005 - VMware Aria Operations for Logs must enable multifactor authentication.
# This is a manual fix
#### Login to VMware Aria Operations for Logs as an administrator.
#### In the slide-out menu on the left, choose Configuration >> Authentication.
#### Navigate to the "Workspace ONE Access" tab, ensure the "Enable Single Sign-On" radio button is enabled and the details of your Workspace ONE Access instance are correct, then click "Save".
#### Workspace ONE Access must also be configured to support Smart Card authentication.
#### See the accompanying Smart Card configuration guide for Workspace ONE Access.

###################################################################################################################################

# VLIA-8X-000006 - VMware Aria Operations for Logs must disable local accounts after 35 days of inactivity.
# This is a manual fix.
#### Login to VMware Aria Operations for Logs as an administrator.
#### In the slide-out menu on the left, choose Configuration >> General.
#### Enable the radio button next to "Password Policy Restriction" and click Save.

###################################################################################################################################

# VLIA-8X-000007 - VMware Aria Operations for Logs must terminate user sessions after a period of inactivity.
- name: VLIA-8X-000007 - VMware Aria Operations for Logs must terminate user sessions after a period of inactivity
tags: [VLIA-8X-000007]
block:
- name: VLIA-8X-000007 - Get session timeout
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/ui/browser-session"
method: GET
status_code: 200
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
validate_certs: false
register: response_get_to
changed_when: false
failed_when:
- response_get_to.status != 200

- name: VLIA-8X-000007 - Update session timeout
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/ui/browser-session"
method: PUT
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
body_format: json
body: '{ "timeout" : 30 }'
validate_certs: false
register: response_upd_to
when:
- response_get_to.json.timeout != 30
changed_when:
- response_upd_to.status == 200

###################################################################################################################################

# VLIA-8X-000008 - VMware Aria Operations for Logs must notify the SA and ISSO when log record retention capacity is low.
- name: VLIA-8X-000008 - VMware Aria Operations for Logs must notify the SA and ISSO when log record retention capacity is low
tags: [VLIA-8X-000008]
block:
- name: VLIA-8X-000008 - Get retention threshold
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/notification/config/retention-threshold"
method: GET
status_code: 200
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
validate_certs: false
register: response_get_thres
changed_when: false
failed_when:
- response_get_thres.status != 200

- name: VLIA-8X-000008 - Update retention threshold
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/notification/config/retention-threshold"
method: PUT
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
body_format: json
body: '{ "sendNotification" : true, "dataInterval" : 1, "intervalUnit" : "MONTHS" }'
validate_certs: false
register: response_upd_thres
when:
- not response_get_thres.json.sendNotification
changed_when:
- response_upd_thres.status == 200

###################################################################################################################################

# VLIA-8X-000009 - VMware Aria Operations for Logs must alert administrators of audit failure events.
# This is a manual fix.
#### Login to VMware Aria Operations for Logs as an administrator.
#### In the slide-out menu on the left, choose Management >> Hosts.
#### Click the checkbox next to "Inactive hosts notification" and configure an alerting threshold for notifications according to organizational policies.

###################################################################################################################################

# VLIA-8X-000010 - VMware Aria Operations for Logs must use only DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
# This is a manual fix.
#### Generate or request a new certificate from a trusted certificate authority
#### Login to VMware Aria Operations for Logs as an administrator.
#### In the slide-out menu on the left, choose Configuration >> SSL.
#### Click "Choose File" next to "New Certificate File", select the new certificate file, then click Save.
#### Restart if prompted.

###################################################################################################################################

# VLIA-8X-000011 - VMware Aria Operations for Logs must protect API SSL connections.
# This is a manual fix
#### Login to VMware Aria Operations for Logs as an administrator.
#### In the slide-out menu on the left, choose Configuration >> SSL.
#### Ensure "Require SSL Connection" is enabled and click save.

###################################################################################################################################

# VLIA-8X-000012 - VMware Aria Operations for Logs must not provide environment information to third parties.
- name: VLIA-8X-000012 - VMware Aria Operations for Logs must not provide environment information to third parties
tags: [VLIA-8X-000012]
block:
- name: VLIA-8X-000012 - Get CEIP
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/ceip"
method: GET
status_code: 200
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
validate_certs: false
register: response_get_ceip
changed_when: false
failed_when:
- response_get_ceip.status != 200

- name: VLIA-8X-000012 - Update CEIP
ansible.builtin.uri:
url: "{{ ariaopslogs_apipath }}/ceip"
method: PUT
headers:
Content-Type: 'application/json'
Accept: 'application/json'
Authorization: "Bearer {{ session_id }}"
body_format: json
body: '{ "feedback" : false }'
validate_certs: false
register: response_upd_ceip
when:
- response_get_ceip.json.feedback
changed_when:
- response_upd_ceip.status == 200

###################################################################################################################################

# VLIA-8X-000056 - VMware Aria Operations for Logs must protect audit information from unauthorized read access.
# This is a manual fix
#### Login to the VMware Aria Operations for Logs admin portal (/admin/) as an administrator.
#### In the menu on the left, choose "Configuration", then "General".
#### On the "General Configuration" page, under "FIPS MODE", ensure "Activate FIPS Mode" is enabled, then click "Save".
#### Note: Once FIPS mode is activated, it can never be de-activated.
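Review bot: every `ansible.builtin.uri` call sets `validate_certs: false` while posting the admin username and password, so a run will hand those credentials to anything answering on :9543; make it a variable (for example `ariaopslogs_validate_certs`, default true) and document it, particularly since VLIA-8X-000010 in the same file is about trusting only approved certificate authorities. Smaller issues in this hunk: the VLIA-8X-000001 update is gated only on `not response_get_dod.json.enabled`, so a banner that is enabled with the wrong text or `loginMessageType` is never corrected (compare the value comparison in VLIA-8X-000002); `"ntpServers": {{ ariaopslogs_ntp_servers }}` renders the list as a Python-style literal inside a string body, so write `body` as a YAML mapping or use `| to_json`; the `stat -c "%a:%U:%G"` task in VLIA-8X-000004 registers `file_perm` that nothing reads, and `ansible.builtin.file` is idempotent on its own, so drop it; the session created at the top of the file is never invalidated at the end of the play; and the VLIA-8X-000056 comment repeats the VLIA-8X-000004 title ("must protect audit information from unauthorized read access") although its fix is enabling FIPS mode, so that title is wrong.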
@@ -0,0 +1,11 @@
---
# tasks file for ariaopslogs

- name: Include ariaopslogs
ansible.builtin.include_tasks:
file: ariaopslogs.yml
apply:
tags:
- ariaopslogs
tags:
- always