Merge pull request #194 from vmware/aria-automation-8.12-updates

Aria automation 8.12 updates

aria/automation/8.x/docs/README.md

@@ -1,4 +1,4 @@
-# VMware Aria (formerly vRealize Automation) 8.11.1 STIG Documentation
+# VMware Aria (formerly vRealize Automation) 8.12 STIG Documentation
 
 ## Overview
 An XCCDF formatted XML is provided for the Aria Automation STIG Readiness Guide content for each component for use to view in the DISA [STIG Viewer](https://public.cyber.mil/stigs/stig-viewing-tools/).  

aria/automation/8.x/inspec/vmware-vra-8x-stig-baseline/CHANGELOG.md → aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Change Log  
 
+## [8.12 Version 1 Release 4] (2023-10-30)
+
+#### Release Notes
+- Rebranding from vRealize Automation to VMware Aria Automation:
+  - VRAA-8X-000002
+  - VRAA-8X-000005
+  - VRAA-8X-000007
+  - VRAA-8X-000008
+  - VRAA-8X-000009
+  - VRAA-8X-000012
+  - VRAA-8X-000014
+  - VRAA-8X-000046
+  - VRAA-8X-000047
+  - VRAA-8X-000074
+  - VRAA-8X-000091
+  - VRAA-8X-000106
+  - VRAA-8X-000107
+  - VRAA-8X-000123
+  - VRAA-8X-000125
+  - VRAA-8X-000126
+  - VRAA-8X-000127
+  - VRAA-8X-000128
+- Include Photon controls locally (instead of linking to Photon profile) to handle updated sshd config file path specific to Aria Automation.
+- Updated inspec.yaml sshd command input in the Photon profile.
+- Updated Photon controls with new sshd config file path:
+  - PHTN-30-000003
+  - PHTN-30-000006
+  - PHTN-30-000008
+  - PHTN-30-000009
+  - PHTN-30-000037
+  - PHTN-30-000038
+  - PHTN-30-000064
+  - PHTN-30-000078
+  - PHTN-30-000079
+  - PHTN-30-000080
+  - PHTN-30-000081
+  - PHTN-30-000082
+  - PHTN-30-000083
+  - PHTN-30-000084
+  - PHTN-30-000085
+  - PHTN-30-000086
+  - PHTN-30-000087
+  - PHTN-30-000112
+  - PHTN-30-000115
+  - PHTN-30-000119
+  - PHTN-30-000120
+
 ## [8.11 Version 1 Release 3] (2023-04-06)
 
 #### Release Notes

aria/automation/8.x/inspec/vmware-vra-8x-stig-baseline/LICENSE → aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/LICENSE

@@ -1,5 +1,5 @@
 dod-compliance-and-automation
-Copyright (c) 2019 VMware, Inc.  All rights reserved.				
+Copyright (c) 2023 VMware, Inc.  All rights reserved.				
 
 The Apache 2.0 license (the "License") set forth below applies to all parts of the dod-compliance-and-automation project.  You may not use this file except in compliance with the License.
 

aria/automation/8.x/inspec/vmware-vra-8x-stig-baseline/README.md → aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/README.md

@@ -1,12 +1,12 @@
 # vmware-vra-8x-stig-baseline
 VMware vRealize Automation 8.x STIG Readiness Guide Chef InSpec Profile  
-Version: Version 1 Release 3 Date: 6 April 2023  
+Version: Version 1 Release 4 Date: 30 October 2023  
 STIG Type: STIG Readiness Guide  
 
 ## Overview
 This is a compliance auditing profile that is based on Chef InSpec/CINC Auditor to perform an automated check for STIG compliance of the VMware vRealize Automation 8.x STIG Readiness Guide.
 
-It has been tested against versions 8.6 through 8.11.1. 
+It has been tested against versions 8.12 through 8.13. 
 
 All technical NIST SP 800-53 requirements were considered while developing this content. SRG requirements that are applicable and configurable are included in this content while other controls that are "Not Applicable", "Inherently Met" or "Does Not Meet" are not included.
 
@@ -19,7 +19,7 @@ All technical NIST SP 800-53 requirements were considered while developing this
 
 ## vRA InSpec Profiles
 
-InSpec profiles for vRA are available for each component or can be run all or some from the wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen below.  
+InSpec profiles for vRA are available for each component or can be run all or some from a wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen below.  
 
 Repository paths:
 * [Photon](https://github.com/vmware/dod-compliance-and-automation/tree/master/photon/3.0/inspec/vmware-photon-3.0-stig-inspec-baseline)
@@ -28,10 +28,10 @@ See the [InSpec docs](https://www.inspec.io/docs/reference/profiles/) for more i
 
 ## How to run InSpec locally from Powershell on Windows
 
-**Note - assumes all relevant profiles are downloaded to C:\Inspec\Profiles\vmware-vra-8x-stig-baseline**  
+**Note - assumes all relevant profiles are downloaded to C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline**  
 Example folder structure:  
 ```
-\vmware-vra-8x-stig-baseline  
+\vmware-aria-automation-8x-stig-baseline  
   \docker  
   \kubernetes  
   \photon  
@@ -41,50 +41,55 @@ Example folder structure:
 
 It is recommended to utilize an inputs file for specifying environment specific variables such as NTP, Syslog, etc. An example is provided for you to begin with.  
 
-### Run all profiles against a target vRA appliance and output results to CLI
+### Run all profiles against a target appliance and output results to CLI
 ```
-inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-vra-8x-stig-baseline -t ssh://root@vra IP or FQDN --password 'password'
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password'
 ```
 
-### Or if currently in the base directory ('vmware-vra-8x-stig-baseline')
+### Or if currently in the base directory ('vmware-aria-automation-8x-stig-baseline')
 ```
-inspec exec . -t ssh://root@vra IP or FQDN --password 'password'
+inspec exec . -t ssh://root@<IP or FQDN> --password 'password'
 ```
-### Run all profiles against a target vRA appliance with needed inputs and output results to CLI
+
+### Run all profiles against a target appliance with needed inputs and output results to CLI
 ```
-inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-vra-8x-stig-baseline -t ssh://root@vra IP or FQDN --password 'password' --input [nputname]=[inputvalue] [inputname]=[inputvalue]
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --input [nputname]=[inputvalue] [inputname]=[inputvalue]
 ```
+
 ### Run all profiles against a target appliance with example inputs, show progress, and output results to CLI and JSON
 ```
-inspec exec . -t ssh://root@IP or FQDN --password 'password' --input-file=inputs-example.yml --show-progress --reporter=cli json:path\to\report\report.json
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --input-file=inputs-example.yml --show-progress --reporter=cli json:path\to\report\report.json
 ```
-### Run all profiles against a target vRA, show progress, and output results to CLI and JSON
+
+### Run all profiles against a target appliance, show progress, and output results to CLI and JSON
 ```
-inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-vra-8x-stig-baseline -t ssh://root@vra IP or FQDN --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\vra.json
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\aria-automation.json
 ```
-### Run a specific profile (Docker in this case, using a Regex) against a target vRA appliance, show progress, and output results to CLI and JSON using the wrapper profile
+
+### Run a specific profile (Docker in this case, using a Regex) against a target appliance, show progress, and output results to CLI and JSON using the wrapper profile
 ```
-inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-vra-8x-stig-baseline -t ssh://root@vra IP or FQDN --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\vra.json --controls=/DKER/
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --show-progress --reporter=cli json:C:\Inspec\Reports\aria-automation.json --controls=/DKER/
 ```
-### Run a single STIG Control against a target vRA appliance from a specific profile
+
+### Run a single STIG Control against a target appliance from a specific profile
 ```
-inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-vra-8x-stig-baseline -t ssh://root@vra IP or FQDN --password 'password' --controls=VRAA-8X-000008
+inspec exec C:\Inspec\Profiles\vmware-stig-baseline\vmware-aria-automation-8x-stig-baseline -t ssh://root@<IP or FQDN> --password 'password' --controls=VRAA-8X-000008
 ```
 
 ## Waivers
-A set of example controls to 'skip' is provided for reference if controls should not be applied. (docker.rb, kubernetes.rb, photon.rb, and vra.rb)
-Other waiver options can be found in the [InSpec Waiver Documentation](https://docs.chef.io/inspec/waivers/)  
+A set of example controls to 'skip' is provided for reference if controls should not be applied. (docker.rb, kubernetes.rb, photon.rb, and aria-automation.rb)
+Other waiver options can be found in the [InSpec Waiver Documentation](https://docs.chef.io/inspec/waivers/), and an example waiver file is provided in the root of the repository.  
 
 ## Reporting
 InSpec supports various reporting formats out of the box including HTML, JSON, and jUNIT.  
 
 There are also supplemental tools like [MITRE's SAF CLI](https://github.com/mitre/saf) that can be used to transform results to other formats like a STIG Checklist file.  
 
-Results can also be imported into Heimdall server for a more polished visual result.  
+Results can also be imported into a Heimdall server for a more polished visual result.
 
 ## InSpec Vendoring
 
 **Note - When you execute a local profile, the inspec.yml file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an inspec.lock file.**  
 **This lockfile creation can be prevented by adding the '--no-create-lockfile' parameter to any of the above InSpec commands.**
 
-If you add or update dependencies in inspec.yml, dependencies may be re-vendored and the lockfile updated with 'inspec vendor --overwrite'
+If you add or update dependencies in inspec.yml, dependencies can be re-vendored and the lockfile updated by running the "inspec vendor --overwrite" command.

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/controls/vra.rb

@@ -0,0 +1,2 @@
+include_controls 'vra' do
+end

aria/automation/8.x/inspec/vmware-vra-8x-stig-baseline/docker/inspec.yml → aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/docker/inspec.yml

@@ -1,8 +1,8 @@
 name: Docker-CE
 title: InSpec Profile
-maintainer: The Authors
+maintainer: SCOPE/VMTA
 copyright: The Authors
-copyright_email: you@example.com
+copyright_email: stigs@vmware.com
 license: Apache-2.0
 summary: An InSpec Compliance Profile
-version: 0.1.0
+version: 1.0.1

aria/automation/8.x/inspec/vmware-vra-8x-stig-baseline/kubernetes/inspec.yml → aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/kubernetes/inspec.yml

@@ -1,11 +1,11 @@
 name: kubernetes-stig-baseline
 title: Kubernetes Security Technical Implementation Guide
-maintainer: VMTA
+maintainer: SCOPE/VMTA
 copyright: The Authors
-copyright_email: you@example.com
+copyright_email: stigs@vmware.com
 license: Apache-2.0
 summary: "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]."
-version: 1.0.3
+version: 1.0.4
 
 supports:
   - platform-family: linux

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000001.rb

@@ -0,0 +1,50 @@
+control 'PHTN-30-000001' do
+  title 'The Photon operating system must audit all account creations.'
+  desc  'Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.'
+  desc  'rationale', ''
+  desc  'check', "
+    At the command line, run the following command:
+
+    # auditctl -l | grep -E \"(useradd|groupadd)\"
+
+    Expected result:
+
+    -w /usr/sbin/useradd -p x -k useradd
+    -w /usr/sbin/groupadd -p x -k groupadd
+
+    If either \"useradd\" or \"groupadd\" are not listed with a permissions filter of at least \"x\", this is a finding.
+
+    Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-30-000013.
+  "
+  desc 'fix', "
+    Navigate to and open:
+
+    /etc/audit/rules.d/audit.STIG.rules
+
+    Add or update the following lines:
+
+    -w /usr/sbin/useradd -p x -k useradd
+    -w /usr/sbin/groupadd -p x -k groupadd
+
+    At the command line, run the following command to load the new audit rules:
+
+    # /sbin/augenrules --load
+
+    Note: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
+
+    Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
+  "
+  impact 0.5
+  tag severity: 'medium'
+  tag gtitle: 'SRG-OS-000004-GPOS-00004'
+  tag gid: 'V-PHTN-30-000001'
+  tag rid: 'SV-PHTN-30-000001'
+  tag stig_id: 'PHTN-30-000001'
+  tag cci: ['CCI-000018']
+  tag nist: ['AC-2 (4)']
+
+  describe auditd do
+    its('lines') { should include %r{-w /usr/sbin/useradd -p x -k useradd} }
+    its('lines') { should include %r{-w /usr/sbin/groupadd -p x -k groupadd} }
+  end
+end

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000002.rb

@@ -0,0 +1,60 @@
+control 'PHTN-30-000002' do
+  title 'The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.'
+  desc  'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.'
+  desc  'rationale', ''
+  desc  'check', "
+    At the command line, run the following commands:
+
+    # grep pam_tally2 /etc/pam.d/system-auth
+
+    Expected result:
+
+    auth       required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+
+    # grep pam_tally2 /etc/pam.d/system-account
+
+    Expected result:
+
+    account    required pam_tally2.so onerr=fail audit
+
+    If the output does not list the \"pam_tally2\" options as configured in the expected results, this is a finding.
+  "
+  desc 'fix', "
+    Navigate to and open:
+
+    /etc/pam.d/system-auth
+
+    Remove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement:
+
+    auth       required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+
+    Navigate to and open:
+
+    /etc/pam.d/system-account
+
+    Remove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement:
+
+    account    required pam_tally2.so onerr=fail audit
+
+    Note: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.
+  "
+  impact 0.5
+  tag severity: 'medium'
+  tag gtitle: 'SRG-OS-000021-GPOS-00005'
+  tag satisfies: ['SRG-OS-000329-GPOS-00128']
+  tag gid: 'V-PHTN-30-000002'
+  tag rid: 'SV-PHTN-30-000002'
+  tag stig_id: 'PHTN-30-000002'
+  tag cci: ['CCI-000044', 'CCI-002238']
+  tag nist: ['AC-7 a', 'AC-7 b']
+
+  # match after pam_unix.so and with options in any order on pam_tally2
+  describe file('/etc/pam.d/system-auth') do
+    its('content') { should match /^auth\s*required\s*pam_unix\.so.*\n(^auth\s*required\s*pam_tally2\.so\s*(?=.*\bdeny=3\b)(?=.*\bonerr=fail\b)(?=.*\baudit\b)(?=.*\beven_deny_root\b)(?=.*\bunlock_time=900\b)(?=.*\broot_unlock_time=300\b).*$)/ }
+  end
+
+  # match after pam_unix.so and with options in any order on pam_tally2
+  describe file('/etc/pam.d/system-account') do
+    its('content') { should match /^account\s*required\s*pam_unix\.so.*\n(^account\s*required\s*pam_tally2\.so\s*(?=.*\bonerr=fail\b)(?=.*\baudit\b).*$)/ }
+  end
+end

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000003.rb

@@ -0,0 +1,73 @@
+control 'PHTN-30-000003' do
+  title 'The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access.'
+  desc  'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.'
+  desc  'rationale', ''
+  desc  'check', "
+    At the command line, run the following command:
+
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i Banner
+
+    Expected result:
+
+    banner /etc/issue
+
+    If the output does not match the expected result, this is a finding.
+
+    Open /etc/issue with a text editor.
+
+    If the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
+
+    Standard Mandatory DOD Notice and Consent Banner:
+
+    \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+    -At any time, the USG may inspect and seize data stored on this IS.
+    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
+  "
+  desc 'fix', "
+    Navigate to and open:
+
+    /etc/ssh/sshd_config_effective
+
+    Ensure the \"Banner\" line is uncommented and set to the following:
+
+    Banner /etc/issue
+
+    Navigate to and open:
+
+    /etc/issue
+
+    Ensure the file contains the Standard Mandatory DoD Notice and Consent Banner.
+
+    \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+    -At any time, the USG may inspect and seize data stored on this IS.
+    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
+
+    At the command line, run the following command:
+
+    # systemctl restart sshd.service
+  "
+  impact 0.5
+  tag severity: 'medium'
+  tag gtitle: 'SRG-OS-000023-GPOS-00006'
+  tag satisfies: ['SRG-OS-000228-GPOS-00088']
+  tag gid: 'V-PHTN-30-000003'
+  tag rid: 'SV-PHTN-30-000003'
+  tag stig_id: 'PHTN-30-000003'
+  tag cci: ['CCI-000048', 'CCI-001384']
+  tag nist: ['AC-8 a', 'AC-8 c 1']
+
+  sshdcommand = input('sshdcommand')
+  describe command("#{sshdcommand}|&grep -i Banner") do
+    its('stdout.strip') { should cmp 'Banner /etc/issue' }
+  end
+
+  describe file('/etc/issue') do
+    its('content') { should match /You are accessing a U\.S\. Government/ }
+  end
+end