updates for v1r1 of the official vsphere 8 stig (#192)

vmware · Nov 7, 2023 · e2acd12 · e2acd12
1 parent be9f694
commit e2acd12
Show file tree

Hide file tree

Showing 516 changed files with 14,789 additions and 11,007 deletions.
diff --git a/vsphere/8.0/README.md b/vsphere/8.0/README.md
@@ -1,14 +1,14 @@
 # VMware vSphere 8 DoD STIG Compliance and Automation
-*STIG Status: STIG Readiness Guide Version 1 Release 2*
+*STIG Status: Official STIG Version 1 Release 1*
 
 ## Compatibility
-Version 1 Release 2 is intended for Update 2 builds only. If you are still on Update 1 please reference Version 1 Release 1 of the guidance and automation available [here](https://github.com/vmware/dod-compliance-and-automation/tree/archive-vsphere-8u1).  
+The official STIG Version 1 Release 1 is intended for Update 2 builds only. If you are still on Update 1 please reference STIG Readiness Guide Version 1 Release 1 of the guidance and automation available [here](https://github.com/vmware/dod-compliance-and-automation/tree/archive-vsphere-8u1).  
 
-|                |        V1R1*       |         V1R2*      |
-|:--------------:|:------------------:|:------------------:|
-|     8.0 GA     |        :x:         |         :x:        |
-|     8.0 U1     | :heavy_check_mark: |         :x:        |
-|     8.0 U2     |        :x:         | :heavy_check_mark: |
+|                |        V1R1*       |         V1R2*      |         V1R1       |
+|:--------------:|:------------------:|:------------------:|:------------------:|
+|     8.0 GA     |        :x:         |         :x:        |         :x:        |
+|     8.0 U1     | :heavy_check_mark: |         :x:        |         :x:        |
+|     8.0 U2     |        :x:         | :heavy_check_mark: | :heavy_check_mark: |
 
 \* Denotes STIG Readiness Guide
 

diff --git a/vsphere/8.0/docs/README.md b/vsphere/8.0/docs/README.md
@@ -3,7 +3,7 @@
 ## Overview
 An XCCDF formatted XML is provided for the vSphere 8 STIG Readiness Guide content for each component for use to view in [STIG Viewer](https://public.cyber.mil/stigs/stig-viewing-tools/).  
 
-This can consumed from the zip file included in the [VMware vSphere 8 STIG Readiness Guide](https://core.vmware.com/resource/vmware-vsphere-8-stig-readiness-guide).  
+This can consumed from the latest download available at [public.cyber.mil](https://public.cyber.mil/stigs/downloads/). 
 
 ## Known Issues
 Any known issues will be documented in the known-issues.md document located here.  
diff --git a/vsphere/8.0/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/CHANGELOG.md b/vsphere/8.0/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## [8.0 Official STIG Version 1 Release 1] (2023-11-03)
+
+#### Release Notes
+- Updated release notes to reflect the official STIG publication  
+
 ## [8.0 Version 1 Release 2] (2023-09-21)
 
 #### Release Notes

diff --git a/vsphere/8.0/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md b/vsphere/8.0/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md
@@ -1,10 +1,10 @@
 # vmware-vcsa-8.0-stig-ansible-hardening
-VMware vCenter 8.0 Appliance STIG Readiness Guide Ansible Playbook  
-Version: Version 1 Release 2: September 21, 2023  
-STIG Type: STIG Readiness Guide  
+VMware vCenter 8.0 Appliance STIG Ansible Playbook  
+Version: Version 1 Release 1: November 03, 2023  
+STIG Type: Official STIG  
 
 ## Overview
-This is a hardening playbook that utilizes Ansible to perform automated remediation for STIG compliance of the VMware vCenter 8.0 Appliance STIG Readiness Guide.  
+This is a hardening playbook that utilizes Ansible to perform automated remediation for STIG compliance of the VMware vCenter 8.0 Appliance STIG.  
 
 ## !!Important!!
 - Please read through the README carefully and familiarize yourself with the playbook and ansible before running this playbook

diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/.rubocop.yml b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/.rubocop.yml
@@ -0,0 +1,27 @@
+# The behavior of RuboCop can be controlled via the .rubocop.yml
+# configuration file. It makes it possible to enable/disable
+# certain cops (checks) and to alter their behavior if they accept
+# any parameters. The file can be placed either in your home
+# directory or in some project directory.
+#
+# RuboCop will start looking for the configuration file in the directory
+# where the inspected file is and continue its way up to the root directory.
+#
+# See https://docs.rubocop.org/rubocop/configuration
+
+Style/WordArray:
+  Enabled: false
+Layout/EndOfLine:
+  Enabled: true
+Style/Encoding:
+  Enabled: true
+Layout/TrailingWhitespace:
+  Enabled: true
+Layout/ExtraSpacing:
+  Enabled: true
+Layout/EmptyLinesAroundBlockBody:
+  Enabled: true
+Style/StringLiterals:
+  Enabled: true
+Style/SymbolProc:
+  Enabled: false
diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/CHANGELOG.md b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## [8.0 Official STIG Version 1 Release 1] (2023-11-03)
+
+#### Release Notes
+- Updated metadata to reflect official STIG v1r1 release
+
 ## [8.0 Version 1 Release 2] (2023-09-21)
 
 #### Release Notes

diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/README.md b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/README.md
@@ -1,19 +1,18 @@
 # vmware-vcsa-8.0-stig-baseline
-VMware vSphere vCenter Appliance 8.0 STIG Readiness Guide Chef InSpec Profile  
-Version: Release 1 Version 2 Date: 21 September 2023  
-STIG Type: STIG Readiness Guide
+VMware vSphere vCenter Appliance 8.0 STIG Chef InSpec Profile  
+Version: Release 1 Version 1 Date: 03 November 2023  
+STIG Type: Official STIG
 
 ## VCSA InSpec Profiles
 
 InSpec profiles for the VCSA are available for each component or can be run all or some from the wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen here.  
 
-[See the InSpec docs for more info on Profile dependencies and inheritence](https://www.inspec.io/docs/reference/profiles/)
+[See the InSpec docs for more info on Profile dependencies and inheritance](https://www.inspec.io/docs/reference/profiles/)
 
 
 ## How to run InSpec locally from Powershell on Windows
 
 **Note - assumes vcsa profiles are downloaded to C:\Inspec\Profiles\vmware-vcsa-8.0-stig-baseline**  
-**Note - assumes photon profile is downloaded to C:\Inspec\Profiles\vmware-photon-4.0-stig-inspec-baseline**  
 
 It is recommended to utilize an inputs files for specifying vCenter and environment specific variables. An example is provided for you to begin with.  
 

diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/controls/photon.rb b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/controls/photon.rb
@@ -1,17 +1 @@
-include_controls 'photon' do
-  # SELinux is currently not available on VCSA.
-  skip_control 'PHTN-40-000066'
-  # VCSA currently cannot implement this control so it must be skipped.
-  skip_control 'PHTN-40-000085'
-  # Syslog configuration is done in the VAMI
-  skip_control 'PHTN-40-000111'
-  # NTP configuration is done in the VAMI
-  skip_control 'PHTN-40-000121'
-  # AIDE not supported yet
-  skip_control 'PHTN-40-000127'
-  skip_control 'PHTN-40-000237'
-  # VCSA ships with rsyslog installed.
-  skip_control 'PHTN-40-000241'
-  # VCSA does not support this configuration at this time.
-  skip_control 'PHTN-40-000245'
-end
+include_controls 'photon'
diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000001.rb b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000001.rb
@@ -1,49 +1,46 @@
 control 'VCEM-80-000001' do
   title 'The vCenter ESX Agent Manager service must limit the number of maximum concurrent connections permitted.'
-  desc  "
-    Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash.
+  desc 'Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash.
 
-    Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Tomcat, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute.
-  "
-  desc  'rationale', ''
-  desc  'check', "
-    At the command prompt, run the following command:
+Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Tomcat, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute.
 
-    # xmllint --xpath '/Server/Service/Executor[@name=\"tomcatThreadPool\"]/@maxThreads' /usr/lib/vmware-eam/web/conf/server.xml
+'
+  desc 'check', %q(At the command prompt, run the following command:
 
-    Expected result:
+# xmllint --xpath '/Server/Service/Executor[@name="tomcatThreadPool"]/@maxThreads' /usr/lib/vmware-eam/web/conf/server.xml
 
-    maxThreads=\"300\"
+Expected result:
 
-    If the output does not match the expected result, this is a finding.
-  "
-  desc 'fix', "
-    Navigate to and open:
+maxThreads="300"
 
-    /usr/lib/vmware-eam/web/conf/server.xml
+If the output does not match the expected result, this is a finding.)
+  desc 'fix', 'Navigate to and open:
 
-    Navigate to the <Executor> node with the name of tomcatThreadPool and configure with the value \"maxThreads=\"300\"\".
+/usr/lib/vmware-eam/web/conf/server.xml
 
-    Note: The <Executor> node should be configured similar to the following:
+Navigate to the <Executor> node with the name of tomcatThreadPool and configure with the value "maxThreads="300"".
 
-    <Executor maxThreads=\"300\"
-                    minSpareThreads=\"50\"
-                    name=\"tomcatThreadPool\"
-                    namePrefix=\"tomcat-http--\"/>
+Note: The <Executor> node should be configured similar to the following:
 
-    Restart the service with the following command:
+<Executor maxThreads="300"
+                minSpareThreads="50"
+                name="tomcatThreadPool"
+                namePrefix="tomcat-http--"/>
 
-    # vmon-cli --restart eam
-  "
+Restart the service with the following command:
+
+# vmon-cli --restart eam'
   impact 0.5
+  tag check_id: 'C-62743r934665_chk'
   tag severity: 'medium'
-  tag gtitle: 'SRG-APP-000001-AS-000001'
-  tag satisfies: ['SRG-APP-000435-AS-000163']
-  tag gid: 'V-VCEM-80-000001'
-  tag rid: 'SV-VCEM-80-000001'
+  tag gid: 'V-259003'
+  tag rid: 'SV-259003r934667_rule'
   tag stig_id: 'VCEM-80-000001'
+  tag gtitle: 'SRG-APP-000001-AS-000001'
+  tag fix_id: 'F-62652r934666_fix'
+  tag satisfies: ['SRG-APP-000001-AS-000001', 'SRG-APP-000435-AS-000163']
   tag cci: ['CCI-000054', 'CCI-002385']
-  tag nist: ['AC-10', 'SC-5']
+  tag nist: ['AC-10', 'SC-5 a']
 
   # Open server.xml file and get the input variable value
   xmlconf = xml(input('serverXmlPath'))

diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000005.rb b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000005.rb
@@ -1,47 +1,42 @@
 control 'VCEM-80-000005' do
   title 'The vCenter ESX Agent Manager service cookies must have secure flag set.'
-  desc  "
-    The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text.
+  desc 'The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text.
 
-    By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
-  "
-  desc  'rationale', ''
-  desc  'check', "
-    At the command prompt, run the following command:
+By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.'
+  desc 'check', %q(At the command prompt, run the following command:
 
-    # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=\".*\"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' -
+# xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' -
 
-    Expected result:
+Expected result:
 
-    <secure>true</secure>
+<secure>true</secure>
 
-    If the output of the command does not match the expected result, this is a finding.
-  "
-  desc 'fix', "
-    Navigate to and open:
+If the output of the command does not match the expected result, this is a finding.)
+  desc 'fix', 'Navigate to and open:
 
-    /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml
+/usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml
 
-    Navigate to the <session-config> node and configure the <secure> setting as follows:
+Navigate to the <session-config> node and configure the <secure> setting as follows:
 
-    <session-config>
-      <session-timeout>30</session-timeout>
-      <cookie-config>
-          <http-only>true</http-only>
-          <secure>true</secure>
-      </cookie-config>
-    </session-config>
+<session-config>
+  <session-timeout>30</session-timeout>
+  <cookie-config>
+      <http-only>true</http-only>
+      <secure>true</secure>
+  </cookie-config>
+</session-config>
 
-    Restart the service with the following command:
+Restart the service with the following command:
 
-    # vmon-cli --restart eam
-  "
+# vmon-cli --restart eam'
   impact 0.5
+  tag check_id: 'C-62744r934668_chk'
   tag severity: 'medium'
-  tag gtitle: 'SRG-APP-000033-AS-000024'
-  tag gid: 'V-VCEM-80-000005'
-  tag rid: 'SV-VCEM-80-000005'
+  tag gid: 'V-259004'
+  tag rid: 'SV-259004r934670_rule'
   tag stig_id: 'VCEM-80-000005'
+  tag gtitle: 'SRG-APP-000033-AS-000024'
+  tag fix_id: 'F-62653r934669_fix'
   tag cci: ['CCI-000213']
   tag nist: ['AC-3']
 

diff --git a/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000013.rb b/vsphere/8.0/vcsa/inspec/vmware-vcsa-8.0-stig-baseline/eam/controls/VCEM-80-000013.rb
@@ -1,37 +1,34 @@
 control 'VCEM-80-000013' do
   title 'The vCenter ESX Agent Manager service must initiate session logging upon startup.'
-  desc  'Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged.'
-  desc  'rationale', ''
-  desc  'check', "
-    At the command prompt, run the following command:
+  desc 'Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged.'
+  desc 'check', 'At the command prompt, run the following command:
 
-    # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/eam.json
+# grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/eam.json
 
-    Expected output:
+Expected output:
 
-    \"StreamRedirectFile\" : \"%VMWARE_LOG_DIR%/vmware/eam/jvm.log\",
+"StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/eam/jvm.log",
 
-    If no log file is specified for the \"StreamRedirectFile\" setting, this is a finding.
-  "
-  desc 'fix', "
-    Navigate to and open:
+If no log file is specified for the "StreamRedirectFile" setting, this is a finding.'
+  desc 'fix', 'Navigate to and open:
 
-    /etc/vmware/vmware-vmon/svcCfgfiles/eam.json
+/etc/vmware/vmware-vmon/svcCfgfiles/eam.json
 
-    Below the last line of the \"PreStartCommandArg\" block, add the following line:
+Below the last line of the "PreStartCommandArg" block, add the following line:
 
-    \"StreamRedirectFile\" : \"%VMWARE_LOG_DIR%/vmware/eam/jvm.log\",
+"StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/eam/jvm.log",
 
-    Restart the service with the following command:
+Restart the service with the following command:
 
-    # vmon-cli --restart eam
-  "
+# vmon-cli --restart eam'
   impact 0.5
+  tag check_id: 'C-62745r934671_chk'
   tag severity: 'medium'
-  tag gtitle: 'SRG-APP-000092-AS-000053'
-  tag gid: 'V-VCEM-80-000013'
-  tag rid: 'SV-VCEM-80-000013'
+  tag gid: 'V-259005'
+  tag rid: 'SV-259005r934673_rule'
   tag stig_id: 'VCEM-80-000013'
+  tag gtitle: 'SRG-APP-000092-AS-000053'
+  tag fix_id: 'F-62654r934672_fix'
   tag cci: ['CCI-001464']
   tag nist: ['AU-14 (1)']