Aria automation 8.12 edits

aria/automation/8.x/docs/README.md

@@ -1,6 +1,50 @@
-# VMware Aria (formerly vRealize Automation) 8.12 STIG Documentation
+# VMware Aria Automation 8.12 STIG Documentation
+
+## Compatibility
+This STIG Readiness Guide *Version 1 Release 4* is intended for versions 8.12 and 8.13 only. If you are still on version 8.11 or earlier please reference the guidance available [here](https://github.com/vmware/dod-compliance-and-automation/tree/e2df6ab7ed8cd72148ede03fed97d894885fe95c/aria/automation/8.x). If you are on version 8.13.1 or later, new STIG Readiness Guides are in development for those versions.
+
+|                     |        V1R3*       |         V1R4*      |
+|:-------------------:|:------------------:|:------------------:|
+|  8.6 GA to 8.11 GA  | :heavy_check_mark: |         :x:        |
+|  8.12 GA to 8.13 GA |         :x:        | :heavy_check_mark: |
+|      8.13.1 GA      |         :x:        |         :x:        |
+
+\* Denotes STIG Readiness Guide  
 
 ## Overview
 An XCCDF formatted XML is provided for the Aria Automation STIG Readiness Guide content for each component for use to view in the DISA [STIG Viewer](https://public.cyber.mil/stigs/stig-viewing-tools/).  
 
 The zip file here can be directly imported into the DISA STIG Viewer for review and checklist creation.
+
+This project folder contains content for compliance auditing and remediation of the VMware Aria Automation STIG Readiness Guide.
+
+The VMware Aria Automation Security Technical Implementation Guides (STIGs) provide security policy and configuration requirements for the use of VMware Aria Automation in the Department of Defense (DoD). The VMware Aria Automation STIG is comprised of the following:
+
+- VMware Aria Automation STIG 
+  - VMware Aria Automation Application
+  - VMware Aria Automation Appliance
+    - Docker
+    - Kubernetes
+    - Photon OS 3.0
+
+The VMware Aria Automation STIGs presume operation in an environment compliant with all applicable DoD guidance.
+
+All technical NIST SP 800-53 requirements were considered while developing this STIG. SRG requirements that are applicable and configurable are included in the SRG content spreadsheets. Other controls that are "Not Applicable", "Inherently Met" or "Does Not Meet" are not included.
+
+## Using this Repo
+
+In each of these areas you will find instructions on how to run those components and other relevant notes.  
+- docs - Supporting documentation will be made available here as needed.
+- inspec - Automation for auditing VMware Aria Automation for compliance.
+
+## Disclaimer
+
+VMware and DISA accept no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations.
+
+For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system’s particular circumstances and requirements is the system owner's responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible Authorizing Official.
+
+Furthermore, VMware and DISA implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the Department of Defense. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied both at the device hardening level as well as the architectural level. Some of the controls may not be configurable in environments outside the DoDIN.
+
+## License
+
+The dod-compliance-and-automation project is available under the [Apache License, Version 2.0](LICENSE).

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/CHANGELOG.md

@@ -7,7 +7,7 @@
   - VRAA-8X-000002
   - VRAA-8X-000005
   - VRAA-8X-000007
-  - VRAA-8X-000008
+  - VRAA-8X-000008 - fixed vracli command
   - VRAA-8X-000009
   - VRAA-8X-000012
   - VRAA-8X-000014
@@ -17,9 +17,9 @@
   - VRAA-8X-000091
   - VRAA-8X-000106
   - VRAA-8X-000107
-  - VRAA-8X-000123
-  - VRAA-8X-000125
-  - VRAA-8X-000126
+  - VRAA-8X-000123 - removed
+  - VRAA-8X-000125 - fixed fips mode check
+  - VRAA-8X-000126 - updated sshd config path
   - VRAA-8X-000127
   - VRAA-8X-000128
 - Include Photon controls locally (instead of linking to Photon profile) to handle updated sshd config file path specific to Aria Automation.

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/README.md

@@ -17,15 +17,6 @@ All technical NIST SP 800-53 requirements were considered while developing this
 - Update the inputs in the inspec.yml file as appropriate for the environment.
 - InSpec installed on target machine if running tests locally, or ssh enabled on the target machine if running tests remotely.
 
-## vRA InSpec Profiles
-
-InSpec profiles for vRA are available for each component or can be run all or some from a wrapper/overlay profile. Note the wrapper profile is setup to reference the other profiles from the same relative folder structure as seen below.  
-
-Repository paths:
-* [Photon](https://github.com/vmware/dod-compliance-and-automation/tree/master/photon/3.0/inspec/vmware-photon-3.0-stig-inspec-baseline)
-
-See the [InSpec docs](https://www.inspec.io/docs/reference/profiles/) for more info on profile dependencies and inheritance  
-
 ## How to run InSpec locally from Powershell on Windows
 
 **Note - assumes all relevant profiles are downloaded to C:\Inspec\Profiles\vmware-aria-automation-8x-stig-baseline**  

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000006.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i SyslogFacility
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i SyslogFacility
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000008.rb

@@ -9,7 +9,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i LogLevel
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i LogLevel
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000009.rb

@@ -9,7 +9,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i FipsMode
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i FipsMode
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000037.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i ClientAliveInterval
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i ClientAliveInterval
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000038.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i ClientAliveCountMax
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i ClientAliveCountMax
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000064.rb

@@ -13,7 +13,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i Ciphers
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i Ciphers
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000078.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i GSSAPIAuthentication
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i GSSAPIAuthentication
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000079.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i PermitUserEnvironment
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i PermitUserEnvironment
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000080.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i X11Forwarding
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i X11Forwarding
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000081.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i StrictModes
+    # T -f /etc/ssh/sshd_config_effective |&grep -i StrictModes
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000082.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i KerberosAuthentication
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i KerberosAuthentication
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000083.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i PermitEmptyPasswords
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i PermitEmptyPasswords
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000084.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i Compression
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i Compression
 
     Expected result:
 

aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000085.rb

@@ -5,7 +5,7 @@
   desc  'check', "
     At the command line, run the following command:
 
-    # sshd -t -f /etc/ssh/sshd_config_effective |&grep -i PrintLastLog
+    # sshd -T -f /etc/ssh/sshd_config_effective |&grep -i PrintLastLog
 
     Expected result: