SaltStack Protect configuration

Overview

SaltStack Protect manages vulnerabilities on all the systems in your environment. Its content library includes advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries.

The content library is updated regularly as security standards change. You can configure this content to download (or ingest) automatically, which is recommended for most standard systems. As an alternative, you can download content manually.

Prerequisites

Configuring SaltStack Protect is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation topics:

Automatic content ingestion for standard systems

For non-air-gapped RaaS systems, SaltStack Protect content is downloaded and ingested on a periodic basis as determined by the settings in the configuration file.

To configure automatic SaltStack Protect content ingestion:

  1. Add the following section to the RaaS configuration file /etc/raas/raas, adapting it as necessary:

    vman:
      vman_dir: vman
      download_enabled: true
      download_frequency: 86400
      username: vman
      content_url: 'https://enterprise.saltstack.com/vman_downloads'
      ingest_on_boot: true
      compile_stats_interval: 60
      stats_snapshot_interval: 3600
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      tenable_asset_import_enabled: True
      tenable_asset_import_grains: ['fqdn', 'ipv4', 'ipv6', 'hostname', 'mac_address', 'netbios_name',
                                    'bios_uuid', 'manufacturer_tpm_id', 'ssh_fingerprint',
                                    'mcafee_epo_guid', 'mcafee_epo_agent_guid', 'symantec_ep_hardware_key',
                                    'qualys_asset_id', 'qualys_host_id', 'servicenow_sys_id', 'gcp_project_id',
                                    'gcp_zone', 'gcp_instance_id', 'azure_vm_id', 'azure_resource_id',
                                    'aws_availability_zone', 'aws_ec2_instance_ami_id',
                                    'aws_ec2_instance_group_name', 'aws_ec2_instance_state_name',
                                    'aws_ec2_instance_type', 'aws_ec2_name', 'aws_ec2_product_code',
                                    'aws_owner_id', 'aws_region', 'aws_subnet_id', 'aws_vpc_id',
                                    'installed_software', 'bigfix_asset_id'
                                    ]
    

    For more information about these configuration settings, see Configuration options.

  2. Save the file.

  3. Restart RaaS.

    systemctl restart raas
    

    After the service restarts, SaltStack Protect content begins to download. This may take up to five minutes, depending on your internet connection.

Manual content ingestion

Air-gapped systems must update SaltStack Protect content from one of the RaaS nodes. A system is treated as air-gapped when download_enabled is set to False in the vman section of the configuration (vman/download_enabled = False).

To configure ingestion for air-gapped systems:

  1. Download the SaltStack Protect content from the Downloads page.

  2. Log in to a RaaS node.

  3. Copy the SaltStack Protect content tarball to the RaaS node (/tmp is recommended).

    This content could be delivered by email or any other means.

  4. Ingest the tarball contents.

    su - raas -c "raas vman_ingest /path/to/vman.tar.gz.e"
    

    This returns:

    Extracting: /tmp/vman.tar.gz -> /tmp/extracted-1551290468.5497127
    
    Cleaning up: /tmp/extracted-1551290468.5497127
    
    Results:
    
    {'errors': [], 'success': True}
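
Because the tarball may arrive by email or other means, it is worth checking it before ingestion and checking the result afterwards. The following is an added example, not SaltStack code: it assumes you obtained the tarball's SHA-256 digest over a separate trusted channel, and the function names are hypothetical.

```python
import ast
import hashlib
import hmac
import shlex
import subprocess


def sha256_file(path, chunk=1 << 20):
    """Hash the tarball in chunks so large content files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def digest_matches(path, expected_hex):
    """expected_hex: SHA-256 received over a separate trusted channel (assumption)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def parse_ingest_result(output):
    """Return the dict printed on the line after 'Results:' by raas vman_ingest."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if "Results:" not in lines[:-1]:
        raise ValueError("no result found in vman_ingest output")
    # literal_eval only parses Python literals; it never executes the text.
    result = ast.literal_eval(lines[lines.index("Results:") + 1])
    if not isinstance(result, dict):
        raise ValueError("unexpected result type")
    return result


def ingest_ok(output):
    """True only when success is True and the errors list is empty."""
    result = parse_ingest_result(output)
    return result.get("success") is True and not result.get("errors")


def verify_and_ingest(path, expected_hex):
    """Refuse to ingest a tarball whose digest does not match, then check the result."""
    if not digest_matches(path, expected_hex):
        raise RuntimeError("SHA-256 mismatch: not ingesting " + path)
    # Same command as step 4; the path is quoted because su -c runs it through a shell.
    cmd = ["su", "-", "raas", "-c", "raas vman_ingest " + shlex.quote(path)]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return ingest_ok(proc.stdout)
```

Run verify_and_ingest as root on the RaaS node, since it calls su in the same way as step 4.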
    

Configuration options

The following table describes the configuration options that are available for SaltStack Protect:

| Option | Description |
| --- | --- |
| vman_dir | Location where SaltStack Protect content is expanded before ingestion. If the path is relative (no leading /), it is relative to the RaaS cache directory, /var/lib/raas/cache. |
| download_enabled | If True, SaltStack Protect content downloading is enabled. Set to False for air-gapped systems. |
| download_frequency | The frequency in seconds of automated SaltStack Protect content downloads and ingestion. |
| username | Username used to log in to enterprise.saltstack.com to get content. |
| content_url | URL from which SaltStack Protect content will be downloaded. |
| ingest_on_boot | If True, SaltStack Protect content will be downloaded and ingested soon after RaaS boot (default: True). |
| compile_stats_interval | How often (in seconds) SaltStack Protect stats will be compiled. |
| stats_snapshot_interval | How often (in seconds) SaltStack Protect stats will be collected. |
| old_policy_file_lifespan | Lifespan (in days) of old policy files that will remain in the RaaS file system. |
| delete_old_policy_files_interval | How often (in seconds) old SaltStack Protect policy files will be deleted from the RaaS file system. |
| tenable_asset_import_enabled | If True, minion grains in SaltStack Enterprise will be sent to Tenable.io for matching assets (default: True). |
| tenable_asset_import_grains | List of minion grains to send to Tenable.io, if Tenable asset import is enabled. SaltStack Protect supports only fqdn, ipv4, ipv6, and hostname out of the box; however, you can send other information by defining custom grains. For more on grains, including how to write custom grains, see Salt documentation: Grains. If you have only a subset of keys in your grains data, only those in the subset will be synced. fqdn and ipv4 will be sent even if you do not list them here. For more information, see the Tenable Import assets documentation. |
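
The Tenable options decide which minion data leaves your environment, and two of them apply without being set (the import defaults to True, and fqdn and ipv4 are always sent). The following added example, which is not part of SaltStack Protect, models those rules for a vman section already parsed into a dict; the function names, finding codes, HTTPS check and sample values are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Grains the page lists as supported out of the box; others need custom grains.
BUILTIN_GRAINS = {"fqdn", "ipv4", "ipv6", "hostname"}
# Sent to Tenable.io even when they are not listed in the configuration.
ALWAYS_SENT = {"fqdn", "ipv4"}


def exported_grains(vman, minion_grains):
    """Grain keys one minion sends to Tenable.io under the given vman settings."""
    if not vman.get("tenable_asset_import_enabled", True):  # documented default: True
        return set()
    listed = set(vman.get("tenable_asset_import_grains", [])) | ALWAYS_SENT
    # Only keys that exist in the minion's grains data are synced.
    return listed & set(minion_grains)


def audit_vman(vman):
    """Return (code, detail) findings for a parsed vman section (a dict)."""
    findings = []
    url = vman.get("content_url", "")
    if vman.get("download_enabled") and urlparse(url).scheme != "https":
        findings.append(("content-url-not-https", url))
    if "tenable_asset_import_enabled" not in vman:
        findings.append(("tenable-import-default-on", "unset, defaults to True"))
    if vman.get("tenable_asset_import_enabled", True):
        custom = set(vman.get("tenable_asset_import_grains", [])) - BUILTIN_GRAINS
        if custom:
            findings.append(("custom-grains-exported", ", ".join(sorted(custom))))
    return findings


# Constructed sample: a trimmed vman section and one minion's grains.
SAMPLE_VMAN = {
    "download_enabled": True,
    "content_url": "http://mirror.example.invalid/vman_downloads",
    "tenable_asset_import_grains": ["hostname", "aws_vpc_id"],
}
SAMPLE_MINION = {"fqdn": "web01.example.invalid", "ipv4": ["10.0.0.5"],
                 "hostname": "web01", "os": "Ubuntu", "aws_vpc_id": "vpc-constructed"}

if __name__ == "__main__":
    print(sorted(exported_grains(SAMPLE_VMAN, SAMPLE_MINION)))
    for code, detail in audit_vman(SAMPLE_VMAN):
        print(code, detail)
```

To audit a real deployment, load the vman section of /etc/raas/raas with a YAML parser and pass the resulting dict to audit_vman.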

Next steps

After configuring SaltStack Protect, there may be additional post-installation steps. Check the list of post-installation steps to ensure you have completed all the necessary steps.