SaltStack Protect configuration

Overview

SaltStack Protect manages vulnerabilities on all the systems in your environment. Its content library includes advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries.

The content library is updated regularly as new advisories are published. You can configure content to be downloaded (or ingested) automatically whenever it changes, which is recommended for most standard systems.

As an alternative, the library includes the option to download content manually, or to access content from the Enterprise API (RaaS) node via an HTTP(s) proxy. Manual ingestion is useful for air-gapped systems, while downloading via proxy is useful to avoid downloading content directly from the internet. Downloading via proxy also provides more control and visibility into what’s being downloaded and where.

Prerequisites

Configuring SaltStack Protect is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:

Install Python 3 rpm libraries

SaltStack Comply and SaltStack Protect use the Python 3 rpm libraries to reliably compare package versions. These programs need the increased accuracy provided by these libraries to determine version compliance or assess vulnerabilities.

Currently, any minions using RedHat or CentOS 7 might need the Python 3 rpm libraries in order to run accurate SaltStack Comply or SaltStack Protect assessments. If you intend to run assessments on minions that use these versions of RedHat or CentOS, you need to manually install the Python 3 rpm library on these machines.

Note

Other workarounds are available. If you need an alternate workaround, contact Support.

To install the Python 3 rpm library:

  1. Install the EPEL repository using the following command:

    yum install -y epel-release
    
  2. Install the Python 3 rpm library:

    yum install -y python3-rpm
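To see why the page insists on the rpm libraries for version comparison, here is an added example (not SaltStack or rpm code) that reimplements rpm's version ordering in pure Python and contrasts it with naive string comparison. The package versions are constructed, and treating a missing epoch or release as "0" is the example's own assumption. On a minion where python3-rpm is installed, rpm.labelCompare() is the authoritative implementation of the same rules.

```python
"""Pure-Python rpm version comparison, to show why SaltStack Protect wants
the rpm libraries rather than plain string comparison. Added example, not
SaltStack or rpm code; package versions below are constructed. On a host
with python3-rpm installed, rpm.labelCompare() is the authoritative check."""


def _take(s: str, start: int, pred) -> str:
    """Return the run of characters from s[start] for which pred holds."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm's rules).

    Digit runs compare numerically, letter runs lexically, separators are
    ignored; '~' sorts before anything (pre-releases) and '^' sorts after
    the bare version but before any other suffix.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-' and '_' on both sides.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        is_num = a[i].isdigit()
        pred = str.isdigit if is_num else str.isalpha
        seg_a, seg_b = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:
            return 1 if is_num else -1  # a numeric segment beats an alphabetic one
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever side has characters left is newer


def label_compare(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) triples: epoch, then version, then release.
    Missing fields are treated as "0" (this example's assumption, e.g. an absent epoch)."""
    for x, y in zip(evr_a, evr_b):
        x = "0" if x in (None, "") else str(x)
        y = "0" if y in (None, "") else str(y)
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def is_vulnerable(installed_evr, fixed_evr) -> bool:
    """True when the installed package is older than the version that fixes the advisory."""
    return label_compare(installed_evr, fixed_evr) < 0


def naive_is_vulnerable(installed_version: str, fixed_version: str) -> bool:
    """Plain string comparison: the mistake the rpm libraries avoid."""
    return installed_version < fixed_version


if __name__ == "__main__":
    installed = ("0", "1.10.0", "1.el7")  # constructed package versions
    fixed_in = ("0", "1.9.3", "2.el7")
    print("string compare says vulnerable:", naive_is_vulnerable(installed[1], fixed_in[1]))
    print("rpm-style compare says vulnerable:", is_vulnerable(installed, fixed_in))
```

The constructed case is the classic one: 1.10.0 is newer than 1.9.3, but a string comparison sorts "1.10.0" before "1.9.3" and would report the host as vulnerable, which is exactly the kind of false assessment the rpm libraries prevent.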
    

Automatic content ingestion for standard systems

For non-air-gapped Enterprise API systems, SaltStack Protect content is downloaded and ingested on a periodic basis as determined by the settings in the configuration file.

To configure automatic SaltStack Protect content ingestion:

  1. Add the following section to the RaaS service configuration file /etc/raas/raas, adapting it as necessary:

    vman:
      vman_dir: vman
      download_enabled: true
      download_frequency: 86400
      username: vman
      content_url: 'https://enterprise.saltstack.com/vman_downloads'
      ingest_on_boot: true
      compile_stats_interval: 60
      stats_snapshot_interval: 3600
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      tenable_asset_import_enabled: True
      tenable_asset_import_grains: ['fqdn', 'ipv4', 'ipv6', 'hostname', 'mac_address', 'netbios_name',
                                    'bios_uuid', 'manufacturer_tpm_id', 'ssh_fingerprint',
                                    'mcafee_epo_guid', 'mcafee_epo_agent_guid', 'symantec_ep_hardware_key',
                                    'qualys_asset_id', 'qualys_host_id', 'servicenow_sys_id', 'gcp_project_id',
                                    'gcp_zone', 'gcp_instance_id', 'azure_vm_id', 'azure_resource_id',
                                    'aws_availability_zone', 'aws_ec2_instance_ami_id',
                                    'aws_ec2_instance_group_name', 'aws_ec2_instance_state_name',
                                    'aws_ec2_instance_type', 'aws_ec2_name', 'aws_ec2_product_code',
                                    'aws_owner_id', 'aws_region', 'aws_subnet_id', 'aws_vpc_id',
                                    'installed_software', 'bigfix_asset_id'
                                    ]
    

    For more information about these configuration settings, see Configuration options.

  2. Save the file.

  3. Restart the RaaS service.

    systemctl restart raas
    

    After the service restarts, SaltStack Protect content begins to download. This may take up to five minutes, depending on your internet connection.
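An added example (not SaltStack code) that checks the vman section above for mistakes that silently stop content updates: a quoted 'true' that YAML reads as a string, a plain-http content_url, a zero download_frequency, and a download_enabled value that contradicts whether the node is meant to be air-gapped. The option names are the ones documented on this page; the sample configurations and the wording of the findings are constructed, and reading the file with PyYAML is an assumption.

```python
"""Sanity checks for the vman: section of /etc/raas/raas.

Added example for this page, not part of SaltStack Enterprise. Option names
come from the page; the sample configurations below are constructed."""

# Mirrors the documented example: booleans unquoted, https URL, daily refresh.
RECOMMENDED = {
    "vman_dir": "vman",
    "download_enabled": True,
    "download_frequency": 86400,
    "username": "vman",
    "content_url": "https://enterprise.saltstack.com/vman_downloads",
    "ingest_on_boot": True,
}

# Constructed weak configuration: 'true' in quotes is a YAML *string*, the
# content URL is plain http, and the download frequency is zero.
WEAK = {
    "vman_dir": "vman",
    "download_enabled": "true",
    "download_frequency": 0,
    "content_url": "http://mirror.example.internal/vman_downloads",
    "ingest_on_boot": True,
}


def check_vman_settings(vman: dict, air_gapped: bool = False) -> list:
    """Return findings for the vman: section; an empty list means it looks sane.

    air_gapped states whether this node is meant to be air-gapped, so a
    download_enabled value that contradicts that intent is reported.
    """
    findings = []
    enabled = vman.get("download_enabled")
    if not isinstance(enabled, bool):
        findings.append("download_enabled must be a YAML boolean (true/false), "
                        f"got {enabled!r}")
    elif enabled and air_gapped:
        findings.append("air-gapped node has download_enabled: true; "
                        "set it to false and ingest content manually")
    elif not enabled and not air_gapped:
        findings.append("download_enabled is false, so content will never "
                        "refresh automatically on this node")
    if enabled:
        url = str(vman.get("content_url", ""))
        if not url.startswith("https://"):
            findings.append(f"content_url {url!r} is not https://; advisories "
                            "would be fetched over an unauthenticated channel")
        freq = vman.get("download_frequency")
        if isinstance(freq, bool) or not isinstance(freq, int) or freq <= 0:
            findings.append("download_frequency must be a positive number of "
                            f"seconds, got {freq!r}")
        if vman.get("ingest_on_boot") is False:
            findings.append("ingest_on_boot is false; new content is applied "
                            "only when the download_frequency timer fires")
    grains = vman.get("tenable_asset_import_grains")
    if grains is not None and (not isinstance(grains, list)
                               or not all(isinstance(g, str) for g in grains)):
        findings.append("tenable_asset_import_grains must be a list of grain names")
    return findings


def load_vman_section(path: str = "/etc/raas/raas") -> dict:
    """Read the vman: section from the RaaS config (assumes PyYAML on the node)."""
    import yaml  # imported here so the checks above run without PyYAML
    with open(path) as f:
        return (yaml.safe_load(f) or {}).get("vman", {})


if __name__ == "__main__":
    for name, cfg in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(name, "->", check_vman_settings(cfg) or "no findings")
```

Run it against the live file with check_vman_settings(load_vman_section()) before restarting the service; the air_gapped flag lets the same check confirm that an air-gapped node really has downloading switched off.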

Ingesting content via http(s) proxy

For ingestion via proxy, you need to create a systemd override for the RaaS service and add environment variables for the HTTP and HTTPS proxy.

To configure the Enterprise API (RaaS) node to use an HTTP(S) proxy:

  1. Complete the previous steps to enable automatic ingestion.

  2. On your Salt Master service, edit the RaaS service:

    systemctl edit raas
    
  3. Add the following lines to the generated file.

    [Service]
    Environment="http_proxy=http://<hostname>:234"
    Environment="https_proxy=https://<hostname>:234"
    Environment="HTTP_PROXY=http://<hostname>:234"
    Environment="HTTPS_PROXY=http://<hostname>:234"
    
  4. Restart the RaaS service:

    systemctl restart raas
    

    After the service restarts, content begins to download. This may take up to 20 minutes.

Manual content ingestion

Air-gapped Enterprise API systems must update SaltStack Protect content from one of the Enterprise API (RaaS) nodes. Air-gapped systems are defined by a configuration setting of vman/download_enabled = False.

To configure ingestion for air-gapped systems:

  1. Download the SaltStack Protect content from the Downloads page.

  2. Log in to an Enterprise API (RaaS) node.

  3. Copy the SaltStack Protect content tarball to the Enterprise API (RaaS) node (/tmp is recommended).

    This content could be delivered by email or any other means.

  4. Ingest the tarball contents.

    su - raas -c "raas vman_ingest /path/to/vman.tar.gz.e"
    

    This returns:

    Extracting: /tmp/vman.tar.gz -> /tmp/extracted-1551290468.5497127
    Cleaning up: /tmp/extracted-1551290468.5497127
    Results:
    {'errors': [], 'success': True}
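A wrapper for the manual ingestion step, added here as an example and not part of SaltStack Enterprise. Because the tarball may arrive by email or on removable media, it verifies the file against a checksum before handing it to raas vman_ingest, then parses the Results line shown above and fails on any reported error. The sample outputs are constructed from the page's own output format, the expected checksum is a placeholder, and that a SHA-256 is published alongside the download is an assumption.

```python
"""Verify, ingest and check the result of a manual SaltStack Protect ingestion.

Added example, not SaltStack code. Sample outputs below are constructed to
match the format printed by `raas vman_ingest` on this page."""

import ast
import hashlib
import re
import shlex
import subprocess

# Constructed: the successful output shown on this page.
SAMPLE_OUTPUT = """Extracting: /tmp/vman.tar.gz -> /tmp/extracted-1551290468.5497127
Cleaning up: /tmp/extracted-1551290468.5497127
Results:
{'errors': [], 'success': True}
"""

# Constructed: what a failed ingestion would look like in the same format.
FAILED_OUTPUT = """Extracting: /tmp/vman.tar.gz -> /tmp/extracted-0
Cleaning up: /tmp/extracted-0
Results:
{'errors': ['constructed example error'], 'success': False}
"""

RESULTS_RE = re.compile(r"^\s*Results:\s*$", re.M)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Stream the tarball through SHA-256 so large files need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_ingest_output(text: str) -> dict:
    """Return the dict printed after 'Results:' ({'errors': [...], 'success': bool})."""
    m = RESULTS_RE.search(text)
    if not m:
        raise ValueError("no Results: section in vman_ingest output")
    first_line = text[m.end():].strip().splitlines()[0]
    # The dict is a Python repr, so use literal_eval, never eval().
    return ast.literal_eval(first_line)


def ingest_ok(result: dict) -> bool:
    """Success means success is true AND the error list is empty."""
    return bool(result.get("success")) and not result.get("errors")


def ingest(tarball: str, expected_sha256: str) -> dict:
    """Check the tarball's digest, run the documented command as raas, check the result."""
    actual = sha256_of(tarball)
    if actual != expected_sha256.lower():
        raise RuntimeError(f"checksum mismatch for {tarball}: got {actual}")
    cmd = ["su", "-", "raas", "-c", f"raas vman_ingest {shlex.quote(tarball)}"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    result = parse_ingest_output(proc.stdout)
    if not ingest_ok(result):
        raise RuntimeError(f"ingestion failed: {result.get('errors')}")
    return result


if __name__ == "__main__":
    # Placeholder values: take the real digest from wherever the content was obtained.
    print(ingest("/tmp/vman.tar.gz.e", "<expected-sha256-placeholder>"))
```

Parsing the Results dict rather than grepping for "success" matters because a run can print success with a non-empty error list; ingest_ok treats that as a failure.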
    

Configuration options

The following table describes the configuration options that are available for SaltStack Protect; each option is listed with its description.

vman_dir
    Location where SaltStack Protect content is expanded before ingestion. If the path is relative (no leading /), it is relative to the RaaS service cache directory, /var/lib/raas/cache.

download_enabled
    If True, SaltStack Protect content downloading is enabled. Set to False for air-gapped systems.

download_frequency
    The frequency, in seconds, of automated SaltStack Protect content downloads and ingestion.

username
    Username used to log in to enterprise.saltstack.com to get content.

content_url
    URL from which SaltStack Protect content will be downloaded.

ingest_on_boot
    If True, SaltStack Protect content will be downloaded and ingested soon after the RaaS service boots (default: True).

compile_stats_interval
    How often (in seconds) SaltStack Protect stats will be compiled.

stats_snapshot_interval
    How often (in seconds) SaltStack Protect stats will be collected.

old_policy_file_lifespan
    Lifespan (in days) of old policy files that will remain in the Enterprise API (RaaS) file system.

delete_old_policy_files_interval
    How often (in seconds) old SaltStack Protect policy files will be deleted from the Enterprise API (RaaS) file system.

tenable_asset_import_enabled
    If True, minion grains in SaltStack Enterprise will be sent to Tenable.io for matching assets (default: True).

tenable_asset_import_grains
    List of minion grains to send to Tenable.io, if Tenable asset import is enabled.

    SaltStack Protect supports only fqdn, ipv4, ipv6, and hostname out of the box; however, you can send other information by defining custom grains. For more on grains, including how to write custom grains, see Salt documentation: Grains.

    If you have only a subset of these keys in your grains data, only those in the subset will be synced.

    fqdn and ipv4 will be sent even if you do not list them here.

    For more information, see the Tenable Import assets documentation.
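An added example, not SaltStack code, that applies the grain rules just described: fqdn and ipv4 are always sent, the other listed grains only when the minion actually reports them, and any grain outside fqdn, ipv4, ipv6 and hostname needs a custom grain module before it can be populated. The minion grain data is constructed.

```python
"""Model of which minion grains are forwarded to Tenable.io under the rules
documented above. Added example, not SaltStack code; grain data is constructed."""

ALWAYS_SENT = ("fqdn", "ipv4")                    # sent even if not configured
BUILTIN = {"fqdn", "ipv4", "ipv6", "hostname"}    # supported out of the box

# Constructed minion grains: no ipv6 address, and no cloud grains defined.
MINION_GRAINS = {
    "fqdn": "web01.example.internal",
    "ipv4": ["10.0.0.12"],
    "hostname": "web01",
    "os": "CentOS",
}


def select_tenable_grains(configured: list, minion_grains: dict) -> dict:
    """Return the grain subset that would be sent for one minion.

    Only grains present in the minion's data are synced; fqdn and ipv4 are
    added to the configured list automatically.
    """
    wanted = list(ALWAYS_SENT) + [g for g in configured if g not in ALWAYS_SENT]
    return {g: minion_grains[g] for g in wanted if g in minion_grains}


def custom_grains_required(configured: list) -> set:
    """Configured grains that will stay empty until a custom grain provides them."""
    return {g for g in configured if g not in BUILTIN}


if __name__ == "__main__":
    configured = ["ipv6", "hostname", "aws_region", "bios_uuid"]
    print("sent:", select_tenable_grains(configured, MINION_GRAINS))
    print("need custom grains:", sorted(custom_grains_required(configured)))
```

Running custom_grains_required over the long list in the configuration example above shows which entries are inert until a custom grain module populates them, which is worth checking before assuming Tenable.io will match assets on, say, aws_region.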

FAQ

  • Q: How often is new SaltStack Protect content released?

    • A: The current release frequency is about once per quarter. However, content might be released more frequently in the future.

  • Q: Can I get access to new content sooner if I use automatic content ingestion instead of manual ingestion?

    • A: The same content is available, whether you ingest manually or automatically.

      However, if you use manual ingestion, you need to plan to check for security content updates and develop a process to manually ingest updated content when it is available.

Next steps

After configuring SaltStack Protect, there may be additional post-installation steps. Check the list of post-installation steps to ensure you have completed all the necessary steps.