SaltStack SecOps configuration

Overview

vRealize Automation SaltStack SecOps is an add-on that provides the following types of content:

  • Compliance - Automated compliance detection and remediation for your infrastructure. The compliance content library consists of industry best-practice security and compliance content, such as CIS.
  • Vulnerability - Manages vulnerabilities on all the systems in your environment. Its content library includes advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries.

Both content libraries update regularly as security standards change. You can configure content to download (or ingest) automatically as security standards change, which is recommended for most standard systems.

As an alternative, the libraries include the option to download content manually, or to access content from the RaaS node via an HTTP(s) proxy. Manual ingestion is useful for air-gapped systems, while downloading via proxy is useful to avoid downloading content directly from the internet. Downloading via proxy also provides more control and visibility into what’s being downloaded and where.

Prerequisites

Configuring SaltStack SecOps is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:

Install Python 3 rpm libraries

SaltStack SecOps uses the Python 3 rpm libraries to reliably compare package versions. These programs need the increased accuracy provided by these libraries to determine version compliance or assess vulnerabilities.

Currently, any minions using RedHat or CentOS 7 might need the Python 3 rpm libraries in order to run accurate compliance or vulnerability assessments. If you intend to run assessments on minions that use these versions of RedHat or CentOS, you need to manually install the Python 3 rpm library on these machines.

Note

Other workarounds are available. If you need an alternate workaround, Contact Support.

To install the Python 3 rpm library:

  1. Install the EPEL repository using the following command:

    yum install -y epel-release
    
  2. Install the Python 3 rpm library:

    yum install -y python3-rpm
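
To see why the rpm comparison semantics matter when deciding whether an installed package is at or above an advisory's fixed version, here is an added example (not the product's code) that re-implements rpm's rpmvercmp()/labelCompare() ordering in plain Python, treating the rare '^' separator as an ordinary separator; real assessments use the python3-rpm module installed above, and every version string in the test below is constructed.

```python
# Added example (not the product's code): plain-Python re-implementation of rpm's
# rpmvercmp()/labelCompare() ordering; the rare '^' separator is treated as a plain separator.
def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 like rpm: alnum segments in turn; numeric by value, numeric > alpha, '~' lowest."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip '.', '-', '_', ...
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = a[i:i + 1], b[j:j + 1]
        if "~" in (ta, tb):                      # '~' (pre-release) loses even to end of string
            if ta != tb:
                return 1 if tb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not ta or not tb:                     # one side exhausted
            break
        isnum = ta.isdigit()
        same = str.isdigit if isnum else str.isalpha
        sa, sb = i, j
        while i < len(a) and same(a[i]):
            i += 1
        while j < len(b) and same(b[j]):
            j += 1
        x, y = a[sa:i], b[sb:j]
        if not x or not y:                       # segment types differ: numeric is newer
            return -1 if not x else (1 if isnum else -1)
        if isnum:
            x, y = x.lstrip("0"), y.lstrip("0")  # compare by value: more digits wins
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1               # whichever still has segments left is newer

def label_compare(evr_a: str, evr_b: str) -> int:
    """Compare 'epoch:version-release' strings: epoch, then version, then release.
    Release is compared only when both sides carry one (a '>= 1.0' requirement has none)."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")     # missing epoch counts as 0
        version, _, release = rest.partition("-")
        return epoch or "0", version, release
    (ea, va, ra), (eb, vb, rb) = split(evr_a), split(evr_b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or (rpmvercmp(ra, rb) if ra and rb else 0)

def is_patched(installed_evr: str, fixed_evr: str) -> bool:
    return label_compare(installed_evr, fixed_evr) >= 0  # installed at or above the fix
```

A plain string comparison of the same two EVRs reports 1.10.0 as older than 1.9.5, which is exactly the kind of false "vulnerable" verdict the rpm library avoids.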
    

Automatic content ingestion for compliance content

For non-air-gapped RaaS systems, content is downloaded and ingested on a periodic basis as determined by the settings in the configuration file. In SaltStack Config 8.3.0, if you installed SaltStack Config using either a single-node or multi-node installation, automatic content ingestion is already configured and no further action is required.

If you installed SaltStack Config manually, follow these steps to configure automatic compliance content ingestion:

  1. To enable the compliance content, add the following to the RaaS service configuration file /etc/raas/raas in the sec section, adapting it as necessary:

    sec:
      stats_snapshot_interval: 3600
      username: secops
      content_url: https://enterprise.saltstack.com/secops_downloads
      ingest_saltstack_override: true
      ingest_custom_override: true
      locke_dir: locke
      post_ingest_cleanup: true
      download_enabled: true
      download_frequency: 86400
      compile_stats_interval: 10
      archive_interval: 300
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      ingest_on_boot: true
      content_lock_timeout: 60
      content_lock_block_timeout: 120
    

    For more information about these configuration settings, see Configuration options.

  2. To enable the vulnerability content, add the following section to the RaaS service configuration file /etc/raas/raas, adapting it as necessary:

    vman:
      vman_dir: vman
      download_enabled: true
      download_frequency: 86400
      username: vman
      content_url: 'https://enterprise.saltstack.com/vman_downloads'
      ingest_on_boot: true
      compile_stats_interval: 60
      stats_snapshot_interval: 3600
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      tenable_asset_import_enabled: True
      tenable_asset_import_grains: ['fqdn', 'ipv4', 'ipv6', 'hostname', 'mac_address', 'netbios_name',
                                    'bios_uuid', 'manufacturer_tpm_id', 'ssh_fingerprint',
                                    'mcafee_epo_guid', 'mcafee_epo_agent_guid', 'symantec_ep_hardware_key',
                                    'qualys_asset_id', 'qualys_host_id', 'servicenow_sys_id', 'gcp_project_id',
                                    'gcp_zone', 'gcp_instance_id', 'azure_vm_id', 'azure_resource_id',
                                    'aws_availability_zone', 'aws_ec2_instance_ami_id',
                                    'aws_ec2_instance_group_name', 'aws_ec2_instance_state_name',
                                    'aws_ec2_instance_type', 'aws_ec2_name', 'aws_ec2_product_code',
                                    'aws_owner_id', 'aws_region', 'aws_subnet_id', 'aws_vpc_id',
                                    'installed_software', 'bigfix_asset_id'
                                    ]
    
  3. Save the file.

  4. Restart the RaaS service:

    systemctl restart raas
    

After the service restarts, compliance content begins to download. This may take up to five minutes, depending on your internet connection.

Ingesting content via an HTTP(S) proxy

For ingestion via a proxy, you need to create a systemd override for the RaaS service and add environment variables for the HTTP and HTTPS proxy.

To configure the RaaS node to use an HTTPS proxy:

  1. Complete the previous steps to enable automatic ingestion.

  2. On the Salt controller in the command line, edit the RaaS service:

    systemctl edit raas
    
  3. Add the following lines to the generated file.

    [Service]
    Environment="http_proxy=http://<hostname>:234"
    Environment="https_proxy=https://<hostname>:234"
    Environment="HTTP_PROXY=http://<hostname>:234"
    Environment="HTTPS_PROXY=http://<hostname>:234"
    
  4. If your proxy requires password authentication, you may need to set this as part of the proxy environment variables. For example:

    Environment="HTTP_PROXY=http://USER:PASSWORD@<hostname>:234"
    
  5. If your proxy uses an internal Certificate Authority, you may also need to set the REQUESTS_CA_BUNDLE environment variable so that the RaaS service's HTTP client trusts certificates issued by that CA. For example:

    Environment="REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt"
    
  6. Restart the RaaS service:

    systemctl restart raas
    

After the service restarts, content begins to download. This may take up to 20 minutes.

Manual content ingestion

Air-gapped API (RaaS) systems must update compliance content from one of the RaaS nodes. Air-gapped systems are defined by a configuration setting of sec/download_enabled = False.

To configure ingestion for air-gapped systems:

  1. Download the compliance content from the Downloads page.

  2. Log in to a RaaS node.

  3. Copy the compliance content tarball to the RaaS node (/tmp is recommended).

    This content could be delivered by email or any other means.

  4. Ingest the tarball contents.

    su - raas -c "raas ingest /path/to/locke.tar.gz.e"
    

    This returns:

    Extracting: /tmp/locke.tar.gz -> /tmp/extracted-1551290468.5497127
    Cleaning up: /tmp/extracted-1551290468.5497127
    Results:
    {'errors': [], 'success': True}
    

Set up Splunk integration

SaltStack SecOps integrates with Splunk to help you optimize and secure your digital infrastructure using the SaltStack Config Add-On for Splunk Enterprise. The add-on is available on Splunkbase, and requires SaltStack Config version 6.3 or higher.

The SaltStack Config add-on in Splunk takes advantage of a new, Prometheus-compatible metrics endpoint which reports over 25 unique SaltStack Config metrics. These metrics provide insight into the health of your infrastructure. Accessing them in Splunk is useful for monitoring for outages, identifying abnormal activity, and more. It also gives you the ability to take automated actions based on a specific Splunk event using SaltStack Config.

For instructions on how to install and configure the add-on, see the full add-on documentation in the SaltStack knowledge base.

For more on the SaltStack Config metrics endpoint, see the Help Documentation embedded in the SaltStack Config user interface.

Configuration options

The following configuration options are available for compliance content:

  • stats_snapshot_interval - How often (in seconds) compliance stats are collected.
  • compile_stats_interval - How often (in seconds) compliance stats are compiled.
  • username - Username used when connecting to SaltStack Config to download the most recent compliance content (default: secops).
  • content_url - URL used to download compliance content (default: enterprise.saltstack.com/docs/downloads.html#saltstack-comply-and-protect-content).
  • ingest_override - When ingesting new content, overwrite existing benchmarks and checks (default: True).
  • locke_dir - Path where ingestion expects to find new content (default: locke). If you use a relative path (no leading /), it is relative to the RaaS service cache dir /var/lib/raas/cache.
  • post_ingest_cleanup - Remove the expanded content from the file system after ingestion (default: True).
  • download_enabled - Whether compliance content downloads are allowed (default: True). Set this to False for air-gapped systems.
  • download_frequency - How often (in seconds) the RaaS service attempts to download compliance content (default: 86400, that is, every 24 hours).
  • ingest_on_boot - Whether the RaaS service attempts to download compliance content on boot (default: True).
  • content_lock_timeout - How long (in seconds) content download locks last (default: 60).
  • content_lock_block_timeout - How long (in seconds) content download locks block before failing (default: 120).

The following configuration options are available for vulnerability content:

  • vman_dir - Location where vulnerability content is expanded before ingestion. If the path is relative (no leading /), it is relative to the RaaS service cache dir /var/lib/raas/cache.
  • download_enabled - If True, vulnerability content downloading is enabled. Set to False for air-gapped systems.
  • download_frequency - The frequency (in seconds) of automated vulnerability content downloads and ingestion.
  • username - Username used to log in to enterprise.saltstack.com to get content.
  • content_url - URL from which vulnerability content is downloaded.
  • ingest_on_boot - If True, vulnerability content is downloaded and ingested soon after the RaaS service boots (default: True).
  • compile_stats_interval - How often (in seconds) vulnerability stats are compiled.
  • stats_snapshot_interval - How often (in seconds) vulnerability stats are collected.
  • old_policy_file_lifespan - Lifespan (in days) of old policy files that remain in the RaaS file system.
  • delete_old_policy_files_interval - How often (in seconds) old vulnerability policy files are deleted from the RaaS file system.
  • tenable_asset_import_enabled - If True, minion grains in SaltStack Config are sent to Tenable.io for matching assets (default: True).
  • tenable_asset_import_grains - List of minion grains to send to Tenable.io, if Tenable asset import is enabled. Vulnerability supports only fqdn, ipv4, ipv6, and hostname out of the box; you can send other information by defining custom grains. For more on grains, including how to write custom grains, see the Salt documentation: Grains. If you have only a subset of these keys in your grains data, only those in the subset are synced. fqdn and ipv4 are sent even if you do not list them here. For more information, see the Tenable Import assets documentation.

FAQ

  • Q: How often is new Vulnerability content released?

    • A: The current release frequency is about once per quarter. However, content might be released more frequently in the future.
  • Q: Can I get access to new content sooner if I use automatic content ingestion instead of manual ingestion?

    • A: The same content is available, whether you ingest manually or automatically.

      However, if you use manual ingestion, you need to plan to check for security content updates and develop a process to manually ingest updated content when it is available.

Next steps

After configuring SaltStack SecOps, there may be additional post-installation steps. Check the list of post-installation steps to ensure you have completed all the necessary steps.