SaltStack Comply configuration

Overview

SaltStack Comply is an add-on that provides automated compliance detection and remediation for your infrastructure. Its content library consists of industry best-practice security and compliance content, such as CIS.

The content library updates regularly as security standards change. You can configure content to download (or ingest) automatically as security standards change, which is recommended for most standard systems.

As an alternative, the library includes the option to download content manually, or to access content from the Enterprise API (RaaS) node via an HTTP(s) proxy. Manual ingestion is useful for air-gapped systems, while downloading via proxy is useful to avoid downloading content directly from the internet. Downloading via proxy also provides more control and visibility into what’s being downloaded and where.

Prerequisites

Configuring SaltStack Comply is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:

Install Python 3 rpm libraries

SaltStack Comply and SaltStack Protect use the Python 3 rpm libraries to reliably compare package versions. These programs need the increased accuracy provided by these libraries to determine version compliance or assess vulnerabilities.

Currently, any minions using RedHat or CentOS 7 might need the Python 3 rpm libraries in order to run accurate SaltStack Comply or SaltStack Protect assessments. If you intend to run assessments on minions that use these versions of RedHat or CentOS, you need to manually install the Python 3 rpm library on these machines.

Note

Other workarounds are available. If you need an alternate workaround, Contact Support.

To install the Python 3 rpm library:

  1. Install the EPEL repository using the following command:

    yum install -y epel-release
    
  2. Install the Python 3 rpm library:

    yum install -y python3-rpm
    

Automatic content ingestion for standard systems

For non-air-gapped Enterprise API systems, content is downloaded and ingested on a periodic basis as determined by the settings in the configuration file. In SaltStack Enterprise 6.4.0, if you installed SaltStack Enterprise using either a single-node or multi-node installation, automatic content ingestion is already configured and no further action is required.

If you installed SaltStack Enterprise manually, follow these steps to configure automatic SaltStack Comply content ingestion:

  1. Add the following to the RaaS service configuration file /etc/raas/raas in the sec section, adapting it as necessary:

    sec:
      stats_snapshot_interval: 3600
      username: secops
      content_url: https://enterprise.saltstack.com/secops_downloads
      ingest_saltstack_override: true
      ingest_custom_override: true
      locke_dir: locke
      post_ingest_cleanup: true
      download_enabled: true
      download_frequency: 86400
      compile_stats_interval: 10
      archive_interval: 300
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      ingest_on_boot: true
      content_lock_timeout: 60
      content_lock_block_timeout: 120
    

    For more information about these configuration settings, see Configuration options.

  2. Save the file.

  3. Restart the RaaS service:

    systemctl restart raas
    

    After the service restarts, SaltStack Comply content begins to download. This may take up to five minutes, depending on your internet connection.

Ingesting content via HTTP(S) proxy

For ingestion via proxy, you'll need to create an override to the RaaS service and add new environment variables for the HTTP proxy and HTTPS proxy.

To configure the Enterprise API (RaaS) node to use an HTTP(S) proxy:

  1. Complete the previous steps to enable automatic ingestion.

  2. On your Salt Master service, edit the RaaS service:

    systemctl edit raas
    
  3. Add the following lines to the generated file, replacing <hostname> and the port 234 with the address of your proxy. All four variables should name the same proxy URL, because different client libraries consult different spellings of the variable; the scheme describes how the proxy itself is reached, so a proxy that listens on plain HTTP is written as http:// in the https_proxy variables as well.

    [Service]
    Environment="http_proxy=http://<hostname>:234"
    Environment="https_proxy=http://<hostname>:234"
    Environment="HTTP_PROXY=http://<hostname>:234"
    Environment="HTTPS_PROXY=http://<hostname>:234"
    
  4. Restart the RaaS service:

    systemctl restart raas
    

    After the service restarts, content begins to download. This may take up to 20 minutes.

Manual content ingestion

Air-gapped Enterprise API systems must update SaltStack Comply content from one of the Enterprise API (RaaS) nodes. Air-gapped systems are defined by a configuration setting of sec/download_enabled = False.

To configure ingestion for air-gapped systems:

  1. Download the SaltStack Comply content from the Downloads page.

  2. Log in to an Enterprise API (RaaS) node.

  3. Copy the SaltStack Comply content tarball to the Enterprise API (RaaS) node (/tmp is recommended).

    This content could be delivered by email or any other means.

  4. Ingest the tarball contents.

    su - raas -c "raas ingest /path/to/locke.tar.gz.e"
    

    This returns:

    Extracting: /tmp/locke.tar.gz -> /tmp/extracted-1551290468.5497127
    Cleaning up: /tmp/extracted-1551290468.5497127
    Results:
    {'errors': [], 'success': True}

Configuration options

The following table describes the configuration options available for SaltStack Comply (all intervals and timeouts are in seconds):

stats_snapshot_interval
    How often SaltStack Comply stats are collected.
compile_stats_interval
    How often SaltStack Comply stats are compiled.
username
    Username used when connecting to SaltStack Enterprise to download the most recent SaltStack Comply content (default: secops).
content_url
    URL used to download SaltStack Comply content (default: enterprise.saltstack.com/docs/downloads.html#saltstack-comply-and-protect-content).
ingest_override
    When ingesting new content, overwrite existing benchmarks and checks (default: True).
locke_dir
    Path where ingestion expects to find new content (default: locke). A relative path (no leading /) is resolved against the RaaS service cache directory /var/lib/raas/cache.
post_ingest_cleanup
    Remove the expanded content from the file system after ingestion (default: True).
download_enabled
    Whether SaltStack Comply content downloads are allowed (default: True). Set this to False for air-gapped systems.
download_frequency
    How often the RaaS service attempts to download SaltStack Comply content (default: 86400, that is, every 24 hours).
ingest_on_boot
    Whether the RaaS service attempts to download SaltStack Comply content on boot (default: True).
content_lock_timeout
    How long a content download lock lasts (default: 60).
content_lock_block_timeout
    How long a caller blocks waiting for a content download lock before failing (default: 120).
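As an added check that is not part of the SaltStack documentation, the following Python script parses the sec section of an /etc/raas/raas file and the proxy drop-in from the "Ingesting content via proxy" section, and flags the inconsistencies a reviewer would look for: a lock block timeout shorter than the lock itself, a proxy configured on an air-gapped (download_enabled: False) node, and proxy variables that disagree on host or scheme. The sample file contents and the proxy hostname are constructed, and the parser handles only the flat key: value layout shown on this page, not general YAML.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (not from any real system): a 'sec' section and a proxy drop-in.
RAAS_CONF = """\
sec:
  download_enabled: false
  content_lock_timeout: 60
  content_lock_block_timeout: 30
"""
PROXY_DROPIN = """\
[Service]
Environment="http_proxy=http://proxy.example.internal:234"
Environment="https_proxy=https://proxy.example.internal:234"
Environment="HTTP_PROXY=http://proxy.example.internal:234"
Environment="HTTPS_PROXY=http://proxy.example.internal:234"
"""
def parse_sec(text):
    """Return the 'sec:' block as a dict (flat 'key: value' layout only, not full YAML)."""
    out, in_sec = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # any top-level key starts or ends the block
            in_sec = line.strip() == "sec:"
        elif in_sec:
            key, val = (s.strip() for s in line.split(":", 1))
            if val.lower() in ("true", "false"):
                val = val.lower() == "true"   # YAML booleans
            elif val.isdigit():
                val = int(val)                # intervals and timeouts
            out[key] = val
    return out

def parse_proxy_env(text):
    """Return {VAR: url} from the Environment="VAR=url" lines of a systemd drop-in."""
    return dict(re.findall(r'^Environment="([^=]+)=([^"]+)"', text, re.M))

def audit(sec, env):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    if sec.get("content_lock_block_timeout", 0) < sec.get("content_lock_timeout", 0):
        findings.append("content_lock_block_timeout < content_lock_timeout: waiters give up before the lock expires")
    if sec.get("download_enabled") is False and env:
        findings.append("download_enabled is False (air-gapped) yet a proxy is set: content must be ingested manually")
    parts = [urlsplit(u) for u in env.values()]
    if len({p.netloc for p in parts}) > 1 or len({p.scheme for p in parts}) > 1:
        findings.append("proxy variables disagree on host or scheme; all four should name the same proxy")
    return findings
```

Run audit(parse_sec(open("/etc/raas/raas").read()), parse_proxy_env(open(path_to_dropin).read())) on a RaaS node to check the real files; the constructed samples above produce three findings.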

Next steps

After configuring SaltStack Comply, there may be additional post-installation steps. Check the list of post-installation steps to ensure you have completed all the necessary steps.