Previously released in April 2019 alongside SaltStack Enterprise 6.0, the SaltStack SecOps add-on added security policy compliance and vulnerability remediation capabilities to SaltStack Enterprise. SaltStack SecOps was well received in the industry and won several awards, including being named the hottest new cybersecurity product at RSA 2019 by CSO Online. In September 2020, VMware announced its intent to acquire SaltStack. By October 2020, VMware announced that it had closed on this acquisition and introduced VMware vRealize Automation SaltStack Config as the configuration management component in VMware vRealize Automation. Finally, in February 2021, VMware announced the release of VMware vRealize Automation SaltStack SecOps.
VMware vRealize Automation SaltStack SecOps is an add-on for VMware vRealize Automation SaltStack Config, which comes as part of the vRealize Automation product. VMware describes the product as the “compliance and vulnerability management component of vRealize Automation, delivering full-service, closed-loop automation for IT system compliance and vulnerability remediation.” The add-on introduces two additional sections within the VMware vRealize Automation SaltStack Config user interface: Compliance and Vulnerability. I will explore each of these components in more detail below.
The Compliance portion of the SecOps add-on allows you to manage benchmarks and checks and to define assessment policies. Per VMware, the product “includes a database of up-to-date, certified security content based on CIS and Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).” However, as I’ve found with many compliance benchmarking products, the out-of-box content is often outdated and missing the latest operating system releases. In the case of DISA STIGs, earlier this year VMware vRealize Automation SaltStack SecOps contained only a single STIG (Red Hat Enterprise Linux 7), but as of this month, STIG content for both Microsoft Windows Server 2016 and Microsoft Windows Server 2019 is available. DISA released the Microsoft Windows Server 2022 STIG, Version 1, Release 1 on September 28, 2022. Hopefully, it will become available within VMware vRealize Automation SaltStack SecOps sooner rather than later.
VMware’s Supported Security and Compliance Benchmarks documentation provides a list of supported benchmarks within VMware vRealize Automation SaltStack SecOps. However, I’ve found that the list is inaccurate (as of October 2022). Based on my review of the available compliance benchmarks in the product, the following compliance benchmarks are available in VMware vRealize Automation SaltStack SecOps:
OS/SW Name | Benchmark Authority | Benchmark Version | Benchmark Profiles |
---|---|---|---|
CentOS Linux 6 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
CentOS Linux 7 | CIS | v2.2.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Debian Linux 9 | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Docker 1.13.0 | CIS | v1.0.0 | Level 1 - Docker; Level 2 - Docker; Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Microsoft Windows 10 Enterprise Release 1703 | CIS | v1.3.0 | Level 1 - Workstation + BitLocker; Level 2 - Workstation + BitLocker |
Microsoft Windows Server 2012 R2 | CIS | v2.3.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server |
Microsoft Windows Server 2016 | DISA STIG | V2, R3; V2, R4 | Category I; Category II; Category III |
Microsoft Windows Server 2016 RTM (Release 1607) | CIS | v1.1.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server; Next Generation Windows Security |
Microsoft Windows Server 2019 | DISA STIG | V2, R3; V2, R4 | Category I; Category II; Category III |
Microsoft Windows Server 2019 RTM (Release 1809) | CIS | v1.0.0 | Level 1 - Domain Controller; Level 2 - Domain Controller; Level 1 - Member Server; Level 2 - Member Server; Next Generation Windows Security - Domain Controller; Next Generation Windows Security - Member Server |
Oracle Linux 7 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Red Hat Enterprise Linux 6 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Red Hat Enterprise Linux 7 | CIS | v2.2.0; v3.1.1 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Red Hat Enterprise Linux 7 | DISA STIG | Version 2, Release 4 | Category I; Category II; Category III |
Red Hat Enterprise Linux 8 | CIS | v1.0.0; v2.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
SUSE Linux Enterprise Server 12 | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
SUSE Linux Enterprise Server 15 | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Ubuntu Linux 14.04 LTS | CIS | v2.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Ubuntu Linux 16.04 LTS | CIS | v1.1.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
Ubuntu Linux 18.04 LTS | CIS | v1.0.0 | Level 1 - Server; Level 2 - Server; Level 1 - Workstation; Level 2 - Workstation |
VMware Photon OS 3.0 | VMware Hardening Guide | Version 1 | Category II; Category III |
VMware vRealize Automation SaltStack SecOps supports the creation of custom compliance content using the SaltStack SecOps Compliance Custom Content SDK. This SDK allows you to create, test, and build custom security content to use alongside the SaltStack SecOps built-in compliance library. Creating a custom compliance check is as simple as starting from the template files included in the SDK and defining both a state (.sls) file and a meta (.meta) file for each check. The SDK can test your content in Docker containers, and once the content is tested, the SDK can generate a tarball suitable for uploading into VMware vRealize Automation SaltStack SecOps.
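To make the state-file half of a custom check concrete, here is an added example of what the .sls side of a CIS-style hardening check can look like. It is ordinary Salt state syntax written for this post, not code from VMware or from the SecOps Custom Content SDK, and the check name, the drop-in sysctl file path and the choice of controls are assumptions; the companion .meta file that the SDK also requires is not reproduced here.

```yaml
# ensure_baseline_hardening.sls (hypothetical check name)
# Added illustration of the state (.sls) half of a custom SecOps
# compliance check. Not from VMware or the SDK; the .meta file the SDK
# pairs with this state is not shown. Values below are constructed.

# Control 1: IP forwarding disabled on the kernel.
# sysctl.present sets the running value and persists it in the file
# named by "config" (assumed drop-in path) so it survives a reboot.
net.ipv4.ip_forward:
  sysctl.present:
    - value: 0
    - config: /etc/sysctl.d/99-secops-ipforward.conf

# Control 2: a service the benchmark does not want exposed is stopped
# and not enabled at boot. service.dead stops it; enable: False
# removes it from the boot configuration.
avahi-daemon:
  service.dead:
    - enable: False

# Control 3: ownership and mode on /etc/passwd.
# replace: False keeps the file's existing content and only enforces
# user, group and mode, which is what a permissions check needs.
/etc/passwd:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - replace: False
```

Because these are standard Salt states, running them with `test=True` (for example `salt '<minion-id>' state.apply ensure_baseline_hardening test=True`) reports which of the three controls would change without changing anything, which gives you an assessment-style dry run; the same file applied without `test=True` performs the remediation.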
The Vulnerability portion of the VMware vRealize Automation SaltStack SecOps add-on allows you to assess and remediate your systems against the latest security advisories. Per VMware, it “is a vulnerability remediation solution that allows Security and IT teams to work together to assess the vulnerability status of your systems against the latest security advisories, including those that reference Common Vulnerabilities and Exposures (CVE).” This task is accomplished by defining a vulnerability policy, scanning target systems based on the policy, and remediating any advisory with an available remediation package.
I find this portion of the product quite intriguing due to the following:
Based on the lack of visibility into the vulnerabilities supported and the lack of frequent updates to the vulnerability database, I find it difficult to view this product as a serious solution for use in vulnerability assessment and management. From my experience thus far, the tool appears to primarily surface missing patch findings based on the guest operating systems’ built-in patching capabilities.
VMware vRealize Automation SaltStack SecOps Vulnerability supports the following operating systems:
Operating System | Versions |
---|---|
CentOS | 6, 7, 8 |
Red Hat Enterprise Linux | 6, 7, 8 |
Oracle Linux | 6, 7, 8 |
Ubuntu Linux | 16.x, 18.x |
Microsoft Windows | Microsoft Windows 10; Microsoft Windows Server 2008+; Microsoft Windows Server 2012 R2; Microsoft Windows Server 2016 R1607; Microsoft Windows Server 2019 R1809 |
It’s worth noting that the list does not contain the latest operating systems, including:
VMware vRealize Automation SaltStack SecOps supports importing results from third-party security scanners. After import, vRealize Automation SaltStack SecOps can be used to remediate the security advisories. The following third-party security scanning solutions are supported:
By default, vRealize Automation SaltStack SecOps regularly downloads and ingests the latest compliance and vulnerability data directly from VMware. If necessary, the product supports downloading this data via an HTTP proxy. If your SaltStack SecOps systems are on an air-gapped network, you can instead download the data manually from VMware Customer Connect and import the tarball files into the product. Per VMware, vulnerability data is updated quarterly, although VMware also states that this frequency could change in the future. VMware does not specify a frequency for new benchmark data releases but says that benchmarks are released independently of SaltStack SecOps releases.
VMware vRealize Automation SaltStack SecOps has the potential to be a useful tool when it comes to enforcing compliance with industry benchmarks. However, I’ve observed that new industry benchmarks have not been released in a timely fashion for enforcement via SaltStack SecOps. The lack of timely updates could be a roadblock to adopting the product within specific industries.
Regarding the tool’s vulnerability scanning and remediation capabilities, I do not see the product as a viable solution. The lack of a published vulnerability database and the infrequency of updates prevent the end user from knowing whether or not specific vulnerabilities exist within a system or if the tool is even checking systems for the vulnerability. Until VMware vRealize Automation SaltStack SecOps can list which vulnerabilities a system does and does not have, the solution itself will only be useful for remediating vulnerabilities imported from third-party vulnerability scanners.