
Cloud Foundation

Performing compliance automation tasks for VMware Cloud Foundation.

1 - Audit Cloud Foundation 5.x

Auditing VCF 5.x for STIG Compliance

Overview

Auditing VCF for STIG compliance involves scanning the SDDC Manager appliance.

Scanning other components of a VCF deployment such as vSphere and NSX is documented in those sections on this site.

Prerequisites

Versions listed below were used for this documentation. Other versions of these tools may work as well, but if issues are found it is recommended to try the versions listed here.

  • InSpec/CINC Auditor 6.6.0
  • SAF CLI 1.4.0
  • STIG Viewer 2.17
  • A VCF 5.x environment.
  • An account with access to VCF.

Assumptions

  • Commands are run from a Linux machine. Windows will also work, but paths and commands may need to be adjusted from the examples.
  • The DOD Compliance and Automation repository downloaded and extracted to /usr/share/stigs.
  • CINC Auditor is used in lieu of InSpec. If InSpec is used, replace cinc-auditor with inspec when running commands.

Auditing SDDC Manager

Generate bearer token for SDDC Manager

The SDDC Manager InSpec profile connects to the API via a bearer token to query some configurations when auditing.

This example uses curl to generate a token. This can also be done via other methods such as Postman or the UI as shown below.

curl -k 'https://sddc-manager.vrack.vsphere.local/v1/tokens' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -d '{
  "username" : "administrator@vsphere.local",
  "password" : "replaceme"
}'

A token can also be generated in the UI by going to Developer Center » API Explorer » Tokens.

Retrieve the token by copying the value in the accessToken field.

Update profile inputs

Included in the vmware-cloud-foundation-sddcmgr-5x-stig-baseline is an example inputs file with variables relevant to SDDC Manager. This is used to provide InSpec with values specific to the environment being audited.

Open the inputs file for editing.

For VCF 5.1.x (v1r2-srg):

# Navigate to the InSpec profile folder
cd /usr/share/stigs/vcf/5.x/v1r2-srg/inspec/vmware-cloud-foundation-sddcmgr-5x-stig-baseline/

# Edit the inputs file
vi inputs-vcf-sddcmgr-example.yml

For VCF 5.0.x (v1r1-srg):

# Navigate to the InSpec profile folder
cd /usr/share/stigs/vcf/5.x/v1r1-srg/inspec/vmware-cloud-foundation-sddcmgr-5x-stig-baseline/

# Edit the inputs file
vi inputs-vcf-sddcmgr-example.yml

Update the inputs as shown below with values relevant to your environment, specifically syslogServer, sddcManager, bearerToken, sftpBackupsEnabled, sftpServer, ntpServers, currentVersion, and myVmwareAccount. Note that the bearerToken value includes the "Bearer " prefix in front of the accessToken, as in the example.

For VCF 5.1.x (v1r2-srg):

# Inputs for Photon OS.
authprivlog: /var/log/messages
sshdcommand: "sshd -T -C 'user=vcf'"
# Enter environment specific syslog server with port. replace.local:514
syslogServer: 'replace.local:514'
# Inputs for PostgreSQL. No updates needed.
postgres_user: postgres
pg_data_dir: /data/pgdata/
pg_log_dir: /var/log/postgres
pg_owner: postgres
pg_group: users
# SDDC Manager Application
# Enter SDDC Manager FQDN/IP
sddcManager: 'sddc-manager.vsphere.local'
# Enter bearer token for API based tests
bearerToken: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJqd...'
# Set to true if file based/sftp backups are used for SDDC Manager. Set to false if image based backups are used.
sftpBackupsEnabled: true
# Enter environment specific sftp server.
sftpServer: '10.1.2.3'
# Enter environment specific ntp servers. This is an array.
ntpServers: ['time-a-g.nist.gov','time-b-g.nist.gov']
# Enter latest version of SDDC manager with build.
currentVersion: '5.1.0.0-22688368'
# Enter myvmware account used to pull updates in SDDC Manager if used.
myVmwareAccount: 'myvmwarevcfaccount@test.local'

For VCF 5.0.x (v1r1-srg):

# Inputs for Photon OS.
authprivlog: /var/log/audit/auth.log
sshdcommand: "sshd -T -C 'user=vcf'"
# Enter environment specific syslog server with port. replace.local:514
syslogServer: 'replace.local:514'
# Inputs for PostgreSQL. No updates needed.
postgres_user: postgres
pg_data_dir: /data/pgdata/
pg_log_dir: /var/log/postgres
pg_owner: postgres
pg_group: users
# SDDC Manager Application
# Enter SDDC Manager FQDN/IP
sddcManager: 'sddc-manager.vsphere.local'
# Enter bearer token for API based tests
bearerToken: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJqd...'
# Set to true if file based/sftp backups are used for SDDC Manager. Set to false if image based backups are used.
sftpBackupsEnabled: true
# Enter environment specific sftp server.
sftpServer: '10.1.2.3'
# Enter environment specific ntp servers. This is an array.
ntpServers: ['time-a-g.nist.gov','time-b-g.nist.gov']
# Enter latest version of SDDC manager with build. 5.0.0.0-21822418
currentVersion: '5.0.0.0-21822418'
# Enter myvmware account used to pull updates in SDDC Manager if used.
myVmwareAccount: 'myvmwarevcfaccount@test.local'

Update the SSH config to allow scan

By default the SDDC Manager appliance does not allow root SSH, and the vcf user does not have the privileges required to complete the scan, so root SSH must be temporarily enabled. This change can be reversed once the audit is complete.

# Allow root SSH into SDDC manager
ssh vcf@sddc-manager.vsphere.local
su -
vi /etc/ssh/sshd_config
# Update PermitRootLogin from no to yes and save
systemctl restart sshd

Run the audit

In this example we will be scanning a target SDDC Manager from a Linux machine, specifying an inputs file, and outputting a report both to the CLI and to a JSON file.

For VCF 5.1.x (v1r2-srg):

# Navigate to the InSpec profile folder
cd /usr/share/stigs/vcf/5.x/v1r2-srg/inspec/vmware-cloud-foundation-sddcmgr-5x-stig-baseline/

# Run InSpec
cinc-auditor exec . -t ssh://root@sddc-manager.vsphere.local --password 'replaceme' --show-progress --enhanced-outcomes --input-file inputs-vcf-sddcmgr-example.yml --reporter cli json:/tmp/reports/VCF_5.1.0_SDDC_Manager_STIG_Report.json

# Shown below is the last part of the output at the CLI.
  ✔  CFUI-5X-000019: The SDDC Manager UI service log files must only be accessible by privileged users.
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.server.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.server.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.server.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.client.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.client.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/user-logs/administrator-vsphere.local/administrator.client.log group is expected to cmp == "vcf"
  ✔  CFUI-5X-000022: The SDDC Manager UI service must offload logs to a centralized logging server.
     ✔  File /etc/rsyslog.d/stig-services-sddc-manager-ui-app.conf content is expected to eq "module(load=\"imfile\" mode=\"inotify\")\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/vcf/sd...     Tag=\"vcf-sddc-manager-ui-app-user-logs\"\n      Severity=\"info\"\n      Facility=\"local0\")"
  ✔  CFUI-5X-000034: The SDDC Manager UI service must have Web Distributed Authoring (WebDAV) disabled.
     ✔  Command: `(cd /opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/ && npm list 2>/dev/null | grep webdav)` stdout.strip is expected to eq ""
  ✔  CFUI-5X-000044: The SDDC Manager UI service directory tree must be secured.
     ✔  Command: `find /opt/vmware/vcf/sddc-manager-ui-app/ -xdev -type f -a '(' -perm -o+w -o -not -user vcf_sddc_manager_ui_app -o -not -group vcf ')' -exec ls -ld {} \;` stdout.strip is expected to eq ""

Profile Summary: 200 successful controls, 9 control failures, 0 controls skipped
Test Summary: 974 successful, 21 failures, 0 skipped
For VCF 5.0.x (v1r1-srg):

# Navigate to the InSpec profile folder
cd /usr/share/stigs/vcf/5.x/v1r1-srg/inspec/vmware-cloud-foundation-sddcmgr-5x-stig-baseline/

# Run InSpec
cinc-auditor exec . -t ssh://root@sddc-manager.vsphere.local --password 'replaceme' --show-progress --enhanced-outcomes --input-file inputs-vcf-sddcmgr-example.yml --reporter cli json:/tmp/reports/VCF_5.0.0_SDDC_Manager_STIG_Report.json
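The JSON report written by the --reporter json option above is what the CKL conversion consumes, but it is also the quickest place to find the control failures behind a "9 control failures" summary. The following is an added example, not part of the DOD Compliance and Automation project: it parses the InSpec JSON reporter structure (profiles, controls, results), rolls each control up to one outcome, and lists failed controls highest impact first. The embedded report and the control titles not shown on this page are constructed for the example, and the outcome rules are a simplified version of InSpec's.

```python
"""Triage an InSpec/CINC Auditor JSON report before converting it to CKL.

Added example, not the project's own code. Reads the report produced by
"--reporter json:/tmp/reports/..." and lists failing controls so they can be
remediated first. SAMPLE_REPORT below is constructed in the shape of the
InSpec JSON reporter output; a real report holds hundreds of controls.
"""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "profiles": [{
        "name": "vmware-cloud-foundation-sddcmgr-5x-stig-baseline",
        "controls": [
            {"id": "CFUI-5X-000019", "impact": 0.5,
             "title": "The SDDC Manager UI service log files must only be accessible by privileged users.",
             "results": [
                 {"status": "passed", "code_desc": "File /var/log/vmware/vcf/sddc-manager-ui-app/access.log is expected not to be writable by others"},
                 {"status": "passed", "code_desc": "File /var/log/vmware/vcf/sddc-manager-ui-app/access.log group is expected to cmp == \"vcf\""}]},
            {"id": "CFAP-5X-000129", "impact": 0.7,
             "title": "The SDDC Manager must disable basic authentication.",  # constructed title
             "results": [
                 {"status": "failed", "code_desc": "JSON basicAuthDetails.status is expected to cmp == \"DISABLED\"",
                  "message": "\nexpected: \"DISABLED\"\n     got: \"ENABLED\"\n"}]},
            {"id": "CFAP-5X-000128", "impact": 0.5,
             "title": "The SDDC Manager must use an account dedicated for downloading updates and patches.",
             "results": [{"status": "skipped", "skip_message": "This control must be manually reviewed."}]},
            {"id": "CFAP-5X-000002", "impact": 0.0,  # impact 0 => not applicable (constructed)
             "title": "Constructed not-applicable control.",
             "results": []},
        ]}]
})


def control_outcome(control):
    """Roll a control's individual test results up to one outcome.

    Simplified version of InSpec's rules: impact 0 is not applicable, any
    failed test fails the control, no results or only skipped tests means
    the control was skipped, otherwise it passed.
    """
    if float(control.get("impact", 0)) == 0:
        return "not_applicable"
    statuses = [r.get("status") for r in control.get("results", [])]
    if "failed" in statuses:
        return "failed"
    if not statuses or all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"


def triage(report_text):
    """Parse the JSON reporter output; return outcome counts and failed controls."""
    report = json.loads(report_text)
    counts = Counter()
    failed = []
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            outcome = control_outcome(control)
            counts[outcome] += 1
            if outcome == "failed":
                messages = [r.get("message", "").strip()
                            for r in control["results"] if r.get("status") == "failed"]
                failed.append({"id": control["id"],
                               "impact": float(control.get("impact", 0)),
                               "title": control.get("title", ""),
                               "messages": messages})
    # Highest impact first so remediation starts with the most severe finding.
    failed.sort(key=lambda c: (-c["impact"], c["id"]))
    return {"counts": dict(counts), "failed": failed}


def summary_line(result):
    """Mirror the CLI 'Profile Summary' line from the parsed report."""
    c = result["counts"]
    return ("Profile Summary: {} successful controls, {} control failures, "
            "{} controls skipped".format(c.get("passed", 0), c.get("failed", 0), c.get("skipped", 0)))


if __name__ == "__main__":
    import sys
    # Pass the real report path as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = triage(text)
    print(summary_line(result))
    for ctl in result["failed"]:
        print("{} (impact {}): {}".format(ctl["id"], ctl["impact"], ctl["title"]))
        for m in ctl["messages"]:
            print("    " + m.replace("\n", " | "))
```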

Convert the results to CKL

If a STIG Viewer CKL file is needed then the results from the scans can be converted to CKL with the SAF CLI.

# Converting the SDDC Manager scan results from the prior section to CKL
saf convert hdf2ckl -i /tmp/reports/VCF_5.1.0_SDDC_Manager_STIG_Report.json -o /tmp/reports/VCF_5.1.0_SDDC_Manager_STIG_Report.ckl --hostname sddc-manager.vsphere.local --fqdn sddc-manager.vsphere.local --ip 10.2.3.4 --mac 00:00:00:00:00:00

Opening the CKL file in STIG Viewer will look like the screenshot below. Note that the InSpec results are included in the Finding Details pane.

2 - Remediate Cloud Foundation 5.x

Remediating VCF 5.x for STIG Compliance

Overview

Remediating VCF for STIG compliance involves running an Ansible playbook against the target SDDC Manager appliance over SSH to configure any non-compliant controls.

Remediating other components of a VCF deployment such as vSphere and NSX is documented in those sections on this site.

Prerequisites

Versions listed below were used for this documentation. Other versions of these tools may work as well, but if issues are found it is recommended to try the versions listed here.

  • Ansible 2.14.2
  • A VCF 5.x environment.
  • An account with access to VCF.

Assumptions

  • The DOD Compliance and Automation repository downloaded and extracted to /usr/share/stigs.
  • Ansible installed and all playbook dependencies resolved as provided in the requirements.yml file in each playbook. Install with ansible-galaxy roles install -r requirements.yml.
  • The dependent Photon OS Ansible roles (Photon 3.0 for VCF 5.0.x and Photon 4 for VCF 5.1.x) installed and available. Verify role installation with ansible-galaxy role list.

Remediating SDDC Manager

Generate bearer token for SDDC Manager

The SDDC Manager Ansible playbook connects to the API via a bearer token to update product controls while the appliance controls are configured via SSH.

This example uses curl to generate a token. This can also be done via other methods such as Postman or the UI as shown below.

curl -k 'https://sddc-manager.vrack.vsphere.local/v1/tokens' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -d '{
  "username" : "administrator@vsphere.local",
  "password" : "replaceme"
}'

A token can also be generated in the UI by going to Developer Center » API Explorer » Tokens.

Retrieve the token by copying the value in the accessToken field.

Update vars file

In order to run the playbook, environment specific values need to be provided. An example vars file vars-sddcmgr-example.yml is provided.

Open the vars file for editing.

For VCF 5.1.x (v1r2-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# Edit the vars file
vi vars-sddcmgr-example.yml

For VCF 5.0.x (v1r1-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# Edit the vars file
vi vars-sddcmgr-example.yml

Update the variables as shown below with values relevant to your environment, specifically var_sddc_manager, var_bearer_token, var_time_servers, and var_password_rotate_days. Note that var_bearer_token takes the accessToken value on its own, without a "Bearer " prefix, as in the example.

For VCF 5.1.x (v1r2-srg):

# General
run_create_backups: true

# Photon OS
create_backups: true
run_etc_issue_dod: true
var_rsyslog_server_name: 'syslog.test.local'
var_rsyslog_server_port: '514'
var_rsyslog_server_protocol: 'tcp'

# Application
# Enter SDDC Manager FQDN or IP for API Calls
var_sddc_manager: 'sddc-manager.vsphere.local'
# Enter generated bearer token here
var_bearer_token: ''
# Enter an array of 1 to 2 NTP servers
var_time_servers:
  - 'time-a-g.nist.gov'
  - 'time-b-g.nist.gov'
# Between 30 and 90
var_password_rotate_days: 90

For VCF 5.0.x (v1r1-srg):

# General
run_create_backups: true

# Photon OS
var_syslog_authpriv_log: '/var/log/audit/auth.log'
## Update login banner with DoD banner
run_sshd_banner_issue: true
# NTP is covered in the Application controls
run_set_ntp_server: false

# Application
# Enter SDDC Manager FQDN or IP for API Calls
var_sddc_manager: 'sddc-manager.vrack.vsphere.local'
# Enter generated bearer token here
var_bearer_token: 'UNDT1VOVF9XUklURSIsIk5FVFdPUktfUE9PTF9SRUFEIi'
# Enter an array of 1 to 2 NTP servers
var_time_servers:
  - 'time-a-g.nist.gov'
  - 'time-b-g.nist.gov'
# Between 30 and 90
var_password_rotate_days: 90

Update the SSH config to allow remediation

By default the SDDC Manager appliance does not allow root SSH, and the vcf user does not have the privileges required for the playbook to configure the appliance, so root SSH must be temporarily enabled. This change can be reversed once remediation is complete.

# Allow root SSH into SDDC manager
ssh vcf@sddc-manager.vsphere.local
su -
vi /etc/ssh/sshd_config
# Update PermitRootLogin from no to yes and save
systemctl restart sshd

Running the playbook

To run all of the SDDC Manager controls, follow the example below.

For VCF 5.1.x (v1r2-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# The -k parameter prompts for the SSH password, and --extra-vars points the playbook at a variable file. The command assumes it is being run from the playbook folder.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml

# Output example
TASK [application : CFAP-5X-000127 - Set credential rotate policy] ************************************************************************************************************************************************************************
changed: [10.0.0.4] => {"cache_control": "no-cache, no-store, max-age=0, must-revalidate", "changed": true, "connection": "close", "content_type": "application/json", "cookies": {}, "cookies_string": "", "date": "Thu, 01 Jun 2023 18:19:36 GMT", "elapsed": 0, "expires": "0", "json": {"id": "f0f9e481-9555-46ea-bbc0-76d144323fe6", "status": "IN_PROGRESS"}, "location": "https://sddc-manager.vrack.vsphere.local/v1/tasks/f0f9e481-9555-46ea-bbc0-76d144323fe6", "msg": "OK (unknown bytes)", "pragma": "no-cache", "redirected": false, "server": "nginx", "status": 202, "transfer_encoding": "chunked", "url": "https://sddc-manager.vrack.vsphere.local/v1/credentials", "x_content_type_options": "nosniff", "x_frame_options": "DENY", "x_xss_protection": "1; mode=block"}

TASK [application : CFAP-5X-000127 - Wait for task to complete] ***************************************************************************************************************************************************************************
ok: [10.0.0.4] => {"attempts": 1, "cache_control": "no-cache, no-store, max-age=0, must-revalidate", "changed": false, "connection": "close", "content_type": "application/json;charset=UTF-8", "cookies": {}, "cookies_string": "", "date": "Thu, 01 Jun 2023 18:19:37 GMT", "elapsed": 0, "expires": "0", "json": {"creationTimestamp": "2023-06-01T18:19:36.784Z", "errors": [], "id": "f0f9e481-9555-46ea-bbc0-76d144323fe6", "isCancellable": false, "name": "Credentials update auto rotate policy operation", "resolutionStatus": "UNRESOLVED", "status": "SUCCESSFUL", "subTasks": [{"completionTimestamp": "2023-06-01T18:19:36.784Z", "creationTimestamp": "2023-06-01T18:19:36.784Z", "description": "Prevalidation of password update auto rotate policy request", "name": "Password update auto rotate policy prevalidation", "status": "SUCCESSFUL"}], "type": "PASSWORD_AUTO_ROTATE_POLICY_UPDATE"}, "msg": "OK (unknown bytes)", "pragma": "no-cache", "redirected": false, "referrer_policy": "no-referrer", "server": "nginx", "status": 200, "strict_transport_security": "max-age=15768000", "transfer_encoding": "chunked", "url": "https://sddc-manager.vrack.vsphere.local/v1/tasks/f0f9e481-9555-46ea-bbc0-76d144323fe6", "x_content_type_options": "nosniff, nosniff", "x_frame_options": "DENY, SAMEORIGIN", "x_xss_protection": "1; mode=block"}

TASK [application : CFAP-5X-000128 - The SDDC Manager must use an account dedicated for downloading updates and patches.] *****************************************************************************************************************
ok: [10.0.0.4] => {
    "msg": "CFAP-5X-000128 - This control must be manually remediated."
}

TASK [application : CFAP-5X-000129 - Get current basic auth status] ***********************************************************************************************************************************************************************
ok: [10.0.0.4] => {"cache_control": "no-cache, no-store, max-age=0, must-revalidate", "changed": false, "connection": "close", "content_type": "application/json;charset=UTF-8", "cookies": {}, "cookies_string": "", "date": "Thu, 01 Jun 2023 18:19:39 GMT", "elapsed": 0, "expires": "0", "json": {"basicAuthDetails": {"status": "ENABLED", "username": "admin"}, "domain": {"id": "529797b0-1b5c-4f90-a956-44b2398edba9"}, "fqdn": "sddc-manager.vrack.vsphere.local", "id": "dd56c751-49b5-4a69-957c-009a7ea79147", "ipAddress": "10.0.0.4", "version": "5.0.0.0-21822418"}, "msg": "OK (unknown bytes)", "pragma": "no-cache", "redirected": false, "referrer_policy": "no-referrer", "server": "nginx", "status": 200, "strict_transport_security": "max-age=15768000", "transfer_encoding": "chunked", "url": "https://sddc-manager.vrack.vsphere.local/v1/sddc-manager", "x_content_type_options": "nosniff, nosniff", "x_frame_options": "DENY, SAMEORIGIN", "x_xss_protection": "1; mode=block"}

TASK [application : CFAP-5X-000129 - Disable Basic Auth] **********************************************************************************************************************************************************************************
changed: [10.0.0.4] => {"cache_control": "no-cache, no-store, max-age=0, must-revalidate", "changed": true, "connection": "close", "content_length": "0", "cookies": {}, "cookies_string": "", "date": "Thu, 01 Jun 2023 18:19:40 GMT", "elapsed": 0, "expires": "0", "msg": "OK (0 bytes)", "pragma": "no-cache", "redirected": false, "referrer_policy": "no-referrer", "server": "nginx", "status": 200, "strict_transport_security": "max-age=15768000", "url": "https://sddc-manager.vrack.vsphere.local/v1/sddc-manager", "x_content_type_options": "nosniff, nosniff", "x_frame_options": "DENY, SAMEORIGIN", "x_xss_protection": "1; mode=block"}
For VCF 5.0.x (v1r1-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# The -k parameter prompts for the SSH password, and --extra-vars points the playbook at a variable file. The command assumes it is being run from the playbook folder.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml
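The two CFAP-5X-000127 tasks above show the pattern the playbook depends on for product controls: the API call is accepted with HTTP 202, a task id and a Location header under /v1/tasks, and the task must then be polled until it reaches a terminal status before the control can be considered remediated. The following is an added example, not the playbook's own code, that implements that polling in Python with the HTTP call injected as a function so it runs offline. The terminal statuses other than SUCCESSFUL and the replayed responses are assumptions built from the output shown above.

```python
"""Follow an asynchronous SDDC Manager API task to completion.

Added example, not code from the DOD Compliance and Automation playbook.
The real transport (an authenticated GET of /v1/tasks/{id}) is injected as
fetch_task so the control flow can be exercised offline with constructed
responses.
"""
import time

# Assumed terminal states; only SUCCESSFUL counts as a completed remediation.
TERMINAL = {"SUCCESSFUL", "FAILED", "CANCELLED"}


def task_id_from_accepted(status, body, headers):
    """Extract the task id from a 202 Accepted response.

    Prefers the JSON body's "id" (as in the output above) and falls back to
    the last path segment of the Location header. Raises if the request was
    not accepted, so a 4xx/5xx is never mistaken for a started task.
    """
    if status != 202:
        raise RuntimeError("expected 202 Accepted, got {}".format(status))
    if body and body.get("id"):
        return body["id"]
    location = headers.get("location", "")
    if "/v1/tasks/" in location:
        return location.rstrip("/").rsplit("/", 1)[-1]
    raise RuntimeError("202 response carried no task id")


def wait_for_task(fetch_task, task_id, attempts=30, delay=2.0, sleep=time.sleep):
    """Poll fetch_task(task_id) until the task reaches a terminal status.

    Returns the final task document on SUCCESSFUL. Raises RuntimeError with
    the task's error list on FAILED/CANCELLED and TimeoutError when attempts
    run out, so an unfinished or failed change is never reported as done.
    """
    last = None
    for attempt in range(1, attempts + 1):
        last = fetch_task(task_id)
        status = last.get("status")
        if status == "SUCCESSFUL":
            return last
        if status in TERMINAL:
            raise RuntimeError("task {} ended {}: {}".format(
                task_id, status, last.get("errors", [])))
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError("task {} still {} after {} attempts".format(
        task_id, last.get("status") if last else None, attempts))


def make_fake_fetcher(sequence):
    """Return a fetch_task stub that replays constructed task documents in order."""
    calls = {"n": 0}

    def fetch_task(task_id):
        doc = sequence[min(calls["n"], len(sequence) - 1)]
        calls["n"] += 1
        return dict(doc, id=task_id)
    return fetch_task


# Constructed replay of the exchange shown in the playbook output above:
# the credentials call is accepted, the task is IN_PROGRESS once, then SUCCESSFUL.
ACCEPTED = (202,
            {"id": "f0f9e481-9555-46ea-bbc0-76d144323fe6", "status": "IN_PROGRESS"},
            {"location": "https://sddc-manager.vrack.vsphere.local/v1/tasks/f0f9e481-9555-46ea-bbc0-76d144323fe6"})
TASK_POLLS = [
    {"status": "IN_PROGRESS", "errors": []},
    {"status": "SUCCESSFUL", "errors": [],
     "name": "Credentials update auto rotate policy operation",
     "type": "PASSWORD_AUTO_ROTATE_POLICY_UPDATE"},
]


def demo():
    """Run the replayed exchange; returns (task id, final status)."""
    task_id = task_id_from_accepted(*ACCEPTED)
    final = wait_for_task(make_fake_fetcher(TASK_POLLS), task_id,
                          attempts=5, delay=0, sleep=lambda s: None)
    return task_id, final["status"]


if __name__ == "__main__":
    print(demo())
```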

A more conservative and preferred approach is to target only non-compliant controls, or to run each component separately, which allows you to perform functional testing in between.

For VCF 5.1.x (v1r2-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# Providing the tag "application" will instruct the playbook to only run the application role. This tag can be seen in each role's task/main.yml file.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml --tags application

# Providing the tag "CFAP-5X-000002" will instruct the playbook to only run the tasks tagged with the STIG ID CFAP-5X-000002.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml --tags CFAP-5X-000002
For VCF 5.0.x (v1r1-srg):

# Navigate to the Ansible playbook folder
cd /usr/share/stigs/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening

# Providing the tag "application" will instruct the playbook to only run the application role. This tag can be seen in each role's task/main.yml file.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml --tags application

# Providing the tag "CFAP-5X-000002" will instruct the playbook to only run the tasks tagged with the STIG ID CFAP-5X-000002.
> ansible-playbook -i 10.0.0.4, -u 'root' playbook.yml -k -v --extra-vars @vars-sddcmgr-example.yml --tags CFAP-5X-000002

3 - Audit Cloud Foundation 4.x

Auditing VCF 4.x for STIG Compliance

Overview

Auditing VCF for STIG compliance involves scanning the SDDC Manager appliance.

Scanning other components of a VCF deployment such as vSphere and NSX is documented in those sections on this site.

Prerequisites

Versions listed below were used for this documentation. Other versions of these tools may work as well but if issues are found it is recommended to try the versions listed here.

Auditing SDDC Manager

Generate bearer token for SDDC Manager

The SDDC Manager InSpec profile connects to the API via a bearer token to query the configurations to audit.

This is a curl example. This can also be done via other methods such as Postman.

# Ran from a Linux machine.
curl -k 'https://sddc-manager.vrack.vsphere.local/v1/tokens' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -d '{
  "username" : "administrator@vsphere.local",
  "password" : "replaceme"
}'

A token can also be generated in the UI by going to the Developer Center » API Explorer » Tokens.

Retrieve the token by copying the value in the accessToken field.

Update profile inputs

Included in the vmware-vcf-sddcmgr-4x-stig-baseline profile is an example inputs file, inputs-vcf-sddcmgr-4x-example.yml, with the following inputs relevant to SDDC Manager.

Update the inputs shown below with values relevant to your environment, specifically syslogServer, sddcManager, bearerToken, sftpBackupsEnabled, sftpServer, ntpServers, currentVersion, and myVmwareAccount.

# Inputs for NGINX
nginx_conf_path: /etc/nginx/nginx.conf
limit_conn_ip_limit: '100'
limit_conn_server_limit: '1000'
nginx_ssl_ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
# Inputs for Photon OS.
authprivlog: /var/log/audit/auth.log
sshdcommand: "sshd -T -C 'user=vcf'"
# Enter environment specific syslog server with port. replace.local:514
syslogServer: 'replace.local:514'
# SDDC Manager Application
# Enter SDDC Manager FQDN/IP
sddcManager: 'sddc-manager.vsphere.local'
# Enter bearer token for API based tests
bearerToken: 'Bearer <replace with the accessToken value>'
# Set to true if file based/sftp backups are used for SDDC Manager. Set to false if image based backups are used.
sftpBackupsEnabled: true
# Enter environment specific sftp server.
sftpServer: '10.1.2.3'
# Enter environment specific ntp servers. This is an array.
ntpServers: ['time-a-g.nist.gov','time-b-g.nist.gov']
# Enter latest version of SDDC manager with build. 4.5.1.0-21682411
currentVersion: '4.5.1.0-21682411'
# Enter myvmware account used to pull updates in SDDC Manager if used.
myVmwareAccount: 'myvmwarevcfaccount@test.local'

Update the SSH config to allow scan

By default the SDDC Manager appliance does not allow root SSH, and the vcf user does not have the privileges required to complete the scan, so root SSH must be temporarily enabled to complete the scan. These steps can be reversed once the audit is complete.

# Allow root SSH into SDDC manager
ssh vcf@sddc-manager.vsphere.local
su -
vi /etc/ssh/sshd_config
# Update PermitRootLogin from no to yes and save
systemctl restart sshd

Run the audit

In this example we will be scanning a target SDDC Manager, specifying an inputs file, and outputting a report to the CLI and to a JSON file, run from a Linux machine.

# Note this command is being run from the root of the profile folder. Update paths as needed if running from a different location.
> inspec exec . -t ssh://root@sddc-manager.vsphere.local --password 'replaceme' --show-progress --input-file inputs-vcf-sddcmgr-4x-example.yml --reporter cli json:/tmp/reports/VCF_4.5.1_SDDC_Manager_STIG_Report.json

# Shown below is the last part of the output at the CLI.
Profile:   VMware Cloud Foundation SDDC Manager UI Profile (VMware Cloud Foundation SDDC Manager UI Profile)
Version:   1.0.4
Target:    ssh://root@10.0.0.4:22
Target ID: 3cb5cfd9-709c-564d-b529-36fb03269263

  ✔  CFUI-4X-000001: The SDDC Manager UI service log files must only be accessible by privileged users.
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/access.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/supervisor.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/cspViolationReport.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log is expected not to be writable by others
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log group is expected to cmp == "vcf"
     ✔  File /var/log/vmware/vcf/sddc-manager-ui-app/sddc-manager-ui-activity.log owner is expected to cmp == "vcf_sddc_manager_ui_app"
  ✔  CFUI-4X-000002: The SDDC Manager UI service files must be verified for their integrity.
     ✔  Command: `rpm -V sddc-manager-ui-app | grep \"^..5......\"|grep -v -E "|\.properties"` stdout.strip is expected to eq ""
  ✔  CFUI-4X-000003: The SDDC Manager UI service must have WebDAV disabled.
     ✔  Command: `(cd /opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/ && npm list 2>/dev/null | grep webdav)` stdout.strip is expected to eq ""
  ✔  CFUI-4X-000004: The SDDC Manager UI service directory tree must have permissions in an "out of the box" state.
     ✔  Command: `find /opt/vmware/vcf/sddc-manager-ui-app/ -xdev -type f -a '(' -perm -o+w -o -not -user vcf_sddc_manager_ui_app -o -not -group vcf ')' -exec ls -ld {} \;` stdout.strip is expected to eq ""
  ✔  CFUI-4X-000005: The SDDC Manager UI service log files must be moved to a permanent repository in accordance with site policy.
     ✔  File /etc/rsyslog.d/stig-services-sddc-manager-ui-app.conf content is expected to eq "module(load=\"imfile\" mode=\"inotify\")\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/vcf/sd...\"\n      Tag=\"vcf-sddc-manager-ui-app-misc\"\n      Severity=\"info\"\n      Facility=\"local0\")"
  ×  CFUI-4X-000006: The SDDC Manager UI service systemd service definition permissions must be configured appropriately. (2 failed)
     ×  File /etc/systemd/system/sddc-manager-ui-app.service is expected not to be more permissive than "0640"
     expected `File /etc/systemd/system/sddc-manager-ui-app.service.more_permissive_than?("0640")` to be falsey, got true
     ✔  File /etc/systemd/system/sddc-manager-ui-app.service group is expected to cmp == "root"
     ✔  File /etc/systemd/system/sddc-manager-ui-app.service owner is expected to cmp == "root"
     ×  File /etc/systemd/system/sddc-manager-ui-db.service is expected not to be more permissive than "0640"
     expected `File /etc/systemd/system/sddc-manager-ui-db.service.more_permissive_than?("0640")` to be falsey, got true
     ✔  File /etc/systemd/system/sddc-manager-ui-db.service group is expected to cmp == "root"
     ✔  File /etc/systemd/system/sddc-manager-ui-db.service owner is expected to cmp == "root"


Profile Summary: 199 successful controls, 19 control failures, 2 controls skipped
Test Summary: 691 successful, 36 failures, 4 skipped

Convert the results to CKL

If a STIG Viewer CKL file is needed then the results from the scans can be converted to CKL with the SAF CLI.

# Converting the SDDC Manager scan results from the prior section to CKL
saf convert hdf2ckl -i /tmp/reports/VCF_4.5.1_SDDC_Manager_STIG_Report.json -o /tmp/reports/VCF_4.5.1_SDDC_Manager_STIG_Report.ckl --hostname sddc-manager.vsphere.local --fqdn sddc-manager.vsphere.local --ip 10.2.3.4 --mac 00:00:00:00:00:00
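The steps above (token request, inputs file update, temporary root SSH, scan, CKL conversion) are easy to chain into one script. The helper below is an added example and not part of the vmware-vcf-sddcmgr-4x-stig-baseline profile or the SAF CLI. It pulls accessToken out of the /v1/tokens response, writes it into the bearerToken input without disturbing the rest of the inputs file, toggles PermitRootLogin in an sshd_config (meant to be run on the appliance as root, and set back to "no" afterwards), and then runs the same inspec and saf commands shown above. The SDDC_MANAGER/INPUTS_FILE/REPORT_DIR defaults and the SDDC_USER, SDDC_PASS, ROOT_PASS and RUN_VCF_AUDIT variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example that chains the manual steps above: request a token, write it
# into the inputs file, toggle PermitRootLogin in an sshd_config, run the scan
# and convert the JSON result to CKL. Example code, not part of the
# vmware-vcf-sddcmgr-4x-stig-baseline profile. The host name, report paths and
# the RUN_VCF_AUDIT/SDDC_USER/SDDC_PASS/ROOT_PASS variables are assumptions.
SDDC_MANAGER="${SDDC_MANAGER:-sddc-manager.vsphere.local}"
INPUTS_FILE="${INPUTS_FILE:-inputs-vcf-sddcmgr-4x-example.yml}"
REPORT_DIR="${REPORT_DIR:-/tmp/reports}"
REPORT_NAME="${REPORT_NAME:-VCF_4.5.1_SDDC_Manager_STIG_Report}"

# POST /v1/tokens, as in the curl example above. Credentials come from the
# environment so the password does not land in shell history; -k is kept from
# the page but should be dropped once the appliance certificate is trusted.
request_token() {
  curl -k -s "https://${SDDC_MANAGER}/v1/tokens" -X POST \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -d "{\"username\":\"${SDDC_USER}\",\"password\":\"${SDDC_PASS}\"}"
}

# Pull the accessToken value out of the token response. The response is a small
# JSON object, so a sed capture is enough; prints nothing on an error response.
extract_access_token() {
  printf '%s' "$1" |
    sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Replace the value of one top-level "key:" line in the inputs file with a
# single-quoted value, leaving every other line (including comments) untouched.
set_input_value() {
  file="$1"; key="$2"; value="$3"; tmp="${file}.tmp"
  awk -v k="$key" -v v="$value" '
    index($0, k ":") == 1 { print k ": '\''" v "'\''"; next }
    { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back a top-level input value, with or without surrounding single quotes.
get_input_value() {
  sed -n "s/^$2:[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1"
}

# Set PermitRootLogin in an sshd_config (run on the appliance as root, then
# restart sshd). Replaces an existing or commented-out directive, or appends
# one; call it again with "no" once the audit is finished.
set_permit_root_login() {
  cfg="$1"; state="$2"; tmp="${cfg}.tmp"
  awk -v s="$state" '
    /^[[:space:]]*#?[[:space:]]*PermitRootLogin/ { print "PermitRootLogin " s; found=1; next }
    { print }
    END { if (!found) print "PermitRootLogin " s }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the active PermitRootLogin value from a config file, or "unset".
permit_root_login_state() {
  awk '/^[[:space:]]*PermitRootLogin[[:space:]]/ { print $2; f=1; exit }
       END { if (!f) print "unset" }' "$1"
}

# Token -> inputs file -> scan -> CKL. Needs SDDC_USER and SDDC_PASS (the API
# account) and ROOT_PASS (appliance root, with SSH temporarily enabled as above).
run_audit() {
  token=$(extract_access_token "$(request_token)")
  [ -n "$token" ] || { echo "token request failed" >&2; return 1; }
  set_input_value "$INPUTS_FILE" bearerToken "Bearer ${token}"
  mkdir -p "$REPORT_DIR"
  inspec exec . -t "ssh://root@${SDDC_MANAGER}" --password "$ROOT_PASS" \
    --show-progress --input-file "$INPUTS_FILE" \
    --reporter cli "json:${REPORT_DIR}/${REPORT_NAME}.json"
  saf convert hdf2ckl -i "${REPORT_DIR}/${REPORT_NAME}.json" \
    -o "${REPORT_DIR}/${REPORT_NAME}.ckl" \
    --hostname "$SDDC_MANAGER" --fqdn "$SDDC_MANAGER"
}

# Only run the end-to-end flow when explicitly asked, so the helpers can be
# sourced and used one at a time.
if [ "${RUN_VCF_AUDIT:-0}" = "1" ]; then
  run_audit
fi
```

Run it from the root of the profile folder, e.g. `SDDC_USER=administrator@vsphere.local SDDC_PASS=... ROOT_PASS=... RUN_VCF_AUDIT=1 sh audit-sddcmgr.sh`. Because set_input_value rewrites only the matching key line, the commented inputs file from the profile stays readable and diffable after each run.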

Opening the CKL file in STIG Viewer will look like the screenshot below. Note the InSpec results are included in the Finding Details pane.
