This topic gives you an overview of Compliance Scanner for VMware Tanzu. This product provides platform operators and auditors an assessment of each Linux VM running on Xenial or Jammy stemcells and, if it is compliant, with configuration guidelines.
The following VM types on an Vmware Tanzu Operations Manager instance are skipped for scanning and do not have Compliance Scanner deployed on them:
- Linux VMs running on Trusty or Bionic stemcells
- Non-Linux VMs
Compliance Scanner for VMware Tanzu is certified by the Center for Internet Security (CIS). For more information about all the versions certified for CIS Benchmarks:
- For Compliance Scanner v1.2.48 and later, see the VMware - Certified Products CIS page.
Overview
Benchmarks for existing commercial configuration scanners are intended for use against traditional Ubuntu servers. This means that running these benchmark scans against a stemcell results in numerous false positives.
Compliance Scanner addresses this issue by tuning industry-recognized Ubuntu configuration benchmarks for stemcells.
Compliance Scanner packages the following files for deployment on each BOSH-managed Linux VM:
- The OpenSCAP (OSCAP) scanner
- XFiles: A group of YAML files that contains configuration tests written in YAML.
- The XCCDF Generator (XGen): This translates XFiles tests to the SCAP format.
Compliance Scanner is installed through Tanzu Operations Manager. As part of the installation, it deploys each packaged component to each Linux VM and instantiates a new Linux VM, oscap_store, for log retrieval.
Scans are errands that are triggered through Tanzu Operations Manager. After a successful scan, operators can retrieve reports through the tile. Operators can download these reports to their local machine.
For more information on the tests, test coverage, and test criteria covered by these benchmarks, see the PDF files included on the Compliance Scanner release page on Broadcom Support.
Key Features
Compliance Scanner includes the following key features:
- CIS certification
- Compatible with DISA STIG Viewer
- Modified version of industry-recognized configuration benchmarks tuned for stemcells
- Bundled tests written in YAML, allowing for easier readability
- Reports of scan results for each Linux VM in the deployment that highlight the compliance posture
Product Snapshot
The following table provides version and version-support information about Compliance Scanner.
| Element | Details |
|---|---|
| Tile version | 1.3.6 |
| Release date | September 19, 2024 |
| Software component version | OpenSCAP 1.3.3 |
| Compatible Tanzu Operations Manager versions | 3.0, 2.10, 2.9 |
| Compatible VMware Tanzu Application Service for VMs versions | 6.0, 5.0, 4.0, 3.0, 2.13, 2.12, 2.11 |
| IaaS support | AWS, Azure, GCP, and vSphere |
| IPsec support | Yes |
Ports
Compliance Scanner uses the following ports:
| VM Type | Description | Port |
|---|---|---|
| oscap_store | The port used by oscap_store to receive the scan results from VMs with Compliance Scanner. The oscap_store VM initiates scan requests to other VMs and aggregates the results. |
28894 |
| VM with Compliance Scanner | The port used by the scanning server running on each of the VMs with Compliance Scanner installed. This starts the scan on the VM through the daemon client using the rpc_port. |
28893 |
| VM with Compliance Scanner | The port bound to the loopback interface. The scanning server that receives the request passes the request to the RPC server using the port that is doing the scan. | 28895 |
Limitations
Compliance Scanner has the following limitations:
-
Because of stemcell-related customization, benchmarks are not certified by a governing body.
-
Windows VMs are not supported at this time.
-
BOSH DNS cannot resolve the
oscap_storeVM URL if there is any capitalization in the network name.
Compliance Scanner can only scan Linux VMs running on Xenial stemcells 97.x and 170.x and later and Jammy stemcells 1.x and later.
