Tanzu Salt provides two security libraries. Both content libraries update regularly as security standards change. You can configure content to download (or ingest) automatically as security standards change, which is recommended for most standard systems.
The following types of content are provided as part of Tanzu Salt:
As an alternative, the library includes the option to download content manually, or to access content from the RaaS node using an HTTP(s) proxy. Manual ingestion is useful for air-gapped systems, while downloading using a proxy is useful to avoid downloading content directly from the internet. Downloading via proxy also provides more control and visibility into what’s being downloaded and where.
Tanzu Salt uses the Python 3 rpm libraries to reliably compare package versions. These programs need the increased accuracy provided by these libraries to determine version compliance or assess vulnerabilities.
Currently, any nodes using RedHat or CentOS 7 might need the Python 3 rpm libraries in order to run accurate compliance or vulnerability assessments. If you intend to run assessments on minions that use these versions of RedHat or CentOS, you need to manually install the Python 3 rpm library on these machines.
Note: Other workarounds are available. If you need an alternate workaround, contact support.
To install the Python 3 rpm library on the Salt master running the Master Plugin:
Install the EPEL repository using the following command:
yum install -y epel-release
Install the Python 3 rpm library:
yum install -y python3-rpm
For non-air-gapped RaaS systems, content is downloaded and ingested on a periodic basis as determined by the settings in the configuration file. By default, automatic content ingestion is already configured in Tanzu Salt and no further action is required.
If you installed Tanzu Salt manually, follow these steps to configure automatic security content ingestion:
Add the following to the sec section of the RaaS service configuration file /etc/raas/raas, adapting it as necessary:
sec:
  stats_snapshot_interval: 3600
  username: secops
  content_url: https://enterprise.saltstack.com/secops_downloads
  ingest_saltstack_override: true
  ingest_custom_override: true
  locke_dir: locke
  post_ingest_cleanup: true
  download_enabled: true
  download_frequency: 86400
  compile_stats_interval: 10
  archive_interval: 300
  old_policy_file_lifespan: 2
  delete_old_policy_files_interval: 86400
  ingest_on_boot: true
  content_lock_timeout: 60
  content_lock_block_timeout: 120
Save the file.
Restart the RaaS service:
systemctl restart raas
After the service restarts, Tanzu Salt security content begins to download. This may take up to five minutes, depending on your internet connection.
For ingestion using a proxy, you’ll need to create an override for the RaaS service and add new environment variables for http_proxy and https_proxy.
To configure the RaaS node to use an HTTPS proxy:
On the master in the command line, edit the RaaS service:
systemctl edit raas
Add the following lines to the generated file.
[Service]
Environment="http_proxy=http://<hostname>:234"
Environment="https_proxy=https://<hostname>:234"
Environment="HTTP_PROXY=http://<hostname>:234"
Environment="HTTPS_PROXY=http://<hostname>:234"
If your proxy requires password authentication, you may need to set this as part of the proxy environment variables. For example:
Environment="HTTP_PROXY=http://USER:PASSWORD@<hostname>:234"
If your proxy uses an internal Certificate Authority, you may also need to set the REQUESTS_CA_BUNDLE environment variable so that the RaaS service trusts the proxy's certificate. For example:
Environment="REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt"
Restart the RaaS service:
systemctl restart raas
After the service restarts, content begins to download. This may take up to 20 minutes.
If your environment is air-gapped, which means it cannot connect to an external site to download updates, you must manually update Automation for Secure Hosts Compliance content by downloading the tarball from Customer Connect and transferring it to your RaaS node.
Also, if your system is air-gapped, change the download configuration setting in the RaaS configuration file to False:
sec:
  download_enabled: False
The RaaS configuration file is located in /etc/raas/raas. You might also need to restart the RaaS service after applying these configuration settings:
systemctl restart raas
To manually ingest the Automation for Secure Hosts Compliance tarball:
Copy the compliance content tarball to the /tmp folder on the RaaS node.
This content could be delivered by email or any other means.
Verify that locke.tar.gz.e is owned by raas:raas.
Ingest the tarball contents.
su - raas -c "raas ingest /path/to/locke.tar.gz.e"
This returns:
Extracting: /tmp/locke.tar.gz -> /tmp/extracted-1551290468.5497127
Cleaning up: /tmp/extracted-1551290468.5497127
Results:
{'errors': [], 'success': True}
If your environment is air-gapped, which means it cannot connect to an external site to download updates, you must manually update vulnerability content by downloading the tarball from Customer Connect and transferring it to your RaaS node.
Also, if your system is air-gapped, change the download configuration setting in the RaaS configuration file to False:
sec:
  download_enabled: False
The RaaS configuration file is located in /etc/raas/raas. You might also need to restart the RaaS service after applying these configuration settings:
systemctl restart raas
To manually ingest the Automation for Secure Hosts Vulnerability tarball:
Copy the vulnerability content tarball to the /tmp folder on the RaaS node.
This content could be delivered by email or any other means.
Verify that locke.tar.gz.e is owned by raas:raas.
Ingest the tarball contents, replacing the name of the tarball in this command with the exact file name of the tarball:
su - raas -c "raas vman_ingest /tmp/vman_date_example123.tar.gz.e"
This returns:
{'adv': {'error': 0, 'success': 60334},
 'adv_cve_xref': {'error': 0, 'success': 243781},
 'cve': {'error': 0, 'success': 162251},
 'pkgfile': {'error': 0, 'success': 42},
 'py': {'error': 0, 'success': 7},
 'sls': {'error': 0, 'success': 3}}
If you run the manual ingestion commands for either the compliance or vulnerability content, you might see an error message similar to this one:
/home/centos/locke_date_example123.tar.gz.e not found or not readable
This error message typically appears when the tarball is not in the /tmp folder. Placing the tarball in the /tmp folder resolves the issue.
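The manual ingest steps and the troubleshooting note above, as an added shell example that is not part of the Tanzu Salt documentation: it checks the tarball location, readability and raas:raas ownership before running the ingest, picks ingest or vman_ingest from the tarball name, and flags a non-zero error count in the printed result. The function names are this example's own, and the stat -c owner lookup assumes GNU coreutils.

```shell
# Added example (not Tanzu Salt's own code): pre-flight checks for a manual
# content ingest. The /tmp rule, raas:raas owner and subcommands are from the page.

# Return 0 when the tarball meets the page's requirements: it sits in /tmp
# (otherwise raas reports "not found or not readable"), it is readable by the
# caller, and it is owned by raas:raas (owner overridable for testing).
check_ingest_tarball() {
    tarball="$1"
    expected_owner="${2:-raas:raas}"
    case "$tarball" in
        /tmp/*) ;;
        *) echo "not in /tmp: $tarball" >&2; return 1 ;;
    esac
    if [ ! -r "$tarball" ]; then
        echo "not found or not readable: $tarball" >&2
        return 2
    fi
    owner=$(stat -c '%U:%G' "$tarball" 2>/dev/null)
    if [ "$owner" != "$expected_owner" ]; then
        echo "owner is $owner, want $expected_owner: $tarball" >&2
        return 3
    fi
    return 0
}

# Choose the raas subcommand from the tarball name: locke* is compliance
# content (raas ingest), vman* is vulnerability content (raas vman_ingest).
ingest_subcommand() {
    case "$(basename "$1")" in
        locke*) echo ingest ;;
        vman*)  echo vman_ingest ;;
        *)      return 1 ;;
    esac
}

# Inspect the result dict raas prints: fail on any non-zero 'error' count
# or on 'success': False.
ingest_output_ok() {
    ! printf '%s\n' "$1" | grep -Eq "'error': [1-9]|'success': False"
}

# Full flow: pre-flight checks, the ingest as the raas user, result check.
manual_ingest() {
    check_ingest_tarball "$1" || return $?
    sub=$(ingest_subcommand "$1") || { echo "unknown tarball type: $1" >&2; return 4; }
    out=$(su - raas -c "raas $sub $1") || return 5
    printf '%s\n' "$out"
    ingest_output_ok "$out"
}
```

Run it as root on the RaaS node with `manual_ingest /tmp/locke.tar.gz.e`; a non-zero exit tells you which check failed before any ingest was attempted.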
Tanzu Salt integrates the vulnerability library with Splunk to help you optimize and secure your digital infrastructure using the Tanzu Salt Add-On for Splunk Enterprise. The add-on is available on Splunkbase, and requires Tanzu Salt version 6.3 or higher.
The Tanzu Salt add-on in Splunk takes advantage of a Prometheus-compatible metrics endpoint which reports over 25 unique Tanzu Salt metrics. These metrics provide insight into the health of your infrastructure. Accessing them in Splunk is useful for monitoring for outages, identifying abnormal activity, and more. It also gives you the ability to take automated actions based on a specific Splunk event using Tanzu Salt.
For instructions on how to install and configure the add-on, see the full add-on documentation in the VMware knowledge base.
For more on the Tanzu Salt metrics endpoint, see the product documentation for Automation for Secure Hosts.
The following table describes the configuration options available for compliance content:
Option | Description |
---|---|
stats_snapshot_interval | How often (in seconds) Automation for Secure Hosts Compliance stats will be collected |
compile_stats_interval | How often (in seconds) Automation for Secure Hosts Compliance stats will be compiled |
username | Username to use when connecting to Tanzu Salt to download the most recent Automation for Secure Hosts Compliance content (default: secops) |
content_url | URL used to download Automation for Secure Hosts Compliance content |
ingest_override | When ingesting new content, overwrite existing benchmarks and checks (default: True) |
locke_dir | Path where ingestion expects to find new content (default: locke). If you use a relative path (no leading /), then it is relative to the RaaS service cache dir /var/lib/raas/cache |
post_ingest_cleanup | Remove the expanded content from the file system after ingestion (default: True) |
download_enabled | Whether Automation for Secure Hosts Compliance content downloads are allowed (default: True). Set this to False for air-gapped systems |
download_frequency | How often (in seconds) the RaaS service will attempt to download Automation for Secure Hosts Compliance content (default: 86400, i.e. 24 hours) |
ingest_on_boot | Should the RaaS service attempt to download Automation for Secure Hosts Compliance content on boot? (default: True) |
content_lock_timeout | How long (in seconds) content download locks last (default: 60) |
content_lock_block_timeout | How long (in seconds) content download locks block before failing (default: 120) |
The following table describes the configuration options that are available for vulnerability content:
Option | Description |
---|---|
vman_dir | Location where Automation for Secure Hosts Vulnerability content is expanded before ingestion. If the path is relative (no leading /), then it is relative to the RaaS service cache dir /var/lib/raas/cache |
download_enabled | If True, Automation for Secure Hosts Vulnerability content downloading is enabled. Set to False for air-gapped systems |
download_frequency | The frequency (in seconds) of automated Automation for Secure Hosts Vulnerability content download and ingestion |
username | Username used to log in to enterprise.saltstack.com to get content |
content_url | URL from which Automation for Secure Hosts Vulnerability content will be downloaded |
ingest_on_boot | If True, Automation for Secure Hosts Vulnerability content will be downloaded and ingested soon after the RaaS service boots (default: True) |
compile_stats_interval | How often (in seconds) Automation for Secure Hosts Vulnerability stats will be compiled |
stats_snapshot_interval | How often (in seconds) Automation for Secure Hosts Vulnerability stats will be collected |
old_policy_file_lifespan | Lifespan (in days) of old policy files that will remain in the RaaS file system |
delete_old_policy_files_interval | How often (in seconds) old Automation for Secure Hosts Vulnerability policy files will be deleted from the RaaS file system |
tenable_asset_import_enabled | If True, minion grains in Tanzu Salt will be sent to Tenable.io for matching assets (default: True) |
tenable_asset_import_grains | List of minion grains to send to Tenable.io, if Tenable asset import is enabled. Automation for Secure Hosts Vulnerability supports only fqdn, ipv4, ipv6, and hostname out of the box; however, you can send other information by defining custom grains. For more on grains, including how to write custom grains, see the Salt documentation: Grains. If you have only a subset of these keys in your grains data, only those in the subset will be synced. fqdn and ipv4 will be sent even if you do not list them here. For more information, see the Tenable import assets documentation. |
Q: How often is new Automation for Secure Hosts content released?
A: The current release frequency is about once per quarter. However, content might be released more frequently in the future.
Q: Can I get access to new content sooner if I use automatic content ingestion instead of manual ingestion?
A: The same content is available, whether you ingest manually or automatically.
However, if you use manual ingestion, you need to plan to check for security content updates and develop a process to manually ingest updated content when it is available.