As Compliance Officer, to ensure the continuous OS compliance of your environment, you integrate Cloud Guardrails with the SaltStack Idem plug-in.

With the SaltStack Idem plug-in, you can ensure that your environment aligns with consensus-based CIS best practices and standards.

The SaltStack Idem plug-in exposes stateful programming constructs that simplify tasks such as enforcing the state of an application. By integrating Cloud Guardrails with the SaltStack Idem Plug-in, in the SaltStack environment you can create, delete, and describe:

  • A target
  • A policy

The SaltStack Idem plug-in can collect policy information, support continuous enforcement on your infrastructure, and run SLS files that enforce remediations.

Table 1. What the SaltStack Idem plug-in does

OS compliance action: Collect information from SaltStack targets and SaltStack policies.
What the SaltStack Idem plug-in does: Collects information about:
  • Targets in the SaltStack environment.
  • Policies in the SaltStack environment.

OS compliance action: Run SLS files that enforce remediations from SaltStack SecOps.
What the SaltStack Idem plug-in does:
  • Enforces remediation automatically for a set of different operating systems (OS).
  • Enforces a policy on demand.

The SaltStack Idem plug-in can work with all available benchmarks and checks in SaltStack.

This procedure assumes that you already configured SaltStack Config and the Salt minions, and that the automation for deploying the Salt minions, including the public cloud grain, and registering them is complete.

Prerequisites

  • Verify that you are familiar with the SaltStack architecture. See the SaltStack Config System Architecture documentation.
  • If you are using the on-premises version of SaltStack Config, verify that your SaltStack Config environment, with the minions, is integrated with your vRealize Automation instance so that you can use it from Cloud Guardrails. See the on-premises SaltStack installation documentation at Installing and Configuring SaltStack Config.
  • If you are using the cloud version of SaltStack Config, verify that your SaltStack Config environment, with the minions, is integrated with your vRealize Automation instance so that you can use it from Cloud Guardrails. See the cloud SaltStack Config installation documentation at Create a SaltStack Config integration in vRealize Automation Cloud.

Procedure

  1. Access Cloud Guardrails from your vRealize Automation Cloud instance.
  2. Create a security template for SaltStack enforcement.
    1. On the Guardrails tab, click +New.
    2. Click From scratch.
    3. Enter a name and description for the template.
    4. Select the category named Security.
      When you create a Cloud Guardrails template from scratch, you must select a category and a project.
    5. Select a project, and click Continue.
  3. Copy the SaltStack security enforcement code into the template editor.
    1. Using the enforcement policy code in this topic, copy the code into the template editor.
    2. Click Validate.
      Cloud Guardrails displays a message that the template is valid.
    3. Click Create.
      After you create the template, you can run the desired state for the SaltStack policy enforcement.
      Cloud Guardrails displays a message that the template is created and displays the assigned ID for it.
  4. Create a desired state for the SaltStack enforcement.
    1. Click Create Desired State.
    2. Enter a name and description for the desired state.
    3. Select the template that you created. For example, select Create SaltStack Enforcement.
    4. Select a cloud account and a cloud account region, and click Create.
  5. Verify that the SaltStack security enforcement desired states are accurate for your needs, and update them as necessary.
    1. Click Create Target.
    2. Verify the input parameter values for Target, Target Name, and Target Type.
    3. If changes are necessary, update the input parameter values.
      For example, Target Type supports Grain, List, Glob, and Compound.
    4. Update the code to reflect any changes that you made to the Create Target desired state.
    5. Click Create Policy on target.
    6. Verify the input parameter values for Target Name, Remediate, and Policy Name.
    7. If changes are necessary, update the input parameter values.
      For example, you can set Remediate to Yes or No.
    8. Update the code to reflect any changes that you made to the Create Policy on target desired state.
  6. To validate the template and save your changes, click Validate and click Save.
    Cloud Guardrails displays a message that the input parameters are valid and that the template saved successfully.
  7. Run the desired state and review the resulting enforcement.
    1. Click Run Desired State.
    2. Click the Enforcements tab and verify that the desired state ran successfully.
      If the enforcement fails, correct any errors and attempt to run the desired state again.

Results

You used the SaltStack Idem plug-in to ensure the continuous OS compliance of your environment.

Example: Create a SaltStack enforcement by using these SLS templates

Code for an enforcement policy:

META:
  name: Create Saltstack Enforcement
  provider: SALTSTACK
  category: SECURITY
  description: Create target in saltstack, create policy over this target, add CIS benchmark checks on the policy and run remediation

{% set tgt_name = params.get('tgt_name', 'CentOS_Target') %}
{% set policy_name = params.get('policy_name', 'CIS_Benchmark_policy') %}
{% set tgt_type = params.get('tgt_type', 'grain') %}
{% set tgt_value = params.get('tgt_value', 'os:CentOS') %}
{% set remediate = params.get('remediate', true) %}

{{ tgt_name }}-target:
  META:
    name: Create Target
    parameters:
      tgt_name:
        description: Name of the target
        name: Target Name
        uiElement: text
      tgt_type:
        description: Type of the target
        name: Target Type
        uiElement: select
        options:
        - name: Grain
          value: grain
        - name: List
          value: list
        - name: Glob
          value: glob
        - name: Compound
          value: compound
      tgt_value:
        description: Value of target type
        name: Target Value
        uiElement: text
  saltstack.target.present:
  - name: {{ tgt_name }}
  - desc: idem sls
  - tgt_type: {{ tgt_type }}
  - tgt: {{ tgt_value }}

{{ policy_name }}-policy:
  META:
    name: Create Policy on target
    parameters:
      policy_name:
        description: Name of the policy
        name: Policy Name
        uiElement: text
      tgt_name:
        description: Name of the target
        name: Target Name
        uiElement: text
      remediate:
        description: Whether remediation has to run on policy
        name: Remediate
        uiElement: select
        options:
        - name: "Yes"
          value: true
        - name: "No"
          value: false
  saltstack.policy.present:
  - require:
    - saltstack.target: {{ tgt_name }}-target
  - name: {{ policy_name }}
  - tgt_name: {{ tgt_name }}
  - remediate: {{ remediate }}
  - benchmark_names:
    - "CIS_CentOS_Linux_7_Benchmark_v2.2.0_server_level1-1"
  - check_names:
    - "Ensure cron daemon is enabled"
    - "Ensure access to the su command is restricted"
    - "Ensure mounting of cramfs filesystems is not enabled"
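The enforcement template above is only checked by Cloud Guardrails after you click Validate, and a mismatch introduced in step 5 (for example, renaming the target in the Create Target state but not in the policy's tgt_name) surfaces only as a failed enforcement. As an added example that is not part of Cloud Guardrails or the Idem plug-in, the following stand-alone lint inspects the state tree that the template renders to (the Python structure you get after Jinja rendering and YAML loading; the sample below is constructed by hand from the template's default parameters, with the META blocks omitted) and reports the mistakes that would make the desired state fail: an unsupported Target Type, a malformed grain value, a policy whose require does not point at an existing target state, a tgt_name that does not match that target, a remediate flag that is not a boolean, and an empty check list.

```python
ALLOWED_TGT_TYPES = {"grain", "list", "glob", "compound"}   # the Target Type options

def _args(state, fun):
    """Merge Idem's list-of-single-key-dicts argument form into one dict."""
    merged = {}
    for item in state.get(fun, []):
        merged.update(item)
    return merged

def lint_state_tree(tree):
    """Return the problems found in a rendered state tree; [] means it looks enforceable."""
    errors, targets = [], {}            # targets: state id -> target name
    for sid, state in tree.items():
        if "saltstack.target.present" in state:
            a = _args(state, "saltstack.target.present")
            if a.get("tgt_type") not in ALLOWED_TGT_TYPES:
                errors.append(f"{sid}: tgt_type {a.get('tgt_type')!r} is not a supported Target Type")
            if not a.get("tgt"):
                errors.append(f"{sid}: tgt (Target Value) is empty")
            elif a.get("tgt_type") == "grain" and ":" not in a["tgt"]:
                errors.append(f"{sid}: grain targets are written grain:value, e.g. os:CentOS")
            targets[sid] = a.get("name")
    for sid, state in tree.items():
        if "saltstack.policy.present" not in state:
            continue
        a = _args(state, "saltstack.policy.present")
        deps = [r["saltstack.target"] for r in a.get("require", []) if "saltstack.target" in r]
        if not deps:
            errors.append(f"{sid}: policy must require its saltstack.target state")
        for dep in deps:
            if dep not in targets:
                errors.append(f"{sid}: requires unknown target state {dep!r}")
            elif targets[dep] != a.get("tgt_name"):
                errors.append(f"{sid}: tgt_name {a.get('tgt_name')!r} does not match target {targets[dep]!r}")
        if not isinstance(a.get("remediate"), bool):
            errors.append(f"{sid}: remediate must be true or false, got {a.get('remediate')!r}")
        if not a.get("check_names"):
            errors.append(f"{sid}: no check_names listed, nothing would be enforced")
    return errors

# Constructed sample: the enforcement template rendered with its default parameters (META omitted).
RENDERED_DEFAULTS = {
    "CentOS_Target-target": {"saltstack.target.present": [
        {"name": "CentOS_Target"}, {"desc": "idem sls"}, {"tgt_type": "grain"}, {"tgt": "os:CentOS"}]},
    "CIS_Benchmark_policy-policy": {"saltstack.policy.present": [
        {"require": [{"saltstack.target": "CentOS_Target-target"}]},
        {"name": "CIS_Benchmark_policy"}, {"tgt_name": "CentOS_Target"}, {"remediate": True},
        {"benchmark_names": ["CIS_CentOS_Linux_7_Benchmark_v2.2.0_server_level1-1"]},
        {"check_names": ["Ensure cron daemon is enabled", "Ensure access to the su command is restricted"]}]},
}
```

Running lint_state_tree(RENDERED_DEFAULTS) returns an empty list; feed it the tree of your edited template to catch step 5 edits that were applied in only one of the two states.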

Code for a delete policy:

META:
  name: Delete Saltstack policy
  provider: SALTSTACK
  category: SECURITY
  description: Delete Saltstack policy

{% set policy_name = params.get('policy_name', 'CIS_Benchmark_policy') %}

{{ policy_name }}-policy:
  saltstack.policy.absent:
    - name: {{ policy_name }}

Code for a delete target:

META:
  name: Delete Saltstack target
  provider: SALTSTACK
  category: SECURITY
  description: Delete Saltstack target

{% set tgt_name = params.get('tgt_name', 'all_minion_target') %}

{{ tgt_name }}-target:
  saltstack.target.absent:
    - name: {{ tgt_name }}

What to do next

Continue to ensure the OS compliance of your SaltStack environment by running the templates in Cloud Guardrails and monitoring the desired states.