{"id":392,"date":"2025-02-28T18:32:59","date_gmt":"2025-02-28T18:32:59","guid":{"rendered":"https:\/\/blog.lottabytes.com\/?p=392"},"modified":"2025-02-28T18:47:28","modified_gmt":"2025-02-28T18:47:28","slug":"application-of-stig-baseline-to-vmware-photon","status":"publish","type":"post","link":"https:\/\/blog.lottabytes.com\/index.php\/2025\/02\/28\/application-of-stig-baseline-to-vmware-photon\/","title":{"rendered":"Application of STIG Baseline to VMware Photon"},"content":{"rendered":"\n

There has been a lot of great work done to generate STIG baselines for the various VMware products. This content is publicly-available on Github under the vmware\/dod-compliance-and-automation repository<\/a>. As I’m currently focused on using VMware Photon 5, I’m going to explore that process with you now.<\/p>\n\n\n\n

Initial Testing<\/h2>\n\n\n\n

Before applying your STIG, you’ll probably want to run the CINC auditor (think Chef InSpec) to check and see what the current state of your Photon 5 device is. You can install the auditor using the below command, or, from their website<\/a>.<\/p>\n\n\n\n

#https:\/\/cinc.sh\/download\/\ncurl -L https:\/\/omnitruck.cinc.sh\/install.sh | sudo bash -s -- -P cinc-auditor -v 6<\/code><\/pre>\n\n\n\n
Once installed, navigate to the applicable directory from the Github repo and run the inspec command.  You’ll want to modify the input-file to match your environment, but I’m reusing the sample here.<\/p>\n\n\n\n
cd dod-compliance-and-automation\/photon\/5.0\/v2r1-srg\/inspec\/vmware-photon-5.0-stig-baseline &&\ninspec exec . -t ssh:\/\/root@192.168.1.211 --show-progress --input-file inputs-example.yml -i ~\/.ssh\/id_rsa\n<\/code><\/pre>\n\n\n\n
This scan will run and then give you a detailed, as well as summarized view for the machine’s current state when compared to the STIG rules.  In this case, my instance has a significant number of deviations.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
That same Github repository also contains applicable Ansible playbooks for the application or all or some<\/span> of the applicable settings.  See the Readme in the top level<\/a> to determine the best approach for you.  For this example, I’m just going to apply the all the defaults that don’t require extra-vars.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Once the Ansible Playbook has completed it’s application, you can now re-run the CINC Auditor to validate a successful application.  As you can see below, the delta is now significantly smaller.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It’s important to note that I discovered once this activity was completed some logs from \/var\/log\/messages<\/em> no longer ingest correctly using the configuration specified in Different Logging Approaches<\/a>.  I noticed that almost immediately new logging failures appeared in the Fluentd log.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
After doing some analysis, the log events have a pretty wide variety of syntaxes, with some (but not all) including the PID, and some (but not all) placing the process name in parenthesis.   Some examples are shown below.<\/p>\n\n\n\n
2025-02-27T22:03:16.190527+00:00 photon-test-5 audit: BPF prog-id=27 op=UNLOAD\n\n2025-02-28T17:19:50.996789+00:00 photon-test-5 env[675]<\/strong>: Starting Wazuh v4.10.1...\n\n2025-02-28T17:19:44.501078+00:00 photon-test-5 (<\/strong>udev-worker)[534]: <\/strong>Network interface NamePolicy= disabled on kernel command line.\n\n2025-02-28T17:19:43.981900+00:00 photon-test-5 (<\/strong>systemd)<\/strong>: pam_warn(systemd-user:setcred): function=[pam_sm_setcred] flags=0x8002 service=[systemd-user] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]\"\n<\/code><\/pre>\n\n\n\n
Because of these variances, you can no longer use the native Syslog parser.  Instead, I have created a regular expression that allows for all the variances to be detected and correctly classified.<\/p>\n\n\n\n
<source>\n  @type tail\n  path \/host-var-log\/messages\n  pos_file \/var\/log\/td-agent\/messages.pos\n  tag system.log\n  <parse>\n    @type regexp\n    expression \/(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{1,6}\\+\\d{2}:\\d{2}) (?<host>[\\w|\\-|_|\\d]*) (?<proc>\\(?[\\w|_|-]*\\)?)\\[?(?<pid>[\\d]*)?\\]?:(?<message>.*)\/\n  <\/parse>\n<\/source><\/code><\/pre>\n\n\n\n
Using this, you should now have a successfully hardened device, as well as continued logging capabilities if you’re using Fluentd.<\/p>\n","protected":false},"excerpt":{"rendered":"
There has been a lot of great work done to generate STIG baselines for the various VMware products. This content is publicly-available on Github under the vmware\/dod-compliance-and-automation repository. As I’m currently focused on using VMware Photon 5, I’m going to explore that process with you now. Initial Testing Before applying your STIG, you’ll probably want … <\/p>\n
Read more “Application of STIG Baseline to VMware Photon”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[98,97,84,96,93,92,95,94],"class_list":["post-392","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ansible","tag-cinc-auditor","tag-fluentd","tag-inspec","tag-srg","tag-stig","tag-syslog-parser","tag-vmware-photon"],"_links":{"self":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":7,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"predecessor-version":[{"id":406,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/392\/revisions\/406"}],"wp:attachment":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/tags?post=392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}