DISA STIG Auditing for the VMware vRealize Log Insight SOC

I previously created a VMware vRealize Log Insight security operations center (SOC), which has now been updated to support vSphere 6.5 U1. This release, including the SecureESX teaser, is already available on GitHub. SecureESX has a bit of history behind it and has always been about auditing ESX and vSphere for security issues.

When SecureESX was first created, back in the days of ESX 2.x, there were no hardening guides that were any good. Specifically, there were no guides from VMware. There was a DISA STIG and a CIS Security guide. Soon afterward, VMware started to publish its own guide. The reason was simple. The DISA STIG and CIS guides were Linux-based, and as of ESX v3, Linux was not part of the equation any more.

This tool started as a shell script, migrated to Perl and then to PowerShell, and eventually arrived where it is now: a combination of the vSphere Perl SDK and shell scripting. At one point the tool also used its own audit files, which combined VMware's, CISecurity's, and DISA's audits into one file, but this approach proved unworkable. The name stuck even so. SecureESX is really about vSphere: not ESX specifically, but VMs and ESXi at this time.

The approach used today is to take the raw guide from VMware, parse it, convert it and, using SCAP, gather audit data, as shown in Figure 1: SecureESX Workflow.

Figure 1: SecureESX Workflow

The long and short of this workflow is that by using standard processes I can leverage the existing and accepted Security Content Automation Protocol (SCAP) tools, which require data in the eXtensible Configuration Checklist Description Format (XCCDF). Both are extremely well known, and XCCDF is the format the DISA STIG is published in.

Now, with the latest vSphere Security Configuration Guide from VMware, the DISA STIG ID for each audit element is listed within the guide. This means that we can use these IDs instead of the ones provided by VMware, which are subject to change. The DISA STIG IDs do not change between versions of the Security Guide.

First we use the SecureESX SOC add-on to show the current state of our vSphere environment according to the Security Guide published by VMware. Since the hardening guide contains multiple profiles (each more secure than the previous one) we can see how those profiles are impacted by the current state of the vSphere environment.

Figure 2: SecureESX By Profile, Status, and Percentage

We can also view status by DISA STIG ID: in this case, the failed DISA STIG ESXi Host and VM elements.

Figure 3: DISA STIG Failed Status

To get more detail, we go to the interactive views of the failed host or VM dashboards. There we can find out exactly which rules have failed.
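As an added example (not SecureESX's own code), the following Python parses an XCCDF 1.2 TestResult of the kind a SCAP scanner emits, computes the per-profile pass percentage behind Figure 2, and maps failed rules to DISA STIG IDs as in Figure 3. The profile, rule and STIG IDs, and the result document itself, are constructed placeholders, not values from the VMware guide or the DISA STIG.

```python
"""Summarise XCCDF 1.2 TestResults per profile and map failed rules to STIG IDs."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: one TestResult per guide profile, as a SCAP scanner would emit.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_vsphere">
  <TestResult id="xccdf_example_testresult_p1">
    <profile idref="xccdf_example_profile_risk1"/>
    <rule-result idref="xccdf_example_rule_esxi_ssh_disabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_esxi_lockdown"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_p2">
    <profile idref="xccdf_example_profile_risk2"/>
    <rule-result idref="xccdf_example_rule_esxi_ssh_disabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_esxi_lockdown"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_vm_copy_disable"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_vm_isolation_log"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed mapping from guide rule id to a DISA STIG ID (placeholder values, not real STIG IDs).
STIG_IDS = {
    "xccdf_example_rule_esxi_ssh_disabled": "ESXI-EXAMPLE-0001",
    "xccdf_example_rule_esxi_lockdown": "ESXI-EXAMPLE-0002",
    "xccdf_example_rule_vm_copy_disable": "VM-EXAMPLE-0001",
}

def parse_results(xml_text):
    """Return {profile_id: {rule_id: result}} for every TestResult in the document."""
    root = ET.fromstring(xml_text)
    out = {}
    for tr in root.findall("x:TestResult", XCCDF_NS):
        profile = tr.find("x:profile", XCCDF_NS).get("idref")
        out[profile] = {rr.get("idref"): rr.findtext("x:result", namespaces=XCCDF_NS)
                        for rr in tr.findall("x:rule-result", XCCDF_NS)}
    return out

def profile_summary(results):
    """Per profile: count of each result and percent of applicable rules that pass."""
    summary = {}
    for profile, rules in results.items():
        counts = Counter(rules.values())
        applicable = counts["pass"] + counts["fail"]  # notapplicable etc. are excluded
        pct = round(100.0 * counts["pass"] / applicable, 1) if applicable else 0.0
        summary[profile] = {"counts": dict(counts), "pass_pct": pct}
    return summary

def failed_stig_ids(results, profile):
    """STIG IDs of failed rules in one profile; unmapped rules fall back to their rule id."""
    return sorted(STIG_IDS.get(r, r) for r, res in results[profile].items() if res == "fail")
```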

Once we know which rules failed, we can define the corrective actions to take. We can even automate those actions using any number of tools.

By using the DISA STIG IDs, the VMware Security Guide takes on new meaning and new use cases, and it becomes the master guide for all of vSphere.

The SecureESX add-on to the Security Operations Center improves visibility by bringing audit results into the log analysis tool, VMware vRealize Log Insight. We can now add data that has real import and impact for our environment: data you just cannot get from the logs. You can only get it by doing an audit!

Now, when your security team says to implement the security guide, you can run through the SecureESX Audit and ask them which profile they wish to implement. You can show the differences, the passes, and the failures.

As vSphere is upgraded, you will also see the changes within the security guide, the actual elements that were impacted, and the corrective actions that need to be repeated to keep the vSphere environment secure. On top of that, it audits against the DISA STIG!

1 Comment

  1. Hi Ed,
    I took your VMworld class and I am trying to implement this portion of the Content Pack. I have a FULL license and I have imported the VLCP SOC. My Log Insight server shows that I have 5 syslog agents: 1 for my vCenter and 4 for my ESXi hosts. But when I click on the SecureESX portion of the content pack the dashboard has no results.

    Please help.
