VMware Aria Operations to Monitor VMware vSphere 7.0 STIG

Important!

Alert Symptoms and Definitions can be set up in Aria Operations, but they will not truly monitor the virtual machine accurately unless the virtual machines have already been secured!

A lot of the settings in the STIG do not exist by default and therefore cannot be monitored with confidence. It is very important to use a hardened template to save a lot of work. If virtual machines already exist, but have not been secured, you can use the following script (PowerCLI: Multiple Virtual Machines Script) to cut down on the level of effort by tackling more than one virtual machine at a time.

Overview

VMware Aria Operations (formerly vRealize Operations) can be used to monitor and alert on VMware vSphere 7.0 STIG compliance. This is helpful for when the environment has already been secured, but during troubleshooting, or other maintenance, the security standards were relaxed and never re-applied. Compliance drifts from the baseline are common and hard to detect without some sort of monitoring system. VMware Aria Operations can alert staff and remind them to button up the security compliance.

I am running a VMware Aria Operations 8.12.1 appliance in my lab for this post.

But VMware Aria Operations Already has a Compliance Benchmark!

Yes, it is true that VMware Aria Operations already has a DISA Compliance Benchmark.

However, the compliance it measures is based on the vSphere 6.0 STIG! Navigate to the Symptom Definitions (Configure > Alerts > Symptom Definitions) and type VMCH- in the search bar. From here you can see Definition names like VMCH-06 and VMCH-65. End of General Support (EOGS) for vSphere 6.0 was March 12, 2020, and EOGS for vSphere 6.5 and vSphere 6.7 was October 15, 2022. (https://kb.vmware.com/s/article/66977)

There is a lot going on here, I’ll admit. Adding all of the STIG checks is not likely to be completed in a single sitting, but I will do my best to explain what is going on. We will work through configuring a custom group, one Alert Symptom, one Recommendation, and one Alert Definition.

Create a Custom Group

We are going to be creating a new Policy next, so first we should make a new Custom Group (Environment > Custom Groups) that dynamically updates its membership for a chosen object type (Virtual Machines, ESXi Hosts, etc.).

For this post, I am going to focus on Virtual Machines. Provide a Name, Description, choose the Group Type, and check the box to Keep group membership up to date.

Under Define membership criteria, type or select Virtual Machine on the Select the Object Type that matches all of the following criteria drop-down. Select Object name, does not contain, and type in vCLS, to make sure we exclude the vSphere Cluster Services virtual machines.

When ready, click Preview to make sure the objects you expect to see are added in the group.

Policy Definitions

Everything in VMware Aria Operations can be found rooted in a policy. Navigate to the Policy Definitions (Configure > Policies > Policy Definition) and see the number of policies.

The only Active and Default policy in use right now is vSphere Solution’s Default Policy, which can be verified by looking at the Status column and the Priority column.

Create a Custom Policy

I am going to create a custom policy for monitoring STIG items for virtual machines (from our custom group above) to keep the information organized. In the future, when new STIG releases come out, the policy can also be altered to reflect any changes.

I am going to start with the Virtual Machine STIG since it only contains 28 items.

On the right, I have the DISA STIG Viewer open and the Virtual Machine STIG open. I copied the text that we should be checking (isolation.tools.copy.disable) from the first check (VMCH-70-000001).

On the left, I created a new policy named vSphere 7.0 – Virtual Machine and provided the version, release, and benchmark date in the Description field.

Since the text copied from the STIG is a Property Configuration item, I am going to select Metrics and Properties.

This particular STIG is for Virtual Machines, so I choose Virtual Machine from the Select Object Type: field and I paste the text that was copied from the STIG to narrow down the Properties.

Once the filter is applied, navigate down to the lowest level. Notice that this Property is already Activated, but with Force beside it. This indicates a state change caused by a dependency. (https://docs.vmware.com/en/VMware-Aria-Operations/SaaS/Configuring-Operations/GUID-15653E40-4357-4115-AAEF-AC47E7B763B0.html)

I am going to change this State to Activated and click the Save button.

Right now, this policy is not applied to any objects, so it has a Status of Inactive. Let’s apply this policy to our custom group.

Click Groups and Objects so that the group we created earlier can be assigned.

Check the box next to the All Virtual Machines group that we created earlier. I also expanded the group just to verify that the objects I expect to see are in fact in the group. Click Save and click the X on the Policy to go back to the list of policies.

Now when we go back out to the Policy Definition screen, we can see that there is a Policy under the default policy, that it has a 1 in the Priority column, and that its status is Active.

Go back into the policy and Activate as many Properties as necessary. Later, when configuring Alert Symptoms, if a Property is missing, check the Policy to see if it might just not be active.

Create Alert Symptoms

Once there are some activated Metrics and Properties in the policy, we can create Alert Symptoms (Configure > Alerts > Symptom Definitions).

Click Add to start configuring an Alert Symptom.

For the Base Object Type, choose Virtual Machine. Select Properties from Symptom Type. You can drill down, but I find it easier to just type or copy and paste in what I am looking for. In this example, I am searching for isolation.tools.copy.disable, so I type that in and drag the Property up into the left box. The property condition is specific to the STIG check, but this example checks for the setting to exist and be true, so I set the condition with the logic, “If property Does not contain true trigger Warning.” Criticality can also be adjusted, but the Warning will provide a yellow triangle with an exclamation mark in it when the Alert is active.

Create Alert Recommendation

Alert Recommendations (Configure > Alerts > Recommendations) are not necessary, but I like to add the STIG ID and the “Fix” text of the STIG to the recommendation. This saves me from having to hunt down the STIG check, and later, Fix text to make the setting compliant again.

Unfortunately, there is no way to add formatting to the Recommendation, so the text will look like one giant paragraph.

Create an Alert Definition

Now that there is a Symptom Definition and a Recommendation, we can create an Alert Definition (Configure > Alerts > Alert Definitions).

Provide a Name for the Alert Definition. Keep it generic as we are going to add more than one Alert Symptom after this demo. For now, we are only going to add the one to test, but once we know our logic works, we can populate this Alert Definition with more Alert Symptoms so that we have a one to many relationship. The alternative is to have one to one, that is one Alert Symptom to one Alert Definition. I have done this in the past, but it’s messy and unnecessary, really.

Provide a Base Object Type; for this example, I am going to continue with Virtual Machine. Expand the Advanced Settings and change the following fields accordingly.

Impact: Risk
Criticality: Symptom Based
Alert Type & Subtype: Virtualization/Hypervisor : Compliance
Wait Cycle: 1
Cancel Cycle: 1

Click Next.

Change the tab to Symptoms and type in the Alert Symptom previously created. If you are following along, the STIG ID should directly find the symptom defined earlier. Locate the symptom and drag to the left to create a new set. If you have created more than one Alert Symptom, add additional symptoms to the left and change the This set is met when to Any.

Click Next.

If you are doing one to one, it makes sense to add in Recommendations. On the Recommendations section, filter for the Recommendation created earlier, if any. Again, if you are following along, the STIG ID should pinpoint the exact Recommendation.

Same thing as before, when the Recommendation displays, drag it over to the left and if there are more than one, drag and order by priority.

If this is a one to many configuration, it might make sense to provide either a generic Recommendation or no recommendation at all.

Click Next.

Check the box next to the Policy that was created earlier, in my case vSphere 7.0 – Virtual Machine.

Click Create or Update if you are modifying the Alert Definition.

Alert Definition Check

Click in the Filter and type in the name of the Alert Definition that was just created. This will ensure the definition looks correct and saved correctly.

Remember that VMware Aria Operations works in cycles, and by default a cycle is five minutes. This Symptom Definition was configured with 1 in the Wait Cycle and 1 in the Cancel Cycle. This means that if the condition on the Property (in this case) is seen for more than five minutes, it will trigger the Alert. If the condition is fixed, then the opposite takes place: once the Property no longer meets the condition, the Alert drops out of Active Alerts, but it remains as an Alert until it is Deleted.

Create a Custom Compliance Benchmark

To create a custom Compliance Benchmark (Optimize > Compliance), click Add Custom Compliance. Provide a Name and Description. Click Next.

Choose the Alert Definition or Alert Definitions if you want to add more than one. Click Next.

Finally, choose the Policy that this should be attached to (which policy holds objects this will affect). Click Finish.

Wait for a couple of cycles to pass and review the active Alerts. You may need to break compliance or build a test virtual machine that is out of compliance so that you have a control machine to test the logic against.

Things to Look out For!

So, I was testing this in my lab and found that by default, the virtual machines do not have certain properties configured…they just do not exist by default! Using the first STIG check above as an example, isolation.tools.copy.disable, this property is not present on a brand new virtual machine. The following is a screenshot of checking with PowerCLI.
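The PowerCLI check described above, written out as an added example (this is not the post's own script nor the linked Multiple Virtual Machines Script): it audits each virtual machine for isolation.tools.copy.disable and reports whether the key is Missing, NonCompliant (present but not true), or Compliant, which is exactly the distinction Aria Operations cannot make when the key is absent. It assumes the VMware.PowerCLI module is installed and a Connect-VIServer session already exists; the -VMNameFilter parameter and the -Remediate switch are my own.

```powershell
# Added example, not from the original post. Audits VMs for the STIG advanced
# setting named in the post and distinguishes "key missing" from "key false".
# Assumes VMware.PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [string]$VMNameFilter = '*',   # assumed parameter: wildcard for which VMs to audit
    [switch]$Remediate             # assumed switch: create/set the value when not compliant
)

# Advanced settings to check, keyed by name, with the expected value (lower case).
# Only the setting discussed in the post is listed; add further STIG items here.
$RequiredSettings = @{
    'isolation.tools.copy.disable' = 'true'
}

# Skip the vSphere Cluster Services VMs, matching the Custom Group exclusion.
$vms = Get-VM -Name $VMNameFilter | Where-Object { $_.Name -notlike 'vCLS*' }

$report = foreach ($vm in $vms) {
    foreach ($name in $RequiredSettings.Keys) {
        $expected = $RequiredSettings[$name]
        # Returns nothing when the key is not present on the VM at all.
        $setting  = Get-AdvancedSetting -Entity $vm -Name $name -ErrorAction SilentlyContinue

        if (-not $setting) {
            $state = 'Missing'          # nothing for Aria Operations to evaluate
        } elseif ("$($setting.Value)".ToLower() -eq $expected) {
            $state = 'Compliant'
        } else {
            $state = 'NonCompliant'     # present, but not the STIG value
        }

        if ($Remediate -and $state -ne 'Compliant') {
            if ($setting) {
                Set-AdvancedSetting -AdvancedSetting $setting -Value $expected -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $vm -Name $name -Value $expected -Confirm:$false | Out-Null
            }
            $state = 'Remediated'
        }

        $value = if ($setting) { $setting.Value } else { '<absent>' }
        [pscustomobject]@{ VM = $vm.Name; Setting = $name; Value = $value; State = $state }
    }
}

$report | Sort-Object State, VM | Format-Table -AutoSize
```

Run it once without -Remediate to see how many VMs report Missing; those are the machines the Alert Symptom cannot judge reliably until the key has been created.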

Interestingly enough, if we navigate to a virtual machine object in Aria Operations and look at the properties, the metric is there, but with a yellow badge that indicates an anomaly.

Even more interesting, if I try to create a Custom Group, I can test whether the Property exists.

I can actually click on Preview and see the virtual machines all show this property existing! I am so confused! Does it exist or not exist?

The takeaway, here, is to make sure STIG has been applied to the vSphere infrastructure before relying on Aria Operations to monitor and alert on configuration drift.

