Lab 9: Continuous Compliance

Scenario

In the domain of compliance management, Security and Operations teams collaborate on corporate IT security policies. Despite their efforts, disjointed tools, workflows, and priorities hinder them. The SecOps Automation platform steps in, enabling effective compliance enforcement and automated remediation. You’ll learn how to use Automation for Secure Hosts (SecOps add-on for Automation Config) to manage compliance effectively.

Task A. Create Target - Windows Server 2019 (Skip if you already created this Target)

  1. Click Targets in the side menu to open the Targets workspace and view your targets
  2. Click Create button
    • Input the following details
      • Name = Win2019
      • Description = Windows Server 2019
      • All masters = (Checked)
      • Criteria
        • Target type (1) = Grain
        • Grain key (1) = osfinger
        • Grain value (1) = Windows-2019Server
  3. Click SAVE button

Task B. Create Policy

  1. Click Compliance > Policies from the side menu
  2. Click CREATE POLICY button to create a new policy
  3. In the Target step page:
    • Input the following details
      • Policy name = CIS Win2019 Benchmark (the job you have created in the previous task)
      • Targets = Win2019
    • Click NEXT button
  4. In the Benchmarks step page:
    • Check CIS Microsoft Windows Server 2019 RTM Release 1809 Benchmark v1.0.0
    • Click NEXT button
  5. In the Checks step page:
    • Check the first three benchmark checks, for example:
      • Configure ‘Accounts: Rename administrator account’
      • Configure ‘Accounts: Rename guest account’
      • Configure all Account lockout policies checks
    • Click NEXT button
  6. In the Variables step page:
    • Leave all input values unchanged
    • Click NEXT button
  7. In the Schedule step page:
    • Select Not scheduled (on demand)
    • Leave Run assessment on save unchecked
    • Click SAVE button

Task C. Run Assessment

  1. (Optional) Click Compliance > Policies from the side menu
  2. (Optional) Locate and click CIS Win2019 Benchmark to open the policy you created
  3. Click RUN ASSESSMENT on the top right corner
    • In the pop-up dialog
      • Click RUN ASSESSMENT to confirm
  4. Wait until the assessment is completed
    • Click Activity tab
    • Click Refresh Icon periodically and wait until the status of the assessment becomes Completed
    • Click Checks tab
  5. Examine the benchmark check results
    • Examine the assessment results: Check name, Compliant & Not compliant
    • Note the Compliant % & Not Compliant %, which will be compared with the values after remediation

Task D. Remediate

  1. (Optional) Click Compliance > Policies from the side menu
  2. (Optional) Locate and click CIS Win2019 Benchmark to open the policy you created
  3. In CIS Win2019 Benchmark policy page
    • Check the first benchmark check
    • Click ADD EXEMPTION to temporarily ignore this check
      • In the pop-up dialog, input following details
        • Reason for exemption: Deferring this setting for now
        • Click ADD EXEMPTION
      • (This benchmark check will appear in the Exemptions tab)
    • Uncheck the first benchmark check
    • Check the second and third benchmark checks
    • Click REMEDIATE to remediate minions that are non-compliant with these checks
      • In the confirmation dialog
        • Click REMEDIATE
  4. Wait until the remediation is completed
    • Click Activity tab
    • Click Refresh Icon periodically and wait until status of remediation becomes Completed
    • Click Checks tab to show policy summary
  5. Click RUN ASSESSMENT to run the assessment again
    • In the pop-up dialog
      • Click RUN ASSESSMENT to confirm
  6. Wait until the assessment is completed
    • Click Activity tab
    • Click Refresh Icon periodically and wait until status of assessment becomes Completed
    • Click Checks tab to view updated compliance policy summary

Task E. Check Results

  1. (Optional) Click Compliance > Policies from the side menu
  2. (Optional) Locate and click CIS Win2019 Benchmark to open the policy you created
  3. Examine the benchmark check results in this policy
    • The compliance level should now have increased compared with the first assessment
  4. Click Compliance > Policies from the side menu
    • The page shows an overall summary of all policies
    • Examine the updated Overall Summary, Compliance Summary and Assessment Summary
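The dashboard figures above come from the policy's own assessment. As an added example (not part of this lab or of Automation for Secure Hosts), the following PowerShell script re-checks the three benchmark items selected in Task B directly on the Windows Server 2019 minion, so the Compliant / Not compliant result for each check can be confirmed on the host itself. It assumes an elevated PowerShell session on the target; the expected lockout values (duration of at least 15 minutes, threshold between 1 and 10, reset window of at least 15 minutes) are the CIS Level 1 settings and are stated here as an assumption, not taken from the lab text.

```powershell
# Added example: local re-check of the lab's three CIS items on the minion.
# Assumes an elevated session on Windows Server 2019; CIS L1 lockout values assumed.

function Get-NetAccountsValue {
    param([string[]]$NetAccountsOutput, [string]$Label)
    # 'net accounts' prints "Label:   value"; take the value after the colon
    $line = $NetAccountsOutput | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if (-not $line) { return $null }
    $value = ($line -split ':', 2)[1].Trim()
    if ($value -eq 'Never') { return 0 }   # 'Never' means lockout is disabled
    return [int]$value
}

function Test-Win2019LabChecks {
    # Built-in accounts are located by well-known RID (-500 / -501), because the
    # point of the rename checks is that their names may no longer be the defaults
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $net   = net accounts

    $duration  = Get-NetAccountsValue $net 'Lockout duration (minutes)'
    $threshold = Get-NetAccountsValue $net 'Lockout threshold'
    $window    = Get-NetAccountsValue $net 'Lockout observation window (minutes)'

    $checks = @(
        [pscustomobject]@{ Check = 'Accounts: Rename administrator account'
                           Compliant = ($admin.Name -ne 'Administrator') }
        [pscustomobject]@{ Check = 'Accounts: Rename guest account'
                           Compliant = ($guest.Name -ne 'Guest') }
        [pscustomobject]@{ Check = 'Account lockout duration >= 15 min'
                           Compliant = ($duration -ge 15) }
        [pscustomobject]@{ Check = 'Account lockout threshold 1-10'
                           Compliant = ($threshold -ge 1 -and $threshold -le 10) }
        [pscustomobject]@{ Check = 'Reset lockout counter after >= 15 min'
                           Compliant = ($window -ge 15) }
    )
    $compliant = @($checks | Where-Object Compliant).Count
    # Same figure the policy page reports as Compliant %
    $pct = [math]::Round(100 * $compliant / $checks.Count, 1)
    [pscustomobject]@{ Checks = $checks; CompliantPercent = $pct }
}

$report = Test-Win2019LabChecks
$report.Checks | Format-Table -AutoSize
"Compliant: $($report.CompliantPercent)%"
```

Run it once after Task C and again after Task D: the Compliant % it prints should move in the same direction as the policy summary, and any check that stays non-compliant on the host while the dashboard reports it compliant is worth investigating.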

Summary

VMware Automation for Secure Hosts enhances compliance oversight using established frameworks and streamlined corrective actions:

  • Implementing industry best practices, such as CIS & DISA STIG for robust security hardening
  • Enhancing visibility by providing compliance summaries and assessment reports
  • Ensuring continuous adherence through automated compliance evaluations
  • Enabling swift and efficient compliance remediation through automation
  • Creating tailor-made compliance benchmark checks for unique needs using the Compliance SDK