vmware / dod-compliance-and-automation

Security hardening content for VMware solutions to US Department of Defense standards

INSPEC: VMCH-70-Multiple not filtering vCLS #129

Open pbarrette opened 1 year ago

pbarrette commented 1 year ago

Describe the bug

Executing a scan against all VMs results in failures on multiple controls for vCLS-X VMs.

My understanding is that the configuration of the vCLS machines is not supposed to be changed. Additionally, attempting to modify them results in an error.

Reproduction steps

  1. Execute an inspec scan against VMCH controls.

Expected behavior

The STIG should be updated to note that vCLS machines are exempt from the failing controls.

If they should not be exempt, VMware should be creating the vCLS machines with the proper controls already applied.

The inspec controls should be updated to ignore the vCLS VMs and produce a compliant scan.

Additional context

I've changed the following line in all VMCH controls from:

vms = powercli_command('Get-VM | Sort-Object Name | Select -ExpandProperty Name').stdout.gsub("\r\n", "\n").split("\n")

to:

vms = powercli_command('Get-VM | Where-Object { $_.Folder -notmatch "vCLS" } | Sort-Object Name | Select -ExpandProperty Name').stdout.gsub("\r\n", "\n").split("\n")

This ignores all VMs in the vCenter created "vCLS" folder.
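The same exemption can be applied on the InSpec (Ruby) side instead of inside the PowerCLI pipeline, which also lets the control report which VMs it skipped rather than silently dropping them. The block below is an added example and is not code from the vmware/dod-compliance-and-automation project; it assumes a PowerCLI pipeline that emits one "Name<TAB>Folder" line per VM, and all VM and folder names in the sample output are constructed.

```ruby
# Added example (not the project's own code): client-side vCLS exemption for
# a VMCH-style control, with a record of what was exempted.

# Constructed stand-in for the stdout of an assumed PowerCLI pipeline such as
#   Get-VM | ForEach-Object { "$($_.Name)`t$($_.Folder.Name)" }
# i.e. one "Name<TAB>Folder" line per VM with Windows CRLF line endings.
# Every VM and folder name below is made up.
SAMPLE_STDOUT =
  "app-web-01\tProduction\r\n" \
  "vCLS-1a2b3c4d\tvCLS\r\n" \
  "db-01\tProduction\r\n" \
  "vCLS-0000abcd\tDiscovered virtual machine\r\n" \
  "vCLS-9f8e7d6c\tvCLS\r\n" \
  "\r\n"

# Mirrors the post's `$_.Folder -notmatch "vCLS"` (PowerShell -match is
# case-insensitive), plus a name-based rule as a backstop for a vCLS VM
# that is found outside the vCenter-created vCLS folder.
VCLS_FOLDER_PATTERN = /vCLS/i
VCLS_NAME_PATTERN   = /\AvCLS-/i

# Normalise CRLF, drop blank lines, and split each line into name/folder.
# If the pipeline only emitted names (no tab), folder is "" and the
# name-based rule still applies.
def parse_vm_lines(stdout)
  stdout.gsub("\r\n", "\n").split("\n").map(&:strip).reject(&:empty?).map do |line|
    name, folder = line.split("\t", 2)
    { name: name, folder: folder.to_s }
  end
end

def vcls_vm?(vm)
  VCLS_FOLDER_PATTERN.match?(vm[:folder]) || VCLS_NAME_PATTERN.match?(vm[:name])
end

# Returns [in_scope_names, exempt_names], both sorted, so a control can
# iterate the first and report the second.
def partition_vms(stdout)
  exempt, in_scope = parse_vm_lines(stdout).partition { |vm| vcls_vm?(vm) }
  [in_scope.map { |vm| vm[:name] }.sort, exempt.map { |vm| vm[:name] }.sort]
end

def in_scope_vms(stdout)
  partition_vms(stdout).first
end

def exempt_vms(stdout)
  partition_vms(stdout).last
end

# Inside an InSpec control the two lists would be consumed roughly as:
#   vms, exempt = partition_vms(powercli_command(cmd).stdout)
#   exempt.each { |n| describe "vCLS VM #{n}" do skip "vCLS VMs are exempt" end }
#   vms.each    { |n| describe ... end }
# (InSpec DSL shown only as a comment; it runs inside `inspec exec`.)
if __FILE__ == $PROGRAM_NAME
  vms, exempt = partition_vms(SAMPLE_STDOUT)
  puts "in scope: #{vms.join(', ')}"
  puts "exempt:   #{exempt.join(', ')}"
end
```

Keeping the exempt list visible in the scan output matters for the audit trail: a reviewer can see that the vCLS VMs were deliberately excluded under the rationale above rather than missed, and a user VM that happened to match the pattern would show up in that list instead of disappearing from the results.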

rlakey commented 1 year ago

Yeah, we technically can't fix these VMs in 7, but they aren't necessarily excluded from being compliant either, the way things are currently written (they didn't exist until later versions of 7). We'll have to reconsider this in a future update after the official STIG is out.

In 8.0 this won't be an issue as these VMs are all compliant with the guidance when that comes out.