SaltStack Expands into Security Compliance Scanning and Remediation – InApps Technology 2022

SaltStack wants to save operations folk from “audit hell.”

A new feature of the company’s flagship configuration management software Saltstack Enterprise will include capabilities for auditing and instant remediation of configuration errors and vulnerabilities.

SaltStack debuted SaltStack SecOps, which will become generally available early next year, at the company’s annual user conference, SaltConf18, being held in Salt Lake City this week.

The feature came about as a result of getting a lot of questions from users about how to extend the Salt configuration management software to also encompass security, noted Alex Peay, SaltStack vice president of product.

An increasing number of organizations have been using scanning assessment tools from security providers. Such tools typically can scan a set of machines to ensure they are configured correctly, and issue a report listing the machines that failed the audit, and what the specific issues are. An incorrectly configured machine can offer malicious attackers and entry point to do damage.

“We approach this problem differently than all the other assessment tools out there,” Peay said, noting that it takes advantage of Salt’s complex targeting capabilities to offer a fully automated discovery and instant remediation service, a first for both configuration management and security compliance software.

While existing services from the security companies can help in meeting external or internal security and compliance requirements, they pose a challenge for operations teams, who must fix the troubled computers after a scan and rerun the scan, Peay explained. Sometimes the machine can be fixed through a tool such as SaltStack’s, or by manual scripts. But the task of moving the list of issues into a remediation process is a manual — and time-consuming — one.

“It leads to a lot of late nights and weekends,” said Peay. And for an organization moving to an automated DevOps process, remediation can be a serious bottleneck.

Most security scanning companies offer a report of mis-configured computers and not much else, leaving #Ops to remediate, often manually. “This whole process is fraught w/ inefficiencies” — @SaltStack’s @AlexPeay #SaltConf18 #DevOps #SecOps #DevSecOps pic.twitter.com/4cNTGQI15x

— InApps Technology (@thenewstack) September 12, 2018

SaltStack automates the process of discovery and remediation. The software can check thousands of machines, and, if configuration errors are found, immediately fix them. Or, it can generate a report, allowing the administrator to set a time to fix them (during off-hours, for instance).

Initially, SaltStack will use desired configuration settings from the Center for Information Security (CIS), the U.S. Defense Information Agency’s Security Technical Implementation Guides (DISA STIGS), and the National Institute of Standards and Technology (NIST). Such guides have thousands of checks for operating systems, ranging from shutting down a telnet port to defining settings that guide user access permissions. Users can also define their own checks, and use a mixture of external and internal compliance checklists.

Such a remediation service can be easily executed by Salt Minions, the agents installed on each Salt-controlled machine. The service will initially support most widely used Linux and Unix distributions, as well as recent editions of Windows. The configurations will be managed in-house and kept on a public repository (likely GitHub).

Initially, SaltStack SecOps will focus on configuration settings, though over time it may include other security needs, such as patch management and vulnerability remediation, Peay said.