  • Stars: 144
  • Language: Ruby
  • License: Other
  • Created almost 5 years ago
  • Updated 3 months ago


Repository Details

Security hardening content for VMware solutions to US Department of Defense standards


dod-compliance-and-automation

Announcements

Please visit our new docs page at: https://vmware.github.io/dod-compliance-and-automation/

Overview

VMware is a trusted partner in highly secure, mission-critical systems around the world, including the US Department of Defense (DoD). In the DoD, all IT systems must adhere to the rigorous Risk Management Framework (RMF) as defined in DoDI 8510.01. A critical component of RMF is the mandatory implementation of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs) as maintained by the Defense Information Systems Agency (DISA). Where a product-specific STIG is not available, the relevant SRGs must be used instead.

DoDI 8510.01

STIGs are product-specific and document applicable DoD policies and security requirements, as well as best practices and configuration guidelines. STIGs are associated with security controls through CCIs, which are decompositions of NIST SP 800-53 security controls into single, actionable, measurable items. SRGs are developed by DISA to provide general security compliance guidelines and serve as source guidance documents for STIGs. When a STIG is not available for a product, an SRG may be used.

DoD Cybersecurity Discipline Implementation Plan

STIGs and SRGs provide configuration guidance for technologies such as operating systems, browsers, antivirus, web services, databases, Active Directory, and domain name services. Applying the combination of applicable STIGs and SRGs results in a secure configuration that helps prevent issues such as insider threats, data exfiltration, or advanced persistent threats.

In order to better serve the needs of our DoD partners, and those who wish to meet the bar set by the DoD, VMware is providing three elements for community consumption and contribution.

  • STIG Readiness Guides
    • SRG-based content that is either the source material for an in-process STIG, or that can be used in the absence of an official STIG.
  • Auditing Automation
    • Automation to audit and report on the state of compliance for an associated set of SRG/STIG controls.
  • Remediation Automation
    • Automation to remediate findings against a set of SRG/STIG controls using publicly accessible methods and APIs.

STIG Readiness Guides

STIG development is essentially an exercise where a specific product is filtered through all applicable SRGs to produce product-specific, NIST 800-53 backed hardening guidance. That content is then vetted, tested and approved by the DISA Risk Management Executive (RME) and posted on public.cyber.mil. VMware has a number of official STIGs published and we are working on many more. While we go through the official DISA vendor process, we want to make the SRG content available for public consumption and contributions: for products whose STIG is in process, while we wait for the official posting, and for products that are not scheduled to be submitted.

For more information on STIG Readiness Guides please read about our STIG program.

NOTE: This project represents VMware's effort to document our compliance against the SRG requirements and nothing more. A published STIG is our eventual goal, in most cases, but this content should not be viewed as "as good as a STIG". A DISA published STIG includes technical validation, review of requirement fulfillment, accuracy and style, and risk acceptance, and is digitally signed by the RME and posted on a .mil site. This SRG content is intended to provide value to our partners while the STIGs are in process. Except for products that have published STIGs already, there is no explicit or implied DISA approval of the provided content.

Compliance Automation

STIG documents are written to be portable, offline hardening documentation that a sysadmin can follow, step by step, to STIG a system with no external dependencies. That said, many STIGs are either too complex or need to be applied to so many instances that manual steps are simply not feasible. To augment the plain-language STIG content, we are providing a number of ways to script or fully automate your VMware compliance activities.

Documentation

Depending on the product, there may be a need to host DoD specific whitepapers, notes and addendums that have no other appropriate place. These items will be provided under the docs path where applicable.

Support

More information on support for STIGs and STIG Readiness Guides is available in the Support document.

Contributing

The dod-compliance-and-automation project team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ.

  • STIG Readiness Guides Content - VMware owns the state of the SRG/STIG controls provided here, including their applicability and how the requirements are addressed. That said, we are open to ideas for further hardening, additional methods, refinements, expansion, etc.

  • Automation Content - VMware provides the automation content in a beta-complete state. Once it is used by the broad GitHub audience, we expect the need for refinements, and we highly encourage feedback and direct contributions.

Disclaimer

VMware accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations.

For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system’s particular circumstances and requirements is the system owner's responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible Authorizing Official.

Furthermore, VMware implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the Department of Defense. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied both at the device hardening level as well as the architectural level. Some of the controls may not be configurable in environments outside the DoDIN.

License

The dod-compliance-and-automation project is available under the Apache License, Version 2.0.
