Skip to main content
SaltStack Support

Enterprise Installation: SaltStack SecOps Configuration

SaltStack SecOps is a SaltStack Enterprise add-on that provides automated compliance detection and remediation for your infrastructure.

SaltStack SecOps includes a content library that consists of pre-built, industry best-practice security and compliance content, such as CIS.

The content library updates regularly as security standards change. You can configure SecOps content to download (or ingest) automatically (recommended for most standard systems) as security standards change, or you can download content manually.

Manual content ingestion

Download the SaltStack SecOps content.

Air-gapped systems must update SecOps content from one of the raas nodes. Air-gapped systems are defined by a configuration setting of sec/download_enabled = False.

To configure ingestion for air-gapped systems:

  1. Log in to a raas node.
  2. Copy the SecOps content tarball to the raas node (tmp is recommended).

    This content could be delivered by email or any other means.

  3. Run the following command:

    su - raas -c "raas ingest /path/to/locke.tar.gz.e"

    This returns:

    Extracting: /tmp/locke.tar.gz -> /tmp/extracted-1551290468.5497127
    Cleaning up: /tmp/extracted-1551290468.5497127
    {'errors': [], 'success': True}

Content ingestion for standard systems

For non-air-gapped raas systems, SecOps content is downloaded and ingested on a periodic basis based on the configuration.

The SecOps configuration options are located in a raas config file /etc/raas/raas in the sec section as follows.

Option Description
stats_snapshot_interval How often (in seconds) secops stats will be collected
compile_stats_interval How often (in seconds) secops stats will be compiled
username Username to use when connecting to SaltStack Enterprise to download the most recent SecOps content (default: secops)
content_url URL used to download SecOps content (default:
ingest_override When ingesting new content, overwrite existing benchmarks and checks
locke_dir Path where ingestion expects to find new content (default: locke) (if you use a relative path (no leading /), then it is relative to /var/lib/raas/cache)
post_ingest_cleanup Remove the expanded content from the file system after ingestion ( default: True)
download_enabled Whether SecOps content downloads are allowed (default: True). Set this to False for air gapped systems.
download_frequency How often in seconds will raas attempt to download SecOps content (default: 86400 for 24 hours)
ingest_on_boot Should raas attempt to download SecOps content on boot? (default: True)
content_lock_timeout How long in seconds will content download locks last (default: 60)
content_lock_block_timeout How long in seconds will content download locks block before failing (default: 120)
  • Was this article helpful?