In the simplest format, only Compliance Profiles, Controls, and Checks need to be defined. The Controls specified in the Profile are used as a reference for the Checks that need to be enforced.
For the following examples, assume a Puppet class widget_spinner exists and has a parameter audit_logging that can be set to true or false, indicating whether to enable or disable logging functionality.
The following sample compliance profile will enforce the Puppet class parameter widget_spinner::audit_logging to be set to true:
```yaml
---
version: 2.0.0
profiles:
  custom_profile:
    controls:
      apply_my_custom_profile: true
checks:
  widget_spinner_audit_logging:
    type: 'puppet-class-parameter'
    controls:
      apply_my_custom_profile: true
    settings:
      parameter: 'widget_spinner::audit_logging'
      value: true
```
Use caution when adding Controls to custom profiles. We have added Controls to all of the configuration settings provided with SIMP Enterprise, referencing NIST, CIS, and other benchmark controls where appropriate. Referencing one of those Controls from a custom profile therefore enforces every setting that carries that Control, not only the check you added it for.
A complete example of the entire data format is shown below. It enforces the same Puppet class parameter as the previous example, but only on specific operating systems and versions, via the confine tag in the ce definition. This custom profile also disables the CIS rule 1.1.2 configuration for EL 7 that is provided with SIMP Enterprise. The title and description tags in the CE definition are optional. Because the nist_800_53:rev4:AU-2 control is added to the CE definition, this setting will also be enforced by any profile that references that control.
```yaml
---
version: 2.0.0
profiles:
  custom_profile_1:
    ces:
      enable_widget_spinner_audit_logging: true
      oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1: false
ce:
  enable_widget_spinner_audit_logging:
    controls:
      nist_800_53:rev4:AU-2: true
    title: 'Ensure logging is enabled for Widget Spinner'
    description: 'This setting enables usage and security logging for the Widget Spinner application.'
    confine:
      os.release.major:
        - 7
        - 8
      os.name:
        - CentOS
        - OracleLinux
        - RedHat
checks:
  widget_spinner_audit_logging:
    type: 'puppet-class-parameter'
    settings:
      parameter: 'widget_spinner::audit_logging'
      value: true
    ces:
      - enable_widget_spinner_audit_logging
```
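To make the two selection paths concrete (profile to controls to checks, and profile to ces to ce to checks, with confine and an explicit false in the profile), here is an added resolver that is not part of the compliance_markup project; it works on the parsed form of the two profiles above, and the EL7 tmp CE and its check are constructed stand-ins because their SIMP-provided definitions are not shown on this page.

```python
# Added example, not code from the compliance_markup project: resolve which Puppet
# parameters a node enforces under a profile by walking profile -> controls / ces
# -> checks, honouring a CE's confine block and an explicit 'ces: <name>: false'.
# DOC is the parsed form of the two profiles above; the EL7 tmp CE and its check
# are constructed stand-ins (their SIMP-provided definitions are not on the page).
TMP = 'oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1'
DOC = {
    'profiles': {
        'custom_profile': {'controls': {'apply_my_custom_profile': True}},
        'custom_profile_1': {'ces': {'enable_widget_spinner_audit_logging': True, TMP: False}}},
    'ce': {
        'enable_widget_spinner_audit_logging': {
            'controls': {'nist_800_53:rev4:AU-2': True},
            'confine': {'os.release.major': [7, 8], 'os.name': ['CentOS', 'OracleLinux', 'RedHat']}},
        TMP: {'controls': {'cis:el7': True}, 'confine': {'os.release.major': [7]}}},  # stand-in
    'checks': {
        'widget_spinner_audit_logging': {
            'type': 'puppet-class-parameter', 'controls': {'apply_my_custom_profile': True},
            'settings': {'parameter': 'widget_spinner::audit_logging', 'value': True},
            'ces': ['enable_widget_spinner_audit_logging']},
        'tmp_is_configured': {'type': 'puppet-class-parameter', 'ces': [TMP],   # stand-in
            'settings': {'parameter': 'placeholder::tmp_is_configured', 'value': True}}}}

def confined(confine, facts):
    """True when every confine key matches the node's fact (a list means any of)."""
    return all(str(facts.get(k)) in [str(a) for a in (v if isinstance(v, list) else [v])]
               for k, v in (confine or {}).items())

def _wanted(prof, controls):
    """Does the profile assert any control that this CE or check is tagged with?"""
    return any(prof.get('controls', {}).get(c) for c, on in controls.items() if on)

def enabled_ces(doc, prof, facts):
    """CEs selected by a shared control or an explicit true; an explicit false wins."""
    ces = {n for n, ce in doc.get('ce', {}).items() if confined(ce.get('confine'), facts)
           and (_wanted(prof, ce.get('controls', {})) or prof.get('ces', {}).get(n))}
    return ces - {n for n, on in prof.get('ces', {}).items() if on is False}

def resolve(doc, profile, facts):
    """Map Puppet parameter -> value the node must enforce under the named profile."""
    prof = doc['profiles'][profile]
    if not confined(prof.get('confine'), facts):   # profile-level confine (Windows example)
        return {}
    ces, out = enabled_ces(doc, prof, facts), {}
    for chk in doc.get('checks', {}).values():
        if chk.get('type') == 'puppet-class-parameter' and (
                _wanted(prof, chk.get('controls', {})) or ces & set(chk.get('ces', []))):
            out[chk['settings']['parameter']] = chk['settings']['value']
    return out
```

On a CentOS 7 node custom_profile_1 yields only the widget_spinner parameter, on Debian it yields nothing because the CE's confine fails, while custom_profile enforces the check on any node because it selects the check through the control rather than the confined CE.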
```yaml
---
version: 2.0.0
checks:
  oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space:
    settings:
      parameter: simp::sysctl::kernel__randomize_va_space
      value: 2
    type: puppet-class-parameter
    ces:
      - oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
```
```yaml
---
version: 2.0.0
profiles:
  cis:level:1:server:
    title: Level 1 - Server
    description: 'Items in this profile intend to: be practical and prudent; provide
      a clear security benefit; and not inhibit the utility of the technology beyond
      acceptable means. This profile is intended for servers.'
    ces:
      oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1: true
ce:
  oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1:
    controls:
      cis:el8:v1.0.0.1: true
    identifiers:
      cis: []
      oval-ids:
        - xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled
    title: Ensure address space layout randomization (ASLR) is enabled
    description: Address space layout randomization (ASLR) is an exploit mitigation
      technique which randomly arranges the address space of key data areas of a process.
    imported_data:
      fixtext: 'Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*
        file: kernel.randomize_va_space = 2 Run the following command to set the active
        kernel parameter: # sysctl -w kernel.randomize_va_space=2'
    confine:
      os.release.major:
        - '8'
      os.name:
        - RedHat
```
```yaml
---
version: 2.0.0
checks:
  oval:com.puppet.forge.simp-windows.machine-inactivity-limit-15min-locking-with-screensaver:def:1:
    type: puppet-class-parameter
    settings:
      parameter: simp_windows::registry_values
      value:
        The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.:
          key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
          value: InactivityTimeoutSecs
          type: dword
          data: 900
    ces:
      - oval:simp.disa.V-92961:def:1
```
```yaml
---
version: 2.0.0
profiles:
  disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified:
    title: I - Mission Critical Classified
    ces:
      oval:simp.disa.V-92961:def:1: true
    confine:
      os.release.major:
        - '2019'
      kernel: windows
ce:
  oval:simp.disa.V-92961:def:1:
    controls:
      disa_stig: true
      disa_stig:Windows_2019: true
      SRG-OS-000028-GPOS-00009: true
      cci:CCI-000056: true
      cci:CCI-000057: true
      cci:CCI-000060: true
    identifiers:
      disa_stig:
        - V-92961
        - SRG-OS-000028-GPOS-00009
        - CCI-000056
        - CCI-000057
        - CCI-000060
      oval-ids:
        - xccdf_mil.disa.stig_rule_SV-103049r1_rule
    title: Windows Server 2019 machine inactivity limit must be set to 15 minutes
      or less, locking the system with the screen saver.
    description: |-
      Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.
      Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
    imported_data:
      fixtext: 'Configure the policy value for Computer Configuration >> Windows Settings
        >> Security Settings >> Local Policies >> Security Options >> "Interactive
        logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which
        is effectively disabled.'
    confine:
      os.release.major:
        - '2019'
      kernel: windows
```