The format for SIMP Compliance Engine data is fully described here.
If you have a Puppet class that looks like this:

```puppet
class profile::ssh_server (
  Enum['yes', 'no'] $permit_root_login = 'yes',
) {
  sshd_config { 'PermitRootLogin': value => $permit_root_login }
}
```
And you have compliance data that looks like this (comments optional):

```yaml
---
version: 2.0.0 # Required in every file read by SCE
profiles:
  my_profile: # Named profile, enabled by name in hiera
    checks: # All checks contained in the profile
      disable_root_login: true # Use the key from the checks hash!
checks:
  disable_root_login: # Check name, used above in a profile
    type: puppet-class-parameter
    settings:
      # The name of the Puppet parameter, the name used in hiera
      parameter: profile::ssh_server::permit_root_login
      # The policy compliant value
      # It's quoted here because otherwise yaml would convert it to a boolean
      value: "no"
```
The following also needs to be set in Hiera to select the profile to enforce:

```yaml
---
compliance_markup::enforcement:
  - 'my_profile'
```
During catalog compilation, Puppet will perform a lookup on the class parameter profile::ssh_server::permit_root_login. If set up properly, the SCE will be referenced by Puppet's automatic parameter lookup and it returns "no", forcing that parameter to be set to "no". After Puppet finishes running, the system will reflect the enforcement and the PermitRootLogin setting for sshd will be set to no.
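To make the lookup path above concrete, here is an added Python illustration (not SCE's own code) that models the documented data shape: a profile enables checks by name, a puppet-class-parameter check maps a class parameter to its compliant value, and an enforcement list selects profiles. It also validates the data, including the YAML quoting pitfall noted in the comment on `value`, where an unquoted `no` loads as a boolean. The data is the page's example rewritten as a Python dict; the rule that the first-listed profile wins when two profiles set the same parameter is an assumption of this example, not something the page states.

```python
"""Resolve what the SIMP Compliance Engine (SCE) would answer for a Hiera lookup.

Added illustration, not SCE's own code. It models only the data shape shown on
the page: profiles enable checks by name, and a puppet-class-parameter check
maps a class parameter to its compliant value.
"""
import copy
from typing import Any

# Constructed sample mirroring the page's YAML, written as a Python dict.
COMPLIANCE_DATA: dict[str, Any] = {
    "version": "2.0.0",
    "profiles": {
        "my_profile": {"checks": {"disable_root_login": True}},
    },
    "checks": {
        "disable_root_login": {
            "type": "puppet-class-parameter",
            "settings": {
                "parameter": "profile::ssh_server::permit_root_login",
                # Quoted "no" in the YAML source; an unquoted no parses to False
                "value": "no",
            },
        },
    },
}


def validate(data: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the data is usable."""
    errors: list[str] = []
    if data.get("version") != "2.0.0":
        errors.append("version: every SCE data file must declare version 2.0.0")
    checks = data.get("checks", {})
    for profile_name, profile in data.get("profiles", {}).items():
        for check_name in profile.get("checks", {}):
            if check_name not in checks:
                errors.append(f"{profile_name}: references unknown check {check_name}")
    for name, check in checks.items():
        if check.get("type") != "puppet-class-parameter":
            errors.append(f"{name}: unsupported check type {check.get('type')!r}")
            continue
        settings = check.get("settings", {})
        if "parameter" not in settings or "value" not in settings:
            errors.append(f"{name}: settings need both parameter and value")
        elif isinstance(settings["value"], bool):
            # The YAML pitfall from the page: an unquoted yes/no becomes a boolean
            errors.append(f"{name}: value is a YAML boolean; quote it if a string is intended")
    return errors


def resolve_enforced(data: dict[str, Any], enforcement: list[str]) -> dict[str, Any]:
    """Map each enforced class parameter to its compliant value.

    Assumption (not stated on the page): when two enforced profiles set the
    same parameter, the profile listed first in the enforcement list wins.
    """
    resolved: dict[str, Any] = {}
    for profile_name in enforcement:
        profile = data["profiles"].get(profile_name)
        if profile is None:
            raise KeyError(f"enforced profile {profile_name!r} is not defined")
        for check_name, enabled in profile.get("checks", {}).items():
            if not enabled:
                continue
            check = data["checks"][check_name]
            if check["type"] != "puppet-class-parameter":
                continue
            settings = check["settings"]
            resolved.setdefault(settings["parameter"], settings["value"])
    return resolved


def lookup(data: dict[str, Any], enforcement: list[str], parameter: str) -> Any:
    """Simulate Puppet's automatic parameter lookup reaching the SCE backend."""
    return resolve_enforced(data, enforcement).get(parameter)


def with_unquoted_value(data: dict[str, Any]) -> dict[str, Any]:
    """Copy of the data as YAML would load it if the no had not been quoted."""
    broken = copy.deepcopy(data)
    broken["checks"]["disable_root_login"]["settings"]["value"] = False
    return broken


if __name__ == "__main__":
    print(validate(COMPLIANCE_DATA))
    print(lookup(COMPLIANCE_DATA, ["my_profile"], "profile::ssh_server::permit_root_login"))
    print(validate(with_unquoted_value(COMPLIANCE_DATA)))
```

Running the module prints an empty error list, the enforced value `no`, and a single validation error for the unquoted variant, which is the failure the page's comment on `value` warns about: the class parameter is typed `Enum['yes', 'no']`, so a boolean `False` coming back from the lookup would fail type checking at catalog compilation rather than disabling root login.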
You can also create a new profile using the compliant configuration settings we provide with the included profiles.
As an example, this custom profile configures the Account Lockout settings and auditing using the settings provided with the Windows DISA STIG compliance data:

```yaml
---
version: 2.0.0 # Required in every file read by SCE
profiles:
  my_profile:account_lockout_settings_only: # Named profile, enabled by name in hiera
    checks: # Settings to enforce with the profile
      oval:com.puppet.forge.simp-windows.local_security_policies.account-lockout-threshold:def:1: true
      oval:com.puppet.forge.simp-windows.local_security_policies.reset-account-lockout-counter-after:def:1: true
      oval:com.puppet.forge.simp-windows.local_security_policies.account-lockout-duration:def:1: true
      oval:com.puppet.forge.simp-windows.audit_policies.account-lockout-success:def:1: true
      oval:com.puppet.forge.simp-windows.audit_policies.account-lockout-failure:def:1: true
```
Then add the profile to the enforcement list in hiera:

```yaml
---
compliance_markup::enforcement:
  - 'my_profile:account_lockout_settings_only'
```
In the compliance data provided with SIMP Enterprise, the profile contains a list of Configuration Elements. Each Configuration Element is a translation of a single recommendation from an industry standard benchmark. The Configuration Elements tie the configuration settings required for compliance back to the profile.
To modify which benchmark recommendations are applied to your systems, use the compliance_map function to disable the Configuration Elements referencing the settings you want to disable.
Let's assume you are enforcing the disa:mac-1:classified profile on a Windows 2019 system, and have decided that V-92965, "Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems", is too restrictive for your environment.
Add the following to a hieradata file that will apply to the desired system:

```yaml
---
compliance_markup::compliance_map:
  version: 2.0.0
  profiles:
    disa:mac-1:classified: # Profile to customize, enabled by name in hiera
      ces: # Configuration Elements included in this profile.
        oval:simp.disa.V-92965:def:1: false # Set true to enable the CE, false to disable
```
Make sure the profile is in the enforcement list in hieradata:

```yaml
---
compliance_markup::enforcement:
  - disa:mac-1:classified
```
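The override above works by merging a small map over the shipped profile and flipping one Configuration Element to false. The following added Python illustration (not SCE's own code) models that merge so you can see which CEs remain enabled before and after the override is applied. The base profile is constructed for the example: V-92965 is the CE named on the page, while the second CE id is a placeholder invented here. How SCE maps a disabled CE back to the individual settings it covers is not detailed on the page and is not modelled.

```python
"""Apply a compliance_markup::compliance_map override to base compliance data.

Added illustration, not SCE's own code. It models the enable/disable flag the
page shows for Configuration Elements (ces) inside a profile; the mapping from
a CE to its underlying settings is not covered here.
"""
import copy
from typing import Any

# Constructed base data: V-92965 is the CE named on the page; the second CE id
# is a placeholder invented for this example.
BASE_DATA: dict[str, Any] = {
    "version": "2.0.0",
    "profiles": {
        "disa:mac-1:classified": {
            "ces": {
                "oval:simp.disa.V-92965:def:1": True,
                "oval:simp.disa.V-PLACEHOLDER:def:1": True,
            },
        },
    },
}

# The hieradata override from the page, as a Python dict.
COMPLIANCE_MAP: dict[str, Any] = {
    "version": "2.0.0",
    "profiles": {
        "disa:mac-1:classified": {
            "ces": {"oval:simp.disa.V-92965:def:1": False},
        },
    },
}


def apply_compliance_map(base: dict[str, Any], override: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of base with the override's per-profile flags merged in."""
    if override.get("version") != "2.0.0":
        raise ValueError("compliance_map needs version: 2.0.0 like every SCE file")
    merged = copy.deepcopy(base)  # never mutate the shipped data in place
    for profile_name, profile in override.get("profiles", {}).items():
        target = merged.setdefault("profiles", {}).setdefault(profile_name, {})
        # Both CEs and checks carry the same true/false enable flag on the page
        for section in ("ces", "checks"):
            for entry, enabled in profile.get(section, {}).items():
                target.setdefault(section, {})[entry] = bool(enabled)
    return merged


def enabled_ces(data: dict[str, Any], profile_name: str) -> list[str]:
    """Sorted CE ids that remain enabled in the named profile."""
    ces = data.get("profiles", {}).get(profile_name, {}).get("ces", {})
    return sorted(ce for ce, enabled in ces.items() if enabled)


def enforcement_status(data: dict[str, Any], enforcement: list[str]) -> dict[str, list[str]]:
    """For each profile in the enforcement list, the CEs that will be applied."""
    return {name: enabled_ces(data, name) for name in enforcement}


if __name__ == "__main__":
    customized = apply_compliance_map(BASE_DATA, COMPLIANCE_MAP)
    print("before:", enforcement_status(BASE_DATA, ["disa:mac-1:classified"]))
    print("after: ", enforcement_status(customized, ["disa:mac-1:classified"]))
```

Keeping the merge non-destructive matters operationally: the shipped benchmark data stays intact, and the hieradata override is the single place an auditor needs to look to see which recommendations were deliberately switched off for a system.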
Some enforced configuration settings are exposed as Puppet class parameters and can be directly modified through hiera data. Details of those settings are found in the individual module documentation.