1. Introduction
2. Installation
3. Commands
4. Configuration

Using SIMP Scanner

The SIMP Scanner can be executed from the command line with simp-scanner followed by subcommand. For a full list of subcommands and their functions, run simp-scanner help.

list

Running simp-scanner list will search all possible content locations as defined in your config and all benchmark files then displays all the profiles that can be used for scanning.

INFO[0000] Parsing benchmarks...                           
INFO[0002] /var/db/simp/scanner/state/benchmarks/scap/(stig or cis)/SIMP_Default_Content-Example.xml 
INFO[0002]       disa-stig_example_profile_name 
INFO[0002]       xccdf_org.cisecurity.benchmarks_profile_Level_2 
INFO[0002] /home/myUsername/benchmarks/MyCustomBenchmarks.xml 
INFO[0002]       disa-stig_example_profile_name
INFO[0002]       nist_800_53_example_profile_name

scan

The three flags for simp-scanner scan are -A, -b, and -p.

• -A int (optional) > Specify an API version
• -b string (optional) > Set benchmark file to be used for finding profiles.
• -p string (optional)

  Set profile to be used for scanning.

To perform a scan on your local system, run simp-scanner scan -A API Version -b file.xml -p profile .

Note: If no benchmark or profile are specified the scanner will prompt for a selection from the simp-scanner list results.

Note: If you have a benchmark located somewhere simp-scanner list does NOT already know about, you must specify the absolute path._

Example:

 simp-scanner scan -b /home/myUsername/benchmarks/MyCustomBenchmarks.xml -p disa-stig_example_profile_name

info

Running simp-scanner info will dump all system information being used by the SIMP Scanner.

INFO[0000] os.release.major: 7                      
INFO[0000] scap_filename:                               
INFO[0000] platform: cpe:/o:centos:7 
INFO[0000] cpe_list: {[cpe:/o:centos:7]} 
INFO[0000] os.family: centos                            
INFO[0000] os.release.full: 7                       
INFO[0000] fqdn: computer-hostname                     
INFO[0000] kernel: linux                                
INFO[0000] os.name: centos                              
INFO[0000] simp-scanner.statedir: /var/db/simp/scanner/state 
INFO[0000] simp-scanner.default_scap_scanner: OpenSCAP  

Note: Your output will vary from this example depending on your system.

fetch

To connect to each of the SIMP Console collectors (see simp-scanner.yaml section for details) and download new/updated content, run simp-scanner fetch.

INFO[0000] [1] Registering collector on http://192.168.0.100:6468/collector/default 
INFO[0000] Fetching Benchmark: scap/cis/SIMP_Default_Content-Example-CIS.xml 
INFO[0000] Fetching Benchmark: scap/stig/SIMP_Default_Content-Example-STIG.xml 
INFO[0000] [1] Benchmarks are up to date  

run

Scans can be scheduled for specific times (or immediately) from the SIMP Console UI. From the command line, simp-scanner run will launch the SIMP Scanner into a “waiting mode”. The scanner will then open connections against each collector, waiting for a scheduled scan.

install

To add the SIMP Scanner as a service to your host OS, run simp-scanner install

Service managers we support:

• Windows System Service
• systemd
• upstart
• systemv

remove

To remove the service for the SIMP Scanner run simp-scanner remove

start

The SIMP Scanner runs as a daemon/service. To start the service, run simp-scanner start. The SIMP Scanner will then run a simp-scanner run process in the background.

stop

To stop the service for the SIMP Scanner run simp-scanner stop

status

To check the current status of the SIMP Scanner service, run simp-scanner status