Notice: Hard drive specifications assume the database file is stored locally. If this is not the case, SIMP Console only requires 150MB of local storage.
SIMP console has currently been tested on Chrome version 50 and above, Safari version 12, and Microsoft Edge version 42.
At minimum your Linux system (or VM environment) should be able to utilize a dual-core CPU, 2GB of RAM and 500MB of local storage. We recommend a quad-core CPU with at least 6GB of RAM and 5GB of local storage to run SIMP Console comfortably.
The SIMP Enterprise repositories require a valid license key in order to install or upgrade any enterprise packages, including SIMP Enterprise and SIMP Console. Once you have received your license key file from your account executive, copy it to, or create it as a new file named /etc/simp/license.key on the server you are installing the SIMP Console to.
The SIMP Release package provides the SIMP Enterprise Yum repository configuration and GPG keys needed to install SIMP Enterprise packages.
yum install https://download.simp-project.com/simp-release-enterprise.rpm
Install the simp-console package via yum.
yum install simp-console
Configuring the system is done by adding settings to the /etc/simp/simp-console.yml file.
SIMP Console comes pre-loaded with multiple plugins, including google_auth and gitlab(notifiations) support. By default all plugins are loaded. If this is not the desired behavior, setting main.load_all_plugins = false in the simp-console.yml file will turn off this feature. You can then add the plugins you’d like to load to the plugins array.
SIMP Console creates this default account with full admin privileges:
Username: admin
Password: password
It is highly recommended to change the default username and password. You can also set a default admin token for the default administrative user to better facilitate using the REST API from systems like Puppet.
Passwords in the config file are only stored as crypt(3)-style salted hashes. In order to make it easier to generate, simp-console contains a helper flag that will take a plain text password and return the hash suitable for the configuration file:
simp-console -e ‘password’
And then add the output to the config file
main.default_admin_password: '$5$7c03659ec01eab77$RB.C4ovajCc9m/JL2.oGX02OlpgMqJmejI72FutgbM5'
It is also best practice to change the default ‘admin’ username to be something site specific:
main.default_admin_username: "simp_root_admin"
The default authentication token is used to interact with the REST API without an account
Notice: The default admin token is set to null and will not be usable until set.
main.default_admin_token: "mYxiQo0JCoVdGCZOwLzs"
Notice: In order to update the default admin password and token, you must also update the default admin username.
Notice: Although possible to add directory services to SIMP Console using the yml configuration. It is highly recommended that they are implemeneted using the user interface.
The LDAP plugin is installed in SIMP Console by default.
A directory service can be added by clicking Create New Entry in the directory services page under the administration tab.
To configure a directory service in the simp-console.yml add main.directory_services.
Each directory service is added as an element to main.directory_services and take the following parameters.
name - The canonical name of the service, this is the name that is shown when listed as a domain on the SIMP Console login page
Example: name: "Vagrant LDAP Test Server"
auth_provider - The authentication provider to use
Example: auth_provider: "ldap"
create_user - Specifies whether or not to automatically create a new SIMP Console user on successful login with an unlinked account.
Example: create_user: true
settings - A hash of additional plugin specific options
Simply click Create New Entry to add a new entry, select LDAP as the authentication provider, and fill in the relevant details
Example of two valid LDAP configurations
main.directory_services:
- name: "Vagrant LDAP Test Server"
auth_provider: 'ldap'
create_user: true
settings:
domain_component: "dc=jaeger,dc=local"
organization_unit: "People"
host: "127.0.0.1"
port: 9080
- name: "Staging LDAP Test Server"
auth_provider: 'ldap'
create_user: true
settings:
domain_component: "dc=staging,dc=local"
organization_unit: "People"
host: "192.168.0.27"
port: 9080
The following are specific settings relating to LDAP authentication, and are located in the settings hash of the file.
domain_component- The domain component string
organization_unit - The organization unit string
host - The IP or domain of the target LDAP server
port - The port to connect to the target LDAP server
Unlike other directory services, a Google Auth login must be configured in the simp-console.yml file.
The following parameters must be set in order for Google auth to correctly operate.
googleauth.client_id
googleauth.client_secret
googleauth.domain
googleauth.create_new_user
The first three parameters are provided by Google when registering an API to use for google auth. The final parameter can either be set to ‘true’ or ‘false’ and will have SIMP Console generate a new user if they successfully login but they do not have a SIMP Console account linked to their google login.
The following is a sample of what the configuration can look like:
googleauth.client_id: <clientid>.apps.googleusercontent.com
googleauth.client_secret: <client secret>
googleauth.domain: onyxpoint.com
googleauth.create_new_user: true
Without any configuration, SIMP Console stores its settings in a SQLite database located in /var/db/simp/simp-console.db. While this is sufficient for small sites or demonstration purposes it is recommended to use PostgreSQL for larger sites.
Make sure the SIMP Console user has read and write access to the file and its containing directory.
main.database: sqlite:///path/to/location/simp-console.db
Specify a full URL to the database you want to connect to, and the username and password to authenticate with:
main.database: 'postgres://user:password@localhost/my_db'
By default the SIMP Console configures a table prefix for all tables it manages. This allows admins the capability to run multiple SIMP Console instances using the same underlying database, for example, having a production, staging, or dev tables all within the same database.
By default this is set to production, but it can be changed:
main.database_table_prefix: dev
Which will create all database tables with dev_ in front of them.
main.schema_engine.signature_hash: "SHA384"
To keep the database from storing too many reports, the user can specify the maximum number of reports to store per node using the following setting. The default is 3
main.max_scans: 3
Some cryptographic settings used by the SIMP Console have configuration options specified in the config file to meet some policy requirements.
To set the hashing algorithm for the webserver’s HMAC algorithm use the following setting
main.rack-session.hmac: "SHA384"
The address and port can be specificed using the following parameters
main.listen_ip: localhost
main.listen_port: 6468
First, either self-generate or purchase an SSL certificate and key.
Place them in /etc/ssl/certs and /etc/ssl/private respectively.
In your simp-console.yml add the following configuration:
main.ssl.enabled = true
main.ssl.key = "/etc/ssl/private/mykey.key"
main.ssl.cert = "/etc/ssl/certs/mycert.pem"
# Enable SSL verify (Insecure if set to false)
main.ssl.verify = true
The collector is the communication point between the SIMP Scanner and SIMP Console. The current version of the collector is v2 which all SIMP Scanners since console version 1.2.0 fully support. If for whatever reason you want to use a scanner from previous releases you will need to enable the legacy collector.
main.flags:
"main.legacy_collector": true
By default the simp-console RPM creates a user called simp-console, and sets permissions on its default files based on the SIMP Console user. Commands for SIMP Console should be run by the simp-console user.
There is also a Puppet module available for management of the simp-console service and configuration.
To run simp-console from the command line run: sudo -u simp-console simp-console.
The simp-console RPM sets up a systemd unit file on el7, or a sysvinit service file on el6. You’ll need to enable the service, then start it.
chkconfig simp-console on
service simp-console start
systemctl enable simp-console
systemctl start simp-console
First, ensure simp-console is running. The simp-console-demo command is configured to send the demo data to localhost:6468. Therefore, a demo of SIMP Console should be run on the same machine where SIMP Console is already running on the default port. To run the script, simply type simp-console-demo. The script will automatically start feeding demo data into simp-console.
Sicura
© copyright 2022