The Client Installation page is the gateway to the SIMP Scanner. From here you can find links to the SIMP Scanner binaries, as well as all the information needed to get nodes registered to your console. For more information on registering a SIMP Scanner, see the simp-scanner register page.
The nodes tree allows you to organize your infrastructure any way you like. Each system that has been registered to the console appears here as a node.
There are 3 types of nodes that can exist inside the node tree: endpoint, folder, and server.
Represents a physical (or virtual) machine.
An endpoint is created during registration with the SIMP Scanner. Its name defaults to the hostname of the machine. A unique name can be set during the registration process or by right-clicking on the node and selecting ‘Rename’.
Other nodes cannot be stored inside of an endpoint.
Right-click and selecting ‘Delete’ will remove the endpoint from the database but will not remove any of the scans/reports associated with it. This is by design and is used for auditing purposes.
Is used to organize other nodes and folders.
Folders are created by right-clicking on a folder and selecting ‘New Folder’
By default two folders exist, All Nodes
and Unassigned
. All new nodes will be found in Unassigned
.
Folders can only be deleted when they are empty.
Is like a cross between an endpoint and a folder. This node is specific to systems using the SIMP Compliance Engine.
Servers are created during registration only when using compliance-engine
as a scanner type with the SIMP Scanner.
Acts similar to a folder in that endpoints can be dropped inside and organized.
Acts similar to an endpoint in that scans can be performed on that system.
The Nodes tab provides an overview of all nodes contained inside. The node name, IP address for that node, and last update date can be seen from this datatable.
The Scan Results tab is used to view the SCAP results from the SIMP Scanner.
For folders, the Status column in the datatable will show how many nodes contained within are passing, failing, not-applicable, etc.
Profile dropdown - This is the compliance profile as reported from SIMP Scanner that the scan was done against. If different compliance profiles have been scanned the results can be updated by selecting from here.
Scan Date - This is the date and time in which the scan was completed. This may be different than the time the scan was submitted.
The Scan details shows an overview of pass/fail status across all the checks from the scan. The scan details also provides filtering options so you can view results by specifically what you want to see.
The datatable provides a list of each check that was evaluated during the scan.
Rule name - Explains what the rule aims to ensure. Click this to open the scan drawer.
Controls - Lists the compliance controls this rule is relevant to.
Status - Shows passing/failing/other status based on the results of the scan.
After clicking a specific rule, this drawer opens to provide more information.
The description provides details on the check’s purpose and how it can be fixed manually.
The XCCDF ID is listed next.
If supported by SIMP enforcement, Puppet Hiera data is provided next to allow for easy remediation.
The Scan History tab provides a quick way to view the past scans done on a node (or nested nodes in the case of a folder/server). It provides information specific to date/time of scan and submission, what node the scan was done for, how many rules were checked in the scan result, what compliance profile the scan was done against, and what collector it was submitted to.
The Catalog Compliance tab provides an overview of your current catalog as reported from a SIMP server using SIMP Compliance Engine and the ‘compliance-engine’ scanner type on the SIMP Scanner.
The profile selector is a dropdown that allows you to pick which compliance profile results to view.
You can then sort the results by either SIMP parameters or by controls depending on how you want to audit the data.
Parameters:
Controls:
The Catalog History tab works the same way as “Scan History” except instead of showing the previous SCAP scan it shows all times the catalog was updated by doing a SCE Scan.
The Permissions tab is used (generally by administrators) to setup what roles different users and groups can have on any given node. The datatable shows the list of all permissions set. By default there is one permission that gives the group ‘Administrators’ the role of Admin over all nodes and their subsequent children.
By clicking “Add Permission”, you’ll be able to add additional Users/Groups to roles for this node. These permissions will be inherited down the tree.
NOTE: Your current session needs to have ‘UPDATE’ privileges in order to assign new permissions. Otherwise you’ll only be able to view them.
Properties displays metadata for the specific node selected. Depending on its type you’ll have more or less information.
Endpoint:
Folder:
Server:
Scan triggering comes in two ways, “Scan Now” and “Scheduled Scans”. Both require either a registered SIMP Scanner running in simp-scanner run
mode or as a service using simp-scanner start
.
Note: If running a scan on a folder or server type, the scans will take place recursively triggering scans for all children within the node.
“Scan Now” is the easier option to use if you want quick results and everything is already configured on the scanner side. All that is required to perform a scan is to click on the node desired and click the “Scan Now” button on the node view.
It is required that you have your SIMP Scanner config file pre-populated with the benchmark/profile you want the scanner to run with. If this is not set you will be prompted for more input when the scan is picked up by the scanner.
To schedule a scan, simply click the dropdown next to the “Scan Now” button and select “Schedule Scan”. This will open the schedule scan drawer.
Inside the schedule scan drawer you can select various options that will be passed along to the scanner when it goes to perform the action.
Shown above is an example of a scan being scheduled to run at 5:00pm on June 29, 2020.
Note: The times specified are the system time of the machine running the SIMP Console. Scanners are agnostic to the time of the console and will only pick up the scan when the console’s time has reached the time configured in the scan.
Note: If running a scan on a group of nodes, it is recommended that you set your benchmark/profile options within the SIMP Scanner config for each node in advance. Then run a scan using the type
Any Type
with nothing selected for benchmark and profile. This will allow each node to use whatever is set in their config instead of being overwritten by potentially conflicting information sent from the console.
Example: A Windows Server 2019 machine cannot run a scan using a benchmark with the name SIMP-Default-Content_CentOS_7.xml
The scanner connection status is a visualization for if the node has a actively running/connected scanner that is ready to accept scans.
There are 2 states the scanner can be in:
See using simp-scanner run or simp-scanner start to get a scanner connected.
Note: Requires the node be a Puppet server or member under a Puppet server in order to be used.
Just go to the ‘Catalog Compliance’ tab and click the ‘Check Catalog’ button in order to update.
Works the same as ‘Check Catalog’ except it allows you to set a time to perform the check. Simply click the arrow next to ‘Check Catalog’ and select ‘Schedule Check’ to open the drawer.
Enter in a name and time to schedule your catalog check for and click the ‘Schedule Check’ button.
Clicking this viewer button will open the viewer pop-up screen allowing you to view previously, running, or future scheduled scans for a node.
This shows a scan that failed to complete successfully, a scan that completed successfully, a scan running currently, a scheduled catalog check posted in the future, and a scheduled scan posted in the future.
Note: Both catalog checks and compliance scans show up in the same list.