SIMP Compliance Automation

Note: All of the following YAML options can be set in

      /etc/simp/simp-console.yaml

Any other options are set from within the Console UI.

Plugins

The SIMP Console is built on a framework that allows the developers to easily implement new plugins for additional functionality. This also allows users to pick the pieces of the console they want to use and omit the pieces they don’t want.

SIMP Console comes pre-loaded with multiple plugins. By default all plugins are loaded. If this is not the desired behavior, setting main.load_all_plugins = false in the simp-console.yaml file will turn off this feature. You can then add the plugins you’d like to load to the plugins array. For example if you wanted to just load the GitLab and Slack plugins. Your simp-console.yaml would include the following:

main.load_all_plugins: false
plugins:
  - 'gitlab'
  - 'slack'

The packaged plugins for the SIMP Console include:

Required (these plugins are required for the console to run properly and are loaded by default):

Client Download Manager - Includes SIMP Scanner binaries and install/configuration instructions
Demo - A mock plugin for testing purposes
Infrastructure - Infrastructure management and monitoring
SCAP - SCAP XCCDF Support
SCE - SIMP Compliance Engine Plugin
SIMP Console - SIMP Console wrapper
UI Framework - Built-In Framework

Optional (these plugins are generally broken down into notification and authentication providers):

google-auth - Enables OAuth 2.0 login via the “Sign in with Google” button on the login page
gitlab - Notification provider which submits issues to GitLab.
email - Notification provider which sends an email when triggered.
LDAP - Adds LDAP as an authentication provider to the “Authentication Providers” tab
slack - Slack notification plugin for Jaeger

Notification Providers - Will submit a notification specific to whatever platform is tied to this plugin whenever a relevant action is completed.

Authentication Providers - allow for authentication into the console.

Configuring Email

The email plugin is set-up from inside the SIMP Console UI. To set-up the email plugin navigate to Administration -> Notifications then click Create a New Notification. Inside the drawer, give the new provider a name and from the dropdown select email.

The options for email plugin setup looks like:

server: smtp.gmail.com
port: 587
username: the email you want to use to send emails
password: password for that email
interface: smtp for smtp server
encryption_method: TLS/STARTTLS
authentication_method: plain
recipient: email of the person receiving email
cc: (optional) additional recipient email
bcc: (optional) additional recipient email

Usage

Once properly configured, the new notification provider will appear anywhere in the Console that supports notifications. For example inside the report generator drawer, “Notify on Completion” will contain any notification providers set up for the console.

Configuring GitLab

The GitLab plugin is set-up from inside the SIMP Console UI. To set-up the GitLab plugin navigate to Administration -> Notifications then click Create a New Notification. Inside the drawer, give the new provider a name and from the dropdown select gitlab.

The options for GitLab plugin setup looks like:

GitLab URL: https://gitlab.example.com/api/v4
Access Token: Token of the user you want to generate the issue
Project ID: can be found on the project you wish to generate the issue for
Project labels: labels that should be assigned to the issue
Assignee ID: user ID to assign the issue to
Milestone ID: ID of the milestone to be assigned to issue

Configuring Google OAuth

Unlike other directory services, a Google OAuth login must be configured in the simp-console.yaml file.

The following parameters must be set in order for Google OAuth to correctly operate.

client_id
client_secret
domain
create_new_user

The first three parameters are provided by Google when registering an API to use for Google OAuth. The final parameter can either be set to true or false and will have SIMP Console generate a new user if they successfully login but they do not have a SIMP Console account linked to their Google login.

The following is a sample of what the configuration can look like:

main.directory_services:
  - name: "Google OAuth Login Config"
    auth_provider: 'google auth'
    create_user: true
    settings:
      client_id: <clientid>.apps.googleusercontent.com
      client_secret: <client secret>
      domain: onyxpoint.com

Directory Service Configuration

Notice: Although possible to add directory services to SIMP Console using the yaml configuration. It is highly recommended that they are implemented using the user interface.

The LDAP plugin is installed in SIMP Console by default.

Using the User Interface

A directory service can be added by clicking Create New Entry in the directory services page under the administration tab.

Using `simp-console.yaml`

To configure a directory service in the simp-console.yaml add main.directory_services.
Each directory service is added as an element to main.directory_services and take the following parameters:

name - The canonical name of the service, this is the name that is shown when listed as a domain on the SIMP Console login page
Example: name: "Vagrant LDAP Test Server"

auth_provider - The authentication provider to use
Example: auth_provider: "ldap"

create_user - Specifies whether or not to automatically create a new SIMP Console user on successful login with an unlinked account.
Example: create_user: true

settings - A hash of additional plugin specific options

LDAP Configuration

Using the LDAP User Interface

Simply click Create New Entry to add a new entry, select LDAP as the authentication provider, and fill in the relevant details.

Using simp-console.yaml

Example of two valid LDAP configurations

main.directory_services:
  - name: "Vagrant LDAP Test Server"
    auth_provider: 'ldap'
    create_user: true
    settings:
      search_base: "ou=People,dc=jaeger,dc=local"
      search_filter: ''
      login_attribute: 'uid'
      host: "127.0.0.1"
      port: 9080
      binddn: ''
      binddn_password: ''
  - name: "Staging LDAP Test Server"
    auth_provider: 'ldap'
    create_user: true
    settings:
      search_base: "ou=People,dc=staging,dc=local"
      search_filter: '(&(objectClass=person)(objectClass=user))'
      login_attribute: "uid"
      host: "192.168.0.27"
      port: 9080
      binddn: "cn=admin,dc=staging,dc=local"
      binddn_password: 'Pas$word1'

The following are specific settings relating to LDAP authentication, and are located in the settings hash of the file.
search_base- The organization unit and domain component string

search_filter - The filter to narrow down results

If a filter isn’t specified or set to null, then the default (&(objectClass=person)(objectClass=user)) will be used
To not use a filter, set the field to an empty string

login_attribute - The attribute by which user accounts will be looked up by in the LDAP server.

host - The IP or domain of the target LDAP server

port - The port to connect to the target LDAP server

binddn - The full path to the object you are authenticating against

binddn_password - The password to authenticate with

Note: Every LDAP setting except for search_filter must be configured. Use an empty string if a setting is not in use.

Configuring Slack

The slack plugin is set-up from inside the SIMP Console UI. To set-up the Slack plugin navigate to Administration -> Notifications then click Create a New Notification. Inside the drawer, give the new provider a name and from the dropdown select slack

An example configuration for the slack plugin looks like:

oauth_token: (token provided by the bot configuration)
channel: #slack-plugin-spam (or some other channel)