Sicura Console

Sidebar - Infrastructure

Client Page

The Client Installation page is the gateway to the SIMP Agent. From here you can find links to the SIMP Agent binaries, as well as all the information needed to get nodes registered to your console. For more information on registering a SIMP Agent, see the simp-agent register page.

Nodes Page

Nodes Tree

The nodes tree allows you to organize your infrastructure any way you like. Each system that has been registered to the console appears here as a node.

The tree can be collapsed by clicking the arrow tab or resized by clicking the resize bar on the right side.

There are three types of nodes that can exist inside the node tree: endpoint, folder, and server.

Endpoint

Folder

Server

Nodes (folders/servers only)

The Nodes tab provides an overview of all nodes contained inside. The node name, IP address for that node, and last update date can be seen from this datatable.

Scan Results

The Scan Results tab is used to view the SCAP results from the SIMP Agent.

For folders, the Status column in the datatable will show how many nodes contained within are passing, failing, not-applicable, etc.

Depending on the Enforcement Tolerance set within the Settings tab, a rule can be remediated on some systems but not on others.

This is represented by the number displayed below the remediation checkbox.

The scan details show an overview of pass/fail status across all the checks from the scan. The scan details also provide filtering options so you can view results by specifying what you want to see.

The datatable provides a list of each check that was evaluated during the scan.

Scan Drawer

After clicking a specific rule, this drawer opens to provide more information. The drawer has two sections:

Details

 Under this section you'll find:

  - The description provides details on the check's purpose and how it can be fixed manually.

  - The XCCDF ID for easy identification.

  - A list of controls this rule affects.

Remediation

 Under this section you'll find:

   - The **Remediate** button (shown if it is enabled in the config and the accessing user has the role feature enabled), which can be used to automatically fix the finding on the specified node.

   - The relevant Puppet Hiera data which can be easily copied and pasted into your infrastructure code for continuous enforcement.

Scan History

The Scan History tab provides a quick way to view the past scans done on a node (or nested nodes in the case of a folder/server). It provides information specific to date/time of scan and submission, which node the scan was done for, how many rules were checked in the scan, what compliance profile the scan was done against, and to what collector it was submitted.

Catalog Compliance

The Catalog Compliance tab provides an overview of your current catalog as reported from a SIMP server using SIMP Compliance Engine and the ‘compliance-engine’ ability type on the SIMP Agent.

The profile selector is a dropdown that allows you to pick which compliance profile results to view.

You can then sort the results by either SIMP parameters or by controls depending on how you want to audit the data.

Parameters:

Controls:

Catalog History

The Catalog History tab works the same way as Scan History, except that instead of showing previous SCAP scans, it shows every time the catalog was updated by an SCE scan.

Permissions

The Permissions tab is used (generally by administrators) to set up what roles different users and groups can have on any given node. The datatable shows the list of all permissions set. By default there is one permission that gives the group Administrators the role of Admin over all nodes and their subsequent children.

By clicking Add Permission, you’ll be able to add additional Users/Groups to roles for this node. These permissions will be inherited down the tree.

NOTE: Your current session needs to have ‘UPDATE’ privileges in order to assign new permissions. Otherwise you’ll only be able to view them.

Properties

Properties displays metadata for the specific node selected. Depending on its type, you’ll have more or less information.

Settings

Settings contains the settings that have been set or inherited for the node.

A user must have UPDATE permissions on the node in order to apply changes to settings.

Enforcement Tolerance:

Defines what level of risk will be allowed when remediating rules from the Scan Results page. By default, level 40 is inherited from the Unassigned or All Nodes folders.

This default can be overridden by toggling the Use custom value switch. If this switch is set on a folder, all nodes within the folder that do not have the custom switch toggled will inherit the value set on the parent folder.

The higher the value, the higher the risk. Only use risk 100 on experimental nodes, as unexpected results may occur due to remediation.

A tolerance level of 0 will disable enforcement entirely for the node.
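
A small model of the inheritance rule described above, added here as an illustration and not taken from the console's own code: it resolves each node's effective Enforcement Tolerance and flags nodes where enforcement is disabled (0) or set to 100. The `Node` class, the tree and its node names are constructed, and walking up to the nearest ancestor with a custom value is an assumption about how nested folders resolve.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TOLERANCE = 40  # from the page: inherited from Unassigned / All Nodes


@dataclass
class Node:                          # hypothetical model, not a console API
    name: str
    kind: str                        # "endpoint", "folder" or "server"
    custom: Optional[int] = None     # set only when "Use custom value" is on
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def effective_tolerance(node: Node) -> int:
    """Nearest custom value on the path to the root, else the default."""
    while node is not None:
        if node.custom is not None:
            return node.custom
        node = node.parent           # assumption: inheritance chains upward
    return DEFAULT_TOLERANCE


def audit(root: Node) -> dict:
    """Map node name -> finding for nodes whose setting deserves review."""
    findings, stack = {}, [root]
    while stack:
        node = stack.pop()
        stack.extend(node.children)
        level = effective_tolerance(node)
        if level == 0:
            findings[node.name] = "enforcement disabled"
        elif level == 100:
            findings[node.name] = "maximum risk; experimental nodes only"
    return findings


# Constructed sample tree (all names are made up).
root = Node("All Nodes", "folder")
prod = root.add(Node("prod", "folder", custom=0))
web1 = prod.add(Node("web1", "endpoint"))
db1 = prod.add(Node("db1", "endpoint", custom=20))
lab = root.add(Node("lab", "folder"))
test1 = lab.add(Node("test1", "endpoint", custom=100))
```

In the sample tree, `web1` silently inherits the disabled state from `prod`, while `db1` keeps its own custom value of 20.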

Endpoint:

Folder:

Server:

Scan Triggering

Scans can be triggered in two ways: Scan Now and Scheduled Scans. Both require a registered SIMP Agent running either in simp-agent run mode or as a service using simp-agent start.

Note: If running a scan on a folder or server type, it will scan only the direct children within that folder. Nested folders will need scans to be triggered independently.

Scan Now

Scan Now is the easier option to use if you want quick results and everything is already configured on the Agent side. All that is required to perform a scan is to click on the node desired and click the Scan Now button on the node view.

It is required that you have your SIMP Agent config file pre-populated with the benchmark/profile you want the agent to run with. If this is not set you will be prompted for more input when the scan is picked up by the agent.

Scheduled Scan

To schedule a scan, simply click the dropdown next to the Scan Now button and select Schedule Scan. This will open the Schedule Scan drawer.

Inside the Schedule Scan drawer you can select various options that will be passed along to the agent when it goes to perform the action.

Shown above is an example of a scan being scheduled to run at 5:00pm on June 29, 2020.

Note: The times specified are the system time of the machine running the SIMP Console. Agents are agnostic to the time of the console and will only pick up the scan when the console’s time has reached the time configured in the scan.

Note: If running a scan on a group of nodes, it is recommended that you set your benchmark/profile options within the SIMP Agent config for each node in advance. Then run a scan using the type Any Type with nothing selected for benchmark and profile. This will allow each node to use whatever is set in their config instead of being overwritten by potentially conflicting information sent from the console.

Example: A Windows Server 2019 machine cannot run a scan using a benchmark with the name SIMP-Default-Content_CentOS_7.xml

Agent Connection Status

The Agent connection status shows whether the node has an actively running/connected Agent that is ready to accept scans.

There are two states the Agent can be in:

See using simp-agent run or simp-agent start to get an Agent connected.

Check Catalog

Note: Requires the node be a Puppet server or member under a Puppet server in order to be used.

Just go to the Catalog Compliance tab and click the Check Catalog button in order to update.

Schedule Check

Works the same as Check Catalog except it allows you to set a time to perform the check. Simply click the arrow next to Check Catalog and select Schedule Check to open the drawer.

Enter in a name and time to schedule your catalog check for and click the Schedule Check button.

Scheduled Scan Viewer

Clicking this viewer button will open the viewer pop-up screen, allowing you to view previous, running, or future scheduled scans for a node.

This shows a scan that failed to complete successfully, a scan that completed successfully, a scan currently running, a scheduled catalog check posted in the future, and a scheduled scan posted in the future.

Note: Both catalog checks and compliance scans show up in the same list.