There are a few items that the user must configure since there is no method for automatically determining the appropriate values.
The SIMP ISO installation will configure the disk partitions per the SSG profile requirements. Alternatively, the kickstart files provided as templates by the SIMP project can be used to kickstart a system.
If neither of these options is chosen, the user will need to set the partitions appropriately themselves.
Several profiles require that all security patches be applied to a system. SIMP makes no assumptions about the connectivity to a given set of repositories or the appropriateness of applying any given updates to your system.
That said, nightly updates are enabled via the simp::yum::schedule class and will update all packages to the latest version based on whatever repositories are present and configured on the system at that time.
Some checks that require scanning the entire filesystem (such as checking for incorrect permissions) would put a generally unacceptable load on the system if they were remediated at each run of Puppet. Users are encouraged to scan their systems regularly to find and address these kinds of issues.
If a suitable lightweight mechanism can be found to address this issue in the future, it will be added to the SIMP module space.
Several profiles require users to set the default policy of the iptables OUTPUT chain to DROP.
This is not set by this module since it causes all outbound communication to cease and there is no method for determining what access should be reasonably allowed by default.
To bring your system into compliance, set the following via Hiera:
iptables::rules::default_drop::filter_output: true
Given that there is no way to know where and/or if a syslog server may be present on the network, there are no remote syslog servers configured by default.
To bring your system into compliance, set the following via Hiera:
simp_options::syslog::log_servers:
- log.server.one
To set failover log servers, set the following via Hiera:
simp_options::syslog::failover_log_servers:
- failover.server.one
While SSH access is limited by default via PAM, many profiles want the SSH user and group restrictions to be present in the SSH configuration directly. SIMP is unable to define a reasonable set of defaults for these items, and they are made redundant by the PAM restrictions.
To bring your system into compliance, set the following via Hiera:
ssh::server::conf::allowgroups:
- group1
- group2
ssh::server::conf::allowusers:
- user1
- user2
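The three Hiera settings above (OUTPUT chain default DROP, remote syslog servers, SSH allow lists) are the items this page leaves to the user, so they are also the ones an audit should confirm before declaring a node compliant. The following Ruby script is an added example and is not part of the SIMP project or this page: it parses a Hiera YAML layer and reports which of those keys are missing or hold an unusable value. The two embedded YAML documents are constructed sample data, and the check names and predicate wording are the author's own; the Hiera keys themselves are the ones stated on this page.

```ruby
require 'yaml'

# Each required Hiera key maps to [explanation, predicate].
# Predicates are deliberately strict: the quoted string "true" is a common
# copy/paste mistake that Puppet would not treat as the boolean true.
def non_empty_string_list?(v)
  v.is_a?(Array) && !v.empty? && v.all? { |x| x.is_a?(String) && !x.strip.empty? }
end

REQUIRED_CHECKS = {
  'iptables::rules::default_drop::filter_output' => [
    'must be the boolean true (a quoted "true" is a string and does not count)',
    ->(v) { v == true }
  ],
  'simp_options::syslog::log_servers' => [
    'must be a non-empty list of remote syslog servers',
    ->(v) { non_empty_string_list?(v) }
  ],
  'ssh::server::conf::allowgroups' => [
    'must be a non-empty list of groups permitted to use SSH',
    ->(v) { non_empty_string_list?(v) }
  ],
  'ssh::server::conf::allowusers' => [
    'must be a non-empty list of users permitted to use SSH',
    ->(v) { non_empty_string_list?(v) }
  ]
}.freeze

# Optional key: only validated when present.
OPTIONAL_CHECKS = {
  'simp_options::syslog::failover_log_servers' => [
    'when set, must be a non-empty list of failover syslog servers',
    ->(v) { non_empty_string_list?(v) }
  ]
}.freeze

# Returns an array of "key: problem" strings; empty means all items are set.
def compliance_gaps(hiera_yaml_text)
  data = YAML.safe_load(hiera_yaml_text) || {}
  gaps = []
  REQUIRED_CHECKS.each do |key, (why, ok)|
    if !data.key?(key)
      gaps << "#{key}: not set (#{why})"
    elsif !ok.call(data[key])
      gaps << "#{key}: unusable value #{data[key].inspect} (#{why})"
    end
  end
  OPTIONAL_CHECKS.each do |key, (why, ok)|
    next unless data.key?(key)
    gaps << "#{key}: unusable value #{data[key].inspect} (#{why})" unless ok.call(data[key])
  end
  gaps
end

# Constructed sample Hiera data: one layer that sets everything this page asks for.
COMPLIANT_HIERA = <<~YAML
  iptables::rules::default_drop::filter_output: true
  simp_options::syslog::log_servers:
    - log.server.one
  simp_options::syslog::failover_log_servers:
    - failover.server.one
  ssh::server::conf::allowgroups:
    - group1
    - group2
  ssh::server::conf::allowusers:
    - user1
    - user2
YAML

# Constructed sample with three typical mistakes: a quoted boolean, an empty
# server list, and a missing allowusers key.
NONCOMPLIANT_HIERA = <<~YAML
  iptables::rules::default_drop::filter_output: 'true'
  simp_options::syslog::log_servers: []
  ssh::server::conf::allowgroups:
    - group1
YAML

if __FILE__ == $PROGRAM_NAME
  [['compliant', COMPLIANT_HIERA], ['noncompliant', NONCOMPLIANT_HIERA]].each do |name, text|
    gaps = compliance_gaps(text)
    puts "#{name}: #{gaps.empty? ? 'all items set' : "#{gaps.size} gap(s)"}"
    gaps.each { |g| puts "  - #{g}" }
  end
end
```

Run it against an exported Hiera layer (for example the node's merged data from a `hiera`/`puppet lookup` dump) rather than a single file when layers override each other; the checks themselves do not change.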