1. Introduction
2. Server Installation - ISO
3. Server Installation - Control Repo
4. Client Installation
5. Configuring SIMP Compliance Engine
6. Configuring SCAP Dashboard

Download SIMP components

In order to install SIMP into a control repo, you will need to get the installation tar archive from the download servers, as documented here

Once you extract the tar archive, you will have a directory named simp-enterprise-<version>.

Installing

Inside the simp-enterprise-<version> directory there will be a number of files and directories, but you only need to be worried about SIMP/assets and SIMP/modules

The SIMP/assets directory should be copied into a /usr/share/simp/assets directory on all puppet servers. The SIMP/modules will need to be deployed directly via the control-repo, in one of three ways:

• Add modules into a directory into the control repo
• Add modules into a single git repository
• Add modules individually

Add modules into a directory into the control repo

Adding modules directly into the control repo is the simplest option, and allows the most integration into a code promotion workflow. However the cost is a large sized control repo which can take time to deploy and manage.

The SIMP/modules directory can then inserted before modules in the modulepath in environment.conf. This is done in order to guarantee that SIMP modules would take priority over existing modules (in the modules directory) with the same name.

modulepath          = SIMP/modules:modules:$basemodulepath

Add modules into a single git repository

Another option is to create a SIMP module on your git server and commit the simp modules to that, while deploying it as a module in the Puppetfile of your control-repo. This lowers the size of the control-repo but decreases maintainability as branching of the control-repo requires maintaining branches of the SIMP repo.

Create a single git repository on your server, and copy the entire modules directory into the git repository. This can then be added as a SIMP module in Puppetfile with an empty install_path (in order to create a top-level SIMP directory in the control repo.

mod 'SIMP' ,
  :git            => 'git@<url>',
  :install_path   => '',
  :branch         => :control_branch,
  :default_branch => 'master'

The SIMP/modules directory can then inserted before modules in the modulepath in environment.conf. This is done in order to guarantee that SIMP modules would take priority over existing modules (in the modules directory) with the same name.

modulepath          = SIMP/modules:modules:$basemodulepath

Add modules individually

Another option is to create a git repository for each module, and commit these changes and deploy them individually in the Puppetfile. This method allows pinning versions of specific modules per environment, but at the cost of much more complexity.

Each module in SIMP/modules will need it’s own git repo, and the contents of the directory should be committed directly to the root of each modules git repository. Once committed, you have to add a mod specification for every git repository.

Hiera settings

In order to use simp, you need to add some settings into Hiera into a default layer. These settings are normally set by simp config, but because it needs to be part of a control-repo, it needs to be committed to the control-repo’s data directories.

Just copy the following file contents into your default layer:

# used by SIMP modules to set default access control rules. Add your local ip address subnets.
simp_options::trusted_nets:
- '<list of local networks>'

# As configured, this disables syslog redirection to an external syslog server.  **We recommend that this be set to a valid list of hosts in a production environment.**
simp_options::syslog::log_servers: []

# This disables the installation and configuration of clamav.
simp_options::clamav: false

# This disables the kernel FIPS-140-2 compliant mode and associated userspace settings.
simp_options::fips: false

# This disables the SIMP-provided LDAP server.
simp_options::ldap: false

# This disables the SIMP-provided PKI.  See http://simp.readthedocs.io/en/master/user_guide/Client_Management.html#apply-certificates for details.
simp_options::pki: false

# This disables the use of `stunnel` to wrap SIMP services.
simp_options::stunnel: false
simp::rsync_stunnel: false

# This disables `svckill`, which is used to kill (or warn, depending on the setting) unmanaged services.  More information on `svckill` can be found at http://simp.readthedocs.io/en/master/user_guide/Troubleshooting/My_Services_Are_Dying.html and https://forge.puppet.com/simp/svckill.
svckill::enable: false

# This disables scheduled `yum update` runs.
simp::yum::schedule::enable: false
# The following additional settings should be self-explanatory:

simp::runlevel: 3
simp_options::dns::search:
- "%{::domain}"
simp_options::dns::servers:
- '<DNS server IP>'
simp_options::ntpd::servers:
- '<NTP server IP>'
simp_options::puppet::ca: '<MoM FQDN>'
simp_options::puppet::ca_port: 8140
simp_options::puppet::server: '<compile master FQDN>'
simp::classes:
  - simp_windows::download_server

You will need to edit the Puppet servers’s Hiera configuration and add simp_windows::download_server to simp::classes by editing /etc/puppetlabs/code/environments/production/data/hosts/<servername>.yaml

---
simp::classes:
  - simp_windows::download_server

This will configure an Apache site on https://<servername>/assets/ that contains the Logstash plugins, Grafana plugins, and Windows MSI installers.

We recommend disabling FIPS mode and simp-config driven YUM repositories on all Windows servers by editing /etc/puppetlabs/code/environments/production/data/windows.yaml.

---
simp_options::fips: false
class_exclusions:
  - simp::yum::repo::local_os_updates
  - simp::yum::repo::local_simp

Adding classes via the console or site.pp.

You will need to classify server and client nodes via the PE Console or via site.pp, with the simp class.`