Sicura Enterprise Edition

Configure SIMP Compliance Engine (SCE)

Applying a Compliance Profile

To apply a compliance profile to a node, add the following settings to the node’s Hiera data. They specify the compliance profile(s) to apply and to generate reports for:

---
# Linux nodes
classes:
  - 'simp'
  - 'simp_options'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:server'

---
# Windows nodes
classes:
  - 'simp_windows'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:member:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:member:server'

You can specify a list of compliance profiles to apply, ordered from highest to lowest priority. Each profile is compiled separately, and values in the highest-priority profile are enforced by SCE. This lets you create a small custom profile based on a built-in profile, changing only the settings you wish to customize.

For example, to apply CIS Level 1 Member Server and DISA STIG MAC-1 Classified compliance settings and to force the CIS settings to always override DISA settings, add the following to Hiera:

---
compliance_markup::enforcement:
  - cis:level:1:member:server
  - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
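
The ordering rule above can be checked before a Hiera change is merged. The following Ruby sketch is an added example, not SCE's own code: it models "first listed profile wins" over constructed per-profile values (the `example::` parameter names are hypothetical placeholders) and flags enforced profiles that are missing from `compliance_markup::validate_profiles`.

```ruby
require 'yaml'

# Constructed node Hiera data using the keys shown on this page.
HIERA = YAML.safe_load(<<~DATA)
  compliance_markup::validate_profiles:
    - cis:level:1:member:server
  compliance_markup::enforcement:
    - cis:level:1:member:server
    - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
DATA

# Hypothetical per-profile values; the parameter names are placeholders,
# not real SCE profile data.
PROFILE_VALUES = {
  'cis:level:1:member:server' => { 'example::min_password_length' => 14 },
  'disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified' => {
    'example::min_password_length' => 15,
    'example::lockout_threshold' => 3
  }
}.freeze

# Model of the ordering rule: walk profiles from highest to lowest priority,
# keep the first value seen for each parameter, record what it shadowed.
def resolve(order, values)
  effective = {}
  shadowed = []
  order.each do |profile|
    values.fetch(profile, {}).each do |param, value|
      if !effective.key?(param)
        effective[param] = { value: value, from: profile }
      elsif effective[param][:value] != value
        shadowed << { param: param, kept: effective[param][:from], dropped: profile }
      end
    end
  end
  [effective, shadowed]
end

# Enforced profiles missing from validate_profiles, the list that
# compliance reports are generated for.
def enforced_without_report(hiera)
  Array(hiera['compliance_markup::enforcement']) -
    Array(hiera['compliance_markup::validate_profiles'])
end

if $PROGRAM_NAME == __FILE__
  effective, shadowed = resolve(HIERA['compliance_markup::enforcement'], PROFILE_VALUES)
  effective.each { |param, v| puts "#{param} = #{v[:value]} (from #{v[:from]})" }
  shadowed.each { |s| puts "shadowed: #{s[:param]} in #{s[:dropped]}" }
  puts "enforced without report: #{enforced_without_report(HIERA).join(', ')}"
end
```

Shadowed entries are the settings where the lower-priority profile asked for a different value, which is the list to review when combining benchmarks.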

More information

For more information about SIMP Compliance Engine, see the official documentation.