Sicura Enterprise Edition

Scanner Install via Puppet

Setup

Setup Requirements

This module assumes that a simp-console instance is already running and ready to register new hosts. The user will need both the base URL of the console and the registration key for the console that will receive the scan results.

Beginning with simp_scanner

To install and configure simp-scanner, include the simp_scanner class in the class list and provide a collectors hash containing the basic information needed to register the node with the console. This can be accomplished in hieradata:

classes:
  - 'simp_scanner'

simp_scanner::collectors:
  default:
    url: [simp_console_url]/collector/default
    registration_token: [console_registration_token]
    scanners:
    - openscap
    node-name: '%{facts.fqdn}'

The console registration token is available in the Console, on the Client Installation page.

A Note on Windows Installation

When using the module to install simp-scanner on Windows systems, the package_source parameter must also be set in the hieradata and must point to a valid MSI file location.

Add the following to /etc/puppetlabs/code/environments/production/data/windows.yaml:

simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].msi"

Usage

The following are several examples of hieradata for different simp-scanner configurations.

When the simp-scanner Package isn’t Available via Yum Repos

Add the following to /etc/puppetlabs/code/environments/production/data/linux.yaml:

simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].el7.x86_64.rpm"

Basic Linux OpenSCAP Configuration

These settings are specific to Linux systems, and should only be included in the hieradata for Linux systems.

classes:
  - 'simp_scanner'

simp_scanner::collectors:
  default:
    url: [simp_console_url]/collector/default
    registration_token: [console_registration_token]
    scanners:
    - openscap
    node-name: '%{facts.fqdn}'

simp_scanner::openscap_options:
  openscap.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/stig'
  openscap.filename: '/var/db/simp/scanner/state/benchmarks/scap/stig/SIMP-Default-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'

Basic Windows JsCat Configuration

These settings are specific to Windows systems, and should only be included in the hieradata for Windows systems.

classes:
  - 'simp_scanner'

simp_scanner::collectors:
  default:
    url: [simp_console_url]/collector/default
    registration_token: [console_registration_token]
    scanners:
    - complianceengine
    - jscat
    node-name: '%{facts.fqdn}'

simp_scanner::jscat_options:
  jscat.content_directory: 'C:\ProgramData\SIMP\Scanner\state\benchmarks\scap\stig'
  jscat.filename: 'SIMP-Default-Content_Windows-2016.xml'
  jscat.install-path: 'C:\Program Files\SIMP\SIMP Scanner\bin\jScat\s-cat.exe'
  jscat.profile: 'xccdf_mil.disa.stig_profile_MAC-1_Classified'

simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].msi"

Choose a Default Scanner With Multiple Configured

classes:
  - 'simp_scanner'

simp_scanner::collectors:
  default:
    url: [simp_console_url]/collector/default
    registration_token: [console_registration_token]
    scanners:
    - complianceengine
    - openscap
    - ciscat
    node-name: '%{facts.fqdn}'

simp_scanner::openscap_options:
  openscap.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/stig'
  openscap.filename: '/var/db/simp/scanner/state/benchmarks/scap/stig/SIMP-Default-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'

simp_scanner::ciscat_options:
  ciscat.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/cis'
  ciscat.filename: '/var/db/simp/scanner/state/benchmarks/scap/cis/SIMP-Default-Content_CentOS_7.xml'
  ciscat.install-path: '/etc/simp/cis/Assessor-CLI/Assessor-CLI.jar'
  ciscat.profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server'

simp_scanner::default_scanner: "openscap"
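
A pre-commit sanity check for the hieradata shown above, as an added example (not part of the simp_scanner module or the Sicura documentation). The rules are assumptions drawn from the examples on this page: bracketed placeholders must be replaced, the console URL should use https because the registration token is sent to it, option keys carry their scanner's prefix, and default_scanner names a scanner that a collector enables. The function name and sample data are constructed.

```ruby
require 'yaml'

# Constructed sample hieradata (not from a real deployment): an unreplaced
# placeholder, an http:// URL, a misplaced option, and a bad default scanner.
SAMPLE_HIERADATA = <<~'YAML'
  simp_scanner::collectors:
    default:
      url: 'http://console.example.test/collector/default'
      registration_token: '[console_registration_token]'
      scanners:
        - openscap
      node-name: '%{facts.fqdn}'
  simp_scanner::openscap_options:
    openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'
    ciscat.filename: 'misplaced.xml'
  simp_scanner::default_scanner: 'ciscat'
YAML

PLACEHOLDER = /\[[a-z_]+\]/ # the page's [simp_console_url]-style markers

# Hypothetical helper: returns a list of findings; empty means nothing flagged.
def lint_simp_scanner(data)
  findings = []
  collectors = data.fetch('simp_scanner::collectors', {})
  findings << 'no collectors defined' if collectors.empty?
  enabled = []
  collectors.each do |name, cfg|
    enabled.concat(Array(cfg['scanners']))
    %w[url registration_token].each do |key|
      value = cfg[key].to_s
      findings << "#{name}: #{key} is missing" if value.empty?
      findings << "#{name}: #{key} still holds a placeholder" if value.match?(PLACEHOLDER)
    end
    # Assumption: the token travels to this URL, so require TLS.
    findings << "#{name}: url is not https" unless cfg['url'].to_s.start_with?('https://')
  end
  data.each do |key, opts|
    scanner = key[/\Asimp_scanner::(\w+)_options\z/, 1]
    next unless scanner
    findings << "#{scanner}: options set but scanner not enabled" unless enabled.include?(scanner)
    Array(opts&.keys).reject { |k| k.start_with?("#{scanner}.") }.each do |k|
      findings << "#{scanner}: option #{k} lacks the #{scanner}. prefix"
    end
  end
  default = data['simp_scanner::default_scanner']
  findings << "default_scanner #{default} is not enabled" if default && !enabled.include?(default)
  findings
end

puts lint_simp_scanner(YAML.safe_load(SAMPLE_HIERADATA)) if $PROGRAM_NAME == __FILE__
```

To check a real file, pass the result of `YAML.safe_load(File.read(path))` for the Linux or Windows data file to the same function.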