This module assumes that the user already has a simp-console running and ready to register new hosts. The user will need both the base URL of the console and the registration key for the console that will receive the scan results.
simp_scanner
To install and configure simp-scanner, include the simp_scanner class in the class list and provide a collectors hash containing the basic information needed to register the node with the console. This can be accomplished in hieradata:

    classes:
      - 'simp_scanner'
    simp_scanner::collectors:
      default:
        url: [simp_console_url]/collector/default
        registration_token: [console_registration_token]
        scanners:
          - openscap
        node-name: '%{facts.fqdn}'

The console registration token is available in the Console, on the Client Installation page.
When using the module to install simp-scanner on Windows systems, the package_source parameter with a valid msi file location must also be added in the hieradata.
Add the following to /etc/puppetlabs/code/environments/production/data/windows.yaml:

    simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].msi"

The following are several examples of hieradata for different simp-scanner configurations.
simp-scanner Package isn’t Available via Yum Repos
Add the following to /etc/puppetlabs/code/environments/production/data/linux.yaml:

    simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].el7.x86_64.rpm"

These settings are specific to Linux systems, and should only be included in the hieradata for Linux systems.

    classes:
      - 'simp_scanner'
    simp_scanner::collectors:
      default:
        url: [simp_console_url]/collector/default
        registration_token: [console_registration_token]
        scanners:
          - openscap
        node-name: '%{facts.fqdn}'
    simp_scanner::openscap_options:
      openscap.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/stig'
      openscap.filename: '/var/db/simp/scanner/state/benchmarks/scap/stig/SIMP-Default-Content_CentOS_7.xml'
      openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'

These settings are specific to Windows systems, and should only be included in the hieradata for Windows systems.

    classes:
      - 'simp_scanner'
    simp_scanner::collectors:
      default:
        url: [simp_console_url]/collector/default
        registration_token: [console_registration_token]
        scanners:
          - complianceengine
          - jscat
        node-name: '%{facts.fqdn}'
    simp_scanner::jscat_options:
      jscat.content_directory: 'C:\ProgramData\SIMP\Scanner\state\benchmarks\scap\stig'
      jscat.filename: 'SIMP-Default-Content_Windows-2016.xml'
      jscat.install-path: 'C:\Program Files\SIMP\SIMP Scanner\bin\jScat\s-cat.exe'
      jscat.profile: 'xccdf_mil.disa.stig_profile_MAC-1_Classified'
    simp_scanner::package_source: "[simp_console_url]/plugins/simp-console/simp-scanner-[simp_scanner_version].msi"

    classes:
      - 'simp_scanner'
    simp_scanner::collectors:
      default:
        url: [simp_console_url]/collector/default
        registration_token: [console_registration_token]
        scanners:
          - complianceengine
          - openscap
          - ciscat
        node-name: '%{facts.fqdn}'
    simp_scanner::openscap_options:
      openscap.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/stig'
      openscap.filename: '/var/db/simp/scanner/state/benchmarks/scap/stig/SIMP-Default-Content_CentOS_7.xml'
      openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'
    simp_scanner::ciscat_options:
      ciscat.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/cis'
      ciscat.filename: '/var/db/simp/scanner/state/benchmarks/scap/cis/SIMP-Default-Content_CentOS_7.xml'
      ciscat.install-path: '/etc/simp/cis/Assessor-CLI/Assessor-CLI.jar'
      ciscat.profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server'
    simp_scanner::default_scanner: "openscap"
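
A pre-deployment check for the hieradata files described above, as an added example that is not part of the simp_scanner module or its documentation. The function name lint_hieradata, its os: argument, and the sample host name and token are constructed for illustration; the rules are the ones this page states (placeholders replaced, url and registration_token present in each collector, an msi package_source on Windows, and scanner option paths that match the operating system the file applies to).

```ruby
require 'yaml'

# Placeholders exactly as the documentation writes them.
PLACEHOLDER = /\[(simp_console_url|console_registration_token|simp_scanner_version)\]/
# Returns a list of problems in one hieradata file; os is :linux or :windows
# (a hypothetical argument of this example, not a module parameter).
def lint_hieradata(text, os:)
  problems = []
  text.each_line.with_index(1) do |line, n|
    line.scan(PLACEHOLDER) { |m| problems << "line #{n}: [#{m[0]}] not replaced" }
  end
  begin
    data = YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    return problems << "not valid YAML: #{e.message}"
  end
  data = {} unless data.is_a?(Hash)
  collectors = data['simp_scanner::collectors']
  collectors = {} unless collectors.is_a?(Hash)
  problems << 'no collectors defined' if collectors.empty?
  collectors.each do |name, c|
    %w[url registration_token].each do |key|
      ok = c.is_a?(Hash) && !c[key].to_s.empty?
      problems << "collector #{name}: missing #{key}" unless ok
    end
  end
  src = data['simp_scanner::package_source'].to_s
  problems << 'package_source must point to an .msi on Windows' if os == :windows && !src.end_with?('.msi')
  # Scanner option paths must match the OS this file is applied to.
  foreign = os == :linux ? /\A[A-Za-z]:\\/ : %r{\A/}
  data.each do |key, opts|
    next unless key.to_s =~ /\Asimp_scanner::\w+_options\z/ && opts.is_a?(Hash)
    opts.each do |opt, value|
      problems << "#{opt}: #{value} is not a #{os} path" if value.to_s =~ foreign
    end
  end
  problems
end

# Constructed sample: Windows hieradata with two mistakes left in.
WINDOWS_SAMPLE = <<~'EOS'
  simp_scanner::collectors:
    default:
      url: https://console.example.test/collector/default
      registration_token: CONSTRUCTED-TOKEN
      scanners: [jscat]
  simp_scanner::jscat_options:
    jscat.content_directory: '/var/db/simp/scanner/state/benchmarks/scap/stig'
  simp_scanner::package_source: "https://console.example.test/plugins/simp-console/simp-scanner-[simp_scanner_version].msi"
EOS
puts lint_hieradata(WINDOWS_SAMPLE, os: :windows)
```

The sample reports the unreplaced version placeholder and the Linux content directory placed in a Windows file; an empty list means the file passed every check.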