This module assumes that you already have a Sicura Console running and ready to register new hosts. You will need both the base URL of the Console and the registration key for the Console you would like to send scan results to.
sicura_agent
To install and configure Sicura Agents on systems, include the sicura_agent class in the classlist. You can provide a collectors hash containing the basic information to register the node to the console, but this is only necessary if you are not using automatic agent registration. This can be accomplished in hieradata:
classes:
  - 'sicura_agent'
sicura_agent::collectors:
  default:
    url: [sicura_console_url]/collector/default
    registration_token: [console_registration_token]
    abilities:
      - openscap
    node-name: '%{facts.fqdn}'
The console registration token is available in the Console, on the Client Installation page.
When using the module to install sicura-agent on Windows systems, you must also add the package_source parameter with a valid msi file location to the hieradata.
Add the following to /etc/puppetlabs/code/environments/production/data/windows.yaml:
sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].msi"
The following are several examples of hieradata for different sicura-agent configurations.
sicura-agent Package isn’t Available via Yum Repos
Add the following to /etc/puppetlabs/code/environments/production/data/linux.yaml:
sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].el7.x86_64.rpm"
These settings are specific to Linux systems, and should only be included in the hieradata for Linux systems.
classes:
  - 'sicura_agent'
sicura_agent::collectors:
  default:
    url: [sicura_console_url]/collector/default
    registration_token: [console_registration_token]
    abilities:
      - openscap
    node-name: '%{facts.fqdn}'
sicura_agent::openscap_options:
  openscap.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/ssg'
  openscap.filename: '/var/db/sicura/agent/state/benchmarks/scap/stig/Sicura-Default-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'
These settings are specific to Windows systems, and should only be included in the hieradata for Windows systems.
classes:
  - 'sicura_agent'
sicura_agent::collectors:
  default:
    url: [sicura_console_url]/collector/default
    registration_token: [console_registration_token]
    abilities:
      - complianceengine
      - jscat
    node-name: '%{facts.fqdn}'
sicura_agent::jscat_options:
  jscat.content_directory: 'C:\ProgramData\Sicura\Agent\state\benchmarks\scap\stig'
  jscat.filename: 'Sicura-STIG-Content_Windows-2016.xml'
  jscat.install-path: 'C:\Program Files\Sicura\Sicura Agent\bin\jScat\s-cat.exe'
  jscat.profile: 'xccdf_mil.disa.stig_profile_MAC-1_Classified'
sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].msi"
classes:
  - 'sicura_agent'
sicura_agent::collectors:
  default:
    url: [sicura_console_url]/collector/default
    registration_token: [console_registration_token]
    abilities:
      - complianceengine
      - openscap
      - ciscat
    node-name: '%{facts.fqdn}'
sicura_agent::openscap_options:
  openscap.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/stig'
  openscap.filename: '/var/db/sicura/agent/state/benchmarks/scap/stig/Sicura-STIG-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'
sicura_agent::ciscat_options:
  ciscat.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/cis'
  ciscat.filename: '/var/db/sicura/agent/state/benchmarks/scap/cis/Sicura-CIS-Content_CentOS_7.xml'
  ciscat.install-path: '/etc/sicura/cis/Assessor-CLI/Assessor-CLI.jar'
  ciscat.profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server'
sicura_agent::default_scanner: "openscap"
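A pre-commit check for hieradata like the examples above, as an added example in Ruby that is not part of the sicura_agent module. It flags keys outside the sicura_agent:: namespace (for example simp_agent::collectors, which Hiera would silently ignore), unreplaced placeholders, and a missing msi package_source on Windows. The function name lint_sicura_hieradata, the sample hostname, and the https requirement are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample, not from the page: a collectors key in the wrong
# namespace, a plain-http collector URL and an unreplaced token placeholder.
SAMPLE = <<~YAML
  classes:
    - 'sicura_agent'
  simp_agent::collectors:
    default:
      url: http://console.example.test/collector/default
      registration_token: [console_registration_token]
      abilities:
        - openscap
YAML

# Returns a list of problems found in one hieradata document (YAML text).
# windows: true applies the rule that Windows nodes need an .msi package_source.
def lint_sicura_hieradata(yaml_text, windows: false)
  data = YAML.safe_load(yaml_text) || {}
  problems = []
  # Hiera binds class parameters by exact "<class>::<param>" key, so a key in
  # any other namespace is silently ignored and the agent never registers.
  data.each_key do |key|
    if key.include?('::') && !key.start_with?('sicura_agent::')
      problems << "#{key}: not in the sicura_agent:: namespace"
    end
  end
  (data['sicura_agent::collectors'] || {}).each do |name, c|
    url = c['url'].to_s
    token = c['registration_token'].to_s
    problems << "#{name}.url: missing" if url.empty?
    # Assumption: the Console is served over TLS, so the token is not sent in clear.
    problems << "#{name}.url: not https" unless url.empty? || url.start_with?('https://')
    # An unreplaced [placeholder] parses as a YAML list, hence the '[' test.
    if token.empty? || token.include?('[')
      problems << "#{name}.registration_token: missing or still a placeholder"
    end
  end
  source = data['sicura_agent::package_source'].to_s
  if windows && !source.end_with?('.msi')
    problems << 'package_source: Windows nodes need an .msi location'
  end
  problems
rescue Psych::SyntaxError => e
  # e.g. url: [sicura_console_url]/collector/default left unreplaced
  ["YAML does not parse (unreplaced placeholder?): #{e.message}"]
end

puts lint_sicura_hieradata(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Run it against each data/*.yaml file before deploying; an empty list means none of these checks fired.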