Sicura Enterprise Edition

Agent Install via Puppet

Setup

Setup Requirements

This module assumes that you already have a Sicura Console running and ready to register new hosts. You will need both the base URL of the Console and the registration key for the Console you would like to send scan results to.

Beginning with sicura_agent

To install and configure Sicura Agents on systems, include the sicura_agent class in the classlist. You can provide a collectors hash containing the basic information to register the node to the console, but this is only necessary if you are not using automatic agent registration. This can be accomplished in hieradata:

classes:
  - 'sicura_agent'

sicura_agent::collectors:
  default:
    url: '[sicura_console_url]/collector/default'
    registration_token: '[console_registration_token]'
    abilities:
    - openscap
    node-name: '%{facts.fqdn}'

The console registration token is available in the Console, on the Client Installation page.

A Note on Windows Installation

When using the module to install sicura-agent on Windows systems, you must also add the package_source parameter with a valid MSI file location to the hieradata.

Add the following to /etc/puppetlabs/code/environments/production/data/windows.yaml:

sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].msi"

Usage

The following are several examples of hieradata for different sicura-agent configurations.

When the sicura-agent Package isn’t Available via Yum Repos

Add the following to /etc/puppetlabs/code/environments/production/data/linux.yaml:

sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].el7.x86_64.rpm"

Basic Linux OpenSCAP Configuration

These settings are specific to Linux systems, and should only be included in the hieradata for Linux systems.

classes:
  - 'sicura_agent'

sicura_agent::collectors:
  default:
    url: '[sicura_console_url]/collector/default'
    registration_token: '[console_registration_token]'
    abilities:
    - openscap
    node-name: '%{facts.fqdn}'

sicura_agent::openscap_options:
  openscap.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/ssg'
  openscap.filename: '/var/db/sicura/agent/state/benchmarks/scap/stig/Sicura-Default-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'

Basic Windows JsCat Configuration

These settings are specific to Windows systems, and should only be included in the hieradata for Windows systems.

classes:
  - 'sicura_agent'

sicura_agent::collectors:
  default:
    url: '[sicura_console_url]/collector/default'
    registration_token: '[console_registration_token]'
    abilities:
    - complianceengine
    - jscat
    node-name: '%{facts.fqdn}'

sicura_agent::jscat_options:
  jscat.content_directory: 'C:\ProgramData\Sicura\Agent\state\benchmarks\scap\stig'
  jscat.filename: 'Sicura-STIG-Content_Windows-2016.xml'
  jscat.install-path: 'C:\Program Files\Sicura\Sicura Agent\bin\jScat\s-cat.exe'
  jscat.profile: 'xccdf_mil.disa.stig_profile_MAC-1_Classified'

sicura_agent::package_source: "[sicura_console_url]/plugins/sicura-console/sicura-agent-[sicura_agent_version].msi"

Choose a Default Agent With Multiple Configured

classes:
  - 'sicura_agent'

sicura_agent::collectors:
  default:
    url: '[sicura_console_url]/collector/default'
    registration_token: '[console_registration_token]'
    abilities:
    - complianceengine
    - openscap
    - ciscat
    node-name: '%{facts.fqdn}'

sicura_agent::openscap_options:
  openscap.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/stig'
  openscap.filename: '/var/db/sicura/agent/state/benchmarks/scap/stig/Sicura-STIG-Content_CentOS_7.xml'
  openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'

sicura_agent::ciscat_options:
  ciscat.content_directory: '/var/db/sicura/agent/state/benchmarks/scap/cis'
  ciscat.filename: '/var/db/sicura/agent/state/benchmarks/scap/cis/Sicura-CIS-Content_CentOS_7.xml'
  ciscat.install-path: '/etc/sicura/cis/Assessor-CLI/Assessor-CLI.jar'
  ciscat.profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server'

sicura_agent::default_scanner: "openscap"
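
A check that can be run over hieradata like the examples above before it is committed, as an added example (not part of the Sicura module or its documentation). The helper names are hypothetical, the sample host and values are constructed, and it assumes that default_scanner should name an ability listed for a collector and that Console URLs should use https so the registration token and agent package are not sent in cleartext.

```ruby
require 'yaml'

# Parameter names taken from the hieradata examples on this page.
KNOWN = %w[collectors package_source default_scanner
           openscap_options jscat_options ciscat_options].freeze
PLACEHOLDER = /\[[a-z_]+\]/ # e.g. [sicura_console_url] left unreplaced

# Flag a value that still holds a placeholder or uses cleartext http.
def check_value(name, value, findings)
  findings << "#{name}: placeholder not replaced" if value.to_s.match?(PLACEHOLDER)
  findings << "#{name}: cleartext http URL" if value.to_s.match?(/\Ahttp:/i)
end

# Returns an array of finding strings for one parsed hieradata hash.
def lint_sicura_agent(data)
  findings = []
  data.each_key do |key|
    ns, name = key.to_s.split('::', 2)
    next if ns == 'sicura_agent' || !KNOWN.include?(name)
    findings << "#{key}: wrong namespace, automatic lookup needs sicura_agent::#{name}"
  end
  collectors = data['sicura_agent::collectors'] || {}
  abilities = []
  collectors.each do |id, cfg|
    check_value("collector #{id} url", cfg['url'], findings)
    check_value("collector #{id} registration_token", cfg['registration_token'], findings)
    abilities.concat(Array(cfg['abilities']))
  end
  check_value('package_source', data['sicura_agent::package_source'], findings)
  scanner = data['sicura_agent::default_scanner']
  if scanner && !abilities.include?(scanner)
    findings << "default_scanner #{scanner}: not in any collector's abilities"
  end
  findings
end

# Constructed sample: hostname and values are made up for this example.
SAMPLE = <<~'HIERA'
  sicura_agent::collectors:
    default:
      url: 'http://console.example.com/collector/default'
      registration_token: '[console_registration_token]'
      abilities:
      - openscap
      node-name: '%{facts.fqdn}'
  simp_agent::openscap_options:
    openscap.profile: 'xccdf_org.ssgproject.content_profile_standard'
  sicura_agent::default_scanner: 'ciscat'
HIERA

puts lint_sicura_agent(YAML.safe_load(SAMPLE)) if $PROGRAM_NAME == __FILE__
```

A key under the wrong namespace is the quiet failure here: Puppet's automatic class parameter lookup only reads `sicura_agent::<parameter>`, so a misnamed key is ignored without an error.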