Sicura Enterprise Edition
  1. Introduction
  2. Licensing
  3. Installing Sicura Enterprise
  4. Server install from RPM
  5. Server install from ISO
  6. Upgrade Sicura Enterprise
  7. Server Installation via Control Repo
  8. Enable SIMP Compliance Engine
  9. Configure SIMP Compliance Engine
  10. Included Compliance Profiles
  11. Console install via Puppet
  12. Agent Install via Puppet
  13. Simp-downloader script Reference
  14. Coverage - CIS, Windows
  15. Coverage - CIS, Linux
  16. Coverage - CMMC, Windows
  17. Coverage - CMMC, Linux
  18. Coverage - DISA, Windows
  19. Coverage - DISA, Linux
  20. Coverage - NIST 800-171 r2, Windows
  21. Linux DISA Module Usage
  22. Windows CIS module usage
  23. Linux CIS Module Usage
  24. Linux SSG Module Usage

Server Installation via Control Repo

Add SIMP Server Components

Sicura Enterprise is an extension of SIMP Server and requires those components be installed. Please follow the instructions here to add the SIMP Server components to your control repository.

There are several modules included in the SIMP Server Puppetfile (Puppetfile.simp) that are also included in the default Puppetfile. Use r10k deploy environment <environment name> -pv on the Puppet server to see a list of duplicates, if any, during deployment. If any are found, review the versions in each Puppetfile and keep only those relevant to your environment.

For more advanced options and features of r10k, see the official documentation here

Download Sicura Enterprise components

You can use our downloader or curl to download an installation tar file containing the Sicura Enterprise modules and assets. Downloads also require a valid, non-expired Sicura Enterprise license key saved to /etc/sicura/license.key to authenticate.

Get the tar Archive using simp-downloader

Our helper script, simp-downloader, will automatically download the latest installation tar file for Sicura Enterprise to your local machine.

curl | bash -s -- -t install-tarball

For more information and detailed usage information, see the simp-downloader documentation here.

Get the tar Archive using curl

You may also download the tar file using curl and passing /etc/sicura/license.key as the cacert, cert, and key:

curl -f -o sicura-enterprise-6.5.4-1.tgz --cacert /etc/sicura/license.key --cert /etc/sicura/license.key --key /etc/sicura/license.key

Once you have the tar archive downloaded, extract it to a convenient location. The Sicura Enterprise components will be located in a directory named sicura-enterprise-<version>.

Add components to the Control Repository

Inside the sicura-enterprise-<version> directory there will be a number of files and directories, but only SIMP/modules will be used in this process.

The contents of SIMP/modules will need to be deployed directly via the control-repo in one of three ways:

Method 1: Add modules into a directory into the control repo
Method 2: Add modules into a single git repository
Method 3. Add modules individually

Method 1: Via Control Repo

Adding modules directly into the control repo is the simplest option, and allows the most integration into a code workflow. However the downside is a large sized control repo.

The SIMP/modules directory can then inserted at the front of the modulepath in environment.conf. This will guarantee that SIMP modules take priority over existing modules (in the modules directory) with the same name.

modulepath = SIMP/modules:modules:$basemodulepath

Method 2: Via Single Git Repo

Another option is to create a SIMP repository on your Git server and commit the SIMP modules to that. Deploy it as a single module in the Puppetfile with an empty install_path to create a top-level SIMP directory in the control repo. This downsizes the control repo but increases maintenance of the branches of the SIMP repo containing the modules.

mod 'SIMP' ,
  :git            => 'git@<url>',
  :install_path   => '',
  :branch         => :control_branch,
  :default_branch => 'master'

The SIMP/modules directory can then inserted at the front of the modulepath in environment.conf. This will guarantee that SIMP modules take priority over existing modules (in the modules directory) with the same name.

modulepath = SIMP/modules:modules:$basemodulepath

Method 3: Add Individual Module Repos

Another option is to create a git repository for each module, and commit these changes and deploy them individually in the Puppetfile. This method allows pinning versions of specific modules per environment, but at the cost of much more complexity.

Each module in SIMP/modules will need its own git repo, and the contents of the directory should be committed directly to the root of each module’s git repository. Once committed, you have to add a mod specification for every git repository.

Modify Hiera settings

In order to use SIMP, you need to add some settings into a Hiera default layer. These settings are normally set by simp config, but because it needs to be part of a control-repo, it needs to be committed to the control-repo’s data directories.

Copy the following file contents into your default layer. Values enclosed in < > will need to be modified for your environment.

# used by SIMP modules to set default access control rules. Add your local ip address subnets.
- '<list of local networks>'

# As configured, this disables syslog redirection to an external syslog server.  **We recommend that this be set to a valid list of syslog server IPs in a production environment.**
simp_options::syslog::log_servers: []

# If you have failover syslog servers, uncomment the following line and add the failover syslog server IP addresses to the list.
#simp_options::syslog::failover_log_servers: []

# This disables the use of `stunnel` to wrap SIMP services.
simp_options::stunnel: false
simp::rsync_stunnel: false

# This disables scheduled `yum update` runs.
simp::yum::schedule::enable: false

# The following additional settings should be self-explanatory:

simp::runlevel: 3
- "%{::domain}"
- '<DNS server IP>'
- '<NTP server IP>'
simp_options::puppet::ca: '<MoM FQDN>'
simp_options::puppet::ca_port: 8140
simp_options::puppet::server: '<compile master FQDN>'

Enable and Configure SCE

To enable enforcement and reporting functionality, SIMP Compliance Engine will need to be enabled in Hiera and a compliance profile selected for systems.

See the SCE documentation here for additional details.

Classify Systems

Linux server and client nodes will also need to be classified with the simp and simp-options classes for enforcement to occur. Windows systems will need to be classified with the simp_windows class. This can be done in the Puppet Enterprise Console or by adding the following an appropriate manifest file.

# Linux nodes
  - 'simp'
  - 'simp_options'
# Windows nodes
  - 'simp_windows'