To apply a compliance profile to a node, add the following settings to the node’s Hiera data. They specify which compliance profile(s) to enforce and which to generate reports for:
---
# Linux nodes
classes:
  - 'simp'
  - 'simp_options'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:server'

---
# Windows nodes
classes:
  - 'simp_windows'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:member:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:member:server'
You can specify a list of compliance profiles to apply, ordered from highest to lowest priority. Each profile is compiled separately, and values in the highest-priority profile are enforced by SCE. This lets you create a small custom profile based on a built-in profile, changing only the settings you wish to customize.
For example, to apply CIS Level 1 Member Server and DISA STIG MAC-1 Classified compliance settings and to force the CIS settings to always override DISA settings, add the following to Hiera:
---
compliance_markup::enforcement:
  - cis:level:1:member:server
  - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
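
The following is an added example, not SCE's own code: a simplified Ruby model of the priority rule described above, which reads the enforcement list from the Hiera data shown and reports which profile supplies each value and which lower-priority values are shadowed. The `example::` parameter names, their values and the `resolve`/`report` helpers are constructed for illustration.

```ruby
require 'yaml'

# Hiera data as shown above: profiles listed from highest to lowest priority.
HIERA = YAML.safe_load(<<~HIERA_DATA)
  ---
  compliance_markup::enforcement:
    - cis:level:1:member:server
    - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
HIERA_DATA

# Constructed profile contents; parameter names and values are hypothetical.
PROFILES = {
  'cis:level:1:member:server' => {
    'example::password_min_length' => 14,
    'example::lockout_threshold'   => 5
  },
  'disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified' => {
    'example::password_min_length' => 15,
    'example::lockout_threshold'   => 5,
    'example::audit_logon_events'  => true
  }
}.freeze

# Walk the profiles in priority order; the first profile to set a parameter wins.
# Conflicting values from lower-priority profiles are recorded as shadowed.
def resolve(order, profiles)
  effective = {}
  shadowed = []
  order.each do |name|
    settings = profiles.fetch(name) { raise KeyError, "unknown profile: #{name}" }
    settings.each do |param, value|
      if !effective.key?(param)
        effective[param] = { value: value, from: name }
      elsif effective[param][:value] != value
        shadowed << { param: param, value: value, from: name, winner: effective[param][:from] }
      end
    end
  end
  [effective, shadowed]
end

def report(hiera = HIERA, profiles = PROFILES)
  resolve(Array(hiera['compliance_markup::enforcement']), profiles)
end

if __FILE__ == $PROGRAM_NAME
  effective, shadowed = report
  effective.each { |param, e| puts "#{param} = #{e[:value].inspect} (from #{e[:from]})" }
  shadowed.each { |s| puts "shadowed: #{s[:param]} = #{s[:value].inspect} (from #{s[:from]})" }
end
```

Reviewing the shadowed list before changing the profile order shows which lower-priority requirements stop being enforced.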
For more information about SIMP Compliance Engine, see the official documentation.