Sicura Enterprise is an extension of SIMP Server and requires those components to be installed. Please follow the instructions here to add the SIMP Server components to your control repository.
Several modules included in the SIMP Server Puppetfile (`Puppetfile.simp`) are also included in the default Puppetfile. Run `r10k deploy environment <environment name> -pv` on the Puppet server to see a list of duplicates, if any, during deployment. If any are found, review the versions in each Puppetfile and keep only the one relevant to your environment, so that a single, known version of each module is deployed.
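It helps to see the clash explicitly before a deploy, rather than reading it out of r10k's verbose output. The following Ruby script is an added example, not part of the Sicura or SIMP documentation: it evaluates each Puppetfile with a minimal stand-in for r10k's loader (`mod`, `forge`, `moduledir`) and reports every module declared in both files together with the version each file asks for. The two Puppetfile bodies are constructed for the example and are not the real contents of either file.

```ruby
# Added example (not from the Sicura/SIMP docs): find modules declared in both
# the default Puppetfile and Puppetfile.simp, and flag version mismatches.
# A Puppetfile is Ruby, so evaluating it runs its code: only point this at
# files you would already let r10k execute.

# Minimal Puppetfile DSL: records each `mod` declaration, ignores the rest.
class PuppetfileScan
  attr_reader :mods

  def initialize
    @mods = {}
  end

  # Handles both forms: `mod 'owner/name', '1.2.3'` and
  # `mod 'owner-name', :git => ..., :tag => ...`.
  def mod(name, *args)
    spec = args.first
    version = case spec
              when String then spec
              when Hash   then spec[:tag] || spec[:ref] || spec[:commit] || spec[:branch] || 'unpinned'
              else 'latest'
              end
    short = name.to_s.split(%r{[/-]}, 2).last # directory name r10k creates: 'simp-simp_options' -> 'simp_options'
    @mods[short] = { name: name.to_s, version: version.to_s }
  end

  # r10k directives that do not declare modules.
  def forge(*); end
  def moduledir(*); end

  def self.parse(text)
    scan = new
    scan.instance_eval(text)
    scan.mods
  end
end

# Report modules present in both files. A conflict means the two Puppetfiles
# ask for different versions of the same module; resolve it before deploying.
def duplicate_modules(default_text, simp_text)
  defaults = PuppetfileScan.parse(default_text)
  simp     = PuppetfileScan.parse(simp_text)
  (defaults.keys & simp.keys).sort.map do |short|
    { module:   short,
      default:  defaults[short][:version],
      simp:     simp[short][:version],
      conflict: defaults[short][:version] != simp[short][:version] }
  end
end

# Constructed sample Puppetfiles (not the real contents of either file).
DEFAULT_PUPPETFILE = <<~'PF'
  forge 'https://forge.puppet.com'
  mod 'puppetlabs/stdlib', '8.5.0'
  mod 'puppetlabs/concat', '7.1.1'
  mod 'puppetlabs/ntp', '9.1.0'
PF

SIMP_PUPPETFILE = <<~'PF'
  moduledir 'SIMP/modules'
  mod 'puppetlabs-stdlib', '8.1.0'
  mod 'puppetlabs-concat', '7.1.1'
  mod 'simp-simp_options', :git => 'https://github.com/simp/pupmod-simp-simp_options', :tag => '1.6.1'
PF

if $PROGRAM_NAME == __FILE__
  duplicate_modules(DEFAULT_PUPPETFILE, SIMP_PUPPETFILE).each do |d|
    flag = d[:conflict] ? 'VERSION CONFLICT' : 'same version'
    puts "#{d[:module]}: default=#{d[:default]} simp=#{d[:simp]} (#{flag})"
  end
end
```

On the constructed input this reports `concat` as a harmless duplicate (same version in both files) and `stdlib` as a conflict (8.5.0 versus 8.1.0), which is exactly the case where one of the two declarations should be deleted.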
For more advanced options and features of r10k, see the official documentation here
Download the tar file using the following link or `curl` command:
curl -f -o sicura-enterprise-6.5.6-1.tgz https://enterprise-download.simp-project.com/products/simp-enterprise/simp-enterprise/sicura-enterprise-6.5.6-1.tgz
Once you have the tar archive downloaded, extract it to a convenient location. The Sicura Enterprise components will be located in a directory named `sicura-enterprise-<version>`. Inside the `sicura-enterprise-<version>` directory there will be a number of files and directories, but only `SIMP/modules` will be used in this process.
The contents of `SIMP/modules` will need to be deployed directly via the control repo in one of three ways:
Method 1: Add the modules into a directory in the control repo
Method 2: Add the modules into a single Git repository
Method 3: Add the modules individually
Adding the modules directly into the control repo is the simplest option, and allows the most integration into a code workflow. The downside is a larger control repo.
The `SIMP/modules` directory can then be inserted at the front of the `modulepath` in `environment.conf`. This guarantees that SIMP modules take priority over existing modules (in the `modules` directory) with the same name; a same-named module in `modules` is silently shadowed, which is why the duplicate check above matters.
modulepath = SIMP/modules:modules:$basemodulepath
Another option is to create a `SIMP` repository on your Git server and commit the SIMP modules to it. Deploy it as a single module in the Puppetfile with an empty `install_path`, which creates a top-level `SIMP` directory in the control repo. This keeps the control repo small but increases the maintenance of the branches of the `SIMP` repo containing the modules: with `:branch => :control_branch`, r10k checks out the branch of the `SIMP` repo whose name matches the control repo branch being deployed and falls back to `master` when no such branch exists, so each environment branch may need a matching branch in the `SIMP` repo.
mod 'SIMP',
  :git            => 'git@<url>',
  :install_path   => '',
  :branch         => :control_branch,
  :default_branch => 'master'
As with Method 1, the `SIMP/modules` directory is then inserted at the front of the `modulepath` in `environment.conf`. This guarantees that SIMP modules take priority over existing modules (in the `modules` directory) with the same name.
modulepath = SIMP/modules:modules:$basemodulepath
Another option is to create a Git repository for each module, commit each module to its own repository, and deploy them individually in the Puppetfile. This method allows pinning versions of specific modules per environment, but at the cost of much more complexity.
Each module in `SIMP/modules` will need its own Git repo, and the contents of the module directory should be committed directly to the root of that module's Git repository. Once committed, you have to add a `mod` specification to the Puppetfile for every repository, pinned to the tag or commit you intend to deploy.
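Writing one `mod` entry per module by hand is where Method 3's complexity shows, and where an unpinned branch reference tends to creep in. The following Ruby script is an added example, not part of the Sicura or SIMP documentation: it walks an extracted `SIMP/modules` directory, reads each module's `metadata.json` for its name and version, and emits a Puppetfile fragment with every module pinned to a `:tag` equal to that version. The Git URL pattern `git@<url>:simp/<module>.git` and the convention that tags are named after bare versions are assumptions for the example; the sample module tree is constructed on the fly, not taken from the real tarball.

```ruby
# Added example (not from the Sicura/SIMP docs): generate pinned Puppetfile
# `mod` entries for every module under SIMP/modules, one per repository.
# Assumptions: each module repo lives at <git_base>/<module>.git and is tagged
# with its metadata.json version. Adjust both to your Git server.
require 'json'
require 'fileutils'
require 'tmpdir'

# Build one pinned Puppetfile entry from a module directory's metadata.json.
# Pinning :tag (rather than a branch) means every deploy fetches the same
# reviewed commit; moving to a newer version is an explicit, reviewable change.
def puppetfile_entry(module_dir, git_base: 'git@<url>:simp')
  meta    = JSON.parse(File.read(File.join(module_dir, 'metadata.json')))
  short   = meta.fetch('name').split(%r{[/-]}, 2).last # 'simp-simp_options' -> 'simp_options'
  version = meta.fetch('version')
  unless version =~ /\A\d+\.\d+\.\d+\z/
    raise "#{short}: version #{version.inspect} is not a release version; refusing to pin it"
  end
  "mod '#{short}',\n  :git => '#{git_base}/#{short}.git',\n  :tag => '#{version}'"
end

# Walk the modules root and produce the complete Puppetfile fragment.
def generate_puppetfile(modules_root, git_base: 'git@<url>:simp')
  Dir.children(modules_root).sort
     .map { |d| File.join(modules_root, d) }
     .select { |d| File.exist?(File.join(d, 'metadata.json')) }
     .map { |d| puppetfile_entry(d, git_base: git_base) }
     .join("\n")
end

# Constructed sample tree standing in for an extracted SIMP/modules directory.
def sample_modules_root
  root = Dir.mktmpdir('simp-modules')
  { 'simp' => '4.14.0', 'simp_options' => '1.6.1' }.each do |name, version|
    dir = File.join(root, name)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'metadata.json'),
               JSON.generate('name' => "simp-#{name}", 'version' => version))
  end
  root
end

if $PROGRAM_NAME == __FILE__
  puts generate_puppetfile(sample_modules_root)
end
```

The version check deliberately rejects pre-release strings such as `1.0.0-rc1`: a module whose `metadata.json` does not carry a plain release version should be examined before it is pinned into an environment, not silently referenced.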
In order to use SIMP, you need to add some settings to a Hiera default layer. These settings are normally set by `simp config`, but because the configuration needs to be part of the control repo, they must be committed to the control repo's data directories.
Copy the following file contents into your default layer. Values enclosed in `< >` will need to be modified for your environment.
# used by SIMP modules to set default access control rules. Add your local ip address subnets.
simp_options::trusted_nets:
- '<list of local networks>'
# As configured, this disables syslog redirection to an external syslog server. **We recommend that this be set to a valid list of syslog server IPs in a production environment.**
simp_options::syslog::log_servers: []
# If you have failover syslog servers, uncomment the following line and add the failover syslog server IP addresses to the list.
#simp_options::syslog::failover_log_servers: []
# This disables the use of `stunnel` to wrap SIMP services.
simp_options::stunnel: false
simp::rsync_stunnel: false
# This disables scheduled `yum update` runs.
simp::yum::schedule::enable: false
# The following additional settings should be self-explanatory:
simp::runlevel: 3
simp_options::dns::search:
- "%{::domain}"
simp_options::dns::servers:
- '<DNS server IP>'
simp_options::ntpd::servers:
- '<NTP server IP>'
simp_options::puppet::ca: '<MoM FQDN>'
simp_options::puppet::ca_port: 8140
simp_options::puppet::server: '<compile master FQDN>'
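Because this file is committed rather than generated by `simp config`, nothing stops a copy with the `< >` placeholders still in place, or with the two settings the comments above flag as not production-ready (an empty syslog server list and stunnel disabled), from reaching the Puppet server. The following Ruby script is an added example, not part of the Sicura or SIMP documentation: it loads a Hiera YAML document, treats any remaining `<...>` value as an error, requires a non-empty `simp_options::trusted_nets`, and warns on the two weak settings. The two YAML documents it runs on are constructed for the example.

```ruby
# Added example (not from the Sicura/SIMP docs): pre-commit check for the SIMP
# Hiera default layer. Errors block the commit; warnings are for review.
require 'yaml'

# Return { errors: [...], warnings: [...] } for one Hiera YAML document.
def check_simp_hiera(yaml_text)
  data = YAML.safe_load(yaml_text, aliases: true) || {}
  errors, warnings = [], []

  # Any scalar still wrapped in < > was copied from the template and never edited.
  walk = lambda do |path, value|
    case value
    when Hash   then value.each { |k, v| walk.call(path.empty? ? k.to_s : "#{path}.#{k}", v) }
    when Array  then value.each_with_index { |v, i| walk.call("#{path}[#{i}]", v) }
    when String then errors << "#{path}: placeholder #{value.inspect} not replaced" if value =~ /\A<.*>\z/
    end
  end
  walk.call('', data)

  nets = data['simp_options::trusted_nets']
  errors << 'simp_options::trusted_nets: must be a non-empty list' unless nets.is_a?(Array) && !nets.empty?

  # Both of these are allowed by the template but called out in its comments as
  # settings to change before production.
  if Array(data['simp_options::syslog::log_servers']).empty?
    warnings << 'simp_options::syslog::log_servers is empty: logs stay on the host only'
  end
  if data['simp_options::stunnel'] == false
    warnings << 'simp_options::stunnel is false: SIMP services are not wrapped in stunnel'
  end

  { errors: errors, warnings: warnings }
end

# Constructed inputs: the template as shipped (placeholders intact) and a filled-in copy.
TEMPLATE_HIERA = <<~'YAML'
  simp_options::trusted_nets:
    - '<list of local networks>'
  simp_options::syslog::log_servers: []
  simp_options::stunnel: false
  simp::rsync_stunnel: false
  simp_options::dns::servers:
    - '<DNS server IP>'
  simp_options::puppet::ca: '<MoM FQDN>'
YAML

FILLED_HIERA = <<~'YAML'
  simp_options::trusted_nets:
    - '10.0.0.0/8'
  simp_options::syslog::log_servers:
    - '10.0.1.20'
  simp_options::stunnel: true
  simp::rsync_stunnel: true
  simp_options::dns::servers:
    - '10.0.1.53'
  simp_options::puppet::ca: 'puppet.example.com'
YAML

if $PROGRAM_NAME == __FILE__
  [TEMPLATE_HIERA, FILLED_HIERA].each do |doc|
    result = check_simp_hiera(doc)
    result[:errors].each   { |e| puts "ERROR   #{e}" }
    result[:warnings].each { |w| puts "WARNING #{w}" }
    puts(result[:errors].empty? ? 'ok to commit' : 'fix errors before committing')
  end
end
```

Run against the unedited template this produces three placeholder errors and both warnings; against the filled-in copy it produces none. The warning-only treatment of `log_servers` and `stunnel` mirrors the page: both are legitimate in a lab, so the check surfaces them without blocking.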
To enable enforcement and reporting functionality, the SIMP Compliance Engine (SCE) will need to be enabled in Hiera and a compliance profile selected for your systems.
See the SCE documentation here for additional details.
Linux server and client nodes will also need to be classified with the `simp` and `simp_options` classes for enforcement to occur. Windows systems will need to be classified with the `simp_windows` class. This can be done in the Puppet Enterprise Console or by adding the following to the appropriate Hiera data file, assuming the control repo's `site.pp` includes the classes listed under the `classes` key.
---
# Linux nodes
classes:
- 'simp'
- 'simp_options'
---
# Windows nodes
classes:
- 'simp_windows'