SIMP Compliance Engine

Introduction to the SIMP Compliance Engine (SCE)

This guide supplements the SIMP CE and EE documentation with additional information on getting started with and using the SIMP Compliance Engine.

What is the SIMP Compliance Engine (SCE)?

SIMP Compliance Engine (SCE) uses existing compliance and security standards to generate configuration that is directly applicable to SIMP-managed systems. Within Puppet, SCE acts as a data source that inspects the parameters of applied modules and compares them to the values required by policy. SIMP can then optionally force Puppet to set those parameters. When used to its fullest potential, SCE can create a compliant Puppet environment in which it is not possible to implement a change to a system that would fail compliance audits. SCE can also generate report data consumable by SIMP Console.

How Organizations Use SCE

Puppet Integration

SCE’s compliance data is stored in Puppet modules. SCE looks for data in the SIMP/compliance_profiles/ path relative to each module, and loads all YAML and JSON files present there. Data found in the SCE data format is merged together and used as the data source for reporting and enforcement.

Configuring Puppet to use SCE

In order to use SIMP Compliance Engine, you need to add it to your Puppet environment hierarchy in hiera.yaml.

When adding compliance_markup to an existing Puppet environment, we recommend adding SIMP Compliance Engine as the last entry in hiera.

SIMP Compliance Engine is implemented in the simp/compliance_markup module, so make sure it’s installed if you have an existing Puppet environment. The module is included in the SIMP Enterprise installation.

To enable SIMP Compliance Engine in your Puppet environment, add the name and lookup_key entry shown in the following example as the last entry in /etc/puppetlabs/code/environments/production/hiera.yaml.

  - name: "SIMP Compliance Engine"
    lookup_key: "compliance_markup::enforcement"

SCE Reports

By default, SCE creates a set of reports, one per node, on your Puppet Server at /opt/puppetlabs/server/data/puppetserver/simp/compliance_reports/<node fqdn>. The default reports only contain statistics for non-compliant settings, unknown parameters, and custom entries. Reporting types can be specified in hiera using the compliance_markup::report_types parameter. A complete list of available report types is available here. The Catalog Compliance reports in SIMP Console (included with SIMP Enterprise) require that the report_types include full, as shown below.

compliance_markup::report_types:
  - 'full'

You may optionally enable the creation of a File resource on each node if you wish to have changes in this data automatically exported into PuppetDB. Enable this by setting the report_on_client parameter to true at the desired level in hieradata.

compliance_markup::report_on_client: true

Enforcement with SCE

Adding profile names from the SCE compliance data to compliance_markup::enforcement will enable enforcement of all settings referenced by those profiles. We recommend that Catalog Compliance reports in the Console be reviewed before enabling enforcement.

Applying a Compliance Profile

To apply a compliance profile to a node, add the following settings to the node’s Hiera data specifying the compliance profile to apply and generate reports for:

---
# Linux nodes
classes:
  - 'simp'
  - 'simp_options'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:server'

---
# Windows nodes
classes:
  - 'simp_windows'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:member:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:member:server'

You can also specify a list of compliance profiles to apply, in order from highest priority to lowest. Each profile is compiled separately, and where profiles disagree the value from the highest-priority profile is the one SCE enforces. This lets you create a small custom profile based on a built-in profile, changing only the settings you wish to customize.

For example, to apply CIS Level 1 Member Server and DISA STIG MAC-1 Classified compliance settings, and to force the CIS settings to always override DISA settings, add the following to Hiera:

---
compliance_markup::enforcement:
  - cis:level:1:member:server
  - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
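The following is an added example, not code from the compliance_markup module, that models the two behaviours described above: resolving the enforced value for a parameter from an ordered profile list (highest priority first, falling through to lower-priority profiles for settings the custom profile does not override), and classifying applied catalog parameters against a profile's required values the way a per-node report does. The profile layout, profile name `site:custom` and parameter names are constructed for illustration and are not the real SCE data format.

```ruby
require 'yaml'

# Constructed sample profile data (NOT the real SCE data format). In SCE this
# would come from the merged SIMP/compliance_profiles/ files of each module.
PROFILES = YAML.safe_load(<<~YAML)
  'cis:level:1:server':
    'sshd::permitrootlogin': false
    'pam::faillock::deny': 5
    'auditd::space_left_action': email
  'site:custom':
    'pam::faillock::deny': 3
YAML

# Resolve the value to enforce for one parameter from an ordered list of
# profile names, highest priority first, as compliance_markup::enforcement
# is described: the first profile that defines the parameter wins.
def enforced_value(profiles, enforcement, param)
  enforcement.each do |name|
    data = profiles.fetch(name) { raise ArgumentError, "unknown profile #{name}" }
    return data[param] if data.key?(param)
  end
  nil # no listed profile constrains this parameter
end

# Compare the parameters applied in a catalog against one profile's policy.
# A policy parameter the catalog does not set is labelled :unknown here; a
# value that differs from policy is :non_compliant with both values recorded.
def compliance_report(profiles, profile, applied)
  policy = profiles.fetch(profile)
  report = { non_compliant: {}, compliant: [], unknown: [] }
  policy.each do |param, required|
    if !applied.key?(param)
      report[:unknown] << param
    elsif applied[param] != required
      report[:non_compliant][param] = { applied: applied[param], required: required }
    else
      report[:compliant] << param
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  # Constructed catalog values for one node.
  applied = { 'sshd::permitrootlogin' => true, 'pam::faillock::deny' => 5 }
  puts compliance_report(PROFILES, 'cis:level:1:server', applied).to_yaml
  # Custom profile listed first overrides the built-in value (3, not 5).
  p enforced_value(PROFILES, ['site:custom', 'cis:level:1:server'], 'pam::faillock::deny')
end
```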