SIMP Compliance Engine - Data examples

Basic example using Controls

In the simplest format, only Compliance Profiles, Controls, and Checks need to be defined. The Controls specified in the Profile are used as a reference for the Checks that need to be enforced.

For the following examples, assume a Puppet class widget_spinner exists and has a parameter audit_logging that can be set to true or false, indicating whether to enable or disable logging functionality.

The following sample compliance profile will enforce the Puppet class parameter widget_spinner::audit_logging to be set to true:

---
version: 2.0.0
profiles:
  custom_profile:
    controls:
      apply_my_custom_profile: true
checks:
  widget_spinner_audit_logging:
    type: 'puppet-class-parameter'
    controls:
      apply_my_custom_profile: true
    settings:
      parameter: 'widget_spinner::audit_logging'
      value: true

Use caution when adding Controls to custom profiles. We have added Controls to all of the configuration settings provided with SIMP Enterprise, referencing NIST, CIS, and other benchmark controls where appropriate. Adding one of those Controls to a custom profile enforces every setting that carries that Control, not just the settings you listed.

Complete example with CEs

The following example shows the entire data format. The same Puppet class parameter from the previous example is enforced, but only on specific operating systems and versions, selected via the confine tag in the ce definition. This custom profile also disables the CIS rule 1.1.2 configuration for EL 7 that is provided with SIMP Enterprise. The title and description tags in the CE definition are optional. Because the CE definition carries the nist_800_53:rev4:AU-2 control, this setting will also be enforced by any profile referencing that control.

---
version: 2.0.0
profiles:
  custom_profile_1:
    ces:
      enable_widget_spinner_audit_logging: true
      oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1: false
ce:
  enable_widget_spinner_audit_logging:
    controls:
      nist_800_53:rev4:AU-2: true
    title: 'Ensure logging is enabled for Widget Spinner'
    description: 'This setting enables usage and security logging for the Widget Spinner application.'
    confine:
      os.release.major:
        - 7
        - 8
      os.name:
        - CentOS
        - OracleLinux
        - RedHat
checks:
  widget_spinner_audit_logging:
    type: 'puppet-class-parameter'
    settings:
      parameter: 'widget_spinner::audit_logging'
      value: true
    ces:
      - enable_widget_spinner_audit_logging
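
The two examples above describe three relationships: a profile enforces every check that carries one of its Controls, a profile enables (or, with false, disables) CEs by name or through Controls, and a CE's confine limits it to hosts whose facts match. The Ruby resolver below exercises those relationships on constructed data. It is an added example, not part of this page or of the SIMP Compliance Engine's own code. It assumes that a confine block matches when each listed fact equals one of the listed values, that a ces entry set to false wins over selection through a Control, and that facts arrive as a flat hash keyed by dotted name such as 'os.release.major'. The control name cis:el7:v2.2.0 and the parameter simp::mountpoints::tmp::secure in the sample data are hypothetical.

```ruby
# Added example, not SIMP's own code: resolves which CEs and checks a
# compliance profile enforces on a host, given the host's facts.
require 'yaml'

# Constructed sample data based on the examples above. The control
# cis:el7:v2.2.0 and the parameter simp::mountpoints::tmp::secure
# are hypothetical names used only for illustration.
SAMPLE_YAML = <<~'YAML'
  ---
  version: 2.0.0
  profiles:
    custom_profile:
      controls:
        apply_my_custom_profile: true
    custom_profile_1:
      controls:
        cis:el7:v2.2.0: true
      ces:
        enable_widget_spinner_audit_logging: true
        oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1: false
    cis_el7:
      controls:
        cis:el7:v2.2.0: true
  ce:
    enable_widget_spinner_audit_logging:
      controls:
        nist_800_53:rev4:AU-2: true
      confine:
        os.release.major: [7, 8]
        os.name: [CentOS, RedHat]
    oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1:
      controls:
        cis:el7:v2.2.0: true
  ---
  checks:
    widget_spinner_audit_logging:
      controls:
        apply_my_custom_profile: true
      settings:
        parameter: 'widget_spinner::audit_logging'
        value: true
      ces:
        - enable_widget_spinner_audit_logging
    tmp_is_configured:
      settings:
        parameter: 'simp::mountpoints::tmp::secure'
        value: true
      ces:
        - oval:simp.cis.el7.1.1.2_Ensure_tmp_is_configured:def:1
YAML

# Merge a multi-document YAML stream into one hash of profiles, CEs and checks.
def load_compliance_data(yaml_text)
  merged = { 'profiles' => {}, 'ce' => {}, 'checks' => {} }
  YAML.load_stream(yaml_text).each do |doc|
    merged.each_key { |section| merged[section].merge!(doc[section] || {}) }
  end
  merged
end

# Keys of a controls/ces map whose value is exactly `flag` (true or false).
def keys_set_to(map, flag)
  (map || {}).select { |_, v| v == flag }.keys
end

# A confine block matches when every listed fact equals one of the listed values.
# Compared as strings: Puppet facts are strings even when YAML says 7 unquoted.
def confine_matches?(confine, facts)
  (confine || {}).all? do |fact, wanted|
    Array(wanted).map(&:to_s).include?(facts[fact].to_s)
  end
end

# CEs enabled for a profile on a host: named as true, or carrying an enabled
# control; minus those set to false; only where the CE's confine matches.
def applicable_ces(data, profile_name, facts)
  profile = data['profiles'].fetch(profile_name)
  return [] unless confine_matches?(profile['confine'], facts)
  controls = keys_set_to(profile['controls'], true)
  wanted   = keys_set_to(profile['ces'], true)
  excluded = keys_set_to(profile['ces'], false)
  data['ce'].select do |name, ce|
    next false if excluded.include?(name)
    by_control = (keys_set_to(ce['controls'], true) & controls).any?
    (wanted.include?(name) || by_control) && confine_matches?(ce['confine'], facts)
  end.keys
end

# Checks to enforce, as check name => settings: checks referencing an
# applicable CE, plus checks that carry a control the profile enables.
def applicable_checks(data, profile_name, facts)
  controls = keys_set_to(data['profiles'].fetch(profile_name)['controls'], true)
  ces = applicable_ces(data, profile_name, facts)
  data['checks'].select do |_, check|
    Array(check['ces']).any? { |c| ces.include?(c) } ||
      (keys_set_to(check['controls'], true) & controls).any?
  end.transform_values { |check| check['settings'] }
end
```

Running `applicable_checks(load_compliance_data(SAMPLE_YAML), 'custom_profile_1', { 'os.name' => 'CentOS', 'os.release.major' => '7' })` yields only the widget_spinner::audit_logging setting: the tmp CE is selected by the cis:el7:v2.2.0 control but overridden by the explicit false, and on an EL 9 host the audit-logging CE drops out because its confine does not match. Comparing confine values as strings is deliberate: the custom example on this page writes the release as an unquoted 7 while the CIS snippet quotes it as '8', and a direct Integer-to-String comparison would silently exclude the CE. Metadata such as identifiers, oval-ids and imported_data is carried along but plays no part in selection.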

Snippets with content from real modules:

CIS Recommendation 1.6.2 for RHEL 8

---
version: 2.0.0
checks:
  oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space:
    settings:
      parameter: simp::sysctl::kernel__randomize_va_space
      value: 2
    type: puppet-class-parameter
    ces:
      - oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
---
version: 2.0.0
profiles:
  cis:level:1:server:
    title: Level 1 - Server
    description: 'Items in this profile intend to: be practical and prudent; provide
      a clear security benefit; and not inhibit the utility of the technology beyond
      acceptable means. This profile is intended for servers.'
    ces:
      oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1: true
ce:
  oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1:
    controls:
      cis:el8:v1.0.0.1: true
    identifiers:
      cis: []
    oval-ids:
    - xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled
    title: Ensure address space layout randomization (ASLR) is enabled
    description: Address space layout randomization (ASLR) is an exploit mitigation
      technique which randomly arranges the address space of key data areas of a process.
    imported_data:
      fixtext: 'Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*
        file: kernel.randomize_va_space = 2 Run the following command to set the active
        kernel parameter: # sysctl -w kernel.randomize_va_space=2'
    confine:
      os.release.major:
      - '8'
      os.name:
      - RedHat

DISA STIG Rule V-92961 for Windows 2019

---
version: 2.0.0
checks:
  oval:com.puppet.forge.simp-windows.machine-inactivity-limit-15min-locking-with-screensaver:def:1:
    type: puppet-class-parameter
    settings:
      parameter: simp_windows::registry_values
      value:
        The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.:
          key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
          value: InactivityTimeoutSecs
          type: dword
          data: 900
    ces:
      - oval:simp.disa.V-92961:def:1

---
version: 2.0.0
profiles:
  disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified:
    title: I - Mission Critical Classified
    ces:
      oval:simp.disa.V-92961:def:1: true
    confine:
      os.release.major:
      - '2019'
      kernel: windows
ce:
  oval:simp.disa.V-92961:def:1:
    controls:
      disa_stig: true
      disa_stig:Windows_2019: true
      SRG-OS-000028-GPOS-00009: true
      cci:CCI-000056: true
      cci:CCI-000057: true
      cci:CCI-000060: true
    identifiers:
      disa_stig:
      - V-92961
      - SRG-OS-000028-GPOS-00009
      - CCI-000056
      - CCI-000057
      - CCI-000060
    oval-ids:
    - xccdf_mil.disa.stig_rule_SV-103049r1_rule
    title: Windows Server 2019 machine inactivity limit must be set to 15 minutes
      or less, locking the system with the screen saver.
    description: |-
      Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.

      Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
    imported_data:
      fixtext: 'Configure the policy value for Computer Configuration >> Windows Settings
        >> Security Settings >> Local Policies >> Security Options >> "Interactive
        logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which
        is effectively disabled.'
    confine:
      os.release.major:
      - '2019'
      kernel: windows