Once your copy of SIMP Scanner has been installed certain options can be set inside the simp-scanner.yaml file.
NOTE: This file is not generated during install time and requires you run the simp-scanner at least once to be generated.
The config file can be found here:
Linux: /etc/simp/simp-scanner.yaml
Windows: C:\Program Files\SIMP\SIMP Scanner\simp-scanner.yaml
The SIMP Scanner config file has four sections. Each section has a set of options which, by default, are disabled (commented out). To enable an option, remove the comment # and enter in the relavent information for that option.
NOTE: Options within this section control the scanner’s functionality system-wide.
log-level
By selecting log-level you will be able to control what information is output by the scanner to stdout and stderr. The levels can be lowered or raised seven values for troubleshooting: trace, debug, info, warn, error, fatal, and panic. The default is info.
log-to-file
This true/false option allows you to choose if you want output from the scanner to go to a file in addition to the terminal’s stdout/stderr. This is ideal for archiving situations.
The default destination for this file is STATE_DIRECTORY/simp-scanner.log
log-dest
This is a custom-defined path where the log file will be saved. This will allow you to override the default log location.
max-scans
(legacy, this option will be removed in the future and should be set from your console config) Defines what type of content will be retrieved from the collectors.
force-scan
The SIMP Scanner will error and fail when trying to pull SIMP_Default_Content*** from the console if you are using an unsupported platform. If force_scan is set to true, this error will become a warning and continue running.
NOTE: Use this option at your own risk! Using an unsupported platform may cause undesired results for both the scanner and the console.
collector-request-interval
When using simp-scanner run or running the SIMP Scanner as a service, the process will occasionally reconnect to its collector(s). The collector-request-interval option allows you to adjust the wait period between connections. The default is set to 30 seconds.
This section outlines the various collectors that have been registered to the SIMP Scanner. Collectors are defined in a list within the file and each collector has its own set of sub-options. These sub-options are collector, url, registration_token, scanners, and node-name.
Collector entries can be added manually or automatically appended using the simp-scanner register command.
An example collector configuration could look like this:
default:
url: https://my-simp-console:6468/collector/default
registration_token: XXXXXXXXXXXXXXXXXXXXXXX
scanners:
- SCANNER_TYPE-1
- SCANNER_TYPE-2
node-name: ""
Currently, all collectors use the name default, therefore expect each collector registered to start with ‘default’ before defining their own options.
The types of scanners supported are:
openscapciscatjscatcompliance-engineWhen simp-scanner executes a command, it runs it against every collector defined. For example, if you have three registered collectors, simp-scanner fetch will call out to each of them to fetch content.
url defines the location the collector needs to talk to. This URL can be copied directly from the Client Installation page on your SIMP Consoleregistration_token this token allows your scanner to securely communicate with the console during initial registration. Once registered, it’ll use the login token recieved which is stored in your STATE_DIRECTORY/state.json file.scanners defines a list of one or more scanner types to be used for scanning each time a scan is performed.node-name assigns a name to your node during initial registration to the console. This option can be left blank and your FQDN will be used instead.Any output from the scanner is considered a “Report”. By default, reports are sent to the SIMP Console collector for further evalution and displayed in the Console GUI, they can, however, be kept on the local system if desired.
Options for reports are as follows:
save-reports This true/false settings will allow you to save the reports for each scan. If true, reports save to STATE_DIRECTORY/reports by default.
report-path Allows you to override the default path for reports.
The following options allow for configuring options specific to the scanner type in use (openscap/ciscat/jscat)
Note: Use these options as a catch-all in case no other options are specified elsewhere (best used with the “Scan Now” button)
default.profile Predefines a profile to be used for scanning any time a scan is performed.default.filename Predefines a benchmark to be used for scanning any time a scan is performed.default.scanner-type Predefines a default scanner type to use in case of multiple scanners possibleciscat.install-path Points to the location of your Assessor-CLI.jar file. This option is required if you’d like to do CIS scanning.ciscat.profile Predefines a profile to be used for scanning any time a scan is performed.ciscat.content_directory Adds this directory to the lookup for benchmarks to be used for CIS scanning. This affects the simp-scanner list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.ciscat.filename Predefines a benchmark to be used for scanning any time a scan is performed.openscap.profile Predefines a profile to be used for scanning any time a scan is performed.openscap.content_directory Adds this directory to the lookup for benchmarks to be used for Linux STIG scanning. This affects the simp-scanner list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.openscap.filename Predefines a benchmark to be used for scanning any time a scan is performed.jscat.install-path If you wish to override the path for which jScat is loaded this option allows you to specify the path. SIMP Scanner comes with jScat pre-packaged so this option is not needed.jscat.profile Predefines a profile to be used for scanning any time a scan is performed.jscat.content_directory Adds this directory to the lookup for benchmarks to be used for Windows STIG scanning. This affects the simp-scanner list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.jscat.filename Predefines a benchmark to be used for scanning any time a scan is performed.
Sicura
© copyright 2022