The SIMP Agent can be executed from the command line with simp-agent
followed by sub-command. For a full list of sub-commands and their functions, run simp-agent help
.
register
Running simp-agent register
will walk you through an interactive registration process that gets your system to a scannable/enforcable state and connected to an instance of SIMP Console.
An example of the registration process is as follows:
? Enter the name this node will appear on the console as (default: FQDN) node.name
? Enter a URL for your collector https://my-simp-console:6468
? Enter the registration token for your collector XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
? Select abilities this node can use: [Use arrows to move, space to select, type to filter]
> [x] OpenSCAP -- Perform vulnerability assessment for Linux using the open source OpenSCAP tool.
[ ] jScat -- Perform vulnerability assessment for Windows using the jScat tool.
[ ] CIS-Cat -- Perform CIS assessment using proprietary CIS-Cat Assessor.
[ ] SCE Reporting -- Submit compliance reports generated by SIMP Compliance Engine to SIMP Console.
[x] Enforce Compliance -- Accept compliance enforcement from SIMP Console.
This will register the node of the SIMP Console running at https://my-simp-console:6468
to use the assessors OpenSCAP and CIS-Cat.
If at any point you need to change any of the information set during registration, you can edit your collector config.
list
Running simp-agent list
will search all content locations defined in your config and all benchmark files then display the profiles that can be used for scanning.
INFO[0000] Parsing benchmarks...
INFO[0002] /var/db/simp/agent/state/benchmarks/scap/(stig or cis)/SIMP_Default_Content-Example.xml
INFO[0002] disa-stig_example_profile_name
INFO[0002] xccdf_org.cisecurity.benchmarks_profile_Level_2
INFO[0002] /home/myUsername/benchmarks/MyCustomBenchmarks.xml
INFO[0002] disa-stig_example_profile_name
INFO[0002] nist_800_53_example_profile_name
scan
The four flags for simp-agent scan
are -A, -b, -p and -node.
Set profile to be used for scanning.
Specify the FQDN of the singular node you would like to run a compliance engine scan against.
To perform a scan on your local system, run simp-agent scan
-A API Version -b file.xml -p profile .
Note: If no benchmark or profile are specified the agent will prompt for a selection from the simp-agent list
results.
Note: If you have a benchmark located somewhere simp-agent list
does NOT already know about, you must specify the absolute path._
Example:
simp-agent scan -b /home/myUsername/benchmarks/MyCustomBenchmarks.xml -p disa-stig_example_profile_name
info
Running simp-agent info
will dump all system information being used by the SIMP Agent.
INFO[0000] os.release.major: 7
INFO[0000] scap_filename:
INFO[0000] platform: cpe:/o:centos:7
INFO[0000] cpe_list: {[cpe:/o:centos:7]}
INFO[0000] os.family: centos
INFO[0000] os.release.full: 7
INFO[0000] fqdn: computer-hostname
INFO[0000] kernel: linux
INFO[0000] os.name: centos
INFO[0000] simp-agent.statedir: /var/db/simp/agent/state
INFO[0000] simp-agent.default_scap_scanner: OpenSCAP
Note: Your output will vary from this example depending on your system.
fetch
To connect to each of the SIMP Console collectors (see simp-agent.yaml section for details) and download new/updated content, run simp-agent fetch
.
INFO[0000] [1] Registering collector on http://192.168.0.100:6468/collector/default
INFO[0000] Fetching Benchmark: scap/cis/SIMP_Default_Content-Example-CIS.xml
INFO[0000] Fetching Benchmark: scap/stig/SIMP_Default_Content-Example-STIG.xml
INFO[0000] [1] Benchmarks are up to date
run
Scans can be ran immediately or scheduled for specific times from the SIMP Console UI. From the command line, simp-agent run
will launch the SIMP Agent into a “waiting mode”. The agent will then open connections against each collector, waiting for a job to be requested.
install
To add the SIMP Agent as a service to your host OS, run simp-agent install
Service managers we support:
remove
To remove the service for the SIMP Agent run simp-agent remove
start
The SIMP Agent runs as a daemon/service. To start the service, run simp-agent start
. The SIMP Agent will then run a simp-agent run
process in the background.
stop
To stop the service for the SIMP Agent run simp-agent stop
status
To check the current status of the SIMP Agent service, run simp-agent status