Sicura Enterprise Edition

Configure SIMP Compliance Engine (SCE)

Applying a Compliance Profile

To apply a compliance profile to a node, add the following settings to the node’s Hiera data, specifying the compliance profile(s) to apply and to generate reports for:

---
# Linux nodes
classes:
  - 'simp'
  - 'simp_options'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:server'

---
# Windows nodes
classes:
  - 'simp_windows'

# Setup catalog compliance reports
compliance_markup::report_types:
  - 'full'
compliance_markup::validate_profiles:
  - 'cis:level:1:member:server'

# Setup compliance engine enforcement
compliance_markup::enforcement:
  - 'cis:level:1:member:server'

You can specify a list of compliance profiles to apply, ordered from highest to lowest priority. Each profile is compiled separately, and values in the highest priority profile will be enforced by SCE. This lets you create a small custom profile based on a built-in profile, with changes only to the settings you wish to customize.

For example, to apply CIS Level 1 Member Server and DISA STIG MAC-1 Classified compliance settings and to force the CIS settings to always override DISA settings, add the following to Hiera:

---
compliance_markup::enforcement:
  - cis:level:1:member:server
  - disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified
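
Because the order of `compliance_markup::enforcement` decides which profile wins, it is worth linting a node's Hiera file before it ships. The Ruby script below is an added example, not part of SCE or the Sicura documentation: `lint_hiera` and its helpers are hypothetical names, the sample data is constructed, and the rule that every enforced profile must also appear in `compliance_markup::validate_profiles` is an assumed local policy. It also flags keys repeated within one YAML document, which a normal load would silently collapse to the last value.

```ruby
require 'psych'

# Constructed Hiera data for one Windows node; profile names are the ones on this page.
SAMPLE_HIERA = <<~YAML
  ---
  classes:
    - 'simp_windows'
  compliance_markup::validate_profiles:
    - 'cis:level:1:member:server'
  compliance_markup::enforcement:
    - 'cis:level:1:member:server'
    - 'disa_stig:xccdf_mil.disa.stig_profile_mac-1_classified'
YAML

# [key_node, value_node] pairs of a document's top-level mapping (empty if none).
def top_pairs(doc)
  root = doc.children.first
  root.is_a?(Psych::Nodes::Mapping) ? root.children.each_slice(2).to_a : []
end

# Top-level keys that appear more than once in one document. A plain YAML load
# keeps only the last value, so the parse tree is inspected instead.
def duplicate_keys(doc)
  keys = top_pairs(doc).map { |k, _| k.value if k.is_a?(Psych::Nodes::Scalar) }.compact
  keys.select { |k| keys.count(k) > 1 }.uniq
end

# Scalar entries of the list stored under `key`, in file order (priority order).
def list_for(doc, key)
  top_pairs(doc).select { |k, _| k.is_a?(Psych::Nodes::Scalar) && k.value == key }
                .flat_map { |_, v| v.children.to_a.grep(Psych::Nodes::Scalar).map(&:value) }
end

# Hypothetical lint helper (not part of SCE): returns human-readable findings.
def lint_hiera(yaml)
  Psych.parse_stream(yaml).children.each_with_index.flat_map do |doc, i|
    enforced  = list_for(doc, 'compliance_markup::enforcement')
    validated = list_for(doc, 'compliance_markup::validate_profiles')
    dups = duplicate_keys(doc).map { |k| "doc #{i}: duplicate key '#{k}'" }
    # Assumed local policy: every enforced profile should also be reported on.
    gaps = (enforced - validated).map { |p| "doc #{i}: '#{p}' enforced but not validated" }
    dups + gaps
  end
end

puts lint_hiera(SAMPLE_HIERA)
```

The script reads only the YAML parse tree, so no objects are instantiated from the file being checked.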

More information

For more information about SIMP Compliance Engine, see the official documentation here.