4.7.3. Integrating Applications¶
This section describes how to integrate external applications into the SIMP managed infrastructure.
For most applications, there are only three SIMP control components that must be addressed for successful product integration.
By default, the SIMP system drops all incoming connections to the server,
22 is allowed from all external sources since
there is no safe way to restrict this that will not lock users out of freshly
installed systems in many cases.
The default SIMP IPTables start-up sequence has been set to fail
safe. This means that if the IPTables rules cannot cleanly apply, the system
will only allow port
22 into the system for SSH troubleshooting and
There are many examples of how to use the
simp-iptables module in the source
simp-simp_apache module is a particularly good example. This
module can be found in your SIMP Puppet environment or, if SIMP is installed
via ISO or RPM, at
You can also reference the Defined Types in the
module, itself, to understand their purpose and choose the best option.
18.104.22.168. Local Access Controls¶
Following defense in depth best practice, SIMP does not trust a single system
to determine the access that someone has to a system. All system accesses are,
by default, restricted to users in the
If you have an application that needs to use a login shell for configuration, or to run the service, you will need to follow the guidance in PAM Access Restrictions to ensure that your local user accounts have appropriate system access.
This does affect
sudo accounts! If your application is using a
sudo account in a startup script, please consider switching to
runuser since it is not affected by PAM controls.
22.214.171.124. Service Kill¶
To ensure that the system does not run unnecessary services, the SIMP team
svckill.rb script to stop any service
(not process) that is not properly defined in the Puppet catalog.
To prevent services from stopping, refer to the instructions in the My Services Are Dying! Troubleshooting section.
As of SIMP 6.0.0, the
svckill Puppet Resource will now warn you that it
would kill items by default and you will explicitly need to enable