4.7.3. Integrating Applications

This section describes how to integrate external applications into the SIMP managed infrastructure.

For most applications, there are only three SIMP control components that must be addressed for successful product integration.

4.7.3.1. IPTables

By default, the SIMP system drops all incoming connections to the server except those to port 22. Port 22 is allowed from all external sources because there is no safe way to restrict it that would not, in many cases, lock users out of freshly installed systems.

The default SIMP IPTables start-up sequence is configured to fail safe: if the IPTables rules cannot be applied cleanly, the system allows only port 22 in, for SSH troubleshooting and recovery.

There are many examples of how to use the simp-iptables module in the SIMP source code; the simp-simp_apache module is a particularly good one. That module can be found in your SIMP Puppet environment or, if SIMP was installed via ISO or RPM, at /usr/share/simp/modules/simp_apache.

You can also reference the Defined Types in the simp-iptables module itself to understand their purpose and choose the best option.

4.7.3.2. Local Access Controls

Following defense-in-depth best practice, SIMP does not trust a single system to determine the access that someone has to a system. All system access is, by default, restricted to users in the administrators group.

If you have an application that needs to use a login shell for configuration, or to run the service, you will need to follow the guidance in PAM Access Restrictions to ensure that your local user accounts have appropriate system access.

Note

This does affect sudo accounts! If your application uses a sudo account in a startup script, consider switching to runuser, which is not affected by PAM controls.

4.7.3.3. Service Kill

To ensure that the system does not run unnecessary services, the SIMP team implemented the svckill.rb script, which stops any service (not process) that is not properly defined in the Puppet catalog.

To prevent services from being stopped, refer to the instructions in the My Services Are Dying! troubleshooting section.

As of SIMP 6.0.0, the svckill Puppet resource only warns, by default, about the services it would kill; you must explicitly enable svckill enforcement.
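The three controls above (IPTables, local access controls and service kill) are usually handled together in one site profile class for the application being integrated. The following manifest is an added example and is not part of the SIMP documentation or of any simp-* module. The application name acmeapp, its service account, port 8443, the /opt/acmeapp paths and the 10.0.0.0/8 trusted range are constructed values. The defined types iptables::listen::tcp_stateful (simp-iptables), pam::access::rule (simp-pam) and the svckill::mode / svckill::ignore class parameters (simp-svckill) are named as this editor understands the SIMP 6 modules; confirm them against the module versions deployed in your environment.

```puppet
# Added example profile for integrating a hypothetical 'acmeapp' service
# with SIMP. Names, ports and paths are constructed; verify the simp-*
# defined types against your installed module versions.
class profile::acmeapp (
  Array[String]  $trusted_nets = ['10.0.0.0/8'],  # constructed sample range
  Array[Integer] $ports        = [8443],          # constructed sample port
  String         $svc_user     = 'acmeapp',       # constructed service account
) {

  # 1. IPTables: open only the application port, and only to the trusted
  #    networks. Everything else stays dropped by the SIMP default policy,
  #    and port 22 remains reachable through SIMP's own rules.
  iptables::listen::tcp_stateful { 'allow_acmeapp':
    trusted_nets => $trusted_nets,
    dports       => $ports,
  }

  # 2. Local access controls: the service account is not a member of the
  #    'administrators' group, so pam_access would refuse it a login shell.
  #    Grant it a console-only login (origin LOCAL) for interactive
  #    configuration work; remote origins stay denied.
  pam::access::rule { 'allow_acmeapp_local':
    users      => [$svc_user],
    origins    => ['LOCAL'],
    permission => '+',
  }

  # One-time configuration step run as the service account. runuser is used
  # rather than sudo because, as the Note above states, runuser is not
  # subject to the PAM access controls.
  exec { 'acmeapp_initial_config':
    command => "/sbin/runuser ${svc_user} -c '/opt/acmeapp/bin/configure'",
    creates => '/opt/acmeapp/etc/configured',
  }

  # 3. Service kill: declaring the service in the catalog is what tells
  #    svckill to leave it alone. 'enable => true' keeps it across reboots.
  service { 'acmeapp':
    ensure  => running,
    enable  => true,
    require => Exec['acmeapp_initial_config'],
  }

  # Optional: a helper daemon the application needs but that is managed
  # outside Puppet can be listed in svckill::ignore instead of being
  # declared as a service resource. Hiera equivalents (assumed keys):
  #   svckill::ignore: ['acmeapp-helper']
  #   svckill::mode:   'enforcing'   # SIMP >= 6.0.0 defaults to warning
  class { 'svckill':
    ignore => ['acmeapp-helper'],
    mode   => 'enforcing',
  }
}
```

Apply the profile to the node through your normal classification (site.pp or Hiera classes). With svckill::mode left at its default of warning, a first run will report the services it would have killed, which is the safest way to confirm that every service the application depends on is either declared in the catalog or listed in svckill::ignore before switching to enforcing.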