4.7.3. Integrating Applications
This section describes how to integrate external applications into the SIMP managed infrastructure.
For most applications, there are only three SIMP control components that must be addressed for successful product integration.
4.7.3.1. IPTables
By default, the SIMP system drops all incoming connections to the server, save port 22. Port 22 is allowed from all external sources since there is no safe way to restrict this that will not, in many cases, lock users out of freshly installed systems.
The default SIMP IPTables start-up sequence has been set to fail safe. This means that if the IPTables rules cannot cleanly apply, the system will only allow port 22 into the system for SSH troubleshooting and recovery.
There are many examples of how to use the simp-iptables module in the source code; the simp-simp_apache module is a particularly good example. This module can be found in your SIMP Puppet environment or, if SIMP is installed via ISO or RPM, at /usr/share/simp/modules/simp_apache.
You can also reference the Defined Types in the simp-iptables module itself to understand their purpose and choose the best option.
4.7.3.2. Local Access Controls
Following defense in depth best practice, SIMP does not trust a single system to determine the access that someone has to a system. All system accesses are, by default, restricted to users in the administrators group.
If you have an application that needs to use a login shell for configuration, or to run the service, you will need to follow the guidance in PAM Access Restrictions to ensure that your local user accounts have appropriate system access.
Note
This does affect sudo accounts! If your application is using a sudo account in a startup script, please consider switching to runuser since it is not affected by PAM controls.
4.7.3.3. Service Kill
To ensure that the system does not run unnecessary services, the SIMP team implemented a svckill.rb script to stop any service (not process) that is not properly defined in the Puppet catalog.
To prevent services from stopping, refer to the instructions in the My Services Are Dying! Troubleshooting section.
As of SIMP 6.0.0, the svckill Puppet Resource will, by default, only warn you about the items it would kill; you will need to explicitly enable svckill enforcement.
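The following Puppet profile is an added example, not code from the SIMP documentation or modules, showing how the three control components above (IPTables, local access controls and service kill) can be addressed together for a hypothetical application "myapp" listening on TCP 8443. The defined types and parameters used (iptables::listen::tcp_stateful, pam::access::rule, svckill::ignore) and the subnet and user names are assumptions for illustration; check the Defined Types in your own copies of the simp-iptables, simp-pam and simp-svckill modules before relying on them.

```puppet
# Added example (not SIMP project code). Integrates the hypothetical
# application "myapp" with the three SIMP control components.
class profile::myapp (
  Array[String] $trusted_nets = ['10.0.0.0/8'],  # assumed: client subnets
  Array[String] $admin_users  = ['myappadmin'],  # assumed: local operators
) {

  # 1. IPTables: open the application port only to trusted networks.
  #    Limiting sources is preferable to opening the port to everything; the
  #    port-22 exception described above exists only for first-install recovery.
  #    (Defined type and parameters assumed from simp-iptables.)
  iptables::listen::tcp_stateful { 'allow_myapp':
    trusted_nets => $trusted_nets,
    dports       => [8443],
  }

  # 2. Local access controls: a PAM access rule so the application's operators,
  #    who are not in the administrators group, are allowed a login shell.
  #    (Defined type and parameters assumed from simp-pam.)
  pam::access::rule { 'allow_myapp_admins':
    users      => $admin_users,
    origins    => ['ALL'],
    permission => '+',
  }

  # 3. Service kill: a service declared in the Puppet catalog is "properly
  #    defined" and is therefore left alone by svckill.
  service { 'myapp':
    ensure => 'running',
    enable => true,
  }

  # A helper service that Puppet does not manage, but which must survive
  # svckill enforcement, can be exempted explicitly instead.
  # (Defined type assumed from simp-svckill.)
  svckill::ignore { 'myapp-helper': }
}
```

Until svckill enforcement is enabled, the warnings it logs on a Puppet run are a convenient way to confirm that every service the application needs is either declared in the catalog or explicitly ignored.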