SIMP Documentation THE SIMP TEAM Dec 09, 2020 Contents 1 Level of Knowledge 3 1.1 Quick Start................................................4 1.2 Changelogs................................................4 1.3 SIMP Getting Started Guide....................................... 103 1.4 SIMP User Guide............................................ 119 1.5 SIMP HOWTO Guides.......................................... 208 1.6 Frequently Asked Questions....................................... 281 1.7 Contributing to SIMP.......................................... 290 1.8 SIMP Security Concepts......................................... 326 1.9 SIMP Security Control Mapping..................................... 344 1.10 Vulnerability Supplement........................................ 705 1.11 Help................................................... 707 1.12 License.................................................. 708 1.13 Contact.................................................. 709 1.14 Glossary of Terms............................................ 709 Index 725 i ii SIMP Documentation This is the documentation for the 6.5.0-1 release of SIMP, which is compatible with CentOS and Red Hat Enterprise Linux (RHEL). This guide will walk a user through the process of installing and managing a SIMP system. It also provides a mapping of security features to security requirements, which can be used to document a system’s security conformance. Warning: Be EXTREMELY CAREFUL when performing copy/paste operations from this document! Different web browsers and operating systems may substitute incompatible quotes and/or line endings in your files. The System Integrity Management Platform (SIMP) is an Open Source framework designed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure. Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance to include NIST 800-53, FIPS 140-2, the DISA STIG, and the SCAP Security Guide. By using the Puppet automation stack, SIMP is working toward the concept of a self-healing infrastructure that, when used with a consistent configuration management process, will allow users to have confidence that their systems not only start in compliance but remain in compliance over time. Finally, SIMP has a goal of remaining flexible enough to properly maintain your operational infrastructure. To this end, where possible, the SIMP components are written to allow all security-related capabilities to be easily adjusted to meet the needs of individual applications. Contents 1 SIMP Documentation 2 Contents CHAPTER 1 Level of Knowledge SIMP is designed for use by system administrators/users with a strong background in Linux operating systems. The core technologies that require prerequisite knowledge are: • Puppet - 5.5 or later • Domain Name System (DNS) - BIND 9 • Dynamic Host Configuration Protocol (DHCP) - Internet Systems Consortium (ISC) DHCP • Lightweight Directory Access Protocol (LDAP) - OpenLDAP • RedHat Kickstart, including all technologies involved: Trivial File Transfer Protocol (TFTP), PXE, PXELinux, etc. • The Apache HTTP Server • The Yellowdog Updater, Modified (YUM) package manager • Rsyslog 8+ • IPTables (Internet Protocol Tables)/Firewalld, basic knowledge of the rules • Auditd, Basic knowledge of how the daemon works • Advanced Intrusion Detection Environment (AIDE), basic knowledge of the rules • Basic X.509-based PKI Key Management SIMP handles as much of the initial setup and management of these tools as possible However, you will need at least some understanding of them in order to tailor a SIMP system to fit the desired environment. You will also need a general understanding of how to control and manipulate these tools from the command line interface (CLI); SIMP does not provide a graphical user interface (GUI). Knowledge of scripting and Ruby programming will also help to further customize a SIMP install but is not required for routine use. Contents: 3 SIMP Documentation 1.1 Quick Start 1.1.1 What is SIMP? The System Integrity Management Platform (SIMP) is an Open Source framework designed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure. Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance to include NIST 800-53, FIPS 140-2, the DISA STIG, and the SCAP Security Guide. By using the Puppet automation stack, SIMP is working toward the concept of a self-healing infrastructure that, when used with a consistent configuration management process, will allow users to have confidence that their systems not only start in compliance but remain in compliance over time. Finally, SIMP has a goal of remaining flexible enough to properly maintain your operational infrastructure. To this end, where possible, the SIMP components are written to allow all security-related capabilities to be easily adjusted to meet the needs of individual applications. 1.1.2 Diving Right In The fastest way to get started with SIMP is to use one of the following two guides: 1. You need an ISO for bare metal or VM installation • Installing SIMP from an ISO 2. You have an existing system • Installing SIMP From A Repository You should then follow the SIMP User Guide to start configuring the system. 1.2 Changelogs This contains all SIMP changelogs for reference. Important: Please read the intermediary changelogs if you are jumping versions during an upgrade! 1.2.1 SIMP 6.0.0-0 Contents • SIMP 6.0.0-0 – Breaking Changes – Significant Updates – Security Announcements – RPM Updates 4 Chapter 1. Level of Knowledge SIMP Documentation – Removed Modules – Fixed Bugs – New Features – Known Bugs This release is known to work with: • RHEL 6.8 x86_64 • RHEL 7.3 x86_64 • CentOS 6.8 x86_64 • CentOS 7.0 1611 x86_64 Breaking Changes Warning: This release of SIMP is NOT backwards compatible with previous releases. Direct updates will not work. At this point, do not expect any of our code moving forward to work with Puppet 3. If you find any issues, please file bugs! Note: If you are working to integrate SIMP into Puppet Enterprise, these are the modules that you need to use since they are Puppet 4 compatible. Breaking Changes Since RC1 Unfortunately, a few items were identified which necessitated additional breaking changes prior to the final release. These are specifically enumerated here to make sure that they are not missed. simp::yum Refactor The simp::yum class was confusing and, as we attempted to install systems via yum, we found out just how bad it was. Fundamentally, most installations of SIMP are going to have their own repos at some unknown location that they want to use. In ISO installations, which we can detect, there will be a local repo and we can set the parameters accordingly via simp config. All of the old parameters have been removed, and to get back to old functionality, all that has to be done is add the following classes to nodes and adjust previous hiera settings to use the new classes: --- classes: -'simp::yum::repo::local_os_updates' -'simp::yum::repo::local_simp' --- 1.2. Changelogs 5 SIMP Documentation RPM Installation If installing from RPM, you will want to take a look at the latest documentation. The most important thing to be aware of is that there is now something called simp-adapter that must be installed with, or before, the simp RPM. If you are using Puppet Enterprise, you’ll want to use the simp-adapter-pe RPM instead. Paths Puppet AIO Paths The system has been updated to use the Puppet AIO paths. Please see the Puppet Location Reference for full details. SIMP Installation Paths For better integration with r10k and Puppet Code Manager, SIMP now installs all materials in /usr/share/simp by default. A script simp_rpm_helper has been added to copy the environment and module data into place at /etc/ puppetlabs/code if configured to do so. On the ISO, this configuration is done by default and will be set to auto-update for all future RPM updates. If you wish to disable this behavior, you should edit the options in /etc/simp/adapter_config.yaml. Note: Anything that is in a Git or Subversion repository in the simp environment will NOT be overwritten by simp_rpm_helper. SIMP Dynamic Content Paths To ensure that SIMP dynamic content (ssh keys, generated passwords) are not mixed with Git-managed infrastructure, the SIMP dynamic content has been moved to simp_autofiles at the top level of the environment. This will be moved down into /var/simp/environments for consistency in the final 6.0.0 release. SIMP Rsync Paths The SIMP Rsync subsystem now fully supports multiple environments. All environment-relevant materials have been moved to /var/simp/environments/simp/rsync. Please copy the contents of that directory if you create another environment. SIMP Partitioning Scheme SIMP no longer creates a /srv partition on EL 6 or 7. /var has assumed the role of /srv. The root partition size has been increased from 4GB to 10GB. 6 Chapter 1. Level of Knowledge SIMP Documentation Significant Updates Root Login via Console Root is no longer allowed to log into clients or the SIMP server by default. SIMP Scenarios and simp_config_settings.yaml We have changed the way that SIMP includes classes. There is a new top-level variable, set in manifests/site. pp that controls the list of classes to be included. The goal of this change is to ease users with existing infrastructures into using full-bore
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages732 Page
-
File Size-