Puppet Labs is happy to welcome the newest member to the Puppet Labs community: the National Security Agency (NSA). The NSA has made System Integrity Management Platform (SIMP), a collection of tools built on Puppet Labs technologies, available to the open source community. The goal of this framework is to help users automatically enforce compliance with various Security Content Automation Program (SCAP) profiles through the consistent configuration of core infrastructure components such as PAM, SSH, iptables, and much more. These modules allow policies to be flexible, while making policy exceptions clear and auditable.
By releasing these modules for Puppet, they’re able to share this code with the largest open source community built around infrastructure as code. More than 25,000 organizations around the world use Puppet, and there are 3,200+ existing modules on the Puppet Forge.
We see Puppet as a natural fit for the NSA’s complex infrastructure. The Puppet resource graph understands every configuration on each system, each configuration's desired state, and the dependencies between configurations. Compliance policies, such as STIGs, can be documented in easy-to-read Puppet code, and then Puppet enforces these policies, automatically and immediately remediating where necessary. Confidence that systems are are in the desired, compliant state is assured, bolstered by Puppet immediately reporting when a remediation took place.
When infrastructure as code is declarative, like Puppet, an organization can focus completely on what it means to be compliant, rather than on the steps necessary to get to the compliant state. Puppet’s declarative and idempotent nature means Puppet will not only initially assure compliant configurations, but also continuously enforce them over time.
Puppet’s resource graph provides unique capabilities. Since a system’s configuration is expressed in its entirety using the resource graph, Puppet disallows the same configuration to be managed more than one way. This eliminates the possibility of a non-compliant state overriding a compliant one during configuration enforcement.
Each module manages an infrastructure component such as upstart, PAM, vsftpd, etc., and each module was designed to be authoritative, meaning other modules shouldn’t be used to manage the same infrastructure component. As you try the SIMP modules, ensure they work with your existing Puppet modules, Hiera data, and classification rules.
We're excited by the the responsible contribution from the NSA in developing and releasing these modules. Now, they can be used by other organizations that have similar challenges, so operations teams don't have to spend precious time trying to solve the same problem themselves. That's the power and beauty of open source software.
While Puppet Labs wasn’t involved in the development in these modules, in the coming days and weeks we’ll work to make sure they work for all of our customers and match our high quality and usability standards.