NSA releases Linux-based open source infosec tool (ITNews)

[Posted July 14, 2015 by ris]

ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 14, 2015 20:22 UTC (Tue) by sytoka (guest, #38525) [Link] (5 responses)

Who still believes what the NSA saying?

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 14, 2015 20:47 UTC (Tue) by drag (guest, #31333) [Link] (1 responses)

NSA publishes guidelines for securing Linux systems (mostly Redhat) that are often supposed to be followed when companies contract with the government. The guidelines themselves are not terrible. Some questionable stuff, bust mostly it involves common sense stuff for securing a Linux server.

This sounds like it's just a compliance testing tool so that contractors can help prove to auditors that they are meeting the requirements neccessary for their contracts. Pretty boring stuff here.

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 14, 2015 22:17 UTC (Tue) by sjj (guest, #2020) [Link]

Boring, yes, but stuff that can possibly save your bacon, and your company's. If you document and can show that you've secured your systems to a known public standard AT LEAST, lawsuits or certain HR discussions will be easier.

The NSA docs are decent, if partly aimed at 90's thinking. At a previous job we had a government client and they required us to remove all man pages and docs and run a virus scanner... (their checkbox got checked by a daily clamav cronjob - sigh).

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 15, 2015 0:42 UTC (Wed) by liam (guest, #84133) [Link]

What's to believe, in this case?
Audit the code.

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 15, 2015 12:53 UTC (Wed) by dsommers (subscriber, #55274) [Link]

NSA have done some really ugly and nasty things, yes indeed! And I despise them for doing that. However, NSA is also a large entity which also does good things, including in the Linux world. Many might not agree with me, but I do consider SELinux to be a good feature.

When they now get involved in improving SCAP management through SIMP (if I have understood it correctly), I think that can provide some really good and important tools. But we know what they have done and what they are capable of doing, so their code needs to be carefully reviewed; which is possible now that they open up this code base.

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 18, 2015 4:18 UTC (Sat) by judas_iscariote (guest, #47386) [Link]

That's the good thing..I do not have to believe in anything when I have the source code.

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 14, 2015 21:10 UTC (Tue) by rengolin (guest, #48414) [Link] (1 responses)

Isn't "compliance requirements set by US Defence and intelligence bodies" to allow for back-doors to the NSA?

NSA releases Linux-based open source infosec tool (ITNews)

Posted Jul 14, 2015 21:49 UTC (Tue) by xtifr (guest, #143) [Link]

Maybe. That's certainly what the *FBI* would like. But the NSA may be a little more schizophrenic about it. Their remit includes both intelligence gathering *and* counterintelligence, and, while it may be hard to remember of late, protecting our nation's data from spying is still part of their job. And I suspect there are some within the agency who are actually still smart enough to understand why back doors of any sort are inherently incompatible with that goal.

In any case, while I might be hesitant to use this to protect my *own* secrets, at least until it's been *thoroughly* audited and vetted by independent experts, if I were a government contractor, I'd have no hesitation to use this to protect the *government's* secrets! [evil_grin]