2. SIMP 4.3.1¶
This release is known to work with:
- RHEL 6.8 x86_64
- CentOS 6.8 x86_64
This update is backwards-compatible for the SIMP 4.3 releases.
2.1. SIMP 6 is Coming¶
Due to Puppet 3.X going EOL in December of 2016, the SIMP stack will be releasing SIMP 6 as the next major release. Among major changes:
- SIMP 6 will use Puppet 4, which is distributed as a single RPM by the Puppet all-in-one (AIO) installer.
- Starting with 6.0.0, the SIMP numbering scheme will follow Semantic Versioning 2.0.0.
- 6.0.0 will support all operating systems under that single numbering scheme henceforth.
2.2. Manual Changes Required for Pre-4.2.1 Upgrades¶
Note
This only affects you if you did not have a separate partition for /tmp!
- There were issues in the secure_mountpoints class that caused /tmp and /var/tmp to be bind-mounted against the root filesystem. The new code addresses this, but it cannot determine whether your system was modified incorrectly in the past.
- To fix the issue, you need to do the following:
  - Unmount /var/tmp (may take multiple unmounts, as the bind mounts can be stacked)
  - Unmount /tmp (may take multiple unmounts)
  - Remove the bind entries for /tmp and /var/tmp from /etc/fstab
  - Run puppet with the new code in place
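The four steps above, as an added shell example that is not part of SIMP or the secure_mountpoints module. It assumes a root shell on an EL6 host with mountpoint(1) and a Puppet agent present; the function and backup file names are this example's own.

```shell
#!/bin/sh
# Added example, not SIMP's own code: scripted form of the manual fix above.
# Peels off the stacked bind mounts of /var/tmp and /tmp left behind by older
# secure_mountpoints code, removes the bind entries from /etc/fstab, and then
# runs the agent so the corrected class lays the mounts down again.
# Assumes a root shell on an EL6 host with mountpoint(1) and a Puppet agent.
set -u

# unmount_stacked <mountpoint>: umount repeatedly until nothing is mounted
# there. Each umount removes one layer, which is why a single umount was
# not enough on affected systems.
unmount_stacked() {
    mp="$1"; n=0
    while mountpoint -q "$mp"; do
        umount "$mp" || { echo "umount $mp failed after $n unmount(s)" >&2; return 1; }
        n=$((n + 1))
    done
    echo "$mp: removed $n stacked mount(s)"
}

# strip_tmp_bind_entries <fstab>: print the fstab without the bind entries for
# /tmp and /var/tmp. Only lines whose mount point is exactly /tmp or /var/tmp
# AND whose options contain bind/rbind are dropped, so a real /tmp partition
# (a device mounted with nodev,noexec,nosuid) is kept.
strip_tmp_bind_entries() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        ($2 == "/tmp" || $2 == "/var/tmp") && $4 ~ /(^|,)r?bind(,|$)/ { next }
        { print }
    ' "$1"
}

# Only act when explicitly asked and running as root; otherwise the file just
# defines the functions.
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    # Same order as the manual steps: /var/tmp, then /tmp.
    unmount_stacked /var/tmp && unmount_stacked /tmp || exit 1
    cp -p /etc/fstab "/etc/fstab.bak.$(date +%Y%m%d%H%M%S)"
    strip_tmp_bind_entries /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
    # The corrected secure_mountpoints class recreates the mounts.
    puppet agent --test
fi
```

Run it as `sh fix_tmp_mounts.sh apply` once, after the new module code is on the master; review the printed unmount counts and the fstab backup before the Puppet run if you want to see what was changed.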
2.2.1. SSSD¶
Warning
SSSD enforces password strength at login time! This means that if you have old passwords that do not meet the host's current password policy, you will not be able to authenticate with those passwords.
2.3. Deprecations¶
- The simp-sysctl module will be deprecated in the 6.0.0 release of SIMP. Current users should migrate to the augeasproviders_sysctl module provided with SIMP going forward.
2.4. Breaking Changes¶
- There were no breaking changes in this release.
2.6. Upgrade Guidance¶
Detailed upgrade guidance can be found in the HOWTO Upgrade SIMP portion of the SIMP User Guide.
Warning
You must have at least 2.2GB of free RAM on your system to upgrade to this release.
Note
Upgrading from releases older than 4.0 is not supported.
2.7. Security Announcements¶
2.7.1. CVEs Addressed¶
- CVE-2016-5195 (Dirty COW): a privilege escalation vulnerability in the Linux kernel, a race condition in the copy-on-write handling of private memory mappings. This release ships the pupmod-simp-dirtycow module, which only reports whether a system is affected; the fixed kernel must still be installed from your OS vendor and the system rebooted into it.
2.8. RPM Updates¶
Package | Old Version | New Version |
---|---|---|
pupmod-elasticsearch-logstash | 0.6.4-2016 | 0.6.5-2016 |
pupmod-simp-acpid | 0.0.2-2016 | 0.0.3-2016 |
pupmod-simp-activemq | 3.0.0-2016 | 3.0.1-2016 |
pupmod-simp-aide | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-apache | 4.1.5-2016 | 4.1.7-2016 |
pupmod-simp-auditd | 5.0.4-2016 | 5.1.1-2016 |
pupmod-simp-autofs | 4.1.2-2016 | 4.1.4-2016 |
pupmod-simp-clamav | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-compliance_markup | 1.0.0-0 | 1.0.2-2016 |
pupmod-simp-dhcp | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-dirtycow | N/A | 1.0.1-2016 |
pupmod-simp-foreman | 0.2.0-2016 | 0.2.2-2016 |
pupmod-simp-freeradius | 5.0.2-2016 | 5.0.3-2016 |
pupmod-simp-ganglia | 5.0.0-2016 | 5.0.1-2016 |
pupmod-simp-haveged | 0.3.1-2016 | 0.3.2-2016 |
pupmod-simp-iptables | 4.1.4-2016 | 4.1.5-2016 |
pupmod-simp-jenkins | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-krb5 | 5.0.6-2016 | 5.0.8-2016 |
pupmod-simp-libvirt | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-logrotate | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-mcafee | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-mcollective | 2.3.2-2016 | 2.4.0-2016 |
pupmod-simp-mozilla | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-named | 4.3.1-2016 | 4.3.3-2016 |
pupmod-simp-network | 4.1.1-2016 | 4.1.3-2016 |
pupmod-simp-nfs | 4.5.2-2016 | 4.5.3-2016 |
pupmod-simp-nscd | 5.0.1-2016 | 5.0.2-2016 |
pupmod-simp-ntpd | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-oddjob | 1.0.0-2016 | 1.0.1-2016 |
pupmod-simp-openldap | 4.1.8-2016 | 4.1.9-2016 |
pupmod-simp-openscap | 4.2.1-2016 | 4.2.2-2016 |
pupmod-simp-pam | 4.2.5-2016 | 4.2.6-2016 |
pupmod-simp-pki | 4.2.3-2016 | 4.2.5-2016 |
pupmod-simp-polkit | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-postfix | 4.1.3-2016 | 4.1.5-2016 |
pupmod-simp-postgresql | 4.1.0-2016 | 4.1.2-2016 |
pupmod-simp-pupmod | 6.0.5-2016 | 6.0.9-2016 |
pupmod-simp-rsync | 4.2.2-2016 | 4.2.3-2016 |
pupmod-simp-rsyslog | 5.1.0-2016 | 5.1.2-2016 |
pupmod-simp-selinux | 1.0.3-2016 | 1.0.4-2016 |
pupmod-simp-simp | 1.2.7-2016 | 1.2.10-2016 |
pupmod-simp-simp_elasticsearch | 3.0.1-2016 | 3.0.3-2016 |
pupmod-simp-simp_grafana | 0.1.0-2016 | 0.1.1-2016 |
pupmod-simp-simpcat | 5.0.1-2016 | 5.0.2-2016 |
pupmod-simp-simplib | 1.3.1-2016 | 1.3.4-2016 |
pupmod-simp-site | 2.0.1-2016 | 2.0.2-2016 |
pupmod-simp-snmpd | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-ssh | 4.1.10-2016 | 4.1.13-2016 |
pupmod-simp-sssd | 4.1.3-2016 | 4.1.4-2016 |
pupmod-simp-stunnel | 4.2.7-2016 | 4.2.9-2016 |
pupmod-simp-sudo | 4.1.2-2016 | 4.1.3-2016 |
pupmod-simp-sudosh | 4.1.1-2016 | 4.1.2-2016 |
pupmod-simp-svckill | 1.1.3-2016 | 1.1.4-2016 |
pupmod-simp-sysctl | 4.2.0-2016 | 4.2.1-2016 |
pupmod-simp-tcpwrappers | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-tftpboot | 4.1.2-2016 | 4.1.3-2016 |
pupmod-simp-tpm | 0.1.0-2016 | 0.2.0-2016 |
pupmod-simp-upstart | 4.1.2-2016 | 4.1.3-2016 |
pupmod-simp-vnc | 4.1.0-2016 | 4.1.1-2016 |
pupmod-simp-vsftpd | 5.0.4-2016 | 5.0.7-2016 |
pupmod-simp-windowmanager | 4.1.2-2016 | 4.1.3-2016 |
pupmod-simp-xinetd | 2.1.0-2016 | 2.1.1-2016 |
pupmod-simp-xwindows | 4.1.1-2016 | 4.1.2-2016 |
scap-security-guide | 0.1.21-3 | 0.1.28-2 |
simp | 4.3.0-0 | 4.3.1-0 |
simp-bootstrap | 4.3.2-0 | 4.3.4-0 |
simp-doc | 4.3.0-0 | N/A |
simp-utils | 4.1.1-1 | 4.1.1-2 |
2.10. Fixed Bugs¶
2.10.1. pupmod-simp-auditd¶
- Updated to use a specific configuration parameter instead of the presence of configured syslog servers to determine whether or not to enable log forwarding
2.10.2. pupmod-simp-autofs¶
- Updated the ::autofs::map::entry and ::autofs::map::master code to work safely with the simpcat module, and properly ensured that the autofs service is restarted when the content of one of the map files changes.
2.10.3. pupmod-simp-ganglia¶
- Fixed an invalid concat dependency for the $auth_user_file
2.10.5. pupmod-simp-network¶
- Updated to fix issues with Puppet 4
2.10.6. pupmod-simp-nfs¶
- Changed the permissions on /etc/exports to 644, which was validated to meet existing security requirements
- Vagrant was dying if it could not read this file as a regular user
2.10.7. pupmod-simp-openldap¶
- Multiple URIs in Hiera entries were not written into ldap.conf
- The DEREF configuration value in ldap.conf was not populated correctly
2.10.8. pupmod-simp-pupmod¶
- Properly redirect STDERR in puppetagent_cron.erb
- Fully expanded the pupmod::ssldir parameter so that $vardir no longer causes issues when it shows up in an auditd configuration file
- Corrected an issue where the gem-home parameter in puppetserver.conf was malformed
2.10.9. pupmod-simp-rsyslog¶
- Enabled forwarding of journald messages to syslog, since EL 7.2 disabled this by default
- Fixed an issue where rules that were no longer managed by the module were not correctly purged
2.10.10. pupmod-simp-simp¶
- Ensure that the netlabel_tools package is installed for the netlabel service
- Added the Elasticsearch and Grafana GPG keys to the YUM configuration
2.10.11. pupmod-simp-simplib¶
2.10.12. simp-bootstrap¶
- Changed an incorrect entry in our hiera.yaml file from trusted['clientcert'] to trusted['certname']. The $trusted hash exposes the verified certificate name under the certname key and has no clientcert key, so the old hierarchy level interpolated to an empty string and never matched a node.
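As an added illustration, not SIMP's shipped hiera.yaml and with assumed paths, here is a Hiera 3 hierarchy keyed on the server-verified certificate name, with the buggy key and the unsafe fact-based alternative shown commented out so the difference is visible side by side:

```yaml
---
# Added example, not SIMP's own configuration. Datadir and level names are
# assumptions for illustration.
:backends:
  - yaml
:hierarchy:
  # Good: %{trusted.certname} is the CN of the client certificate the Puppet
  # master verified during the TLS handshake; the agent cannot change it.
  - "hosts/%{trusted.certname}"
  # Unsafe (do not use): %{::fqdn} and %{::clientcert} are ordinary facts the
  # agent reports about itself, so a compromised node could claim another
  # host's name and receive that host's hieradata (passwords, keys, ...).
  # - "hosts/%{::fqdn}"
  # Wrong (the bug fixed above): there is no trusted.clientcert key, so this
  # level expands to "hosts/" and never matches anything.
  # - "hosts/%{trusted.clientcert}"
  - default
:yaml:
  :datadir: /etc/puppet/environments/%{environment}/hieradata
```

On Puppet 3 the $trusted hash is only populated when trusted_node_data = true is set in the master's puppet.conf (it is always on in Puppet 4); without it every trusted.* level silently expands to an empty string, which is the same failure mode as the typo above.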
2.10.13. simp-cli¶
- Ensure that STDERR is properly discarded during shell redirects
2.10.14. simp-core¶
- Ensured that unpack_dvd and migrate_to_environments properly squashed STDERR
- Corrected the pupmod-simp-mcollective version that was being built
2.10.16. DVD¶
- Removed the first call to fips=1 from the kickstart file, since it was causing issues with some systems
2.11. New Features¶
2.11.1. pupmod-simp-auditd¶
- Added the syslog priority and facility options to auditd::config::audisp::syslog
2.11.2. pupmod-simp-dirtycow¶
- Adds a notification message if your system is affected by the Dirty COW CVE
- Will not attempt to automatically upgrade your kernel!
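For the CVE listed under Security Announcements and the notification-only behaviour of pupmod-simp-dirtycow described here, the following is an added shell example that is not part of SIMP or the module. It assumes an EL6/EL7 host whose vendor records CVE identifiers in the kernel package's %changelog (Red Hat and CentOS do), and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of SIMP or pupmod-simp-dirtycow: classify a host's
# CVE-2016-5195 (Dirty COW) exposure. Instead of comparing kernel version
# strings against a table (which breaks on z-stream and EUS backports), it
# asks rpm whether the vendor's fix is recorded in the %changelog of the
# kernel package, and checks the *running* kernel separately from the newest
# installed one, because a fixed kernel that was installed but never booted
# leaves the host exploitable.
# Assumes an EL6/EL7 host where the vendor lists CVE ids in the changelog.
set -u

CVE='CVE-2016-5195'

# changelog_fixes_cve <cve>: succeed if the changelog text on stdin mentions it.
changelog_fixes_cve() {
    grep -q -- "$1"
}

# classify <running_fixed 0|1> <newest_installed_fixed 0|1>
# Pure function so the decision logic can be exercised without rpm.
classify() {
    case "$1$2" in
        1*) echo fixed ;;                 # the running kernel carries the fix
        01) echo patched-needs-reboot ;;  # fixed kernel installed, not booted
        *)  echo vulnerable ;;            # no installed kernel carries the fix
    esac
}

# Live check. kernel-$(uname -r) is the exact NVRA of the running kernel
# package; `rpm -q --last kernel` lists the most recently installed first.
dirtycow_status() {
    running="kernel-$(uname -r)"
    newest=$(rpm -q --last kernel | head -n 1 | awk '{print $1}')
    r=0; n=0
    rpm -q --changelog "$running" 2>/dev/null | changelog_fixes_cve "$CVE" && r=1
    rpm -q --changelog "$newest"  2>/dev/null | changelog_fixes_cve "$CVE" && n=1
    classify "$r" "$n"
}

# Run only when explicitly asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = check ]; then
    dirtycow_status
fi
```

A result of patched-needs-reboot is the case the module's notification cannot distinguish from a fully fixed host, and it is the one most often missed after a `yum update`; treat it as vulnerable until the host has been rebooted into the new kernel.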
2.11.3. pupmod-simp-simplib¶
- Added a puppet_settings fact that returns a Hash of all settings on the Puppet client system
2.11.4. pupmod-simp-tpm¶
2.11.5. simp-bootstrap¶
- Mapped NIST 800-171 and ISO/IEC 27001 into the SIMP compliance_map baseline
2.11.6. simp-doc¶
- Added TPM management documentation
- Updated the ELG stack documentation
- Another set of usability updates to the documentation, mostly around building the system from scratch
2.12. Known Bugs¶
- If you are running libvirtd, svckill will always attempt to kill dnsmasq when it runs, unless you are deliberately running the dnsmasq service. This does not actually kill the service; it is an error in the startup script and causes no damage to your system.