2.7. SIMP Community Edition (CE) 6.2.0-0
Contents
This release is known to work with:
RHEL 6.9 x86_64
RHEL 7.4 x86_64
CentOS 6.9 x86_64
CentOS 7.0 1708 x86_64
Note
SIMP CE is expected to migrate to Puppet 5 on, or before, October 30 2018. We have not noticed any issues with the latest versions of Puppet 5 but it is taking time to get all of our tests updated to work with Puppet 5 for full coverage.
At this point, all vendor support for Puppet 4 will be discontinued as will SIMP CE support for Puppet prior to 4.10.4.
SIMP CE will no longer provide any support for Puppet 4 after June 30 2019.
2.7.1. Breaking Changes
Warning
This release of SIMP CE is NOT backwards compatible with the 4.X and 5.X releases. Direct upgrades will not work!
At this point, do not expect any of our code moving forward to work with Puppet 3.
If you find any issues, please file bugs!
2.7.2. Significant Updates
Warning
Due to various issues with earlier releases of Puppet, SIMP CE will now be shipping with, and supporting, puppet 4.10.4+.
It is strongly recommended that users upgrade their system as soon as they are able.
Note
SIMP will begin supporting Hiera v5 out of the box as of SIMP 6.3. This is mainly to facilitate compliance enforcement in the infrastructure since various versions of Puppet 4 do not work properly with Hiera v3 and enforcement.
No changes will be made to existing configurations but compliance
enforcement from the compliance_markup
module will not work until an
upgrade to Hiera v5 is complete.
UEFI systems should now be fully supported. Please note that you may need to adjust your
tftpboot
settings to handle your specific UEFI system since they are not as universal as the legacy BIOS entries.Many module updates simply added support for Puppet 5 and Oracle Enterprise Linux. These changes will not be listed individually below.
Likewise, many modules were updated simply to improve tests. These improvements will also not be noted below.
The
simp_gitlab
module no longer supports EL6. This is due to integration issues with GitLab that cannot be readily fixed by the module maintenance team, alone. The EL community had shown no interest in fixing minor issues with EL6 in the GitLab platform.
2.7.3. Security Announcements
2.7.4. RPM Updates
Added the
toml
rubygem as an RPM for use with theelasticsearch
modules.Updated to the latest
5.X
release of Elasticsearch and LogstashUpdated the ClamAV packages to 0.100.0-2
Removed clamav-data-empty which is no longer used
2.7.5. Removed Modules
2.7.5.1. pupmod-simp-mcollective and pupmod-simp-activemq
Puppetlabs no longer supports MCollective, so SIMP has removed the
pupmod-simp-mcollective
andpupmod-simp-activemq
modules that support MCollective.
2.7.5.2. pupmod-simp-jenkins
The
jenkins
module has not been updated in quite some time and it is unknown if it works with current versions of Jenkins since the team has moved to GitLab CI.
2.7.5.3. pupmod-simp-mcafee
This module has not been updated and probably does not work with the latest McAfee products so it has been removed from the distribution.
2.7.5.4. pupmod-puppetlabs-java_ks
This RPM has been removed, as it is no longer a dependency of any SIMP modules.
2.7.6. Security Updates
The PKI certificates in
/etc/pki/simp_apps
are now purged by default so that unmanaged certificates are not available if the system is repurposed.
2.7.7. Fixed Bugs
2.7.7.1. pupmod-simp-aide
Added /etc/logrotate.simp.d to default rules.
Ensure that the
package
install comes before dependentexec
statements.Allow the
cron
command to be customized.
2.7.7.2. pupmod-simp-compliance_markup
Fixed several incorrectly typed parameters
Consolidated several duplicate entries
Added missing
IPT:
message start tosimp_rsyslog::default_logs
Synchronized CentOS and RHEL STIG settings
2.7.7.3. pupmod-simp-incron
Fixed the permissions on the
incrond
service insystemd
to remove logged errors.Matched RPM permissions based on STIG requirements.
2.7.7.4. pupmod-simp-iptables
Updated to match the
ignore
parameter on input and output interfacesFixed
scanblock
rule ordering to properly ban all hosts that are blocked by the rules.Fixed some issues in the chain retention and optimization code that would cause
iptables
to fail to reload in some cases.Fixed compilation failures if
proto
was specified in thedefaults
section of the options Hash.Fixed an issue where a
jump
target went to an empty ruleset and the chain was dropped.Retained all native IPTables
jump
points by default.Added a deep rule comparison on rulesets that are identical based on simple checks.
Remediated potential memory leaks.
Fixed ordering issues when used with
firewalld
.Matched RPM permissions based on STIG requirements.
2.7.7.5. pupmod-simp-libvirt
Ensure idempotency by working around the fact that the modprobe changes - to _.
2.7.7.6. pupmod-simp-named
Properly override the
systemd
service file fornamed-chroot
instead of modifying the vendor provided service file.
2.7.7.7. pupmod-simp-ntpd
Fixed a bug where
ntpd::ntpd_options
was not applied tontpd::servers
whenntpd::servers
is anArray
2.7.7.8. pupmod-simp-pam
Change the minimum allowed UID to the one defined in
/etc/login.defs
by default, or1000
if nothing else is defined.Replace the removal of
authconfig
andauthconfig-tui
with the use of aauthconfig
no-op script, so that tools usingauthconfig
do not break.
2.7.7.9. pupmod-simp-postfix
Added changes to support the settings required by the STIGs.
Match the RPM supplied file permissions are required by the STIG.
2.7.7.10. pupmod-simp-pupmod
Allow modification of the
allow
anddeny
rules for supportedkeydist
auth rules.Removed obsolete
mcollective
auth rules.Changed
$pki_cacerts_all
’s auth rule from*
tocertname
.Modified the default
max_active_instances
configuration to be safer by default.Make the Puppet Server service name dynamic to work properly with both PE and FOSS Puppet.
Properly disable the
puppet
service if running in cron mode. This was not disabled before and could contribute to a “thundering herd” issue.Fixed the Java
tmpdir
path for thepuppetserver
which allows runs on systems that have been pre-hardened.
2.7.7.11. pupmod-simp-rsync
Force
concat
ordering to benumeric
due to a bug inpuppetlabs-concat
that reverses the order from the native type provided by the same module.
2.7.7.12. pupmod-simp-rsyslog
Use double quotes to allow evaluation of line returns in strings.
Added a
systemd
service override that fixes an ordering problem with older versions ofrsyslog
.Fixed bug that did not allow a TLS encrypted server to be configured to forward to a follow-on unencrypted rsyslog server.
Fixed a bug where removing
rsyslog::rule
statements from the catalog would not cause thersyslog
service to restart.Clarified documentation around adding files to
/etc/rsyslog.d
.
2.7.7.13. pupmod-simp-selinux
$selinux::ensure
now defaults toenforcing
and it used across the board instead of$simp_options::selinux
which never behaved as designed.
2.7.7.14. pupmod-simp-simp
Fixed a bug where if the
puppet_settings
fact did not exist, users in theadministrators
group couldrm -rf
any path.Fixed the certificate cleaning
sudo
rule to point to$facts['puppet_settings']['main']['ssldir']
.Ensure that
prelink
is fully disabled when the system is inFIPS
mode since the two are incompatible.Defined a
portreserve
service so that there would no longer be any service restart flapping.Fixed the permissions on the
ctrl-alt-del-capture
service file so that warnings would no longer be logged.Replace the deprecated
runpuppet
script with client Puppet bootstrap scripts which will not be inappropriately killed bysystemd
, when executed in highly-loaded environments. These scripts allow thesystemd
timeout to be specified and provide better error handling and logging.On systems with
systemd
, set the host name in client Puppet bootstrap scripts, to prevent issues that can arise when adhcp
lease expires. Not setting the hostname could cause the generated Puppet configuration for the client to uselocalhost
as the client’s hostname.Ensure that running on unsupported operating systems is completely safe.
No longer deviate from vendor RPM default permissions per the STIG.
Changed the permissions of
rc.local
to750
.Removed the explicit setting of the
host_list
on allsudo::user_specification
resources to let the updated module defaults handle settinghost_list
appropriately.
2.7.7.15. pupmod-simp-simp_apache
Fix the ownership of the configuration files to use the
owner
variable instead of thegroup
variable for user ownership.
2.7.7.16. pupmod-simp-simp_elasticsearch
Add a missing
simp/pam
module dependency.
2.7.7.17. pupmod-simp-simp_gitlab
Fixed the git
authorized_keys
lock problem.Dropped all support for CentOS 6 due to issues that kept cropping up during integration and the overall lack of support from EL upstream to fix minor bugs.
Automatically opt-out of the GitLab data collection service in accordance with NIST 800-53r4 AC-20(1) and SC-38.
2.7.7.18. pupmod-simp-simp_nfs
Ensure that users can fully disable
autofs
if they choose to.Fixed
systemd
dependencies.
2.7.7.19. pupmod-simp-simplib
Fixed the
puppet_settings
fact so that the different sections are appropriately filled out. If not updated, this has been shown to cause thepuppetserver
process to be unable to restart on package update.Fixed
runlevel
enforcement so that it activates properly when called. Previously, no action would be taken on the running system.Added logic to prevent respawn of systemctl isolate if already in progress.
Added a configurable timeout for changing runlevels based on issues discovered in the field with systemctl.
Fixed bugs in the EL6 runlevel persistence where, in some cases, the runlevel line might not be added to /etc/inittab.
2.7.7.20. pupmod-simp-stunnel
Fixed the
stunnel
startup scripts to ensure that they will always execute.Only display errors when errors occur during startup.
Removed the
init.d
script onsystemd
systems.Ensure that the
stunnel
service name is set correctly in all instances, so thattcpwrappers
functions properly.
2.7.7.21. pupmod-simp-svckill
Add simp_client_bootstrap service to the ignore list; otherwise, svckill will kill the bootstrap process of SIMP clients.
2.7.7.22. pupmod-simp-vnc
Fixed issues with the
xinetd
spawnedVNC
sessions where'IPv4
needed to be set as a flag and the banner needed to be eliminated from the connection.
2.7.7.23. simp-cli
Move to the updated OS facts for less fragility.
Update several messages to be more clear to the user.
Fix setting GRUB passwords on EL6.
Fix ownership and permission issues on created files.
Validate all puppet code present prior to bootstrapping.
Fixed various logging issues.
Improved validation and error handling.
Fix
simp passgen
processing of all password files and improved password generation.Properly detect Puppet Enterprise on a system and avoid conflicting operations.
Fixed some tests that were not safe to run on real operating systems.
2.7.7.24. simp-core
Enabled GPG checking for the ISO-configured local filesystem repository by default
Fixed errors in the
kickstart
scriptletsImproved detection of SSD devices using the
diskdetect.sh
scriptRemoved obsolete
simp-big
andsimp-big-disk-crypt
kickstart options in EL7No longer install
prelink
at kickstart timeFixed EFI support on the ISO releases
Removed EL7 references to function keys which no longer are honored
Fixed the boot directory when
fips
is enabled on the ISO
2.7.7.25. simp-doc
Remove OBE MCollective references
Fixed issues in the sample
tftpboot
puppet codeFixed several broken links
Made the installation guide more user friendly by rearranging the content
2.7.7.26. simp-environment
Added the
dist
macro to the package namePre-populate
/var/simp/environments/simp/site_files/pki_files
and set the permissions appropriately. This fixes the failure ofsimp bootstrap
on systems where theroot
user’sumask
has already been set to077
.FakeCA config files were marked as such in the RPM so that they will not be overwritten on RPM upgrade.
Fixed a bug where the
cacertkey
file was not being generated in the correct location at install time.Removed
simp_options::selinux
from the scenario hieradata.Force a run of
fixfiles
in the%post
section ofsimp-environment
.
2.7.7.27. simp-rsync
Fully support UEFI booting.
2.7.8. New Features
2.7.8.1. pupmod-simp-compliance_markup
More closely aligned with the latest SSG STIG content.
2.7.8.2. pupmod-simp-dconf
Added a module for managing
dconf
settings.
2.7.8.3. pupmod-simp-incron
Allow users to define entries for
incron
system tables from Hiera.Added a native type
incron_system_table
to allow for client side path glob expansion.
2.7.8.4. pupmod-simp-libvirt
Use
kmod::load
instead of a Ruby script to load the kernel moduleAdded a
libvirt_br_netfilter_loaded
fact to determine if thebr_netfilter
kernel module is loaded
2.7.8.5. pupmod-simp-logrotate
Moved SIMP-specific logrotate rules to a SIMP-managed configuration directory,
/etc/logrotate.simp.d
, and ensuredlogrotate
processes that directory first. This ensures that SIMP rules take priority, when duplicate rules are specified (e.g., OS and SIMP rules for/var/log/boot.log
).
2.7.8.6. pupmod-simp-nfs
Change all
stunnel
connections to usestunnel::instance
to that they are not interrupted due to issues with the globalstunnel
configuration.Added the ability to tweak
stunnel
parameters for all NFS connections.Ensure that all
stunnel
services used with NFS are now dependencies of the remote filesystem servers actually being active.Added the ability to set
nfs::client::mount::autodetect_remote
to override all autodetection of whether or not the remote system is the local NFS server.Added
nfs::client::mount::stunnel
to allow users to dictate thestunnel
state for individual connections.
2.7.8.7. pupmod-simp-ntpd
Added optional management of the
/etc/ntp/step-tickers
file.Added a
$package_ensure
parameter to control thentp
package version.Added management of
/etc/sysconfig/ntpdate
2.7.8.8. pupmod-simp-openldap
Ensure that
concat
resource ordering is set innumeric
order.
2.7.8.9. pupmod-simp-openscap
Added an
oscap
fact to collect the following: * OpenSCAP Version * OpenSCAP Supported Specifications * OpenSCAP Profiles from/usr/share/xml/scap/*/content/*-ds.xml
2.7.8.10. pupmod-simp-pam
Added the ability to set
unlock_time
tonever
forpam_faillock.so
.Set the default
cracklib_maxclassrepeat
to3
.Allow users to change the password hashing algorithm.
Allow users to toggle password enforcement for the
root
user.
2.7.8.11. pupmod-simp-pki
Purge
/etc/pki/simp_apps
by default to clean up old certificates and allow users to move this directory target.Added a new
$pki::certname
parameter that controls the name of the certificates inkeydist
that will be copied to the client. This is, by default, set to$trusted['certname']
but can be changed so that users can pull other certificates by default.Changed the CA certificate source to be a
String
so thatNSS
databases orhttps
endpoints can be specified.
2.7.8.12. pupmod-simp-pupmod
Added
pupmod::master::generate_types
which addsincron
hooks that will automatically runpuppet generate types
on your server when environments or native types are updated in any environment.
2.7.8.13. pupmod-simp-resolv
Prevent invalid
resolv.conf
files from being written.
2.7.8.14. pupmod-simp-simp
Remove
prelink
if it is not enabled.Added support for connecting to
IPA
servers.Removed
simp::mcollective
class due to global deprecation.Removed group management for the
root
user based on feedback.Set the ownership and permissions of
/etc/puppet/puppetdb.conf
so that systems that already have theroot
umask
set to077
work properly.Added a
simp::netconsole
class to allow users to configure thenetconsole
kernel parameter for boot time logging.Split out the
runpuppet
logic into abootstrap_simp_client
script to be separate from the startup scripts and work around issues withsystemd
timeouts.Added an exponential backoff to the
bootstrap_simp_client
script to handle cases where a lot of servers are being built at the same time.Added Microsoft Windows support to the module that changes where the
simp.version
file is placed on that platform.
2.7.8.15. pupmod-simp-simp_docker
Multiple minor updates mostly surrounding the updates to
simp/iptables
to make it better work withdocker
.
2.7.8.16. pupmod-simp-simp_gitlab
Added support for the new GitLab 10+ LDAP options, specifically for TLS.
2.7.8.17. pupmod-simp-simp_grafana
Added documentation regarding
rubygem-puppetserver-toml
for use with thesimp_grafana
module.
2.7.8.18. pupmod-simp-simp_ipa
Initial release of a module for managing
IPA
connectivity settings.Does not currently manage
IPA
server installation.
2.7.8.19. pupmod-simp-simp_nfs
Added the ability to force mounts to point to a remote host.
2.7.8.20. pupmod-simp-simp_openldap
Allow users to set the
users
andadministrators
GID
values in thedefault.ldif
file.Use concat numeric ordering to allow placement of new modifications in a predictable and reliable order.
2.7.8.21. pupmod-simp-simp_options
Added
simp_options::uid
andsimp_options::gid
since several modules required a consistent parameter set for enforcing these items globally.Removed
$simp_options::selinux
since it never worked as designed and was not required by more than one module. This is not considered a breaking change since it effectively never had any effect on the system anyway.
2.7.8.22. pupmod-simp-simplib
Added a
Simplib::Domain
data type that validates DNS domains against theTLD
restrictions from RFC 3968, Section 2.Added a
login_defs
custom fact that returns a structured fact for the entire contents of/etc/login.defs
Added an
ipa
fact that returns information about connectivity to anIPA
server.Added a
prelink
fact to determine whether or notprelink
is installed on the system.Updated the
simplib::ldap::domain_to_dn
function to allow users to decide whether or not they want to upcase the returned LDAP attribute strings.Added a
simplib::reboot_notify
class to allow users to easily toggle globalreboot_notify
settings.Improved
reboot_notify
error handling.Allow users to set the log level on
reboot_notify
.Added a
Simplib::PuppetLogLevel
data type.Updated
init_ulimit
to allow it to work properly withpuppet generate types
.Added a
simplib::hash_to_opts
function which turns aHash
into aString
that mirrors a usual shell command.Added a
simplib::install
defined type that allows package management based on a suppliedHash
.Added a
simplib::module_exist
function to detect the existence of a module.Ensure that
systemctl
is never spawned more than once when attempting to change the systemrunlevel
.Fixed an issue in EL6
runlevel
persistence where the line may not be written to/etc/inittab
.
2.7.8.23. pupmod-simp-ssh
Ensure that
GSSAPIAuthentication
is disabled if the host is on anIPA
domain.Moved all management of the
/etc/ssh/ssh_config
file to use thessh_config
augeasprovider. Management of all SSH configuration files is now done consistently.Removed the no longer required
sshd.aug
augeas lens.Added parameter management to the
sshd_config
to align with the STIG requirements.Default to not configure RhostsRSAAuthentication in sshd_config for versions of openssh that no longer allow that option.
2.7.8.24. pupmod-simp-sssd
Updated to use the
login_defs
fact to determine the defaultuid_min
anduid_max
values.Added a defined type for connecting to an
IPA
server.Added tests for connecting to Active Directory and updated the configuration settings appropriately.
Allow passing
ldap_tls_cacert
to thesssd::provider::ldap
defined type.Align
sssd
permissions with the RPM defaults.
2.7.8.25. pupmod-simp-stunnel
Isolated the
instance
logic away from the globalconnection
logic completely.Added a native type that cleans up all instances that may have been abandoned by
stunnel::instance
.Added parameters to allow controlling
systemd
requirement chains.
2.7.8.26. pupmod-simp-sudo
Added both the short
hostname
and longfqdn
to the user access control by default.Update user_specification define to not accept an empty hostlist.
2.7.8.27. pupmod-simp-tftpboot
Added support for UEFI PXEboot
Moved the
tftpboot
root directory from/tftpboot
to/var/lib/tftpboot
to match the expectations of SELinux and the STIG.Added a
tftpboot::tftpboot_root_dir
parameter to all users to override the root directory location.
2.7.8.28. pupmod-simp-tpm
Moved the policy
systemd
unit files to/etc/systemd
Ensure that the
IMA
service only starts on reboot instead of during a puppet run.Disabled many
IMA
checks by default to make the impact lighter on a standard system.
2.7.8.29. pupmod-simp-useradd
Set the min and max
UID
andGID
based on what is inlogin.defs
, and default to something sensible for the platform.
2.7.8.30. simp-core
Added logic to auto.cfg to use OS-specific GPG keys in simp_filesystem.repo.
Client kickstart files were updated to use the latest
simp::server::kickstart
API and to provide support for UEFI PXE bootEL6 kickstart files were updated to more closely match the EL7 kickstart files
2.7.8.31. simp-doc
Added SIMP 6.1.0 to 6.2.0 upgrade guide
Added SIMP on AWS documentation
Added a HOWTO for IPA client enrollment
Added a HOWTO for customizing settings for SSH
Added documentation on how to disconnect from
puppetDB
Updated the documentation for UEFI PXE booting.
Clarified certificate management
Restructured pages for better navigation
Updated contributors guide to description more details about the development workflow
2.7.8.32. simp-vendored-r10k
Added a SIMP vendored version of
r10k
that lives at/usr/share/simp/bin/r10k
to ensure that a known version ofr10k
is present on the system at all times. UserPATH
environment variables are not updated so that command must be called directly.
2.7.9. Known Bugs
There is a bug in
Facter 3
that causes it to segfault when printing large unsigned integers - FACT-1732This may cause your run to crash if you run
puppet agent -t --debug
The
krb5
module may have issues in some cases, validation pendingThe graphical
switch user
functionality appears to work randomly. We are working with the vendor to discover a solution