2.1. SIMP Community Edition (CE) 6.6.0
2.1.1. OS compatibility
This release is known to work with:
CentOS 7.0 2009 x86_64
CentOS 8.5 2111 x86_64
CentOS 8 Stream 20220423 x86_64
OEL 7.9 x86_64
OEL 8.5 x86_64
RHEL 7.9 x86_64
RHEL 8.5 x86_64
2.1.1.1. Full support for EL8
This release introduces full EL8 support for the SIMP Puppet server and agents across the entire SIMP framework.
EL8 support was previously limited to managing Puppet agents with the core SIMP Puppet modules.
2.1.1.2. EL6 support has been removed
EL6 is EOL and is no longer supported by SIMP CE.
All logic and testing in support of EL6 has been completely removed from the entire SIMP framework.
If you require further support for EL6 systems, consider purchasing commercial support.
2.1.2. Breaking Changes
2.1.2.1. ISOs Unpack into Unique Repository Paths
The directory structure of yum repositories unpacked from SIMP ISOs has changed.
Previously, all SIMP RPMs were placed into a single yum repository on the SIMP server, under /var/www/yum/SIMP/. This directory structure wasn’t flexible enough to serve multiple operating systems/releases simultaneously without significant customization.
Starting from this release, repositories will be placed under the directory structure /var/www/yum/SIMP/<os name>/<os version>/<arch>/, which mirrors the layout of the base operating system repositories.
The unpack_dvd script has been updated to ensure that only compatible items are unpacked into the underlying repository. If the script detects incompatibilities, it will fail and provide guidance.
2.1.2.2. Rsyslog < 8.24.0 is no Longer Supported
Due to vendor recommendations, simp/rsyslog no longer supports rsyslog versions older than 8.24.0.
If you need to support older versions of rsyslog, please use simp/rsyslog 7.6.4 in an alternate Puppet environment.
2.1.2.3. SSSD < 1.16.0 is no Longer Supported
There are multiple issues in versions of sssd prior to 1.16.0. Users should upgrade to the latest release.
2.1.3. Significant Updates
2.1.3.1. SIMP Server Support on EL8
This release provides full support for managing SIMP Puppet servers on EL8.
2.1.3.2. Puppet 7 Support
All SIMP Puppet modules now work with both Puppet 6 and Puppet 7.
2.1.3.3. Puppet 5 Support Removed
Puppet 5 is EOL and support for it has been removed from all modules.
2.1.3.4. PuppetDB no Longer Configured by Default
A review of the newer puppetserver defaults as well as the concept of “only run what you require” led to the removal of puppetdb as a default installed/configured application.
This change should make it easier to run in resource-limited environments.
Existing systems will not be affected, but new systems will need to enable puppetdb per HOWTO Enable PuppetDB.
2.1.3.5. 389 DS replaces OpenLDAP on EL8
On EL8, 389 Directory Server replaces the (deprecated) OpenLDAP server as the default LDAP service.
Existing infrastructures will not be affected on upgrade, but new environments will need to configure correctly for their environment’s LDAP server.
LDAP Clients are still able to connect to either OpenLDAP server or 389 DS as necessary. Please read the upgrade guide if you are switching from OpenLDAP to 389 DS. New systems will require no additional configuration.
2.1.3.6. Switch from Cron to Systemd
With the deprecation of EL6, all supported OSes use systemd. The framework is now in a position to take advantage of systemd-specific features that improve system maintenance and administration.
Where possible, all SIMP puppet modules have been updated to replace old cron jobs with systemd timers. This enhances execution control and reporting for the scheduled jobs.
This practice may eventually enable systems to opt out of installing cron altogether, to the benefit of certain compliance profiles. It also has the benefit of being easier to manage.
2.1.3.7. Switch from Iptables to Firewalld
All SIMP modules now use firewalld by default instead of directly managing iptables. In general, the transition should be seamless for users unless advanced iptables rulesets were being managed (NAT, etc…).
Users still have the ability to directly manage iptables rules, but should be aware that there will be no further development on simp/iptables outside of maintaining the shims that hook it into firewalld.
2.1.4. Security Announcements
2.1.5. RPM Updates
2.1.5.1. Puppet RPMs
The following Puppet RPMs are packaged with the SIMP 6.6.0 ISOs:
| Package | Version |
|---|---|
| puppet-agent | 6.27.1-1 or 7.16.0-1 |
| puppet-bolt | 3.22.1-1 |
| puppetdb | 6.21.0-1 or 7.10.1-1 |
| puppetdb-termini | 6.21.0-1 or 7.10.1-1 |
| puppetserver | 6.19.0-1 or 7.7.0-1 |
2.1.6. Removed Puppet Modules
The following modules were removed from the release:
simp_pki_service
simp_bolt
2.1.7. Replaced Puppet Modules
| Original | Replacement |
|---|---|
2.1.8. Fixed Bugs
2.1.8.1. pupmod-simp-auditd
Aligned the EL8 STIG settings
Always add the head rules since they are required for proper functionality of the system
Use -F key= instead of -k to match the STIG recommendations
Switched the audit rules to always,exit instead of exit,always to match the man pages
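The two syntax changes above (key syntax and action/list order) are both accepted by auditctl, so a rules file can be carried from the old spelling to the STIG-aligned one mechanically. The following is an added example, not code from pupmod-simp-auditd: it rewrites legacy rule lines into the form the module now emits, leaving everything else on the line untouched. The sample rules at the bottom are constructed for the demonstration.

```python
"""Normalize legacy auditd rule syntax into the STIG-aligned form.

Added example, not code from pupmod-simp-auditd. Two legacy spellings are
rewritten:
  -a exit,always  ->  -a always,exit   (the order given in the auditctl man page)
  -k <name>       ->  -F key=<name>    (the STIG-recommended key syntax)
Every other token is passed through unchanged.
"""
import shlex

AUDIT_ACTIONS = {"always", "never"}
AUDIT_LISTS = {"task", "exit", "user", "exclude", "filesystem"}


def normalize_audit_rule(line: str) -> str:
    """Return one audit.rules line with action/list order and key syntax normalized."""
    stripped = line.strip()
    # Blank lines and comments carry no rule; return them as written.
    if not stripped or stripped.startswith("#"):
        return stripped
    tokens = shlex.split(stripped)
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-a", "-A") and nxt is not None:
            first, _, second = nxt.partition(",")
            # Accept either order on input; always emit action first, list second.
            if first in AUDIT_LISTS and second in AUDIT_ACTIONS:
                first, second = second, first
            out.extend([tok, f"{first},{second}"])
            i += 2
        elif tok == "-k" and nxt is not None:
            # '-k name' becomes the explicit field filter form.
            out.extend(["-F", f"key={nxt}"])
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def normalize_audit_rules(text: str) -> list:
    """Normalize every line of an audit.rules file body; returns one string per line."""
    return [normalize_audit_rule(line) for line in text.splitlines()]


# Constructed sample rules in the legacy spelling (not taken from the page).
SAMPLE_RULES = """\
## constructed example rules
-D
-b 8192
-f 1
-a exit,always -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
"""

if __name__ == "__main__":
    for rule in normalize_audit_rules(SAMPLE_RULES):
        print(rule)
```

Lines that already use the new spelling come back unchanged, so the function can be run over a whole rules directory before and after an upgrade to confirm that only the two intended rewrites occurred.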
2.1.8.2. pupmod-simp-aide
Changed to using --check instead of -C by default to match the expectation of most security scanners
Randomized the scheduling minute field so that I/O load is reduced on hosting platforms
2.1.8.3. pupmod-simp-cron
Manage the cron packages by default
2.1.8.4. pupmod-simp-fips
Use the simplib__crypto_policy_state fact instead of crypto_policy__state
Ensure that dracut_rebuild is called when the fips kernel parameter is changed
2.1.8.5. pupmod-simp-gdm
Fixed minor errors in the compliance_markup data
Properly handle integration of systemd-logind with the hidepid flag on /proc
Added a pam_access entry for the gdm user so that the greeter session can start
2.1.8.6. pupmod-simp-haveged
Mask the haveged service when disabling it so that it is not restarted on reboot
Ensure that haveged does not start if rngd is running
2.1.8.7. pupmod-simp-incron
No longer pin the version of incron since the upstream versions have been fixed
2.1.8.8. pupmod-simp-libreswan
Removed obsolete configuration items that prevented functionality on EL8:
libreswan::ikeport
libreswan::nat_ikeport
libreswan::klipsdebug
libreswan::perpeerlog
libreswan::perpeerlogdir
2.1.8.9. pupmod-simp-libvirt
Removed ipxe-roms from the OEL package lists since they are now optional
2.1.8.10. pupmod-simp-network
Ensure that the network::eth defined type honors the network::auto_restart parameter
2.1.8.11. pupmod-simp-nfs
Added _netdev to the default mount options
Ensure that remote-fs.target is enabled
2.1.8.12. pupmod-simp-ntpd
Fixed a bug where ntp::allow::rules was not being honored
Added simp_options::ntp::servers to the default lookup list for ntpd::servers
2.1.8.13. pupmod-simp-openscap
Fixed the default data stream name in EL7
2.1.8.14. pupmod-simp-pam
Silenced unnecessary TTY messages
Added default Hiera deep merges for pam::access::users and pam::limits::rules
Fixed a bug in system-auth where pam_tty_audit was not skipped if the login did not have a TTY. This prevented the GDM service login from succeeding.
Set quiet on pam_listfile so that warnings do not get logged that look like authentication failures
2.1.8.15. pupmod-simp-pupmod
Changed all instances of setting items in the master section to use server instead
Updated pupmod::conf to automatically switch master to server
Automatically remove items from the puppet config in the master section that are set in the server section
Added pupmod::master::sysconfig::use_code_cache_flushing to reduce excessive memory usage
Removed SHA1 ciphers from the server cipher list
Disconnected the puppetserver from the system FIPS libraries since it causes conflicts with the vendor provided settings
Allow pupmod::puppet_server to accept Arrays
Properly configure the server list when multiple puppet servers are specified
Converted all cron settings to systemd timers
Converted the ‘cleanup’ jobs to systemd.tmpfile jobs
Fixed a bug where the pupmod::master::sysconfig class was not being applied
Get certname from trusted facts only for authenticated remote requests
Fix bolt compatibility
2.1.8.16. pupmod-simp-resolv
Fixed bugs in the Augeas template
Use configuration files to manage the global NetworkManager configuration
2.1.8.17. pupmod-simp-rkhunter
Changed the minute parameter on scheduled tasks to a random number to reduce I/O load on hosting platforms
Updated to use systemd timers instead of cron by default
Added default user_fileprop_files_dirs to cover the puppet applications
Ensure that the initial propupd command runs after the puppet run is complete
Added a rkhunter::propupd class to ensure that the first cut of properties is updated after all packages have completed in the puppet run
2.1.8.18. pupmod-simp-rsync
Fixed the documentation
Noted that sebool_use_nfs and sebool_cifs will be deprecated in the future
2.1.8.19. pupmod-simp-rsyslog
Fixed a bug where the rsyslog service would start without errors but fail to log when rsyslog::config::default_template was set to traditional
2.1.8.20. pupmod-simp-selinux
Fixed a dependency cycle when using vox_selinux::boolean
Fixed a bug where the module would attempt to create selinux_login resources when selinux::login_resources was set but selinux was disabled
2.1.8.21. pupmod-simp-simp
Updated simp::yum::repo::local_os_updates to use the gpg keys installed into <yum directory>/SIMP/GPGKEYS to work around changes in EL8
Corrected the HeapDumpOnOutOfMemoryError setting for puppetdb
Ensure that nsswitch SSSD options for sudoers do not stop on files
Do not include the auditors sudo user specification if the aliases have not been included
Added the following to the sudoers defaults:
!visiblepw
always_set_home
match_group_by_gid
always_query_group_plugin
Now use relative paths for the location for the SIMP GPG keys on YUM servers by default
Support all valid values for simp::pam_limits::max_logins::value
Added additional parameters to simp::admin to allow for more fine-grained control of global admin and auditor sudo rules
2.1.8.22. pupmod-simp-simp_apache
Ensure that all file resources that manage more than permissions have an ensure attribute
Moved the magic file into an EPP template to work better with bolt
Use systemd to reload/restart the httpd service
2.1.8.23. pupmod-simp-simp_gitlab
Fixed a bug where the change_gitlab_root_password script did not work with GitLab after 13.6.0
2.1.8.24. pupmod-simp-simp_grub
Updated the documentation to better reflect GRUB2
2.1.8.25. pupmod-simp-simp_nfs
Fixed a bug in create_home_directories.rb where EL8 systems could not talk to EL7 LDAP servers when the servers were in FIPS mode
2.1.8.26. pupmod-simp-simp_openldap
Fixed pki::copy since the ldap group is no longer created by the OpenLDAP client packages
Fixed Float to String comparison error in simp_openldap::server::conf::tls_protocol_min
Deprecated parameters only applicable to EL6:
simp_openldap::client::strip_128_bit_ciphers
simp_openldap::client::nss_pam_ldapd_ensure
2.1.8.27. pupmod-simp-simplib
Fixed the call to klist to properly handle cache issues
Increased randomization in simplib::gen_random_password
simplib::cron::hour_entry now supports comma separated lists
simplib::cron::minute_entry now supports comma separated lists
Fixed the simplib__networkmanager fact
Fixed a bug where the ipa fact did not detect when an EL8 client was joined to an IPA domain
Ensure that the puppet_settings fact supports both the server and master sections for backwards compatibility
Added a tertiary check to the grub_version fact
2.1.8.28. pupmod-simp-ssh
Fixed a bug where some changes to the sshd configuration did not cause a service restart
Fixed a bug that caused a compilation error when ssh::conf::ensure_sshd_packages was set to true
Ensure that vox_selinux is included prior to calling selinux_port
Ensure that parameters that do not apply to EL8+ systems are not set on the target system
No longer set HostKeyAlgorithms on the client configuration by default
2.1.8.29. pupmod-simp-sssd
Added an option to sssd::install to prevent installation of the sssd client to increase compatibility with other operating systems
Fixed multiple compatibility issues with non-OpenLDAP LDAP servers
No longer use concat but instead drop configuration items into the /etc/sssd/conf.d directory
Ensure that systems bound to FreeIPA, but not connected, do not cause compilation issues
2.1.8.30. pupmod-simp-stunnel
Worked around a bug in EL7 where a connection denied by tcpwrappers would cause stunnel to hang and spike to 100% CPU usage indefinitely. All connections are still blocked by the firewall but now are always allowed in tcpwrappers.
2.1.8.31. pupmod-simp-svckill
Added rngd to the default list of services to never be killed
Removed obsolete documentation
2.1.8.32. pupmod-simp-swap
Disable dynamic_swappiness by default
Set static system swappiness to 60 by default
2.1.8.33. pupmod-simp-tlog
Add a file resource if the file writer is specified
Corrected the logic in tlog.sh.epp in the case where a user does not have a login shell
2.1.8.34. pupmod-simp-tpm2
Overrode the systemd unit file for tpm2-abrmd for TCTI compatibility
2.1.8.35. pupmod-simp-vsftpd
Fixed sysctl updates on service restart
2.1.8.36. simp-doc
Added HOWTO for managing PuppetDB
Added HOWTO for enabling client reports
Corrected SSL recovery documentation
Corrected documentation relating to using sudo in STIG mode
Added documentation for using EYAML in SIMP environments
2.1.8.37. simp-environment
Add the EYAML hierarchy to the default hiera.yaml
2.1.8.38. simp-gpgkeys
Fixed the target location for copying the GPG keys into the YUM repository
Removed EL6 keys
Updated the Red Hat release key
2.1.8.39. simp-rsync
Removed dynamic BIND files from the list of files to rsync
2.1.8.40. simp-utils
Fixed the puppetlast script and enabled it to read from filesystem reports
You will need to follow the instructions in HOWTO Enable Client Reporting
2.1.8.41. rubygem-simp-cli
Changed set/get from master to server when updating the puppet configuration
Use the status endpoint instead of a CRL query to validate the puppetserver status
Use puppet to set the GRUB password
Ensure that updating entries in /etc/hosts is idempotent
Removed the LOCAL domain from the default sssd configuration
No longer use the deprecated simp_options::ntpd::servers setting
Simplified the instructions for the ‘local user lockout’ warning
2.1.9. New Features
The following items are common to most module updates and do not warrant specific inclusion below. For full details, see the CHANGELOG of all delivered packages.
Removal of old Puppet version support
Removal of EL6 support
Addition of EL8 support
Puppet module dependency updates
2.1.9.1. pupmod-simp-ds389
New module for managing 389 DS
2.1.9.2. pupmod-simp-simp_firewalld
Added the simp/simp_firewalld module and set it to the default on EL8+
2.1.9.3. pupmod-simp-gnome
Removed support for GNOME2 since EL6 is no longer supported
Also removed all gconf parameters and settings since they no longer have any use
2.1.9.4. pupmod-simp-logrotate
Allow all log size configuration parameters to be specified in bytes, kilobytes, megabytes, or gigabytes
2.1.9.5. pupmod-simp-pam
Added dictcheck and faillock_log_file parameter support
Added Amazon Linux 2 support
Added a pre section for setting auth file content to work with third party plugins
Added the ability to set extra content in the su configuration
2.1.9.6. pupmod-simp-resolv
Added the ability to precisely update the resolv.conf contents
Added the ability to specify the entire contents of resolv.conf
Added the ability to remove resolv.conf completely
2.1.9.7. pupmod-simp-rsyslog
Please read the module documentation and CHANGELOG since there were numerous changes!
Dropped support for rsyslog < 8.24.0
Added the ability to set the default template used for forwarding via rsyslog::config::default_forward_template
Added parameters to allow additional configuration of the modules and main queue
Added Direct and Disk to the allowed main message queue types
Removed parameters only relevant to rsyslog < 8.6.0:
rsyslog::config::host_list
rsyslog::config::domain_list
Replaced obsolete parameters with modern replacements:
rsyslog::config::action_send_stream_driver_mode => rsyslog::config::imtcp_stream_driver_mode
rsyslog::config::action_send_stream_driver_auth_mode => rsyslog::config::imtcp_stream_driver_auth_mode
rsyslog::config::disable_remote_dns => rsyslog::config::net_enable_dns
rsyslog::config::suppress_noauth_warn => rsyslog::config::net_permit_acl_warning
Deprecated rsyslog::config::default_template for rsyslog::config::default_file_template
Updated various parts of the configuration from legacy to RainerScript format
2.1.9.8. pupmod-simp-simp
Added EL8 support
Added simp::puppetdb::disable_update_checking to disable default analytics in accordance with NIST guidance
puppetdb now sets UseCodeCacheFlushing by default
The sssd client configuration now sets the LDAP schema based on simp::sssd::client::ldap_server_type
simp::sssd::client no longer creates a LOCAL provider
2.1.9.9. pupmod-simp-simp_ds389
New module providing SIMP-specific settings for 389 DS for providing a suitable replacement for OpenLDAP
2.1.9.10. pupmod-simp-simp_gitlab
Now default simp_gitlab::allow_fips to true, which works with GitLab 14.0.0+
2.1.9.11. pupmod-simp-simp_nfs
Provide host PKI information to upstream LDAP servers
2.1.9.12. pupmod-simp-simp_options
Added simp_options::ntp for more generalized configuration of both ntpd and chronyd
2.1.9.13. pupmod-simp-simpkv
Added an LDAP backend plugin
2.1.9.14. pupmod-simp-simplib
Added simplib::cron::to_systemd() to convert cron resource parameters to systemd timespec format
Added simplib::cron::expand_range() to expand ranges into comma separated strings
Added simplib::params2hash() to return all of the calling scope’s parameters as a Hash
Added net.ipv6.conf.all.disable_ipv6 to the simplib_sysctl fact
Added a simplib__crypto_policy_state fact
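The cron-to-systemd-timer migration described under Significant Updates rests on the two simplib functions named above: one expands a cron field into an explicit list, the other turns the five cron fields into a systemd OnCalendar= timespec. simplib ships these as Puppet functions; the block below is an added example written for these notes, not the project's own code, and re-implements the same conversions in Python so the mapping can be checked on real cron input. The cron-to-calendar rules it applies (a-b becomes a..b, */n becomes lo/n, numeric days of week become systemd day names) are my reading of systemd.time(7), not a description of simplib's exact output.

```python
"""Convert cron schedule fields to a systemd OnCalendar= timespec.

Added example, not the project's code: pupmod-simp-simplib provides
simplib::cron::to_systemd() and simplib::cron::expand_range() as Puppet
functions. This Python re-implementation is mine and follows systemd.time(7).
"""
from __future__ import annotations

# systemd day names, indexed so that cron's 0 and 7 both map to Sunday.
DOW_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def expand_range(field: str, lo: int, hi: int) -> str:
    """Expand a cron field such as '1-5,8,*/10' into a sorted comma separated string."""
    values: set[int] = set()
    for part in field.split(","):
        stepped = "/" in part
        step = 1
        if stepped:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in cron field {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            # 'N/step' means N, N+step, ... up to the field maximum.
            end = hi if stepped else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"cron field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return ",".join(str(v) for v in sorted(values))


def _calendar_part(field: str, lo: int) -> str:
    """Translate one numeric cron field into systemd calendar syntax.

    '*' stays '*', 'a-b' becomes 'a..b', '*/n' becomes 'lo/n', 'a-b/n' becomes 'a..b/n'.
    """
    parts = []
    for part in field.split(","):
        base, _, step = part.partition("/")
        if base == "*":
            # systemd expresses 'every n' as a start value plus repetition.
            base = "*" if not step else str(lo)
        elif "-" in base:
            a, b = base.split("-", 1)
            base = f"{a}..{b}"
        parts.append(f"{base}/{step}" if step else base)
    return ",".join(parts)


def weekday_names(field: str) -> str:
    """Map a cron day-of-week field (0-7, both 0 and 7 are Sunday) to systemd day names."""
    names: dict[str, None] = {}  # insertion-ordered set
    for value in expand_range(field, 0, 7).split(","):
        names[DOW_NAMES[int(value) % 7]] = None
    return ",".join(names)


def to_systemd(minute: str, hour: str, monthday: str = "*",
               month: str = "*", weekday: str = "*") -> str:
    """Build an OnCalendar= value from the five cron fields (minute hour dom month dow)."""
    calendar = (
        f"*-{_calendar_part(month, 1)}-{_calendar_part(monthday, 1)} "
        f"{_calendar_part(hour, 0)}:{_calendar_part(minute, 0)}:00"
    )
    if weekday != "*":
        calendar = f"{weekday_names(weekday)} {calendar}"
    return calendar


if __name__ == "__main__":
    # Constructed schedules: a nightly job and a workday job every four hours.
    print(to_systemd("30", "2"))                         # *-*-* 2:30:00
    print(to_systemd("0", "*/4", "*", "*", "1-5"))       # Mon,Tue,Wed,Thu,Fri *-*-* 0/4:0:00
    print(expand_range("1-5,8,*/10", 0, 23))             # 0,1,2,3,4,5,8,10,20
```

The output of to_systemd() can be pasted into the OnCalendar= line of a timer unit and checked with `systemd-analyze calendar`, which prints the next elapse times and is the quickest way to confirm that a migrated schedule matches the cron entry it replaces.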
2.1.9.15. pupmod-simp-ssh
Added an option to turn off managing the AuthorizedKeysFile parameter in /etc/ssh/sshd_config
2.1.9.16. pupmod-simp-sssd
Made installing the sssd client optional (enabled by default)
No longer support sssd < 1.16.0
Users can now set sssd::custom_config to a string that will be placed into /etc/sssd/conf.d/zz_puppet_custom.conf
Users can optionally purge the /etc/sssd/conf.d directory if they want puppet to be authoritative
2.1.9.17. pupmod-simp-sudo
Added the ability for users to create include clauses in /etc/sudoers
2.1.9.18. pupmod-simp-tpm2
Updated tpm2::ownership and the tpm2 fact to support tpm2_tools version 4
Added a provider for the tpm2_changeauth functionality to provide ownership update capabilities
2.1.9.19. simp-environment
No longer configure puppetdb by default
2.1.9.20. simp-gpgkeys
Added the EL8 GPG keys
Added the new Puppet signing key
2.1.9.21. simp-utils
Updated the unpack_dvd scripts to work with EL8 ISOs
Added transition scripts for upgrading from 6.5.0 to 6.6.0
2.1.9.22. rubygem-simp-cli
Removed management of puppetdb components since it is no longer enabled by default
Removed support for EL6
Use OpenLDAP by default on EL7 and 389 DS otherwise
Set the defaults for both ntpd and chronyd
2.1.10. Known Bugs and Limitations
Below are bugs and limitations known to affect this release. If you discover additional problems, please submit an issue to let us know.
sssd does not always start the ds389 LDAP server immediately after kickstarting an EL8 system. An additional puppet run clears the problem. The error in the log is
sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured