2.5. SIMP Community Edition (CE) 6.2.0-0

This release is known to work with:

  • RHEL 6.9 x86_64
  • RHEL 7.4 x86_64
  • CentOS 6.9 x86_64
  • CentOS 7.0 1708 x86_64

Note

SIMP CE is expected to migrate to Puppet 5 on, or before, October 30 2018. We have not noticed any issues with the latest versions of Puppet 5 but it is taking time to get all of our tests updated to work with Puppet 5 for full coverage.

At this point, all vendor support for Puppet 4 will be discontinued as will SIMP CE support for Puppet prior to 4.10.4.

SIMP CE will no longer provide any support for Puppet 4 after June 30 2019.

2.5.1. Breaking Changes

Warning

This release of SIMP CE is NOT backwards compatible with the 4.X and 5.X releases. Direct upgrades will not work!

At this point, do not expect any of our code moving forward to work with Puppet 3.

If you find any issues, please file bugs!

2.5.2. Significant Updates

Warning

Due to various issues with earlier releases of Puppet, SIMP CE will now be shipping with, and supporting, puppet 4.10.4+.

It is strongly recommended that users upgrade their system as soon as they are able.

Note

SIMP will begin supporting Hiera v5 out of the box as of SIMP 6.3. This is mainly to facilitate compliance enforcement in the infrastructure since various versions of Puppet 4 do not work properly with Hiera v3 and enforcement.

No changes will be made to existing configurations but compliance enforcement from the compliance_markup module will not work until an upgrade to Hiera v5 is complete.

  • UEFI systems should now be fully supported. Please note that you may need to adjust your tftpboot settings to handle your specific UEFI system since they are not as universal as the legacy BIOS entries.
  • Many module updates simply added support for Puppet 5 and Oracle Enterprise Linux. These changes will not be listed individually below.
  • Likewise, many modules were updated simply to improve tests. These improvements will also not be noted below.
  • The simp_gitlab module no longer supports EL6. This is due to integration issues with GitLab that cannot be readily fixed by the module maintenance team, alone. The EL community had shown no interest in fixing minor issues with EL6 in the GitLab platform.

2.5.4. RPM Updates

  • Added the toml rubygem as an RPM for use with the elasticsearch modules.
  • Updated to the latest 5.X release of Elasticsearch and Logstash
  • Updated the ClamAV packages to 0.100.0-2
  • Removed clamav-data-empty which is no longer used

2.5.5. Removed Modules

2.5.5.1. pupmod-simp-mcollective and pupmod-simp-activemq

  • Puppetlabs no longer supports MCollective, so SIMP has removed the pupmod-simp-mcollective and pupmod-simp-activemq modules that support MCollective.

2.5.5.2. pupmod-simp-jenkins

  • The jenkins module has not been updated in quite some time and it is unknown if it works with current versions of Jenkins since the team has moved to GitLab CI.

2.5.5.3. pupmod-simp-mcafee

  • This module has not been updated and probably does not work with the latest McAfee products so it has been removed from the distribution.

2.5.5.4. pupmod-puppetlabs-java_ks

  • This RPM has been removed, as it is no longer a dependency of any SIMP modules.

2.5.6. Security Updates

  • The PKI certificates in /etc/pki/simp_apps are now purged by default so that unmanaged certificates are not available if the system is repurposed.

2.5.7. Fixed Bugs

2.5.7.1. pupmod-simp-aide

  • Added /etc/logrotate.simp.d to default rules.
  • Ensure that the package install comes before dependent exec statements.
  • Allow the cron command to be customized.

2.5.7.2. pupmod-simp-compliance_markup

  • Fixed several incorrectly typed parameters
  • Consolidated several duplicate entries
  • Added missing IPT: message start to simp_rsyslog::default_logs
  • Synchronized CentOS and RHEL STIG settings

2.5.7.3. pupmod-simp-incron

  • Fixed the permissions on the incrond service in systemd to remove logged errors.
  • Matched RPM permissions based on STIG requirements.

2.5.7.4. pupmod-simp-iptables

  • Updated to match the ignore parameter on input and output interfaces
  • Fixed scanblock rule ordering to properly ban all hosts that are blocked by the rules.
  • Fixed some issues in the chain retention and optimization code that would cause iptables to fail to reload in some cases.
  • Fixed compilation failures if proto was specified in the defaults section of the options Hash.
  • Fixed an issue where a jump target went to an empty ruleset and the chain was dropped.
  • Retained all native IPTables jump points by default.
  • Added a deep rule comparison on rulesets that are identical based on simple checks.
  • Remediated potential memory leaks.
  • Fixed ordering issues when used with firewalld.
  • Matched RPM permissions based on STIG requirements.

2.5.7.5. pupmod-simp-libvirt

  • Ensure idempotency by working around the fact that the modprobe changes - to _.

2.5.7.6. pupmod-simp-named

  • Properly override the systemd service file for named-chroot instead of modifying the vendor provided service file.

2.5.7.7. pupmod-simp-ntpd

  • Fixed a bug where ntpd::ntpd_options was not applied to ntpd::servers when ntpd::servers is an Array

2.5.7.8. pupmod-simp-pam

  • Change the minimum allowed UID to the one defined in /etc/login.defs by default, or 1000 if nothing else is defined.
  • Replace the removal of authconfig and authconfig-tui with the use of a authconfig no-op script, so that tools using authconfig do not break.

2.5.7.9. pupmod-simp-postfix

  • Added changes to support the settings required by the STIGs.
  • Match the RPM supplied file permissions are required by the STIG.

2.5.7.10. pupmod-simp-pupmod

  • Allow modification of the allow and deny rules for supported keydist auth rules.
  • Removed obsolete mcollective auth rules.
  • Changed $pki_cacerts_all’s auth rule from * to certname.
  • Modified the default max_active_instances configuration to be safer by default.
  • Make the Puppet Server service name dynamic to work properly with both PE and FOSS Puppet.
  • Properly disable the puppet service if running in cron mode. This was not disabled before and could contribute to a “thundering herd” issue.
  • Fixed the Java tmpdir path for the puppetserver which allows runs on systems that have been pre-hardened.

2.5.7.11. pupmod-simp-rsync

  • Force concat ordering to be numeric due to a bug in puppetlabs-concat that reverses the order from the native type provided by the same module.

2.5.7.12. pupmod-simp-rsyslog

  • Use double quotes to allow evaluation of line returns in strings.
  • Added a systemd service override that fixes an ordering problem with older versions of rsyslog.
  • Fixed bug that did not allow a TLS encrypted server to be configured to forward to a follow-on unencrypted rsyslog server.
  • Fixed a bug where removing rsyslog::rule statements from the catalog would not cause the rsyslog service to restart.
  • Clarified documentation around adding files to /etc/rsyslog.d.

2.5.7.13. pupmod-simp-selinux

  • $selinux::ensure now defaults to enforcing and it used across the board instead of $simp_options::selinux which never behaved as designed.

2.5.7.14. pupmod-simp-simp

  • Fixed a bug where if the puppet_settings fact did not exist, users in the administrators group could rm -rf any path.
  • Fixed the certificate cleaning sudo rule to point to $facts['puppet_settings']['main']['ssldir'].
  • Ensure that prelink is fully disabled when the system is in FIPS mode since the two are incompatible.
  • Defined a portreserve service so that there would no longer be any service restart flapping.
  • Fixed the permissions on the ctrl-alt-del-capture service file so that warnings would no longer be logged.
  • Replace the deprecated runpuppet script with client Puppet bootstrap scripts which will not be inappropriately killed by systemd, when executed in highly-loaded environments. These scripts allow the systemd timeout to be specified and provide better error handling and logging.
  • On systems with systemd, set the host name in client Puppet bootstrap scripts, to prevent issues that can arise when a dhcp lease expires. Not setting the hostname could cause the generated Puppet configuration for the client to use localhost as the client’s hostname.
  • Ensure that running on unsupported operating systems is completely safe.
  • No longer deviate from vendor RPM default permissions per the STIG.
  • Changed the permissions of rc.local to 750.
  • Removed the explicit setting of the host_list on all sudo::user_specification resources to let the updated module defaults handle setting host_list appropriately.

2.5.7.15. pupmod-simp-simp_apache

  • Fix the ownership of the configuration files to use the owner variable instead of the group variable for user ownership.

2.5.7.16. pupmod-simp-simp_elasticsearch

  • Add a missing simp/pam module dependency.

2.5.7.17. pupmod-simp-simp_gitlab

  • Fixed the git authorized_keys lock problem.
  • Dropped all support for CentOS 6 due to issues that kept cropping up during integration and the overall lack of support from EL upstream to fix minor bugs.
  • Automatically opt-out of the GitLab data collection service in accordance with NIST 800-53r4 AC-20(1) and SC-38.

2.5.7.18. pupmod-simp-simp_nfs

  • Ensure that users can fully disable autofs if they choose to.
  • Fixed systemd dependencies.

2.5.7.19. pupmod-simp-simplib

  • Fixed the puppet_settings fact so that the different sections are appropriately filled out. If not updated, this has been shown to cause the puppetserver process to be unable to restart on package update.
  • Fixed runlevel enforcement so that it activates properly when called. Previously, no action would be taken on the running system.
  • Added logic to prevent respawn of systemctl isolate if already in progress.
  • Added a configurable timeout for changing runlevels based on issues discovered in the field with systemctl.
  • Fixed bugs in the EL6 runlevel persistence where, in some cases, the runlevel line might not be added to /etc/inittab.

2.5.7.20. pupmod-simp-stunnel

  • Fixed the stunnel startup scripts to ensure that they will always execute.
  • Only display errors when errors occur during startup.
  • Removed the init.d script on systemd systems.
  • Ensure that the stunnel service name is set correctly in all instances, so that tcpwrappers functions properly.

2.5.7.21. pupmod-simp-svckill

  • Add simp_client_bootstrap service to the ignore list; otherwise, svckill will kill the bootstrap process of SIMP clients.

2.5.7.22. pupmod-simp-vnc

  • Fixed issues with the xinetd spawned VNC sessions where 'IPv4 needed to be set as a flag and the banner needed to be eliminated from the connection.

2.5.7.23. simp-cli

  • Move to the updated OS facts for less fragility.
  • Update several messages to be more clear to the user.
  • Fix setting GRUB passwords on EL6.
  • Fix ownership and permission issues on created files.
  • Validate all puppet code present prior to bootstrapping.
  • Fixed various logging issues.
  • Improved validation and error handling.
  • Fix simp passgen processing of all password files and improved password generation.
  • Properly detect Puppet Enterprise on a system and avoid conflicting operations.
  • Fixed some tests that were not safe to run on real operating systems.

2.5.7.24. simp-core

  • Enabled GPG checking for the ISO-configured local filesystem repository by default
  • Fixed errors in the kickstart scriptlets
  • Improved detection of SSD devices using the diskdetect.sh script
  • Removed obsolete simp-big and simp-big-disk-crypt kickstart options in EL7
  • No longer install prelink at kickstart time
  • Fixed EFI support on the ISO releases
  • Removed EL7 references to function keys which no longer are honored
  • Fixed the boot directory when fips is enabled on the ISO

2.5.7.25. simp-doc

  • Remove OBE MCollective references
  • Fixed issues in the sample tftpboot puppet code
  • Fixed several broken links
  • Made the installation guide more user friendly by rearranging the content

2.5.7.26. simp-environment

  • Added the dist macro to the package name
  • Pre-populate /var/simp/environments/simp/site_files/pki_files and set the permissions appropriately. This fixes the failure of simp bootstrap on systems where the root user’s umask has already been set to 077.
  • FakeCA config files were marked as such in the RPM so that they will not be overwritten on RPM upgrade.
  • Fixed a bug where the cacertkey file was not being generated in the correct location at install time.
  • Removed simp_options::selinux from the scenario hieradata.
  • Force a run of fixfiles in the %post section of simp-environment.

2.5.7.27. simp-rsync

  • Fully support UEFI booting.

2.5.8. New Features

2.5.8.1. pupmod-simp-compliance_markup

  • More closely aligned with the latest SSG STIG content.

2.5.8.2. pupmod-simp-dconf

  • Added a module for managing dconf settings.

2.5.8.3. pupmod-simp-incron

  • Allow users to define entries for incron system tables from Hiera.
  • Added a native type incron_system_table to allow for client side path glob expansion.

2.5.8.4. pupmod-simp-libvirt

  • Use kmod::load instead of a Ruby script to load the kernel module
  • Added a libvirt_br_netfilter_loaded fact to determine if the br_netfilter kernel module is loaded

2.5.8.5. pupmod-simp-logrotate

  • Moved SIMP-specific logrotate rules to a SIMP-managed configuration directory, /etc/logrotate.simp.d, and ensured logrotate processes that directory first. This ensures that SIMP rules take priority, when duplicate rules are specified (e.g., OS and SIMP rules for /var/log/boot.log).

2.5.8.6. pupmod-simp-nfs

  • Change all stunnel connections to use stunnel::instance to that they are not interrupted due to issues with the global stunnel configuration.
  • Added the ability to tweak stunnel parameters for all NFS connections.
  • Ensure that all stunnel services used with NFS are now dependencies of the remote filesystem servers actually being active.
  • Added the ability to set nfs::client::mount::autodetect_remote to override all autodetection of whether or not the remote system is the local NFS server.
  • Added nfs::client::mount::stunnel to allow users to dictate the stunnel state for individual connections.

2.5.8.7. pupmod-simp-ntpd

  • Added optional management of the /etc/ntp/step-tickers file.
  • Added a $package_ensure parameter to control the ntp package version.
  • Added management of /etc/sysconfig/ntpdate

2.5.8.8. pupmod-simp-openldap

  • Ensure that concat resource ordering is set in numeric order.

2.5.8.9. pupmod-simp-openscap

  • Added an oscap fact to collect the following: * OpenSCAP Version * OpenSCAP Supported Specifications * OpenSCAP Profiles from /usr/share/xml/scap/*/content/*-ds.xml

2.5.8.10. pupmod-simp-pam

  • Added the ability to set unlock_time to never for pam_faillock.so.
  • Set the default cracklib_maxclassrepeat to 3.
  • Allow users to change the password hashing algorithm.
  • Allow users to toggle password enforcement for the root user.

2.5.8.11. pupmod-simp-pki

  • Purge /etc/pki/simp_apps by default to clean up old certificates and allow users to move this directory target.
  • Added a new $pki::certname parameter that controls the name of the certificates in keydist that will be copied to the client. This is, by default, set to $trusted['certname'] but can be changed so that users can pull other certificates by default.
  • Changed the CA certificate source to be a String so that NSS databases or https endpoints can be specified.

2.5.8.12. pupmod-simp-pupmod

  • Added pupmod::master::generate_types which adds incron hooks that will automatically run puppet generate types on your server when environments or native types are updated in any environment.

2.5.8.13. pupmod-simp-resolv

  • Prevent invalid resolv.conf files from being written.

2.5.8.14. pupmod-simp-simp

  • Remove prelink if it is not enabled.
  • Added support for connecting to IPA servers.
  • Removed simp::mcollective class due to global deprecation.
  • Removed group management for the root user based on feedback.
  • Set the ownership and permissions of /etc/puppet/puppetdb.conf so that systems that already have the root umask set to 077 work properly.
  • Added a simp::netconsole class to allow users to configure the netconsole kernel parameter for boot time logging.
  • Split out the runpuppet logic into a bootstrap_simp_client script to be separate from the startup scripts and work around issues with systemd timeouts.
  • Added an exponential backoff to the bootstrap_simp_client script to handle cases where a lot of servers are being built at the same time.
  • Added Microsoft Windows support to the module that changes where the simp.version file is placed on that platform.

2.5.8.15. pupmod-simp-simp_docker

  • Multiple minor updates mostly surrounding the updates to simp/iptables to make it better work with docker.

2.5.8.16. pupmod-simp-simp_gitlab

  • Added support for the new GitLab 10+ LDAP options, specifically for TLS.

2.5.8.17. pupmod-simp-simp_grafana

  • Added documentation regarding rubygem-puppetserver-toml for use with the simp_grafana module.

2.5.8.18. pupmod-simp-simp_ipa

  • Initial release of a module for managing IPA connectivity settings.
  • Does not currently manage IPA server installation.

2.5.8.19. pupmod-simp-simp_nfs

  • Added the ability to force mounts to point to a remote host.

2.5.8.20. pupmod-simp-simp_openldap

  • Allow users to set the users and administrators GID values in the default.ldif file.
  • Use concat numeric ordering to allow placement of new modifications in a predictable and reliable order.

2.5.8.21. pupmod-simp-simp_options

  • Added simp_options::uid and simp_options::gid since several modules required a consistent parameter set for enforcing these items globally.
  • Removed $simp_options::selinux since it never worked as designed and was not required by more than one module. This is not considered a breaking change since it effectively never had any effect on the system anyway.

2.5.8.22. pupmod-simp-simplib

  • Added a Simplib::Domain data type that validates DNS domains against the TLD restrictions from RFC 3968, Section 2.
  • Added a login_defs custom fact that returns a structured fact for the entire contents of /etc/login.defs
  • Added an ipa fact that returns information about connectivity to an IPA server.
  • Added a prelink fact to determine whether or not prelink is installed on the system.
  • Updated the simplib::ldap::domain_to_dn function to allow users to decide whether or not they want to upcase the returned LDAP attribute strings.
  • Added a simplib::reboot_notify class to allow users to easily toggle global reboot_notify settings.
  • Improved reboot_notify error handling.
  • Allow users to set the log level on reboot_notify.
  • Added a Simplib::PuppetLogLevel data type.
  • Updated init_ulimit to allow it to work properly with puppet generate types.
  • Added a simplib::hash_to_opts function which turns a Hash into a String that mirrors a usual shell command.
  • Added a simplib::install defined type that allows package management based on a supplied Hash.
  • Added a simplib::module_exist function to detect the existence of a module.
  • Ensure that systemctl is never spawned more than once when attempting to change the system runlevel.
  • Fixed an issue in EL6 runlevel persistence where the line may not be written to /etc/inittab.

2.5.8.23. pupmod-simp-ssh

  • Ensure that GSSAPIAuthentication is disabled if the host is on an IPA domain.
  • Moved all management of the /etc/ssh/ssh_config file to use the ssh_config augeasprovider. Management of all SSH configuration files is now done consistently.
  • Removed the no longer required sshd.aug augeas lens.
  • Added parameter management to the sshd_config to align with the STIG requirements.
  • Default to not configure RhostsRSAAuthentication in sshd_config for versions of openssh that no longer allow that option.

2.5.8.24. pupmod-simp-sssd

  • Updated to use the login_defs fact to determine the default uid_min and uid_max values.
  • Added a defined type for connecting to an IPA server.
  • Added tests for connecting to Active Directory and updated the configuration settings appropriately.
  • Allow passing ldap_tls_cacert to the sssd::provider::ldap defined type.
  • Align sssd permissions with the RPM defaults.

2.5.8.25. pupmod-simp-stunnel

  • Isolated the instance logic away from the global connection logic completely.
  • Added a native type that cleans up all instances that may have been abandoned by stunnel::instance.
  • Added parameters to allow controlling systemd requirement chains.

2.5.8.26. pupmod-simp-sudo

  • Added both the short hostname and long fqdn to the user access control by default.
  • Update user_specification define to not accept an empty hostlist.

2.5.8.27. pupmod-simp-tftpboot

  • Added support for UEFI PXEboot
  • Moved the tftpboot root directory from /tftpboot to /var/lib/tftpboot to match the expectations of SELinux and the STIG.
  • Added a tftpboot::tftpboot_root_dir parameter to all users to override the root directory location.

2.5.8.28. pupmod-simp-tpm

  • Moved the policy systemd unit files to /etc/systemd
  • Ensure that the IMA service only starts on reboot instead of during a puppet run.
  • Disabled many IMA checks by default to make the impact lighter on a standard system.

2.5.8.29. pupmod-simp-useradd

  • Set the min and max UID and GID based on what is in login.defs, and default to something sensible for the platform.

2.5.8.30. simp-core

  • Added logic to auto.cfg to use OS-specific GPG keys in simp_filesystem.repo.
  • Client kickstart files were updated to use the latest simp::server::kickstart API and to provide support for UEFI PXE boot
  • EL6 kickstart files were updated to more closely match the EL7 kickstart files

2.5.8.31. simp-doc

  • Added SIMP 6.1.0 to 6.2.0 upgrade guide
  • Added SIMP on AWS documentation
  • Added a HOWTO for IPA client enrollment
  • Added a HOWTO for customizing settings for SSH
  • Added documentation on how to disconnect from puppetDB
  • Updated the documentation for UEFI PXE booting.
  • Clarified certificate management
  • Restructured pages for better navigation
  • Updated contributors guide to description more details about the development workflow

2.5.8.32. simp-vendored-r10k

  • Added a SIMP vendored version of r10k that lives at /usr/share/simp/bin/r10k to ensure that a known version of r10k is present on the system at all times. User PATH environment variables are not updated so that command must be called directly.

2.5.9. Known Bugs

  • There is a bug in Facter 3 that causes it to segfault when printing large unsigned integers - FACT-1732
    • This may cause your run to crash if you run puppet agent -t --debug
  • The krb5 module may have issues in some cases, validation pending
  • The graphical switch user functionality appears to work randomly. We are working with the vendor to discover a solution