Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp', '4.23.0'
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with simp
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
This module is the overarching profile of SIMP managed systems. It should be the entry point for all supported SIMP configurations.
This is a SIMP module
This module is a component of the System Integrity Management Platform.
If you find any issues, please submit them via JIRA.
Please read our Contribution Guide.
This module should be used within the SIMP ecosystem and will be of limited independent use.
Module Description
This module provides a convenient entry point for setting up systems to meet the goals of the SIMP Project.
It is effectively a highly malleable Puppet profile that provides mechanisms for direct overall system modification and management.
Setup
What SIMP affects
The simp module is meant to be the central controller of all node configurations. The suggested usage is to place the following in your environment's site.pp:
include 'simp_options'
include 'simp'
NOTE: If using Puppet Enterprise, you can add the simp_options and simp classes to nodes via the classification interface. Do be sure to include simp_options before simp so that the simp module has appropriate access to the parameters in simp_options.
Reference
See the REFERENCE.md for a comprehensive overview of the module components.
Usage
Basic Usage
It is recommended that you start with one of the SIMP scenarios described below.
These may be set via the simp::scenario parameter in Hiera.
NOTE: simp::scenario always affects SIMP client systems, no matter how it was set. However, SIMP servers will default to the simp scenario unless simp::scenario is set in Hiera.
You may want to tweak individual module settings and should reference the module documentation for full details.
SIMP Scenarios
The SIMP module has the following scenarios defined for getting started with different configurations easily:
- simp - The default scenario. Enables all modules to support the default SIMP infrastructure configured around security best practices and compatibility with supported security policies as defined in the compliance_markup module.
- simp_lite - The simp profile with some of the more aggressive security support modules disabled. These include, but are not limited to, iptables, fips, and svckill.
- standalone - Applies all of the settings in the simp profile and, after a successful run, either disables puppet from running again or removes it from the system completely. Has options to ensure that there is a way to get back into the system afterwards.
- poss - The Puppet Open Source Software (POSS) configuration simply attaches your node to the Puppet server and performs no additional configuration. This can be used as a starting point for building your own configuration without needing to worry about how to configure your Puppet agents.
- remote_access - Adds the common remote access capabilities of SIMP to the system on top of the poss scenario.
- none - Does nothing at all. All configuration is in your control.
Development
Please read our Contribution Guide.
Unit tests
Unit tests, written in rspec-puppet, can be run by calling:
bundle exec rake spec
Acceptance tests
To run the system tests, you need Vagrant installed. Then, run:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the STU and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- simp: This class provides an entry point to configuring your systems to
- simp::admin: Set up a host of common administrative functions including
- simp::base_apps: This is a set of applications that you will want on most systems
- simp::base_services: Deprecated - This class will be removed in a future version of SIMP.
- simp::ctrl_alt_del: Manage the state of pressing ctrl-alt-del
- simp::kmod_blacklist: This class provides a default set of blacklist entries per the SCAP
- simp::kmod_blacklist::lock_modules: This class toggles the ability to load any further kernel modules
- simp::mountpoints: Add security settings to several mounts on the system.
- simp::mountpoints::proc: Mount /proc
- simp::mountpoints::tmp: Manages the various tmp mounts with optional security features.
- simp::netconsole: Configure /etc/sysconfig/netconsole and the netconsole service
- simp::nsswitch: A SIMP profile for using the nsswitch module to manage /etc/nsswitch
- simp::one_shot: Configure the system to disconnect from the Puppet server once it
- simp::one_shot::finalize: A 'last effort' script to clean up all of the SIMP material on the
- simp::one_shot::user: Configure a 'stand alone' system user
- simp::pam_limits::max_logins: Restrict the max logins on a system via PAM
- simp::prelink: Manage prelinking
- simp::puppetdb: This class enables a PuppetDB server with defaults set for SIMP
- simp::rc_local: Manage the content of /etc/rc.d/rc.local
- simp::root_user: Manage resources related to the root user
- simp::scenario::base: This class provides the basis of what a native SIMP system should
- simp::scenario::poss: The 'Puppet Open Source Software' Scenario
- simp::server: Set up a SIMP server in such a way that it will be ready to serve
- simp::server::kickstart: This class provides a working framework for providing a kickstart
- simp::server::kickstart::simp_client_bootstrap: This class manages simp_client_bootstrap scripts, which are scripts
- simp::server::ldap: Sets up either a primary LDAP server or a consumer LDAP server.
- simp::server::rsync_shares: Set up various rsync services that are needed by the SIMP clients
- simp::server::yum: This class sets up a YUM site at ${data_dir}/yum and is used by
- simp::sssd::client: Set up an SSSD client based on the normal SIMP parameters
- simp::sudoers: Provide useful aliases that many people have wanted to use over
- simp::sudoers::aliases: A set of default sudoers aliases
- simp::sysctl: Sets sysctl settings that are useful from a general 'modern system'
- simp::version: Places SIMP version related information on the filesystem
- simp::yum::repo::internet_simp: Configure yum to use the internet public repository for SIMP
- simp::yum::repo::internet_simp_dependencies: DEPRECATED Configure yum to use the internet public repositories for SIMP dependencies
- simp::yum::repo::internet_simp_server: DEPRECATED Configure yum to use the internet public repository for SIMP servers
- simp::yum::repo::local_os_updates: Configure yum to use a (SIMP-managed) OS Updates repository for network-isolated environments.
- simp::yum::repo::local_simp: Set up the local SIMP repositories for network-isolated environments.
- simp::yum::schedule: Set up a YUM update schedule.
Functions
- simp::knockout: Deprecated knockout function, see simplib::knockout
- simp::yum::repo::baseurl_string
- simp::yum::repo::gpgkey_string: A function to return a proper set of SIMP YUM repositories for the default build. Of limited use outside of an ISO install.
- simp::yum::repo::gpgkeys::os_updates: Build a list of GPG keys needed by a os_updates repo
- simp::yum::repo::gpgkeys::simp: Build a list of GPG keys needed by a simp repo
- simp::yum::repo::sanitize_simp_release_slug: DEPRECATED Sanitize the release slug in the SIMP repo URLs The packagecloud repositories to which this release slug generated by this functi
- simp::yum::repo::simp_release_version: Returns the SIMP release version for use in SIMP internet yum repositories. When $simp_release_version is specified, this value is simply
Data types
- Simp::HostOrURL: Shortcut for either hosts or URLs
- Simp::PackageEnsure: Valid package resource 'ensure' settings
- Simp::Puppetdb::Ciphersuites: Valid SSL Cipher Suites for puppetdb
- Simp::Runlevel: Valid system runlevel settings
- Simp::Scenario: Valid SIMP scenarios. See the documentation for details on 'SIMP scenarios'
- Simp::Urls: URL shortcut for SIMP classes
- Simp::Version: Version of the form 'X', 'X.Y', 'X.Y.Z' or 'X.Y.Z-N'
Classes
simp
This class provides an entry point to configuring your systems to take full advantage of SIMP capabilities.
This is primarily done through the simp::scenario classes that provide specifically supported configurations of core SIMP systems and clients.
If you're planning to use SIMP capabilities, you should always include this class.
Parameters
The following parameters are available in the simp class:
scenario_map
scenario
enable_data_includes
classes
mail_server
rsync_stunnel
use_ssh_global_known_hosts
version_info
puppet_server_hosts_entry
enable_filebucketing
filebucket_name
filebucket_server
filebucket_path
use_sudoers_aliases
runlevel
restrict_max_logins
manage_ctrl_alt_del
manage_root_metadata
manage_root_perms
manage_rc_local
pam
sssd
ldap
stock_sssd
classification_warning
vardir_owner
vardir_group
vardir_mode
scenario_map
Data type: Hash
An internal use parameter for configuring pre-defined maps
scenario
Data type: String
The SIMP 'scenario' that you wish to apply to your system
- The class list for each scenario is defined by the scenario_map which is pulled from the module data.
- Please see the README for the list of scenarios
- Please see the module data for the exact class list that is included in each scenario
Default value: 'simp'
enable_data_includes
Data type: Boolean
Deprecated - Has no effect
- Will be removed in the next major release
Default value: true
classes
Data type: Array
A list of classes that you wish to include in your SIMP stack in addition to the scenario selected above.
- For a completely stock Puppet experience on your clients, select the poss (Puppet Open Source Software) scenario configuration. This also works on Puppet Enterprise
- This Array has been enabled with the knockout_prefix of --
- Any Array item in the lookup hierarchy that you prefix with -- will be removed from the Array
Example: The following list would include the apache class and exclude the ntpd class:
---
simp::classes:
  - 'apache'
  - '--ntpd'
Default value: []
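The knockout behaviour described above, as an added Python illustration (not code from the simp module or from Hiera): an array is gathered across hierarchy levels, and any item written as --name removes name from the result. The scenario_map contents, hierarchy levels and the assumption that the knockout also applies to scenario-provided classes are constructed for this example.

```python
"""Hiera knockout resolution for simp::classes (added illustration)."""

KNOCKOUT_PREFIX = '--'

# Constructed sample data: not the module's real scenario_map or a site's Hiera.
SAMPLE_SCENARIO_MAP = {
    'poss': ['pupmod'],
    'simp_lite': ['pupmod', 'simp::admin', 'ntpd'],
}
# simp::classes as found at each hierarchy level, most specific level first
# (the order in which Hiera consults the hierarchy).
SAMPLE_CLASSES_LEVELS = [
    ['apache', '--ntpd'],        # e.g. nodes/<fqdn>.yaml
    ['ntpd', 'simp::sudoers'],   # e.g. common.yaml
]


def flatten_lookup(levels):
    """Concatenate the array found at each hierarchy level, in lookup order."""
    return [item for level in levels for item in level]


def resolve_knockout(items, prefix=KNOCKOUT_PREFIX):
    """Apply knockout_prefix semantics to a merged array.

    Every item written as '--name' removes 'name' from the result wherever it
    came from, and the '--name' marker itself never reaches the result.
    Order is preserved and duplicates are dropped.
    """
    knocked_out = {item[len(prefix):] for item in items if item.startswith(prefix)}
    result = []
    for item in items:
        if item.startswith(prefix) or item in knocked_out or item in result:
            continue
        result.append(item)
    return result


def class_list(scenario, scenario_map, classes_levels):
    """Classes a node would get: the scenario's list plus simp::classes.

    Assumed composition for this illustration: the knockout is applied to the
    combined list, so '--ntpd' in simp::classes also removes an ntpd that the
    scenario supplies, which is what the README example above expects.
    """
    if scenario not in scenario_map:
        raise ValueError(f'unknown scenario: {scenario}')
    combined = list(scenario_map[scenario]) + flatten_lookup(classes_levels)
    return resolve_knockout(combined)


if __name__ == '__main__':
    print(class_list('simp_lite', SAMPLE_SCENARIO_MAP, SAMPLE_CLASSES_LEVELS))
```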
mail_server
Data type: Variant[Boolean,Enum['remote']]
Install a local mail service on the system
- If true will install only a locally usable MTA
- If remote will install a full mail server capable of processing remote connections
- If you use a remote server, you'll need to set the appropriate parameters for the postfix class
Default value: true
rsync_stunnel
Data type: Variant[Boolean,Simplib::Host]
The rsync server from which files should be retrieved
- May be set to false to disable the rsync stunnel connection
- If unset, will default to the Puppet server itself
Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => true })
use_ssh_global_known_hosts
Data type: Boolean
If true, use the ssh_global_known_hosts function to gather the various host SSH public keys and populate the /etc/ssh/known_hosts file.
Default value: false
version_info
Data type: Boolean
Add SIMP version information onto the client in /etc/simp
Default value: true
puppet_server_hosts_entry
Data type: Boolean
Add a host entry for the Puppet server to the catalog
- This has no effect if the $server_facts Hash is not populated
Default value: true
enable_filebucketing
Data type: Boolean
Enable the filebucket for all managed files
Default value: false
filebucket_name
Data type: String[1]
The name of the filebucket that should be used
Default value: 'simp'
filebucket_server
Data type: Optional[Simplib::Host]
Sets up a remote filebucket target if set
Default value: undef
filebucket_path
Data type: Stdlib::Absolutepath
The local system path to use as the filebucket
- Has no effect if $filebucket_server is set
Default value: "${facts['puppet_vardir']}/simp/filebucket"
use_sudoers_aliases
Data type: Boolean
If true, enable simp site sudoers aliases
Default value: true
runlevel
Data type: Simp::Runlevel
The default runlevel to which the system should be set
Default value: 3
restrict_max_logins
Data type: Boolean
Enable restrictions of the number of simultaneous logins a user may have
- Has no effect if $pam is false
Default value: true
manage_ctrl_alt_del
Data type: Boolean
Include the simp::ctrl_alt_del class, which, by default, disables the use of ctrl_alt_del and logs all instances of the event.
Default value: true
manage_root_metadata
Data type: Boolean
Include the simp::root_user class, which manages resources related to the root user
Default value: true
manage_root_perms
Data type: Boolean
Ensure that /root has restricted permissions and proper SELinux contexts
Default value: true
manage_rc_local
Data type: Boolean
Include the simp::rc_local class
- This disables rc.local by default but you may also use it to set custom content
Default value: true
pam
Data type: Boolean
Enable management of PAM resources via SIMP modules
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
sssd
Data type: Boolean
Enable management of SSSD resources via SIMP modules
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => true })
ldap
Data type: Boolean
Enable management of LDAP resources via SIMP modules
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
stock_sssd
Data type: Boolean
Add a default setup that will successfully connect to the SIMP LDAP server, if enabled, and will otherwise provide a functional SSSD stack for the system
- Has no effect if $sssd is false
Default value: true
classification_warning
Data type: Boolean
Create a warning notification if 'include simp' will not auto-classify a node.
Default value: true
vardir_owner
Data type: String[1]
Owner for the ${facts['puppet_vardir']}/simp directory. Defaults to 'root' if a platform doesn't specify.
vardir_group
Data type: String[1]
Group for the ${facts['puppet_vardir']}/simp directory. Defaults to 'root' if a platform doesn't specify.
vardir_mode
Data type: Stdlib::Filemode
Mode for the ${facts['puppet_vardir']}/simp directory. Defaults to '0750' if a platform doesn't specify.
simp::admin
Set up a host of common administrative functions including administrator group system access, auditor access, and default sudo rules
Examples
The following is generally needed for transitions to root. Additional rules should be added for non-root users.
simp::admin::admin_sudo_options:
  role: 'unconfined_r'
simp::admin::auditor_sudo_options:
  role: 'unconfined_r'
Parameters
The following parameters are available in the simp::admin
class:
admin_group
passwordless_admin_sudo
auditor_group
passwordless_auditor_sudo
admins_allowed_from
auditors_allowed_from
force_logged_shell
logged_shell
default_admin_sudo_cmnds
admin_sudo_options
auditor_sudo_options
admin_runas
auditor_runas
pam
set_polkit_admin_group
set_selinux_login
selinux_user_context
selinux_user_mls_range
admin_group
Data type: String
The group name of the Administrators for the system
- This group will be provided with the ability to sudo to root on the system
Default value: 'administrators'
passwordless_admin_sudo
Data type: Boolean
Allow administrators to use sudo without a password
- This is on by default due to the expected use of SSH keys without local passwords
Default value: true
auditor_group
Data type: String
The group name of the system auditors group
- This group is provided with the ability to perform selected safe commands as root on the system for auditing purposes
Default value: 'security'
passwordless_auditor_sudo
Data type: Boolean
Allow auditors to use sudo without a password
- This is on by default due to the expected use of SSH keys without local passwords
Default value: true
admins_allowed_from
Data type: Simplib::Netlist
The locations from which administrators are allowed to access the system
Default value: ['ALL']
auditors_allowed_from
Data type: Simplib::Netlist
The locations from which auditors are allowed to access the system
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
force_logged_shell
Data type: Boolean
Only allow sudo to a shell via a logging shell
Default value: true
logged_shell
Data type: Enum['sudosh','tlog']
The name of the logged shell to use
Default value: 'tlog'
default_admin_sudo_cmnds
Data type: Array[String[2]]
The set of commands that $admin_group should be able to run by default
Default value: ['/bin/su - root']
admin_sudo_options
Data type: Hash
A hash of sudo options to give to all admin sudo root transition and puppet commands
Default value: { 'role' => 'unconfined_r' }
auditor_sudo_options
Data type: Hash
A hash of sudo options to give to all specified auditor sudo commands
Default value: {}
admin_runas
Data type: String
What to set the runas user for all admin sudo root transition and puppet commands
Default value: 'root'
auditor_runas
Data type: String
What to set the runas user for all specified auditor sudo commands
Default value: 'root'
pam
Data type: Boolean
Allow SIMP management of the PAM stack
- Without this, it is quite likely that your system is not going to respond as expected with the rules in this class
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
set_polkit_admin_group
Data type: Boolean
If the system has PolicyKit support, will register $admin_group as a valid administrative group on the system
Default value: true
set_selinux_login
Data type: Boolean
Ensure that the SELinux login for $admin_group is set
- This is recommended if you set the __default__ seusers mapping to user_u
See seusers(5)
Default value: false
selinux_user_context
Data type: String[1]
The selinux user context to assign to $admin_group
- Has no effect if $set_selinux_login is not set
Default value: 'staff_u'
selinux_user_mls_range
Data type: String[1]
The selinux MLS range to assign to $admin_group
- Has no effect if $set_selinux_login is not set
Default value: 's0-s0:c0.c1023'
simp::base_apps
Services this class manages:
- irqbalance (enabled by default by vendor)
- netlabel (not installed by vendor)
Parameters
The following parameters are available in the simp::base_apps
class:
ensure
Data type: Simp::PackageEnsure
The $ensure status of all of the included packages
- Version pinning is not supported
- If you need version pinning, do not include this class
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
extra_apps
Data type: Optional[Array[String,1]]
A list of other applications that you wish to install
Default value: undef
manage_elinks_config
Data type: Optional[Boolean]
DEPRECATED: This functionality is not required for normal operation of the system and should be moved to external management.
Default value: undef
simp::base_services
Deprecated - This class will be removed in a future version of SIMP.
simp::ctrl_alt_del
Manage the state of pressing ctrl-alt-del
Parameters
The following parameters are available in the simp::ctrl_alt_del
class:
enable
Data type: Boolean
Allow ctrl-alt-del to restart the system
Default value: false
log
Data type: Boolean
Instead of just disabling the command, set the system up to write a log entry when the key combination is pressed
Default value: true
log_users
Data type: Boolean
Record all logged in users in the log message
Default value: true
facility
Data type: Simplib::Syslog::Facility
The syslog facility to use for the log message
Default value: 'local6'
severity
Data type: Simplib::Syslog::Severity
The syslog severity to use for the log message
Default value: 'warning'
simp::kmod_blacklist
This class provides a default set of blacklist entries per the SCAP Security Guide
Parameters
The following parameters are available in the simp::kmod_blacklist
class:
enable_defaults
blacklist
produce_error
custom_blacklist
allow_overrides
lock_modules
notify_if_reboot_required
enable_defaults
Data type: Boolean
Enable to use the default blacklist, otherwise just the $custom_blacklist will be used
Default value: true
blacklist
Data type: Array[String,1]
List of kernel modules to be blacklisted by default
Default value:
[
'bluetooth',
'cramfs',
'dccp',
'dccp_ipv4',
'dccp_ipv6',
'freevxfs',
'hfs',
'hfsplus',
'ieee1394',
'jffs2',
'net-pf-31',
'rds',
'sctp',
'squashfs',
'tipc',
'udf',
'usb-storage'
]
produce_error
Data type: Boolean
If set to true, any disabled modules will point to '/bin/false', which will produce an error when anyone attempts to load the module. Default is false, which will point to '/bin/true', which will not produce any error.
Default value: false
custom_blacklist
Data type: Array[String]
Additional kernel modules to be blacklisted
Default value: []
allow_overrides
Data type: Boolean
Allow kernel module rules to be added that come before the blacklist and disabling entries, so that optional override autoloading can work properly
- If this is not set, you will be unable to optionally override the disabling of the modules
Default value: true
lock_modules
Data type: Boolean
Disallow all further modification to modules without a reboot
- Requires that the kernel.modules_disabled sysctl option is available
Default value: false
notify_if_reboot_required
Data type: Boolean
Trigger a 'reboot_notify' resource that will warn at every puppet run that a reboot is required if necessary.
Default value: true
simp::kmod_blacklist::lock_modules
This class toggles the ability to load any further kernel modules into the system until the system has been rebooted.
This will only take effect if the system has the kernel.modules_disabled sysctl feature.
- WARNING: It is highly likely that you will prevent important modules from loading (such as networking) if you enable this. Test thoroughly before enabling.
Parameters
The following parameters are available in the simp::kmod_blacklist::lock_modules
class:
enable
Data type: Any
Lock all module loading abilities
Default value: true
notify_if_reboot_required
Data type: Any
If the change requires the system to be rebooted to take effect, a notification will be printed during puppet runs until the system has been rebooted.
Default value: true
persist
Data type: Any
Lock all modules at boot time.
Default value: false
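An added Python audit for the two classes above (not code from the simp module): it reports which blacklisted modules are still resident, which is why a reboot notification exists, whether kernel.modules_disabled has locked module loading, and renders the /bin/true versus /bin/false install override that produce_error selects. The /proc/modules sample and the modprobe.d layout are constructed assumptions.

```python
"""Audit a host against simp::kmod_blacklist settings (added illustration)."""

# The module's default blacklist as listed above.
DEFAULT_BLACKLIST = [
    'bluetooth', 'cramfs', 'dccp', 'dccp_ipv4', 'dccp_ipv6', 'freevxfs',
    'hfs', 'hfsplus', 'ieee1394', 'jffs2', 'net-pf-31', 'rds', 'sctp',
    'squashfs', 'tipc', 'udf', 'usb-storage',
]

# Constructed sample of /proc/modules (name, size, use count, users, state, address).
SAMPLE_PROC_MODULES = """\
usb_storage 77824 1 uas, Live 0xffffffffc0a00000
sctp 401408 0 - Live 0xffffffffc0900000
xfs 1585152 2 - Live 0xffffffffc0600000
"""


def normalize(name):
    """The kernel treats '-' and '_' in module names as the same character;
    /proc/modules always reports the underscore form."""
    return name.replace('-', '_')


def parse_proc_modules(text):
    """Return {module: use_count} from /proc/modules content."""
    loaded = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].isdigit():
            loaded[fields[0]] = int(fields[2])
    return loaded


def loaded_blacklisted(proc_modules_text, blacklist=DEFAULT_BLACKLIST, custom_blacklist=()):
    """Blacklisted modules that are currently resident.

    A modprobe.d blacklist only stops future loads; anything already loaded
    stays until it is unloaded or the host reboots, which is the condition
    notify_if_reboot_required warns about.
    """
    wanted = {normalize(m) for m in list(blacklist) + list(custom_blacklist)}
    loaded = parse_proc_modules(proc_modules_text)
    return sorted(m for m in loaded if m in wanted)


def modules_locked(sysctl_value):
    """True when kernel.modules_disabled is 1 (the lock_modules state).
    The sysctl is one-way: once set it cannot be cleared without a reboot."""
    return sysctl_value.strip() == '1'


def render_modprobe_conf(blacklist, produce_error=False):
    """Render modprobe.d lines matching the produce_error description above.

    Layout is an assumption for illustration, not the module's own template:
    an install override to /bin/true makes a load attempt succeed silently,
    /bin/false makes it fail with an error.
    """
    target = '/bin/false' if produce_error else '/bin/true'
    lines = []
    for module in blacklist:
        lines.append(f'blacklist {module}')
        lines.append(f'install {module} {target}')
    return '\n'.join(lines) + '\n'


def audit(proc_modules_text, sysctl_value, custom_blacklist=()):
    """Summarise what a defender wants to know after applying the class."""
    resident = loaded_blacklisted(proc_modules_text, custom_blacklist=custom_blacklist)
    return {
        'resident_blacklisted': resident,
        'reboot_required': bool(resident),
        'modules_locked': modules_locked(sysctl_value),
    }


if __name__ == '__main__':
    # On a real host read /proc/modules and /proc/sys/kernel/modules_disabled instead.
    print(audit(SAMPLE_PROC_MODULES, '0'))
```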
simp::mountpoints
Add security settings to several mounts on the system.
Parameters
The following parameters are available in the simp::mountpoints
class:
manage_tmp_perms
Data type: Boolean
Ensure that /tmp, /var/tmp, and /usr/tmp all have the proper permissions and SELinux contexts.
Default value: true
manage_proc
Data type: Boolean
Manage the /proc mount on the system
Default value: true
manage_sys
Data type: Boolean
Manage the /sys mount on the system
Default value: true
sys_options
Data type: Array[String]
The mountpoint options for /sys
Default value: ['rw','nodev','noexec']
manage_dev_pts
Data type: Boolean
Manage the /dev/pts mount on the system
Default value: true
simp::mountpoints::proc
Mount /proc
Parameters
The following parameters are available in the simp::mountpoints::proc
class:
proc_hidepid
Data type: Integer[0,2]
- 0: This is the system default setting and provides no access restrictions on /proc
- 1: With this option a normal user would not see other processes but their own in ps, top, etc., but they are still able to see process IDs in /proc
- 2 (default): Users are only able to see their own processes (like with hidepid=1), and process IDs are also hidden in /proc
Default value: 2
manage_proc_group
Data type: Boolean
Enable management of the group that allows access to /proc
- This was added, and enabled by default, to fix an issue with updates to polkit per the vendor recommended guidance
Default value: true
proc_group
Data type: String[1]
The group name to be associated with $proc_gid
Default value: pick($facts.dig('simplib__mountpoints', '/proc', 'options_hash', '_gid__group'), 'simp_proc_read')
proc_gid
Data type: Integer[0]
This group will be able to see all processes on the system regardless of the $proc_hidepid setting
- If this is set to 0 then the gid option will be removed from the option string
Default value: pick($facts.dig('simplib__mountpoints', '/proc', 'options_hash', 'gid'), 231)
simp::mountpoints::tmp
Manages the various tmp mounts with optional security features.
- See also
- mount(8)
Parameters
The following parameters are available in the simp::mountpoints::tmp
class:
secure
Data type: Boolean
- Set noexec,nosuid,nodev on temp directories as appropriate and bind mount /var/tmp to /tmp
- If /tmp is not a separate partition, then it will be bind mounted to itself with the modified settings
- NOTE: If you have previously secured these directories, setting this to false will not set them to any particular other mode. This is because there is no way to know why you are changing these settings or what, exactly, you want them to be.
Default value: true
tmp_opts
Data type: Array[String]
If $secure is true, add these mount options to the /tmp directory
- If set to an empty Array, it will simply preserve the options that are currently in place
- Any no* options will override their more permissive counterparts that are currently set on the system
Default value: ['noexec','nodev','nosuid']
var_tmp_opts
Data type: Array[String]
Works the same way as $tmp_opts
Default value: ['noexec','nodev','nosuid']
dev_shm_opts
Data type: Array[String]
Works the same way as $tmp_opts
Default value: ['noexec','nodev','nosuid']
tmp_service
Data type: Boolean
If on systemd system, enable and activate the tmp.mount service
- Note: If you set this to true on a system that does not already have the tmp.mount service running, you may find that the service cannot start due to processes locking files in the existing /tmp directory. If this occurs, you can run lsof /tmp to determine what is locking. You will probably need to reboot your system to start with a properly clean /tmp mount.
Default value: (fact('tmp_mount_fstype_tmp') == 'tmpfs') ? { true => true, default => false }
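The option-string handling behind simp::mountpoints::proc and simp::mountpoints::tmp, as an added Python illustration (not the module's own code): proc_options builds the /proc options from proc_hidepid and proc_gid (gid 0 drops the gid= option), and merge_tmp_options applies tmp_opts so that each no* option replaces its permissive counterpart and an empty list preserves the current options. The current option strings are constructed samples and the exact strings the module writes are an assumption.

```python
"""Mount option handling for /proc and tmp mounts (added illustration)."""

# What mount(8) expands the 'defaults' keyword to.
MOUNT_DEFAULTS = ['rw', 'suid', 'dev', 'exec', 'auto', 'nouser', 'async']

# Constructed sample of the current /proc option string, as the
# simplib__mountpoints fact referenced above would report it.
SAMPLE_PROC_OPTIONS = 'rw,nosuid,nodev,noexec,relatime'


def parse_options(option_string):
    """'rw,hidepid=2,gid=231' -> {'rw': True, 'hidepid': '2', 'gid': '231'}"""
    opts = {}
    for part in option_string.split(','):
        if not part:
            continue
        key, sep, value = part.partition('=')
        opts[key] = value if sep else True
    return opts


def join_options(opts):
    """Inverse of parse_options, preserving insertion order."""
    return ','.join(k if v is True else f'{k}={v}' for k, v in opts.items())


def proc_options(hidepid, gid, current=SAMPLE_PROC_OPTIONS):
    """Option string for /proc from proc_hidepid and proc_gid.

    hidepid takes 0, 1 or 2 as described above; a gid of 0 removes the gid=
    option entirely, otherwise gid= names the group exempt from hidepid.
    """
    if hidepid not in (0, 1, 2):
        raise ValueError(f'hidepid must be 0, 1 or 2, got {hidepid!r}')
    if gid < 0:
        raise ValueError('gid must be a non-negative integer')
    opts = parse_options(current)
    opts.pop('hidepid', None)
    opts.pop('gid', None)
    opts['hidepid'] = str(hidepid)
    if gid != 0:
        opts['gid'] = str(gid)
    return join_options(opts)


def merge_tmp_options(current, requested):
    """Merge tmp_opts into a mount's current options.

    An empty request preserves what is in place; every no* option in the
    request removes its permissive counterpart (noexec drops exec, and so on)
    before being added, and other requested options are added if missing.
    """
    if not requested:
        return list(current)
    merged = []
    for opt in current:
        merged.extend(MOUNT_DEFAULTS if opt == 'defaults' else [opt])
    for opt in requested:
        if opt.startswith('no'):
            permissive = opt[2:]
            merged = [o for o in merged if o != permissive]
        if opt not in merged:
            merged.append(opt)
    return merged


if __name__ == '__main__':
    print(proc_options(2, 231))
    print(merge_tmp_options(['defaults'], ['noexec', 'nodev', 'nosuid']))
```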
simp::netconsole
Configure /etc/sysconfig/netconsole and the netconsole service
Parameters
The following parameters are available in the simp::netconsole
class:
ensure
Data type: Enum['present','absent']
Ensure 'present' or 'absent' on the kernel parameter
target_ip
Data type: Optional[Simplib::IP]
UDP syslog receiver IP address
Default value: undef
target_macaddr
Data type: Optional[Simplib::MacAddress]
UDP syslog receiver MAC address
Default value: undef
target_port
Data type: Optional[Simplib::Port]
UDP syslog receiver port
Default value: undef
source_port
Data type: Optional[Simplib::Port]
Port to send logs from
Default value: undef
source_device
Data type: Optional[String]
Network interface to broadcast logs from
Default value: undef
package_ensure
Data type: String[1]
The ensure parameter for the netconsole package when applicable
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp::nsswitch
A SIMP profile for using the nsswitch module to manage /etc/nsswitch
- Note: This class uses the trinklin/nsswitch module.
Parameters
The following parameters are available in the simp::nsswitch
class:
ldap
Data type: Boolean
SIMP global catalyst to enable LDAP
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
sssd
Data type: Boolean
SIMP global catalyst to enable sssd
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })
defaults
Data type: Hash
sssd_options
Data type: Hash
ldap_options
Data type: Hash
overrides
Data type: Hash
Default value: {}
simp::one_shot
Configure the system to disconnect from the Puppet server once it has successfully run.
This should not be used as part of the standard SIMP runpuppet configuration.
Parameters
The following parameters are available in the simp::one_shot
class:
enable_user
user_name
user_password
user_uid
user_gid
user_home
user_ssh_authorized_key
user_ssh_authorized_key_type
user_sudo_users
user_sudo_commands
user_passwordless_sudo
user_allowed_from
finalize_dry_run
finalize_remove_pki
finalize_remove_puppet
finalize_remove_script
finalize_debug
enable_user
Data type: Boolean
Add a one_shot user account that will be able to login to the system
Default value: true
user_name
Data type: String
The username to use for remote access
Default value: 'simp_one_shot'
user_password
Data type: Optional[String[8]]
The password for the user in passwd-compatible salted hash form
- NOTE: Either user_password or user_ssh_public_key must be specified
Default value: undef
user_uid
Data type: Integer
The UID of the user
Default value: 1777
user_gid
Data type: Integer
The GID of the user
Default value: $user_uid
user_home
Data type: Pattern['^/']
The full path to the user's home directory
Default value: "/var/local/${user_name}"
user_ssh_authorized_key
Data type: Optional[String[1]]
The SSH authorized key for the user
- See the native ssh_authorized_key resource definition for details
Default value: undef
user_ssh_authorized_key_type
Data type: String[1]
The type of the SSH authorized key for the user
- See the native ssh_authorized_key resource definition for details
Default value: 'ssh-rsa'
user_sudo_users
Data type: String
The users that the username user may escalate to
Default value: 'root'
user_sudo_commands
Data type: Array[String[1]]
The commands that the username user is allowed to execute via sudo as one of the allowed users
Default value: ['ALL']
user_passwordless_sudo
Data type: Boolean
Allow the user to use passwordless sudo
- If not set, the user_password must be specified
Default value: false
user_allowed_from
Data type: Array[String[1]]
The pam_access compatible locations that the user will be logging in from
- Set to ['ALL'] to allow from any location
Default value: ['ALL']
finalize_dry_run
Data type: Boolean
Run the finalization script in 'dry run' mode and only print what would have been done
Default value: false
finalize_remove_pki
Data type: Boolean
Remove the SIMP installed host PKI certificates
Default value: false
finalize_remove_puppet
Data type: Boolean
Remove the puppet packages from the system during finalization
Default value: true
finalize_remove_script
Data type: Boolean
Remove the finalization script itself from the system
Default value: true
finalize_debug
Data type: Boolean
Enable syslog output debugging on the one_shot finalization script
Default value: false
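The credential rules the simp::one_shot parameters above state, as an added Python check (not part of the simp module): a password or an SSH authorized key must be given, the password must be a passwd-compatible salted hash rather than plaintext, and user_passwordless_sudo set to false requires a password. The crypt(3) prefix list and the sample hash value are constructed for this example.

```python
"""Parameter checks for simp::one_shot credentials (added illustration)."""
import re

# Recognised crypt(3) hash prefixes: $1$ md5, $5$ sha256, $6$ sha512,
# $y$/$7$ yescrypt, $2a$/$2b$/$2y$ bcrypt. Each needs at least one more
# '$'-separated field (salt, optional rounds, hash) after the prefix.
CRYPT_HASH = re.compile(r'^\$(1|5|6|y|7|2[aby])\$[^$]+(\$[^$]+)+$')

# Constructed sample sha512-crypt value (not a real credential).
SAMPLE_HASH = '$6$rounds=5000$constructedsalt$' + 'A' * 86


def is_salted_hash(value):
    """True when value looks like a passwd-compatible salted hash."""
    return bool(CRYPT_HASH.match(value))


def validate_one_shot(user_password=None, user_ssh_authorized_key=None,
                      user_passwordless_sudo=False):
    """Return the list of problems with the credential parameters; empty is OK.

    Encodes the rules stated above: a password or an authorized key must be
    given, a password is a passwd-compatible salted hash of at least 8
    characters (String[8]), and user_passwordless_sudo=false needs a password.
    """
    problems = []
    if not user_password and not user_ssh_authorized_key:
        problems.append('either user_password or user_ssh_authorized_key must be specified')
    if user_password is not None:
        if len(user_password) < 8:
            problems.append('user_password must be at least 8 characters')
        if not is_salted_hash(user_password):
            problems.append('user_password must be a passwd-compatible salted hash, not plaintext')
    if not user_passwordless_sudo and not user_password:
        problems.append('user_passwordless_sudo is false, so user_password must be specified')
    return problems


if __name__ == '__main__':
    print(validate_one_shot(user_ssh_authorized_key='AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey'))
```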
simp::one_shot::finalize
NOTE: THIS IS A PRIVATE CLASS
A 'last effort' script to clean up all of the SIMP material on the system that may cause issues
Parameters
The following parameters are available in the simp::one_shot::finalize
class:
dry_run
Data type: Boolean
Run the finalization script in 'dry_run' mode and output all commands
Default value: $simp::one_shot::finalize_dry_run
remove_pki
Data type: Boolean
Remove the SIMP installed host PKI certificates
Default value: $simp::one_shot::finalize_remove_pki
remove_puppet
Data type: Boolean
Remove the 'puppet' package from the system
Default value: $simp::one_shot::finalize_remove_puppet
remove_script
Data type: Boolean
Remove the finalization script itself from the system
Default value: $simp::one_shot::finalize_remove_script
enable_debug
Data type: Boolean
Default value: $simp::one_shot::finalize_debug
simp::one_shot::user
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the simp::one_shot::user class:
enable
username
password
home
uid
gid
ssh_authorized_key
ssh_authorized_key_type
sudo_users
passwordless_sudo
sudo_commands
allowed_from
enable
Data type: Boolean
Enable the one_shot capabilities
Default value: $simp::one_shot::enable_user
username
Data type: String
The username to use for remote access
Default value: $simp::one_shot::user_name
password
Data type: Optional[String]
The password for the user in passwd-compatible salted hash form
Default value: $simp::one_shot::user_password
home
Data type: Pattern['^/']
The full path to the user's home directory
Default value: $simp::one_shot::user_home
uid
Data type: Integer
The UID of the user
Default value: $simp::one_shot::user_uid
gid
Data type: Integer
The GID of the user
Default value: $simp::one_shot::user_gid
ssh_authorized_key
Data type: Optional[String[1]]
The SSH public key for the user
- See the native ssh_authorized_key resource definition for details
Default value: $simp::one_shot::user_ssh_authorized_key
ssh_authorized_key_type
Data type: String[1]
The SSH public key type
- See the native ssh_authorized_key resource definition for details
Default value: $simp::one_shot::user_ssh_authorized_key_type
sudo_users
Data type: String
The users that the username user may escalate to
Default value: $simp::one_shot::user_sudo_users
passwordless_sudo
Data type: Boolean
Enable passwordless sudo for the user
Default value: $simp::one_shot::user_passwordless_sudo
sudo_commands
Data type: Array[String]
The commands that the username user is allowed to execute via sudo as one of the allowed users
Default value: $simp::one_shot::user_sudo_commands
allowed_from
Data type: Array[String]
The pam_access compatible locations that the user will be logging in from
- Set to ['ALL'] to allow from any location
Default value: $simp::one_shot::user_allowed_from
simp::pam_limits::max_logins
Restrict the max logins on a system via PAM
Parameters
The following parameters are available in the simp::pam_limits::max_logins class:
value
Data type: Pam::Limits::Value
The maximum number of logins that a user may have simultaneously
- The default meets CCE-27457-1
Default value: 10
simp::prelink
Manage prelinking
Parameters
The following parameters are available in the simp::prelink class:
enable
Data type: Boolean
Whether to enable prelinking. Prelinking can only be enabled if the server is NOT in FIPS mode.
- When $enable is true and $facts['fips_enabled'] is false, ensures the prelink package is installed and prelinking has been enabled.
- When $enable is false or $facts['fips_enabled'] is true, ensures the prelink package is not installed, undoing any existing prelinking, if needed. This satisfies the SCAP Security Guide's OVAL check xccdf_org.ssgproject.content_rule_disable_prelink.
Default value: false
ensure
Data type: String
The $ensure status of the prelink package, when $enable is true and $facts['fips_enabled'] is false.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp::puppetdb
compatibility.
NOTE: Hiera variables must be set appropriately under the puppetdb namespace
All other parameters are taken directly from puppetdb::server
Parameters
The following parameters are available in the simp::puppetdb class:
trusted_nets
listen_address
listen_port
open_listen_port
ssl_deploy_certs
ssl_set_cert_paths
ssl_listen_address
ssl_listen_port
cipher_suites
use_puppet_ssl_certs
disable_ssl
manage_package_repo
database_password
read_database_username
read_database_password
read_database_name
read_database_ssl
read_database_jdbc_ssl_properties
manage_firewall
manage_puppetserver
java_max_memory
java_start_memory
java_tmpdir
java_heapdump_on_oom
java_prefer_ipv4
java_use_code_cache_flushing
automatic_dlo_cleanup
dlo_max_age
disable_update_checking
firewall
trusted_nets
Data type: Simplib::Netlist
This is used to allow specific hosts access to PuppetDB
- This should be restricted to only those hosts that need to talk to PuppetDB, primarily Puppet Masters.
- Unfortunately, this cannot be set via exported resources since PuppetDB needs to be running prior to exported resources functioning properly. Once PuppetDB is up, then you can switch this to exported resources mode using the use_exported_resources variable.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
listen_address
Data type: Simplib::IP
Default value: '127.0.0.1'
listen_port
Data type: Simplib::Port
Default value: 8138
open_listen_port
Data type: Boolean
Default value: false
ssl_deploy_certs
Data type: Boolean
Default value: true
ssl_set_cert_paths
Data type: Boolean
Default value: true
ssl_listen_address
Data type: Simplib::IP
Default value: '0.0.0.0'
ssl_listen_port
Data type: Simplib::Port
Default value: 8139
cipher_suites
Data type: Array[Simp::Puppetdb::Ciphersuites]
Cipher suites supported by PuppetDB's HTTP interface (jetty). Used to set puppetdb::cipher_suites.
use_puppet_ssl_certs
Data type: Boolean
Default value: true
disable_ssl
Data type: Boolean
Default value: false
manage_package_repo
Data type: Boolean
Default value: false
database_password
Data type: String
Default value: simplib::passgen('simp_puppetdb')
read_database_username
Data type: String
Default value: 'simp_puppetdb'
read_database_password
Data type: String
Default value: simplib::passgen('simp_read_puppetdb')
read_database_name
Data type: String
Default value: 'simp_puppetdb'
read_database_ssl
Data type: Optional[Boolean]
This parameter has been deprecated, because its corresponding puppetdb::server parameter has been replaced with puppetdb::server::read_database_jdbc_ssl_properties.
Use $read_database_jdbc_ssl_properties = '?ssl=true' instead.
Default value: undef
read_database_jdbc_ssl_properties
Data type: String
Default value: '?ssl=true'
manage_firewall
Data type: Boolean
Default value: true
manage_puppetserver
Data type: Boolean
Default value: true
java_max_memory
Data type: String
Default value: '40%'
java_start_memory
Data type: Optional[String]
Default value: undef
java_tmpdir
Data type: Stdlib::Absolutepath
Default value: '/opt/puppetlabs/puppet/cache/pdb_tmp'
java_heapdump_on_oom
Data type: Boolean
Default value: false
java_prefer_ipv4
Data type: Boolean
Default value: true
java_use_code_cache_flushing
Data type: Boolean
Default value: true
automatic_dlo_cleanup
Data type: Boolean
Default value: true
dlo_max_age
Data type: Integer
Default value: 90
disable_update_checking
Data type: Boolean
Default value: true
firewall
Data type: Boolean
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
simp::rc_local
By default, this class will disable the file altogether
Parameters
The following parameters are available in the simp::rc_local class:
content
Data type: String
Set to disable to disable the file completely
- Any other value will be written to the file after an optional management banner
Default value: 'disable'
shell
Data type: Stdlib::Absolutepath
The shell to use to execute the rc.local file
Default value: '/bin/bash'
management_comment
Data type: Boolean
Adds a 'managed by Puppet' comment to the top of the file
Default value: true
simp::root_user
Manage resources related to the root user
Parameters
The following parameters are available in the simp::root_user class:
manage_perms
Data type: Boolean
Ensure that $home has restricted permissions and proper SELinux contexts.
Default value: true
manage_user
Data type: Boolean
Ensure the root user has appropriate UIDs and groups, etc.
Default value: true
manage_group
Data type: Boolean
Ensure the root group has appropriate UIDs, etc.
Default value: true
hashed_password
Data type: Optional[Simplib::ShadowPass]
Validate the correctness of the password hash and then pass it through to the User resource for root
Default value: undef
password
Data type: Optional[String[1]]
Pass this through untouched to the User resource for root
- Please use $hashed_password if possible
Default value: undef
username
Data type: String[1]
The username of the root user
Default value: 'root'
uid
Data type: Integer[0]
The UID of the root user
Default value: 0
gid
Data type: Integer[0]
The GID of the root user
Default value: 0
shell
Data type: Stdlib::Absolutepath
The shell to use for the root user
Default value: '/bin/bash'
home
Data type: Stdlib::Absolutepath
The home directory of the root user
Default value: "/${username}"
simp::scenario::base
NOTE: THIS IS A PRIVATE CLASS
be. It is expected that users may deviate from this configuration over time, but this should be an effective starting place.
Parameters
The following parameters are available in the simp::scenario::base class:
mail_server
rsync_stunnel
use_ssh_global_known_hosts
puppet_server_hosts_entry
use_sudoers_aliases
runlevel
restrict_max_logins
manage_ctrl_alt_del
manage_root_metadata
manage_root_perms
manage_rc_local
pam
sssd
ldap
stock_sssd
mail_server
Data type: Variant[Boolean,Enum['remote']]
Install a local mail service on the system
- If true, will install only a locally usable MTA
- If remote, will install a full mail server capable of processing remote connections
- If you use a remote server, you'll need to set the appropriate parameters for the postfix class
Default value: $::simp::mail_server
rsync_stunnel
Data type: Variant[Boolean,Simplib::Host]
The rsync server from which files should be retrieved
- May be set to false to disable the rsync stunnel connection
- If unset, will default to the Puppet server itself
Default value: $::simp::rsync_stunnel
use_ssh_global_known_hosts
Data type: Boolean
If true, use the ssh_global_known_hosts function to gather the various host SSH public keys and populate the /etc/ssh/known_hosts file.
Default value: $::simp::use_ssh_global_known_hosts
puppet_server_hosts_entry
Data type: Boolean
Add a host entry for the Puppet server to the catalog
- This has no effect if the $server_facts Hash is not populated
Default value: $::simp::puppet_server_hosts_entry
use_sudoers_aliases
Data type: Boolean
If true, enable simp site sudoers aliases
Default value: $::simp::use_sudoers_aliases
runlevel
Data type: Simp::Runlevel
The default runlevel to which the system should be set
Default value: $::simp::runlevel
restrict_max_logins
Data type: Boolean
Enable restrictions of the number of simultaneous logins a user may have
- Has no effect if $pam is false
Default value: $::simp::restrict_max_logins
manage_ctrl_alt_del
Data type: Boolean
Include the simp::ctrl_alt_del class, which, by default, disables the use of ctrl_alt_del and logs all instances of the event.
Default value: $::simp::manage_ctrl_alt_del
manage_root_metadata
Data type: Boolean
Include the simp::root_user class, which manages resources related to the root user
Default value: $::simp::manage_root_metadata
manage_root_perms
Data type: Boolean
Ensure that /root has restricted permissions and proper SELinux contexts
Default value: $::simp::manage_root_perms
manage_rc_local
Data type: Boolean
Include the simp::rc_local class
- This disables rc.local by default but you may also use it to set custom content
Default value: $::simp::manage_rc_local
pam
Data type: Boolean
Enable management of PAM resources via SIMP modules
Default value: $::simp::pam
sssd
Data type: Boolean
Enable management of SSSD resources via SIMP modules
Default value: $::simp::sssd
ldap
Data type: Boolean
Enable management of LDAP resources via SIMP modules
Default value: $::simp::ldap
stock_sssd
Data type: Boolean
Add a default setup that will successfully connect to the SIMP LDAP server, if enabled, and will otherwise provide a functional SSSD stack for the system
- Has no effect if $sssd is false
Default value: $::simp::stock_sssd
simp::scenario::poss
NOTE: THIS IS A PRIVATE CLASS
This provides a minimal system that connects to a SIMP Puppet server.
This class does not provide security for a system but is designed simply to allow you to connect to the Puppet server and run puppet as a client.
This class requires no additional configuration to function.
Parameters
The following parameters are available in the simp::scenario::poss class:
puppet_server_hosts_entry
Data type: Boolean
Add a host entry for the Puppet server to the catalog
- This has no effect if the $server_facts Hash is not populated
Default value: $::simp::puppet_server_hosts_entry
simp::server
configuration data appropriately to your clients.
Parameters
The following parameters are available in the simp::server class:
allow_simp_user
Data type: Boolean
Ensure that the simp user can login to the system
Default value: false
pam
Data type: Boolean
Enable SIMP management of the PAM stack
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
clamav
Data type: Boolean
Deprecated. Enable SIMP management of Antivirus
This parameter and the simp_options::clamav catalyst are deprecated and both will be removed in a future SIMP release. Once removed, if you want to manage ClamAV, you will have to manually include the clamav class from the simp-clamav module in the server's class list.
Default value: simplib::lookup('simp_options::clamav', { 'default_value' => false })
auditd
Data type: Boolean
Enable SIMP management of auditing
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })
scenario
Data type: String
The SIMP scenario to apply to the server
- It is not advised to change this from simp
Default value: simplib::lookup('simp::scenario', { 'default_value' => 'simp' })
classes
Data type: Array[String]
Additional classes to include on the server in addition to those included
in the scenario
Default value: []
scenario_map
Data type: Hash[String, Array]
An internal parameter used for determining the correct classes to apply
for the scenario
simp::server::kickstart
server for your client hosts.
- NOTE: You need both a DHCP and a TFTP server for unattended Kickstart to work, but you can use your own if you already have them.
Parameters
The following parameters are available in the simp::server::kickstart class:
data_dir
trusted_nets
manage_dhcp
manage_tftpboot
manage_runpuppet
manage_simp_client_bootstrap
sslverifyclient
data_dir
Data type: Stdlib::Absolutepath
The location of the web root in which the kickstart directory, 'ks', will reside.
Default value: '/var/www'
trusted_nets
Data type: Simplib::Netlist
The networks to allow into the Kickstart server.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })
manage_dhcp
Data type: Boolean
If true, have this node act as a DHCP server.
Default value: true
manage_tftpboot
Data type: Boolean
If true, have this node act as a TFTP server.
Default value: true
manage_runpuppet
Data type: Boolean
Deprecated: The runpuppet script has been replaced by the simp_client_bootstrap script. The runpuppet script did not work well on CentOS 7 and will not work on CentOS 8. Remember to update your kickstart scripts to call the correct script. See the bootstrap scripts in simp-core under build/distributions for examples. This parameter will be removed in later versions.
Default value: false
manage_simp_client_bootstrap
Data type: Boolean
If true, generate the simp_client_bootstrap sysv init script and simp_client_bootstrap.service systemd service unit file in $data_dir/ks.
Default value: true
sslverifyclient
Data type: Enum['require','none']
Verify the certificate of the kickstart client. One of optional, require, none, optional_no_ca.
Default value: 'none'
simp::server::kickstart::simp_client_bootstrap
that can be run to bootstrap SIMP clients via Puppet, in a fashion similar to simp bootstrap, the bootstrap script for the SIMP server.
The three scripts managed by this class are as follows:
- bootstrap_simp_client: a Ruby script that configures system services primarily using Puppet and logs the results of all configuration actions to file
- $service_root_name: sysv init script that calls bootstrap_simp_client to bootstrap the server and then reboots the client to complete the bootstrap operation
- <$service_root_name>.service: systemd service unit file that uses bootstrap_simp_client to bootstrap the server and then reboots the client to complete the bootstrap operation
Parameters
The following parameters are available in the simp::server::kickstart::simp_client_bootstrap class:
data_dir
directory
service_root_name
ntp_servers
set_static_hostname
puppet_server
puppet_ca
puppet_ca_port
puppet_digest_algorithm
puppet_keylength
puppet_print_stats
puppet_wait_for_cert
num_puppet_runs
initial_retry_interval
retry_factor
max_seconds
reboot_on_failure
fips
data_dir
Data type: Stdlib::Absolutepath
The location of the web root in which the kickstart directory will reside. Only used to compute the default for directory.
Default value: simplib::lookup('simp::server::kickstart::data_dir', { 'default_value' => '/var/www'})
directory
Data type: Stdlib::Absolutepath
The directory containing the three managed scripts. By default this is a subdirectory within data_dir.
Default value: "${data_dir}/ks"
service_root_name
Data type: String
The root name of the sysv/systemd service scripts.
Default value: 'simp_client_bootstrap'
ntp_servers
Data type: Variant[Array, Hash]
An array of ntp servers or hash of server/value pairs that should be used during client kickstarts to slew the local time correctly prior to PKI key distribution.
NOTE: Failure to set the system clock will not cause the simp_client_bootstrap scripts to fail to execute.
Default value: simplib::lookup('simp_options::ntpd::servers', { 'default_value' => [] })
set_static_hostname
Data type: Boolean
Whether to persist the hostname retrieved by DHCP as a static hostname. This prevents problems that can arise when the DHCP lease expires in the middle of bootstrap puppet runs. Is not applicable for RedHat/CentOS 6.
Default value: true
puppet_server
Data type: Optional[Simplib::Host]
The FQDN of your Puppet server
- If not set, will use $server_facts['servername'], or the puppet server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::server', { 'default_value' => undef })
puppet_ca
Data type: Optional[Simplib::Host]
The FQDN of your Puppet CA
- If not set, will use $server_facts['servername'], or the puppet server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::ca', { 'default_value' => undef })
puppet_ca_port
Data type: Simplib::Port
The port upon which the Puppet CA is listening.
Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })
puppet_digest_algorithm
Data type: String
The digest algorithm Puppet uses for file resources and the filebucket (e.g. sha256, sha384, sha512).
Default value: 'sha256'
puppet_keylength
Data type: Optional[Integer[2048]]
Puppet certificate keylength. When unset, the value is determined based on $fips, to work around Puppet bugs in FIPS mode. (See $fips.)
Default value: undef
puppet_print_stats
Data type: Boolean
If true, print statistics for each client puppet run during bootstrap.
Default value: true
puppet_wait_for_cert
Data type: Variant[Integer[0],Boolean]
If set to an integer, the bootstrap_simp_client script will wait for this many seconds between checking into the puppet master for a signed certificate. This will go on until a signed certificate is presented.
If set to false or 0, the client will immediately timeout if a signed certificate is not presented.
Default value: 10
num_puppet_runs
Data type: Integer[1]
Number of puppet agent runs (after the initial tagged run) to execute, in order to converge to a stable system configuration.
Default value: 2
initial_retry_interval
Data type: Integer[1]
Initial retry interval in seconds for reattempting a failed puppet agent run.
Default value: 10
retry_factor
Data type: Float[0.1]
The factor to be applied to the retry interval for a puppet run.
The retry interval is multiplied by this factor for each retry.
For example, if $initial_retry_interval is 10 and the retry factor is 1.5, the first retry would occur 10 seconds after the initial attempt, the second retry would occur 10*1.5 seconds after that, the third retry would occur 10*1.5*1.5 seconds after that, etc.
Default value: 1.5
max_seconds
Data type: Integer[1]
Maximum number of seconds this bootstrap script is allowed to run. Script will abort if it does not complete within this allotted time.
Default value: 1800
reboot_on_failure
Data type: Boolean
Whether to reboot the server if the SIMP client bootstrap service fails to bootstrap the client. This allows the client to attempt to fix its bootstrap problem without manual intervention. However, for sites containing a large number of clients, the repeated cycle of <multiple puppet agent attempts + reboot> may overtax the Puppet server. In this case, disabling this feature may be most appropriate.
Default value: true
fips
Data type: Boolean
If true, set puppet keylength to 2048, else 4096. This non-compliant setting is to work around problems with older versions of Ruby. It will be fixed, when Puppet fully supports FIPS mode.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
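The back-off described under initial_retry_interval, retry_factor and max_seconds, worked through as an added example. This is a constructed model written for this page, not the module's bootstrap_simp_client script; it assumes every attempt fails instantly, so it shows the worst case for how many retries fit before the max_seconds abort.

```ruby
# Constructed model of the simp_client_bootstrap retry schedule (not the
# module's own code). Wait before retry n is
#   initial_retry_interval * retry_factor ** (n - 1)
# and the script aborts once max_seconds has elapsed.

# Seconds to wait before the n-th retry (n starts at 1). With the documented
# defaults this yields 10, 15, 22.5, ... as the page describes.
def retry_interval(n, initial_retry_interval: 10, retry_factor: 1.5)
  initial_retry_interval * (retry_factor**(n - 1))
end

# Elapsed-time offsets (seconds since the initial attempt) at which retries
# fire, assuming each attempt fails immediately. A retry whose offset would
# pass max_seconds never runs because the script aborts first.
def retry_schedule(initial_retry_interval: 10, retry_factor: 1.5, max_seconds: 1800)
  offsets = []
  elapsed = 0.0
  n = 1
  loop do
    elapsed += retry_interval(n, initial_retry_interval: initial_retry_interval,
                                 retry_factor: retry_factor)
    break if elapsed > max_seconds

    offsets << elapsed
    n += 1
  end
  offsets
end

# Convenience for capacity planning: how many failed retries a client can burn
# through (and therefore how many catalog requests it can send the Puppet
# server) before it gives up.
def max_retries(**opts)
  retry_schedule(**opts).length
end

if __FILE__ == $PROGRAM_NAME
  retry_schedule.each_with_index do |offset, i|
    puts format('retry %2d at %8.3f s', i + 1, offset)
  end
  puts "retries before abort (defaults): #{max_retries}"
  puts "retries before abort (retry_factor 1.0): #{max_retries(retry_factor: 1.0)}"
end
```

With the documented defaults eleven retries fit inside the 1800 second budget; dropping retry_factor to 1.0 lets a single client make 180 attempts, which is the load reboot_on_failure warns about on large sites.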
simp::server::ldap
If you are setting up a consumer LDAP server, remember that the three digit RID must be unique for each consumer server that you attach to the same master.
Parameters
The following parameters are available in the simp::server::ldap class:
is_slave
Data type: Boolean
Deprecated in favor of vendor-aligned update: is_consumer
Default value: false
is_consumer
Data type: Boolean
If true, set this node up as an LDAP consumer. The Hiera parameter ldap::master will be used as the master server.
If you want to use values other than the defaults provided with simp_openldap::server::syncrepl, leave this as 'false', include this class and call simp_openldap::server::syncrepl with your values as appropriate.
Default value: $is_slave
rid
Data type: Integer[0]
The RID of the system. See simp_openldap::server::syncrepl for additional information.
Default value: 111
bind_dn
Data type: String
Used for setting up sync limits for the bind user.
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => '' })
sync_dn
Data type: String
Used for setting up sync limits for consumer nodes.
Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => '' })
enable_lastbind
Data type: Boolean
If true, enable the 'lastbind' plugin for OpenLDAP. This records the last time a user logs into a system within LDAP itself. Note, if you have auditing enabled, this will cause an LDAP audit record every time someone logs into any system connected to the LDAP server.
Default value: false
simp::server::rsync_shares
If you don't have these provided somewhere, many of the modules will not function properly.
If you want additional BIND DNS spaces to be served out from rsync, you'll need to enable them separately.
This module is directly dependent on the output of the simp_rsync_environments fact which discovers the location, and layout, of the facts on the hosting system. The shares will not be activated if the directory structure is not properly discovered.
- See also: Custom Fact Walkthrough, https://docs.puppet.com/facter/latest/custom_facts.html
Parameters
The following parameters are available in the simp::server::rsync_shares class:
rsync_base
Data type: Stdlib::Absolutepath
The path to the beginning of the rsync space for this system. There must be a directory per environment that you want to serve to clients.
- NOTE: If you change this, you MUST create a custom fact for simp_rsync_environments with a Fact weight higher than 1.
Default value: '/var/simp/environments'
rsync_environments
Data type: Optional[Hash]
The environments that are present under $rsync_base on the RSync server.
Be VERY careful if you change this from the fact that it references by default.
Default value: $facts['simp_rsync_environments']
stunnel
Data type: Boolean
If set, trusted_nets will be set to 127.0.0.1 so that the stunnel'd rsync will be used.
Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => false })
trusted_nets
Data type: Simplib::Netlist
The hosts from which to allow access to the rsync shares. This option has no effect if $use_stunnel is true.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
simp::server::yum
the default SIMP server.
Parameters
The following parameters are available in the simp::server::yum class:
data_dir
Data type: Stdlib::Absolutepath
Default value: '/var/www'
trusted_nets
Data type: Simplib::Netlist
The networks to allow into the YUM server.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })
createrepo_ensure
Data type: String
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp::sssd::client
This should work for most out-of-the-box installations. Otherwise, it serves as an example of what you can do to make it work for your environment.
Parameters
The following parameters are available in the simp::sssd::client class:
local_domain
local_domain_options
ldap_domain
ldap_domain_options
ldap_server_type
ldap_provider_options
enumerate_users
cache_credentials
min_id
autofs
sudo
ssh
enable_domain_warn
local_domain
Data type: Boolean
DEPRECATED: This param does nothing. It will be removed in the next version
Default value: false
local_domain_options
Data type: Hash
DEPRECATED: This param does nothing. It will be removed in the next version
Default value: {}
ldap_domain
Data type: Boolean
Configure the LDAP domain
To Enable the LDAP domain you must include 'LDAP' sssd::domains via hiera
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
ldap_domain_options
Data type: Hash
A Hash of options to pass directly into the sssd::domain defined type
Default value: {}
ldap_server_type
Data type: Variant[Boolean[false], Enum['plain','389ds']]
The type of LDAP server that the system is communicating with
- This mainly matters for password policy details but may increase in scope in the future
- Use 389ds for servers that are 'Netscape compatible'. This includes FreeIPA, Red Hat Directory Server, and other Netscape DS-derived systems
- Use plain for servers that are 'regular LDAP' like OpenLDAP
Default value: $ldap_domain ? { false => false, default => undef }
ldap_provider_options
Data type: Hash
A Hash of options to pass directly into the sssd::provider::ldap defined type
Default value: {}
enumerate_users
Data type: Boolean
Have SSSD list and cache all the users that it can find on the remote system
- Take care that you don't overwhelm your LDAP server if you enable this
Default value: false
cache_credentials
Data type: Boolean
Have SSSD cache the credentials of users that login to the system
Default value: true
min_id
Data type: Integer
The lowest user ID that SSSD should recognize from the remote server
Default value: 500
autofs
Data type: Boolean
Deprecated
Default value: true
sudo
Data type: Boolean
Deprecated
Default value: true
ssh
Data type: Boolean
Deprecated
Default value: true
enable_domain_warn
Data type: Boolean
Set to true to enable local domain warning
Default value: true
simp::sudoers
time.
None of this is mandatory and all can be changed via the different parameters.
Each section simply adds the entry to the sudoers file by joining the array together appropriately.
Parameters
The following parameters are available in the simp::sudoers class:
common_aliases
Data type: Boolean
Enable the 'common' aliases from simp::sudoers::aliases
Default value: false
default_entry
Data type: Array
The global default entry that should apply to all users
Default value:
[
'!visiblepw',
'always_set_home',
'match_group_by_gid',
'always_query_group_plugin',
'listpw=all',
'requiretty',
'syslog=authpriv',
'!root_sudo',
'!umask',
'secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin',
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"'
]
simp::sudoers::aliases
Take care not to add anything that can access a root shell
Parameters
The following parameters are available in the simp::sudoers::aliases class:
audit_alias
delegating_alias
drivers_alias
locate_alias
networking_alias
processes_alias
services_alias
selinux_alias
software_alias
storage_alias
su_alias
audit_alias
Data type: Array[Stdlib::AbsolutePath]
Commands useful for auditing the system
Default value:
[
'/bin/cat',
'/bin/ls',
'/usr/bin/rvim',
'/usr/bin/lsattr',
'/sbin/aureport',
'/sbin/ausearch',
'/sbin/lspci',
'/sbin/lsusb',
'/sbin/lsmod',
'/usr/sbin/lsof',
'/bin/netstat',
'/sbin/ifconfig -a',
'/sbin/route ""',
'/sbin/route -[venC]',
'/usr/bin/getent',
'/usr/bin/tail'
]
delegating_alias
Data type: Array[Stdlib::AbsolutePath]
Common system delegation activities
Default value:
[
'/usr/sbin/visudo',
'/bin/chown',
'/bin/chmod',
'/bin/chgrp'
]
drivers_alias
Data type: Array[Stdlib::AbsolutePath]
Provides the ability to load and unload kernel modules
Default value:
[
'/sbin/modprobe'
]
locate_alias
Data type: Array[Stdlib::AbsolutePath]
Allow a user to update the mlocate database
Default value:
[
'/usr/sbin/updatedb'
]
networking_alias
Data type: Array[Stdlib::AbsolutePath]
Allow a user to perform common network control activities
Default value:
[
'/sbin/route',
'/sbin/ifconfig',
'/bin/ping',
'/sbin/dhclient',
'/usr/bin/net',
'/sbin/iptables',
'/usr/bin/rfcomm',
'/usr/bin/wvdial',
'/sbin/iwconfig',
'/sbin/mii-tool'
]
processes_alias
Data type: Array[Stdlib::AbsolutePath]
Allow a user to manage system processes
Default value:
[
'/bin/nice',
'/bin/kill',
'/usr/bin/kill',
'/usr/bin/killall'
]
services_alias
Data type: Array[Stdlib::AbsolutePath]
Allow a user to manage system services
Default value:
[
'/sbin/service',
'/sbin/chkconfig'
]
selinux_alias
Data type: Array[Stdlib::AbsolutePath]
Allow a user to modify and debug SELinux
Default value:
[
'/sbin/restorecon',
'/usr/bin/audit2why',
'/usr/bin/audit2allow',
'/usr/sbin/getenforce',
'/usr/sbin/setenforce',
'/usr/sbin/setsebool'
]
software_alias
Data type: Array[Stdlib::AbsolutePath]
Allow for system software management
Default value:
[
'/bin/rpm',
'/usr/bin/up2date',
'/usr/bin/yum'
]
storage_alias
Data type: Array[Stdlib::AbsolutePath]
Allow for storage management
Default value:
[
'/sbin/fdisk',
'/sbin/sfdisk',
'/sbin/parted',
'/sbin/partprobe',
'/bin/mount',
'/bin/umount'
]
su_alias
Data type: Array[Stdlib::AbsolutePath]
Allow unfettered access to su
Default value: [ '/bin/su' ]
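An added example, not code from the simp module, of how arrays shaped like the simp::sudoers default_entry and the simp::sudoers::aliases parameters are joined into sudoers syntax, with a pre-render check that every alias entry is an absolute path as the Stdlib::AbsolutePath type requires. The alias names, the comma join format and the subset of defaults used as sample data are assumptions made for this example.

```ruby
# Added example (not the simp module's own code): render sudoers fragments
# from arrays like the simp::sudoers and simp::sudoers::aliases parameters.

# Constructed subset of the documented default_entry.
SUDOERS_DEFAULT_ENTRY = [
  '!visiblepw',
  'requiretty',
  'syslog=authpriv',
  '!root_sudo',
  'env_reset',
  'secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
].freeze

# Constructed subset of the documented alias defaults; alias names are assumed.
SUDOERS_ALIASES = {
  'AUDIT'      => ['/bin/cat', '/bin/ls', '/sbin/ausearch', '/sbin/route ""',
                   '/sbin/route -[venC]'],
  'DELEGATING' => ['/usr/sbin/visudo', '/bin/chown', '/bin/chmod', '/bin/chgrp'],
  'SU'         => ['/bin/su']
}.freeze

# sudoers accepts several options on one Defaults line separated by commas,
# so the array is joined that way (assumed join format).
def render_defaults(entries)
  "Defaults    #{entries.join(', ')}"
end

# Problems that would make an alias invalid or not what the type promises:
# sudoers alias names are [A-Z][A-Z0-9_]*, and each command must start with
# an absolute path, optionally followed by arguments (e.g. '/sbin/route ""').
def alias_problems(name, commands)
  problems = []
  problems << "bad alias name #{name.inspect}" unless name.match?(/\A[A-Z][A-Z0-9_]*\z/)
  commands.each do |cmd|
    problems << "not an absolute path: #{cmd.inspect}" unless cmd.match?(%r{\A/\S+(\s.*)?\z})
  end
  problems
end

# Cmnd_Alias NAME = /path/one, /path/two -[x]
def render_cmnd_alias(name, commands)
  problems = alias_problems(name, commands)
  raise ArgumentError, problems.join('; ') unless problems.empty?

  "Cmnd_Alias #{name} = #{commands.join(', ')}"
end

# Whole fragment: the Defaults line first, then one Cmnd_Alias per entry.
def render_sudoers_fragment(defaults, aliases)
  lines = [render_defaults(defaults)]
  aliases.each { |name, cmds| lines << render_cmnd_alias(name, cmds) }
  lines.join("\n") + "\n"
end

puts render_sudoers_fragment(SUDOERS_DEFAULT_ENTRY, SUDOERS_ALIASES) if __FILE__ == $PROGRAM_NAME
```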
simp::sysctl
point of view.
There are also items in this list that are particularly useful for general system security.
See the kernel documentation for the functionality of each variable.
Performance Related Settings Security Related Settings:
Parameters
The following parameters are available in the simp::sysctl class:
net__netfilter__nf_conntrack_max
net__unix__max_dgram_qlen
net__ipv4__neigh__default__gc_thresh3
net__ipv4__neigh__default__gc_thresh2
net__ipv4__neigh__default__gc_thresh1
net__ipv4__neigh__default__proxy_qlen
net__ipv4__neigh__default__unres_qlen
net__ipv4__tcp_rmem
net__ipv4__tcp_wmem
net__ipv4__tcp_fin_timeout
net__ipv4__tcp_rfc1337
net__ipv4__tcp_keepalive_time
net__ipv4__tcp_mtu_probing
net__ipv4__tcp_no_metrics_save
net__core__rmem_max
net__core__wmem_max
net__core__optmem_max
net__core__netdev_max_backlog
net__core__somaxconn
net__ipv4__tcp_tw_reuse
fs__inotify__max_user_watches
fs__suid_dumpable
kernel__core_pattern
kernel__core_pipe_limit
kernel__core_uses_pid
kernel__dmesg_restrict
kernel__exec_shield
kernel__panic
kernel__randomize_va_space
kernel__sysrq
net__ipv4__conf__all__accept_redirects
net__ipv4__conf__all__accept_source_route
net__ipv4__conf__all__log_martians
net__ipv4__conf__all__rp_filter
net__ipv4__conf__all__secure_redirects
net__ipv4__conf__all__send_redirects
net__ipv4__conf__default__accept_redirects
net__ipv4__conf__default__accept_source_route
net__ipv4__conf__default__log_martians
net__ipv4__conf__default__rp_filter
net__ipv4__conf__default__secure_redirects
net__ipv4__conf__default__send_redirects
net__ipv4__icmp_echo_ignore_broadcasts
net__ipv4__icmp_ignore_bogus_error_responses
net__ipv4__tcp_challenge_ack_limit
net__ipv4__tcp_max_syn_backlog
net__ipv4__tcp_syncookies
net__ipv6__conf__all__accept_redirects
net__ipv6__conf__all__accept_source_route
net__ipv6__conf__all__autoconf
net__ipv6__conf__all__forwarding
net__ipv6__conf__all__accept_ra
net__ipv6__conf__default__accept_ra
net__ipv6__conf__default__accept_ra_defrtr
net__ipv6__conf__default__accept_ra_pinfo
net__ipv6__conf__default__accept_ra_rtr_pref
net__ipv6__conf__default__accept_redirects
net__ipv6__conf__default__accept_source_route
net__ipv6__conf__default__autoconf
net__ipv6__conf__default__dad_transmits
net__ipv6__conf__default__max_addresses
net__ipv6__conf__default__router_solicitations
core_dumps
core_dump_dir
pam
ipv6
net__netfilter__nf_conntrack_max
Data type: Integer[0]
Default value: 655360
net__unix__max_dgram_qlen
Data type: Integer[0]
Default value: 50
net__ipv4__neigh__default__gc_thresh3
Data type: Integer[0]
Default value: 2048
net__ipv4__neigh__default__gc_thresh2
Data type: Integer[0]
Default value: 1024
net__ipv4__neigh__default__gc_thresh1
Data type: Integer[0]
Default value: 32
net__ipv4__neigh__default__proxy_qlen
Data type: Integer[0]
Default value: 92
net__ipv4__neigh__default__unres_qlen
Data type: Integer[0]
Default value: 6
net__ipv4__tcp_rmem
Data type: Array[Integer,3,3]
Default value: [4096,98304,16777216]
net__ipv4__tcp_wmem
Data type: Array[Integer,3,3]
Default value: [4096,65535,16777216]
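Added example, not part of the simp module: a drift check that maps each simp::sysctl parameter name to its kernel key (the double underscore in the parameter name stands for the dot in the sysctl key, since dots are not valid in Puppet parameter names) and compares the documented default values above against a `sysctl -a` dump, so that a host whose live kernel state no longer matches its Puppet-declared values can be spotted. The sample dump is constructed, not captured from a real host, and only the parameters whose values appear above are included; extend the map with your own hieradata values.

```python
"""Drift check: simp::sysctl parameter values versus a live `sysctl -a` dump.

Added example; not code from the simp module. simp::sysctl names each parameter
with '__' where the kernel key uses '.', so a parameter maps to a key by
replacing the double underscore; Array-typed parameters (tcp_rmem, tcp_wmem)
correspond to the whitespace-separated triple that sysctl prints.
"""
import subprocess

# Defaults as documented in the reference above (only the parameters whose
# values are shown there; extend the map with your own hieradata values).
SIMP_SYSCTL_DEFAULTS = {
    "net__netfilter__nf_conntrack_max": 655360,
    "net__unix__max_dgram_qlen": 50,
    "net__ipv4__neigh__default__gc_thresh3": 2048,
    "net__ipv4__neigh__default__gc_thresh2": 1024,
    "net__ipv4__neigh__default__gc_thresh1": 32,
    "net__ipv4__neigh__default__proxy_qlen": 92,
    "net__ipv4__neigh__default__unres_qlen": 6,
    "net__ipv4__tcp_rmem": [4096, 98304, 16777216],
    "net__ipv4__tcp_wmem": [4096, 65535, 16777216],
}

# Constructed sample of `sysctl -a` output (not captured from a real host):
# max_dgram_qlen and tcp_rmem deliberately differ from the defaults, and one
# "permission denied" line is included because unprivileged runs emit those.
SAMPLE_DUMP = """\
net.netfilter.nf_conntrack_max = 655360
net.unix.max_dgram_qlen = 10
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.proxy_qlen = 92
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_rmem = 4096\t131072\t6291456
net.ipv4.tcp_wmem = 4096\t65535\t16777216
sysctl: permission denied on key 'net.ipv4.route.flush'
"""


def param_to_key(param):
    """simp::sysctl parameter name -> kernel key, e.g. net__ipv4__tcp_rmem -> net.ipv4.tcp_rmem."""
    return param.replace("__", ".")


def key_to_param(key):
    """Inverse mapping, e.g. net.ipv4.conf.all.rp_filter -> net__ipv4__conf__all__rp_filter."""
    return key.replace(".", "__")


def parse_sysctl_dump(text):
    """Parse `key = value` lines into {key: [tokens]}; multi-value keys become several tokens."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("sysctl:"):  # skip errors printed to the same stream
            continue
        key, sep, raw = line.partition("=")
        if sep:
            values[key.strip()] = raw.split()
    return values


def normalise(expected):
    """Turn a Puppet value (int or list of ints) into the token list sysctl would print."""
    return [str(v) for v in (expected if isinstance(expected, list) else [expected])]


def find_drift(dump_text, expected=SIMP_SYSCTL_DEFAULTS):
    """Return {param: (expected_tokens, live_tokens_or_None)} for every parameter that differs or is absent."""
    live = parse_sysctl_dump(dump_text)
    drift = {}
    for param, want in expected.items():
        got = live.get(param_to_key(param))
        if got != normalise(want):
            drift[param] = (normalise(want), got)
    return drift


def live_dump():
    """Run `sysctl -a` on this host (Linux); stderr is merged because sysctl reports denials there."""
    return subprocess.run(["sysctl", "-a"], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True).stdout


if __name__ == "__main__":
    for param, (want, got) in sorted(find_drift(live_dump()).items()):
        live = " ".join(got) if got else "missing"
        print(f"{param_to_key(param)}: expected {' '.join(want)}, live {live}")
```

Run as a script on a managed host to list every documented parameter whose live kernel value differs; an unprivileged run cannot read some keys, which then show as missing rather than as a mismatch.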
- Wed Sep 11 2024 Steven Pritchard steve@sicura.us - 4.23.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Tue Jul 09 2024 Mike Riddle mike@sicura.us - 4.22.0
- Added ability for users to switch between '/bin/true' and '/bin/false' when disabling kernel modules via the kmod_blacklist class
- Tue Jul 02 2024 Steven Pritchard steve@sicura.us - 4.21.0
- Clean up use of legacy facts to better support Puppet 8
- Thu Jan 25 2024 Steven Pritchard steve@sicura.us - 4.20.0
- Switch from trlinkin-nsswitch to puppet-nsswitch
- Wed Jan 17 2024 Richard Gardner rick@sicura.us - 4.19.1
- Updated hiera.yaml facts to support puppet 8
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 4.19.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Tue Oct 03 2023 Steven Pritchard steve@sicura.us - 4.18.0
- Add AlmaLinux 8 support
- Add support for stdlib 9
- Update other Puppet module dependencies
- Add support for Puppet 8
- Drop support for Puppet 6
- Mon Jul 31 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 4.17.0
- Add RockyLinux 8 support
- Wed May 31 2023 Mike Riddle mike@sicura.us - 4.16.8
- Fixed a bug in the authselect nsswitch logic
- Thu May 18 2023 Mike Riddle mike@sicura.us - 4.16.7
- Stopped managing nsswitch when authselect is being used
- Thu Apr 20 2023 Mike Riddle mike@sicura.us - 4.16.6
- Removed missing gpgkeys from the list of simp gpgkeys
- Mon Apr 17 2023 Mike Riddle mike@sicura.us - 4.16.5
- Removed the epel-modular repo from the list of client repos
- Fri Jun 03 2022 Trevor Vaughan trevor@sicura.us - 4.16.4
- Allow puppet/chrony <3.0.0
- Allow puppetlabs/stdlib <9.0.0
- Fri May 13 2022 Trevor Vaughan trevor@sicura.us - 4.16.3
- Remove upstart as a dependency since it is not used on any of our supported operating systems
- Mon Oct 18 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.16.2
- Updated simp::yum::repo::local_os_updates to use the GPGKEYS installed by simp-gpgkeys and the iso install into /SIMP/GPGKEYS. This change was made because EL8 distribution ISO no longer contains the GPG keys at the top level like previous releases. SIMP will put the keys into SIMP/GPGKEYS no matter what the release is so this was the best fix.
- Tue Sep 28 2021 Trevor Vaughan tvaughan@onyxpoint.com - 4.16.1
- Fixed
- Updated simp::yum::repo::local_simp to adjust for the EL8 ISO build
- Updated simp::yum::repo::local_os_updates to adjust for the EL8 repo
set up. It has 2 OS repos, BaseOS and AppStream.
- When using the param 'baseurl' for EL8 it will create 2 repos by appending AppStream and BaseOS to the url.
- The use of 'baseurl' for EL7 and earlier has not changed. It will use the url as presented.
- Tue Aug 24 2021 Trevor Vaughan tvaughan@onyxpoint.com - 4.16.0
- Added
- simp::puppetdb::disable_update_checking to disable default analytics in accordance with NIST guidance
- PuppetDB now sets UseCodeCacheFlushing by default
- Changed
- Migrated from camptocamp/kmod to puppet/kmod
- Fixed
- Corrected the HeapDumpOnOutOfMemoryError setting for PuppetDB
- Ensure that nsswitch SSSD options for sudoers do not stop on files
- Do not include the auditors sudo user specification if the aliases have not been included
- Add the following to sudoers defaults
- !visiblepw
- always_set_home
- match_group_by_gid
- always_query_group_plugin
- Tue Aug 17 2021 Jeanne Greulich jeannegreulich@onyxpoint.com - 4.16.0
- Update the sssd client configuration to set the ldap_schema
for ldap providers based on the setting simp::sssd::client::ldap_server_type,
which uses "plain" for openldap servers and "389ds" for 389-DS servers.
SIMP configuration and documentation for each of those servers is:
- In openldap group members are added using the attribute "memberUid" and the cn of the user entry as defined in the rfc2307 schema.
- In 389-DS group members are added using the "member" attribute and dn of the user as defined in the rfc2307bis schema.
- Add relative_gpgkey_path parameter to simp::yum::repo::simp_local and default it to SIMP/GPGKEYS, the location that the simp-gpgkeys rpm installs the gpgkeys. The above fix is needed because SIMP local repos were split up to be OS version specific but the GPGkeys are placed in one location by simp-gpgkeys. This works because simp::yum::repo::simp_local takes care to add only the OS specific gpgkeys to the repo definition.
- Changed:
- sssd::client no longer creates a local provider.
- The version of pupmod-simp-sssd required by this module was updated to 7.0 because the version of sssd installed does not require a provider. If you require a local provider use the sssd module to create one.
- NOTES FOR UPGRADE: The local domain was configured by default in earlier versions of SIMP because sssd would not start without a domain. A "LOCAL" entry was added to the list of sssd domains to create in hiera. You will need to remove this domain from the list of domains in hiera unless you are configuring a "LOCAL" domain somewhere else in your puppet code. The hiera variable is sssd::domains. If you do not remove this domain from the list of domains in hiera and are not configuring it yourself sssd will fail to start because it will not find a provider for the "LOCAL" domain.
- Added warning if LOCAL domain was found in sssd::domains. Also added ability to disable the warning.
- Added the latest GPG key for Puppet RPMs (RPM-GPG-KEY-20250406) to the list of GPG keys for the local simp repo.
- Wed Jul 14 2021 Steven Pritchard steven.pritchard@onyxpoint.com - 4.16.0
- Support all valid values for simp::pam_limits::max_logins::value
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 4.16.0
- Ensured support for Puppet 7 in requirements and stdlib
- Tue Jun 08 2021 Liz Nemsick lnemsick.simp@gmail.com - 4.15.0
- Removed
- Drop support for Puppet 5
- Changed
- Use puppet/chrony in lieu of aboe/chrony, as VoxPupuli has now assumed ownership of this module.
- Allow puppetlabs/concat < 8.0.0
- Allow saz/timezone < 7.0.0
- Wed May 12 2021 Trevor Vaughan tvaughan@onyxpoint.com - 4.15.0
- Removed
- Drop support for EL 6 due to EOL
- Fixed
- Ensure that netconsole-service is installed on EL8+
- Added
- Add support for Puppet 7
- Added a JSON formatted profiling formatter for rspec
- Allow users to modify the defined type options in simp::sssd::client
- Wed Apr 28 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.15.0
- As of SIMP 6.6 the SIMP yum repo is expected to be OS version specific, allowing the yum server to host SIMP RPMs and their dependencies for more than one OS. The SIMP repo will now be under /var/www/yum/SIMP/// instead of /var/www/yum/SIMP/. This updates the creation of the yum config files to point to the correct directories.
- Fix bootstrap_simp_client to use fully qualified path on call to puppet.
- Mon Mar 29 2021 Michael Riddle michael.riddle@onyxpoint.com - 4.15.0
- Added additional parameters to simp::admin to allow for more fine-grained control of global admin and auditor sudo rules
- Tue Jan 19 2021 Kendall Moore kendall.moore@onyxpoint.com 4.15.0
- Explicitly manage IPv6 kernel tuning parameters
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 4.15.0
- Removed EL6 from supported OSes
- Thu Nov 19 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.14.3-0
- Call selinux::install prior to using native types that require the packages to be installed.
- Thu Nov 12 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.14.2-0
- Update the required version of simp/svckill to the puppet 6 safe version.
- Wed Oct 28 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.14.1-0
- Fixed:
- Ensure that the sudoers rule for removing the puppet ssldir is not created when running from bolt since the directory target is changed at each bolt run and will result in non-idempotency.
- Un-pinned the firewalld module version in .fixtures.yml because that no longer appears to cause issues.
- Allow the local yum repos to optionally specify gpgkey or baseurl strings since, technically, both are optional in the yumrepo type if they already exist on disk.
- Thu Oct 15 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 4.14.0-0
- Added:
- New parameters to simp::yum::repo::local_simp and simp::yum::repo::local_os_updates: relative_repo_path, baseurl, and gpgkey
- baseurl and gpgkey allow complete yumrepo overrides
- Wed Oct 14 2020 Liz Nemsick lnemsick.simp@gmail.com - 4.14.0-0
- Added:
- simp::puppetdb::cipher_suites parameter to manage the cipher suites supported by PuppetDB's HTTP interface (jetty).
- Used to set puppetdb::cipher_suites.
- Value set to a safe set.
- Mon Oct 05 2020 Liz Nemsick lnemsick.simp@gmail.com - 4.13.0-0
- Added:
- simp::yum::repo::internet_simp class:
- Uses the SIMP yum repository package (simp-community-release) to configure yum for SIMP's internet public repositories at simp-project.com.
- simp-project.com is the new host for SIMP's yum repositories.
- packagecloud is no longer being updated.
- simp::yum::repo::simp_release_version function: Returns the SIMP release version for use in the SIMP internet yum repositories.
- Simp::Version data type alias for valid version strings for use in the SIMP internet repositories.
- Deprecated:
- simp::yum::repo::internet_simp_server and simp::yum::repo::internet_simp_dependencies classes:
- These resources are no longer useful because their API matches the OBE packagecloud SIMP repositories.
- As a workaround, the classes have been modified to use simp::yum::repo::internet_simp to configure the correct repositories at simp-project.com.
- You should switch to using simp::yum::repo::internet_simp directly, as these classes will be removed in a future release.
- simp::yum::repo::sanitize_simp_release_slug function: a function only useful to the deprecated classes.
- Tue Sep 15 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 4.12.0-0
- Updated sssd/client configuration for EL8
- Do not configure local provider for EL8
- Use the files provider for the local domain for el7 and later
- Deprecate sssd client autofs,ssh and sudo settings. The sssd module configures services in sssd::services list. Use that setting to configure those entries.
- Configure sssd even if local and ldap are not configured for el8.
- Wed Sep 09 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.12.0-0
- Updated simp::mountpoints::proc
- Due to updates to polkit that require being added to the /proc gid group
- Assign a group and gid by default
- Create a group by default
- Discover these values from the system if possible
- Wed Aug 19 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 4.11.1-0
- changed the ssh settings for the windows node in the win_client acceptance test
- Tue Aug 18 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 4.11.1-0
- changed the upper bounds for dependencies for simp_apache and pupmod
- corrected version numbering for chrony
- Tue Aug 04 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.11.1-0
- Align OpenLDAP terminology with vendor changes
- Mon Mar 30 2020 Trevor Vaughan tvaughan@onyxpoint.com - 4.11.0-0
- The following applications have been removed from the base os applications installed automatically by simp: 'man', 'man-pages', 'vim-enhanced', 'dos2unix', 'elinks', 'hunspell', 'lsof', 'mlocate', 'pax', 'pinfo', 'sos', 'star', 'symlinks', 'words', 'x86info'
- simp::base_apps::manage_elinks_config no longer has any effect
- Replace the use of augeasproviders-shellvar with a direct augeas resource
- Updated the simp::nsswitch class to have sane defaults
- Added support for mymachines and myhostname by default
- Removed all NIS references since NIS should not be in general usage any longer and was never natively supported by SIMP
- Configuration files are now common across all supported OSs since nsswitch "does the right thing" when it hits a module that it does not recognize
- Mon Dec 16 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.11.0-0
- NTP is not used by default in EL8 so moved ntp to list of OS relevant apps for EL6 and EL7 and added chronyd for EL8.
- Added support for EL8.
- Updated the bootstrap_simp_client to use chrony if kernel version is 4 or later.
- Removed the old runpuppet kickstart scripts. The simp_bootstrap_client scripts should be used instead.
- Deprecated parameter simp::server::kickstart::runpuppet because the runpuppet scripts are no longer used.
- Tue Nov 19 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 4.11.0-0
- Allow nsswitch overrides
- Mon Oct 28 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.11.0-0
- Removed clamav from the list of classes included by default in the SIMP scenarios.
- This will not remove ClamAV from a system it is installed on, it will stop managing it.
- To continue managing ClamAV on a system add clamav to simp::classes in the appropriate hiera file for that SIMP client.
- See the simp-clamav module for information on configuring or removing ClamAV on a system.
- Deprecated simp::server::clamav.
- This parameter will be removed in a future SIMP release.
- Once removed, if you want to manage ClamAV on the SIMP server, you will have to manually add the clamav class to simp::classes in the SIMP server's hiera file.
- Thu Aug 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.11.0-0
- Add Windows acceptance tests
- Mon Aug 12 2019 Robert Vincent pillarsdotnet@gmail.com - 4.10.2-0
- Support puppetlabs/concat 6.x.
- Mon Aug 05 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.10.1-0
- Remove broken tasks directory
- Thu Aug 01 2019 Robert Vincent robert.vincent@conning.com - 4.10.0-0
- Exclude the yum class from all Windows nodes.
- Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 4.10.0-0
- Add v2 compliance_markup data
- Tue Jun 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.9.0-0
- Updated the URLs to the EPEL GPG keys. The URLs have changed.
- Tue Jun 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.9.0-0
- Add SELinux login context management to simp::admin
- Update the version of simp-selinux
- Update the upper bound on puppetlabs-stdlib
- Thu May 09 2019 Jeanne Greulich jeannegreulich@onyxpoint.com - 4.8.1-0
- Set permission on /etc/simp and /etc/simp/simp.version to world readable. Puppet needs to be able to read it for simp_version fact.
- Mon May 06 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.8.0-0
- Fixed a bug on el6 systems in which the 'puppetdb-dlo-cleanup' cron job from the puppetdb module could not be created. Cron rejected this job because the puppetdb user did not have cron access.
- Added 2 'dead letter office' cleanup configuration parameters to simp::puppetdb
- simp::puppetdb::automatic_dlo_cleanup which maps directly to puppetdb::automatic_dlo_cleanup
- simp::puppetdb::dlo_max_age which maps directly to puppetdb::dlo_max_age
- Thu Apr 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.8.0-0
- Refactor the simp::mountpoints::tmp to use systemd's tmp.mount target if the system supports systemd.
- Added net.ipv6.conf.all.accept_ra to simp::sysctl management
- Fixed a bug where the root password field was attempting to set an 'undef' value as Sensitive.
- Bumped the supported Puppet version to include Puppet 6
- Removed Puppet 4 from the supported list
- Tue Apr 09 2019 Joseph Sharkey shark.bruhaha@gmail.com - 4.8.0-0
- Remove Elasticsearch and Grafana GPG Keys
- Added missing simp::sysctl value simp::sysctl::netipv4confdefaultlog_martians
- Standardized cron datatypes to use the Simplib::Cron::### types. This allows more flexibility in cron scheduling.
- Mon Mar 25 2019 Nick Miller nick.miller@onyxpoint.com - 4.8.0-0
- Add exceptions to the filebucket management and the vardir/simp management to support running from Bolt
- Thu Mar 21 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.8.0-0
- Replaced use of the simplib's Puppet 3 array_include function with stdlib's member function
- Use simplib::host_is_me in lieu of simplib's Puppet 3 host_is_me
- Use simplib::simp_version in lieu of simplib's Puppet 3 simp_version
- Wed Mar 20 2019 Joseph Sharkey shark.bruhaha@gmail.com - 4.8.0-0
- Switched out chkrootkit for rkhunter on el7 instances
- Mon Mar 11 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Replaced simp-timezone (temporary SIMP fork) with saz-timezone and set the lower bound to 5.1.1 in the metadata.json
- Wed Mar 06 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.7.0-0
- Added the, inert by default, deferred_resources class to all class lists in case the users want to use the functionality. This is particularly relevant to various compliance profiles.
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Deprecated simp::puppetdb::read_database_ssl. Use simp::puppetdb::read_database_jdbc_ssl_properties which maps directly to puppetdb::server::read_database_jdbc_ssl_properties (puppetdb version >= 7.0.0).
- Updated to a minimum puppetdb module version 7.1.0 in the metadata.json and expanded the upper bound accordingly
- Expanded the upper bound for the concat and stdlib Puppet modules in the metadata.json
- Updated URLs in the README.md
- Mon Feb 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.7.0-0
- Update the dependency list in metadata.json
- Fix the one_shot scenario tests
- Fri Feb 15 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Use simplib::join_mount_opts() in lieu of join_mount_opts(), a deprecated simplib Puppet 3 function.
- Use simplib::nets2cidr() in lieu of nets2cidr(), a deprecated simplib Puppet 3 function.
- Use Puppet's String() in lieu of to_string(), a deprecated simplib Puppet 3 function.
- Use simp_apache::munge_httpd_networks() in lieu of munge_httpd_networks(), a deprecated simp_apache Puppet 3 function.
- Use ssh::global_known_hosts() in lieu of ssh_global_known_hosts(), a deprecated ssh Puppet 3 function.
- Wed Jan 02 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 4.7.0-0
- Add the ability to set the root user password in simp::root_user
- Tue Dec 11 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.7.0-0
- Added sysctl value to increase max number of inotify user watches.
Default = 8192, New Value 102400 which is roughly 100M on a 64 bit system.
- If max number is reached systemctl fails with "Not enough Space on Disk" even though there is plenty of space.
- See https://unix.stackexchange.com/questions/13751/kernel-inotify-watch-limit-reached for some helpful information.
- Thu Oct 18 2018 Nick Miller nick.miller@onyxpoint.com - 4.6.0-0
- Added $simp::server::yum::createrepo_ensure parameter
- Changed the package from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Wed Oct 17 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.6.0-0
- Update fixtures to use correct branch of timezone. (Same as in the tracking file for 6.3)
- Wed Oct 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Remove unnecessary simp/freeradius dependency in metadata.json
- Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Update Hiera 4 to Hiera 5
- Thu Aug 30 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Fix a usability bug in which simp::server::kickstart did not allow the bootstrap scripts provided by simp::server::kickstart::runpuppet and simp::server::kickstart::simp_client_bootstrap to be configured via hieradata, when those classes were managed by simp::server::kickstart.
- Mon Aug 27 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.6.0-0
- Switch from using 'sudosh' as the default logging shell to using 'tlog'
- Add a 'simp::admin::default_admin_sudo_cmnds' option to allow users to easily change the default sudo-accessible commands from Hiera.
- Ensure that the global filebucket setting occurs prior to class inclusion to match the new Puppet 5 method of setting resource defaults.
- Tue Jul 17 2018 Nick Miller nick.miller@onyxpoint.com - 4.6.0-0
- Added tests and support for OEL and Puppet 5
- Setting the default filebucket in a module no longer works, so simp::enable_filebucketing will do nothing in puppet version >= 5
- Fixed some linting issues
- Wed Jun 20 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0
- Use the sudo::user_specification default host list which is correct for almost all cases
- Update version range of auditd dependency in metadata.json
- Fri Jun 08 2018 Dylan Cochran dylan.cochran@onyxpoint.com - 4.5.0-0
- Add Windows support
- Change /root perms to RPM default of 0550
- Change /etc/rc.d/rc.local perms to RPM default of 0755
- Thu May 03 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- Created standalone SIMP client bootstrap script, bootstrap_simp_client.
- Created simp::server::kickstart::runpuppet replacement,
simp::server::kickstart::simp_client_bootstrap, that manages service
files for kickstarting a SIMP client, using bootstrap_simp_client
and either a sysv (simp_client_bootstrap) or a systemd
(simp_client_bootstrap.service) service script. This replacement
provides the following improvements:
- Exponential backoff of requests to the Puppet server, to minimize Puppet server overload.
- Configurable bootstrap timeout.
- An option to force a client reboot on client bootstrap failure.
- More effective puppet agent processing. The bootstrapping takes fewer puppet agent runs.
- Finer grained control of the bootstrap algorithm.
- Error handling
- Bootstrap operation errors are now detected and logged.
- Failed puppet agent runs are now retried, instead of blindly continuing on.
- Timestamped log messages in the bootstrap log file. This includes messages from bootstrap_simp_client, puppet agent, and fixfiles. service start
- simp::server::kickstart::runpuppet is deprecated and will be removed in a future release
- Fri Apr 27 2018 Nick Miller nick.miller@onyxpoint.com - 4.5.0-0
- Add simp::netconsole class to manage the netconsole kernel feature
- Fix a few puppet-lint warnings
- Fri Apr 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- Set permissions of /etc/rc.d/rc.local to 0750, instead of 0770,
- Mon Apr 23 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com 4.5.0-0
- simp_options::selinux was supposed to determine if the selinux module was included. However, this value was getting overridden by the class lists which independently included the selinux module. This change removes the unused simp_options::selinux setting to eliminate the confusion. See the scenario maps in the data section to see what scenarios include the selinux module. See the selinux module to see how to use puppet to enable/disable selinux. This may change the defaults for selinux in the simp_lite scenario.
- Tue Apr 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0
- Narrow the focus of the internal hieradata to ensure correct runs on unsupported OSs
- Update unsupported OS tests
- Add a test to ensure that an error is thrown if an invalid scenario is specified
- Mon Apr 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- In the runpuppet init script used to bootstrap kickstarted clients, for EL7, persist the hostname retrieved by DHCP as a static hostname. This prevents problems that can arise on EL7 when the DHCP lease expires in the middle of the client bootstrap puppet runs.
- Mon Apr 02 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.5.0-0
- changed permission on ctrl-alt-del-capture.service to prevent "no effect" errors in system logs.
- Thu Mar 29 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.1-0
- Ensure that a file exists on EL 6 if portreserve is enabled so that the portreserve service does not flap
- Tue Mar 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- In simp::prelink, ensure prelinking is disabled when the server is in FIPS mode, as FIPS is incompatible with prelinking.
- Fri Mar 16 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.4.0-0
- Updated metadata.json to include trlinkin/nsswitch
- Wed Mar 14 2018 Nick Miller nick.miller@onyxpoint.com - 4.4.0-0
- Fixed a bug where if the puppet_settings fact did not exist, users in the %administrators group could rm -rf any path
- The value in the hash was also corrected to $facts['puppet_settings']['main']['ssldir']
- Fri Mar 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Set the ownership and permissions of puppet/puppetdb.conf in simp::puppetdb, instead of allowing them to be set to those of the process running puppet, if the file needs to be created. This is part of the fix to the failure of SIMP to bootstrap on a system on which root's umask has already been restricted to 077.
- Mon Feb 26 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.0-0
- Remove management of the 'root' user's groups in the User resource
- Works around https://tickets.puppetlabs.com/browse/PUP-8470
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Remove non-working mcollective remnants
- Remove unnecessary dependency on puppetlabs/inifile.
- Mon Jan 22 2018 Nick Miller nick.miller@onyxpoint.com - 4.4.0-0
- When the host is a member of an IPA domain, do not include the simp_openldap::client class.
- Update upper bound for concat dependency
- Tue Jan 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Add simp::prelink to the class lists for both the SIMP server and SIMP clients. By default, simp::prelink ensures any prelinking has been removed and that the prelink package is not installed. This satisfies the SCAP Security Guide's OVAL check xccdf_org.ssgproject.content_rule_disable_prelink.
- Mon Nov 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.3.0-0
- In simp::sysctl, add parameters for net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route and set them to 0 by default. This satisfies STIG CCI-0000366.
- Small test fixes to allow acceptance tests to run on servers in FIPS mode
- Thu Oct 19 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.2-0
- Lowered default value of parameter simp::sssd::client::min_id to 500
- Fri Oct 06 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Added simp/timezone to the module dependency list
- Wed Oct 04 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.0-0
- Fail compilation for a subset of SIMP capabilities, if they are used on unsupported operating systems.
- Wed Oct 04 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Add an acceptance test for the 'poss' scenario using Oracle EL6
- Wed Aug 23 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.1-0
- change simp::server::classes's lookup_options to be 'unique'
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.1.1-0
- Update concat version in metadata.json
- Add concat dependency to build/rpm_metadata/requires
- Thu Aug 17 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.1.1-0
- Add camptocamp/kmod to list of dependencies
- Mon Jul 31 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.1.1-0
- call simp::nsswitch in simp and simp-lite scenario instead of just nsswitch to set nsswitch according to simp_options instead of just the nsswitch defaults.
- Thu Jul 20 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.1-0
- Refactor classification lists to be RedHat specific to support other target platforms
- Thu Jun 15 2017 Nick Miller nick.miller@onyxpoint.com - 4.1.0-0
- simp::yum::internet_simp* repos now use facts in Yum repo baseurls in place of yum macros, whose output is not reliable.
- Fri Jun 09 2017 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Due to lack of support for knockout_prefix for arrays in older versions of Puppet, simp::knockout functionality has been moved to simplib::knockout because multiple modules are using the function.
- A wrapper has been put around simp::knockout for backwards-compatibility in our code.
- Update puppet requirement in metadata.json
- Tue May 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Updated the simp::kmod_blacklist class to also fully disable the module loading
- Provide the ability to override the disabled modules locally on the system by default but also allow for enforcement
- Provide the ability to lock module loading if the underlying OS has the capability
- Wed May 10 2017 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Added a 'remote_access' scenario
- Mon May 09 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.0-0
- Use the correct simp_options global catalyst for base_apps::ensure
- Mon Apr 17 2017 Nick Miller nick.miller@onyxpoint.com - 4.1.0-0
- Set the polkit administrator group
- Merged base_services into base_apps, leaving a shim in base_services
- Thu Apr 06 2017 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-0
- Updated apache rsync hosts_allow to $trusted_nets. The previous value of 127.0.0.1 would not allow apache to rsync if stunnel was disabled.
- Mon Apr 03 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Updated the YUM configuration so that no repos are set up by default and it is simple to connect to the public repos for SIMP.
- Yum repos are now individual profiles that can be included à la carte
- Wed Mar 29 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.0.0-0
- Fixed the confusion with the 'classes' global Array
- Added support for a 'simp::classes' Array with a knockout prefix of '--'
- Moved scenarios into data in modules
- Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.1.0-0
- move fips from base scenario to simp scenario
- made the inclusion of fips module not depend on simp_options::fips setting
- it is included because it used to turn fips on and off.
- Wed Mar 01 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.1.0-0
- Added the new Grafana GPG key to the list and retained the old one until they re-sign their old packages.
- Add the basic SIMP scenarios to the module
- simp -> full SIMP profile
- simp_lite -> SIMP with the more aggressive parts removed
- poss -> only connect to the puppet server
- Fri Feb 24 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.1-0
- Moved runpuppet template to its own class so the runpuppet script can be managed independently from the simp::server::kickstart class
- Fri Feb 17 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.0-0
- Refine list of GPG keys used by simp::yum::server
- Tue Feb 14 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0
- Ensure that the filebucket is appropriately set for both local and remote use
- Mon Feb 06 2017 Nick Markowski nmarkowski@keywcorp.com - 3.0.0-0
- Modified rsync stunnel logic to add a connection to the rsync server only if the machine is not the rsync server.
- Wed Jan 18 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.0-0
- Removed inclusion of simp::server::* classes from the simp::server class in favor of including them in the class list in Hiera.
- Removed any dangling references or dependencies on ganglia or snmpd
- Rearranged logic in sysctl and removed the ipv6 catalyst. ipv6 will now be unmanaged by default.
- Beefed up simp::server class to include more default classes
- Made $rsync_stunnel enabled by default
- Thu Jan 05 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0
- Added a 'simp::ctrl_alt_del' class for managing the behavior of giving a system the three finger death punch
- Mon Dec 05 2016 Nick Miller nick.miller@onyxpoint.com - 2.0.1-0
- Added simp::kmod_blacklist profile to manage the kernel blacklist using puppet-kmod
- config migrated from simplib
- Thu Dec 02 2016 Nick Markowski nmarkowski@keywcorp.com - 2.0.1-0
- Removed pupmod-simp-sysctl in favor of augeas-sysctl
- Thu Nov 29 2016 Nicholas Hughes, Nick Markowski nmarkowski@keywcorp.com - 2.0.0-0
- Introduced rsyslog rule orders so messages hit 'stop' rules before they reach 'catch-alls'. By doing so, log duplication is prevented.
- Modified the spooler log local rule to ensure both uucp and news facilities are logged in spooler.log.
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 2.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 2.0.0-0
- Remove compliance map and General housekeeping
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 2.0.0-0
- Updated iptables dependency version
- Updated openldap dependency version
- Tue Oct 25 2016 Nick Markowski nmarkowski@keywcorp.com - 2.0.0-0
- Added logic to ensure simp::puppetdb manages the puppetserver service via pupmod::master::base, NOT puppetdb::master::config.
- Included the puppetdb::master::config class.
- Updated spec.
- Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Updated to support Puppet 4 with the latest Puppet Server and PuppetDB
- Foundation for SIMP 6
- Will not work with any Puppet < 4
- Mon Oct 10 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.10-0
- Ensured netlabel_tools is installed.
- Mon Oct 3 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.2.9-0
- Added Elasticsearch and Grafana Keys to yum config
- Thu Sep 29 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 1.2.8-0
- Fixed beaker reference in Gemfile.
- Tue Aug 09 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.7-0
- Fixed an invalid data type in simp::nfs::export_home.
- Tue Aug 02 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.6-0
- Update to the new naming convention
- Wed Jul 20 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.5-0
- Migrated create_home_dirs from nfs.
- Modified create_home_dirs to use ruby-net-ldap.
- Wed Jul 13 2016 Nick Miller nick.miller@onyxpoint.com - 1.2.4-0
- Yum repos now default to https with sslverify=false
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.3-0
- Migration to semantic versioning and fix of the build system
- Sat May 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.2-0
- Spec test fixes
- Wed May 11 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.2-0
- Added a hook to control SSLVerifyClient in ks.conf. Defaults to 'optional'.
- Wed Apr 13 2016 Kendall Moore kendall.moore@onyxpoint.com - 1.2.1-0
- Svckill now ignores quotaon and messagebus in RHEL/CentOS 7
- Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.0-0
- Moved to Semantic Versioning 2.0
- Ensure that SSSD is used for systems EL6.7+
- Removed RPM dependency on simp-bootstrap as it is not technically required.
- Test against Puppet 4.3.2
- Tue Mar 08 2016 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-9
- Updated a bad default for nfs_server in the home_client class, which otherwise had the potential to render a nil server value, and break automounting.
- Wed Feb 24 2016 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-8
- Updated the mcollective stock class and added appropriate spec and unit testing for full functionality test coverage.
- Fri Feb 19 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.1.0-8
- Added compliance function support
- Mon Dec 28 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-7
- Updated minor logic in simp::yum for flexibility.
- Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-6
- Add management for the paths that the simp helper commands expect. This is particularly relevant when not installing via RPM
- Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-5
- Now use the 'operatingsystem' facts instead of the 'lsb' facts
- Updated to require 'simplib' and 'simpcat' instead of 'common', 'functions', and 'concat'
- Ensure that sssd is used by EL >= 7 due to fatal bugs in nscd and nslcd on these platforms.
- Fri Oct 16 2015 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-4
- Modified stock puppetdb class defaults to conform with upgraded puppetdb module.
- Fri Sep 18 2015 Kendall Moore kmoore@keywcorp.com - 1.1.0-3
- Set the keylength to 2048 in puppet.conf during the execution of runpuppet if FIPS is enabled.
- Thu Sep 10 2015 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-2
- In runpuppet, run fixfiles before the final passes if selinux is enabled.
- Selbool use_nfs_home_dirs set to 1 if remote nfs server used for home directories.
- Fri Jul 31 2015 Kendall Moore kmoore@keywcorp.com - 1.1.0-1
- Added support for the updated rsyslog module.
- Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-0
- Added PuppetDB support
- Thu Apr 02 2015 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-7
- Modified runpuppet script to ensure the puppetserver service is running before puppet runs.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-6
- Migrated to the new 'simp' environment.
- Wed Jan 14 2015 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-6
- Re-created the MCollective stock class, now with SSL fully enabled.
- Tue Nov 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-5
- Updated the default GPG key list.
- Updated the rsyslog stock classes to remove stunnel support and, instead, take advantage of the native TLS support in rsyslog.
- NOTE: This requires changing the global 'log_server' variable in Hiera to a 'log_servers' Array which is done in the %post section of this RPM.
- Thu Nov 06 2014 Chris Tessmer chris.tessmer@onyxpoint.com - 1.0.0-5
- Removed sssd::conf as it is no longer needed and causes duplicate concat_fragment error
- Fri Oct 31 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-4
- Moved the mcollective IPTables and package material into the main SIMP module.
- Update to account for the stunnel module updates in 4.2.0-0
- Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-3
- Updated the nfs::home_client class to properly account for the port setting in the mounts.
- Tue Aug 19 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-2
- Differentiated the rsync module paths between 4.X and 5.X distributions. 4.X should not include the distribution and release in the path.
- Mon Aug 18 2014 Kendall Moore kmoore@keywcorp.com - 1.0.0-2
- Updated the digest_algorithm in the runpuppet script to be SHA-256.
- Fri Aug 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-1
- Ensure that runpuppet returns '1' when queried for status so that svckill doesn't continually attempt to disable it.
- Fri Jul 25 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-0
- Ensured /srv/www/yum/SIMP is created if SIMP version < 5.
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-0
- /var/nfs is used for NFS in SIMP>=5 and /srv/nfs otherwise
- Updated yum and kickstart to use /var/www if SIMP>=5 and /srv/www otherwise
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-4
- Updated to use the new rsync path.
- Tue Jul 15 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-4
- Updated to support the RHEL7 repo GPG keys.
- Tue Jul 15 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-4
- Added CentOS as a supported OS as a part of CentOS 7 upgrade.
- Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-3
- Separated out the RHEL6/7 package requirements appropriately.
- Thu Jun 12 2014 Nick Markowski nmarkowski@keywcorp.com - 0.0.1-2
- Ntp servers can be passed to kickstart as an array of server names or a hash of server => 'option' pairs.
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-1
- Added stock classes for FreeRADIUS
- Added stock classes for Ganglia
- Added stock classes for RSyslog
- Added stock classes for krb5
- Added stock classes for MRepo
- Added stock classes for SNMP
- Tue May 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-1
- Added a quiet_puppet variable to runpuppet for the cert download segment.
- Mon May 05 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-0
- Added stock classes for NFS home directories.
- Fri Mar 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-0
- Initial Release
- Ported all materials from the old default_classes directory.
- Incorporated several parts of sec and common as appropriate to the separation of duties.
Dependencies
- puppet/kmod (>= 2.1.0 < 5.0.0)
- puppet/augeasproviders_sysctl (>= 2.4.0 < 4.0.0)
- puppet/chrony (>= 1.0.0 < 4.0.0)
- puppetlabs/concat (>= 6.4.0 < 10.0.0)
- puppetlabs/puppetdb (>= 7.1.0 < 9.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- saz/timezone (>= 5.1.1 < 8.0.0)
- simp/aide (>= 6.0.0 < 7.0.0)
- simp/at (>= 0.0.5 < 1.0.0)
- simp/auditd (>= 8.5.0 < 9.0.0)
- simp/chkrootkit (>= 0.1.0 < 1.0.0)
- simp/clamav (>= 6.0.0 < 7.0.0)
- simp/cron (>= 0.1.0 < 1.0.0)
- simp/deferred_resources (>= 0.1.0 < 1.0.0)
- simp/dhcp (>= 6.0.0 < 7.0.0)
- simp/fips (>= 0.2.0 < 1.0.0)
- simp/incron (>= 0.4.0 < 1.0.0)
- simp/iptables (>= 6.5.3 < 8.0.0)
- simp/issue (>= 0.0.3 < 1.0.0)
- simp/ntpd (>= 6.0.0 < 7.0.0)
- simp/pam (>= 6.8.3 < 8.0.0)
- simp/polkit (>= 6.1.0 < 7.0.0)
- simp/postfix (>= 5.5.0 < 6.0.0)
- simp/pupmod (>= 8.0.0 < 9.0.0)
- simp/resolv (>= 0.1.1 < 1.0.0)
- simp/rkhunter (>= 0.0.1 < 1.0.0)
- simp/rsync (>= 6.1.1 < 7.0.0)
- simp/selinux (>= 2.6.1 < 3.0.0)
- simp/simp_apache (>= 7.0.0 < 8.0.0)
- simp/simp_openldap (>= 6.0.0 < 7.0.0)
- simp/simp_options (>= 1.6.1 < 2.0.0)
- simp/simp_rsyslog (>= 0.3.0 < 1.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/ssh (>= 6.11.0 < 7.0.0)
- simp/sssd (>= 7.0.0 < 8.0.0)
- simp/sudo (>= 5.1.1 < 6.0.0)
- simp/sudosh (>= 6.1.0 < 7.0.0)
- simp/svckill (>= 3.6.1 < 4.0.0)
- simp/swap (>= 0.1.2 < 1.0.0)
- simp/tftpboot (>= 6.3.0 < 7.0.0)
- simp/tlog (>= 0.1.0 < 1.0.0)
- simp/tuned (>= 0.1.0 < 1.0.0)
- simp/useradd (>= 0.2.2 < 2.0.0)
- puppet/nsswitch (>= 2.0.0 < 4.0.0)
pupmod-simp-simp - Puppet Profiles for SIMP -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.