14. Glossary of Terms

Note

Many terms here have been reproduced from various locations across the Internet and are governed by the licenses surrounding the source material. Please see the reference links for specifics on usage and reproducibility.

389 DS

389-DS

389 Directory Server

An enterprise-class FOSS LDAP server for Linux, capable of providing a full multi-master LDAPv3 infrastructure.

389 DS provides the main data store and directory service components for FreeIPA and IdM. Red Hat Directory Server is the commercially-supported version of 389 DS.

In SIMP, 389 DS replaces the (deprecated) OpenLDAP server as the default LDAP service for EL8+.

Website: https://directory.fedoraproject.org

ACL

Access Control List

A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

See: man 5 acl

AIDE

Advanced Intrusion Detection Environment

An intrusion detection system for checking the integrity of files under Linux. AIDE can be used to help track file integrity by comparing a snapshot of the system’s files prior to and after a suspected incident. It is maintained by Rami Lehti and Pablo Virolainen.

Apache 2.0 License

Apache License

A software license provided by the Apache Software Foundation.

See: Apache License, Version 2.0

APL

Automatic Parameter Lookup

A method where Puppet automatically looks up class parameters in Hiera using the fully-qualified name of the parameter.

See: Looking up data with Hiera

Auditd

The userspace component to the Linux Auditing System. It is responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

Beaker

A Ruby-based acceptance testing harness, created by the Puppet team and maintained by Vox Pupuli.

Source: Beaker Source Repository:

BIOS

Basic Input/Output System

A type of firmware used to perform hardware initialization during the booting process (power-on startup) on IBM PC compatible computers.

Source: Wikipedia: BIOS

Bolt

Puppet Bolt

An agentless open-source automation and orchestration tool that can execute any scripts or commands as ad hoc tasks, coordinating them with logic in Puppet DSL plans. Bolt’s plugins, plans, and tasks are designed to be distributed in Puppet modules.

Source: Puppetlabs Bolt

CA

Certificate Authority

An entity that issues X.509 digital certificates.

CentOS

Community Enterprise Operating System

An Enterprise-grade Operating System that is mostly compatible with a prominent Linux distribution.

Homepage: https://centos.org/

Class

Classes

Puppet Class

Puppet Classes

Classes are named blocks of Puppet code that are stored in modules and applied later when they are invoked by name.

Source: Classes

Class Parameter

Parameters allow a class to request external data. If a class needs to configure itself with data other than facts, that data should usually enter the class via a parameter.

Each class parameter can be used as a normal variable inside the class definition. The values of these variables are not set with normal assignment statements or looked up from top or node scope; instead, they are set based on user input when the class is declared.

Note that if a class parameter lacks a default value, the module’s user must set a value themselves (either in their external data or an override). As such, you should supply defaults wherever possible.

Each parameter can be preceded by an optional data type. If you include one, Puppet will check the parameter’s value at runtime to make sure that it has the right data type, and raise an error if the value is illegal. If no data type is provided, the parameter will accept values of any data type.

The special variables $title and $name are both set to the class name automatically, so they can’t be used as parameters.

Example:

class foo (
  # '$bar' is the class parameter and can be references as '$foo::bar'
  # from locations outside of the class and simply '$bar' from inside
  # the class.

  String $bar = 'An Example Parameter'
) { }

Source: Class parameters and variables

CLI

Command Line Interface

A means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines).

Source: Wikipedia: Command Line Interface

Code Manager

[Puppet] Code Manager automates the management and deployment of your Puppet code. Push code updates to your source control repo, and then Puppet syncs the code to your servers, so that all your servers start running the new code at the same time, without interrupting agent runs.

Source: Managing code with Code Manager See Also: r10k

Compliance Profile

SIMP Compliance Profile

A collection of data that maps policy directly to Puppet class and defined type parameters. These profiles are used by the SIMP Compliance Engine.

Control Repo

Control Repository

A version control repository containing all of the required modules, data, and configuration for one or more Puppet environments. Each branch of the control repository deploys as a separate Puppet environment using r10k or Code Manager.

See:

Core Dump

A dump of the contents of main memory.

CPU

Central Processing Unit

A central processing unit (CPU) is the electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (I/O) operations specified by the instructions

Source: Wikipedia: Central Processing Unit

CRL

Certificate Revocation List

A list of digitical certificates that have been revoked by the CA.

Source: Wikipedia: Certificate revocation list

DAC

Discretionary Access Control

A type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”.

Source: Wikipedia: Discretionary access control

Defined Type

Defined Types

Defined Resource Type

Defined Resource Types

Puppet Defined Type

Puppet Defined Types

Defined resource types, sometimes called defined types or defines, are blocks of Puppet code that can be evaluated multiple times with different parameters.

Source: Defined resource types

DevOps

A set of software development practices that combines software development (Dev) and information technology operations (Ops) to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives

Source: Wikipedia: DevOps

DHCP

Dynamic Host Configuration Protocol

A network protocol that enables a server to automatically assign an IP address to a computer.

DNS

Domain Name System

A database system that translates a computer’s fully qualified domain name into an IP address and the reverse.

Docker

Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

Source: Docker: What is Docker?

DoS

Denial of Service

Denial of Service Attack

An attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Source: Wikipedia: Denial-of-service attack

DSL

Domain Specific Language

A computer language specialized to a particular application domain.

Source: Wikipedia: Domain-specific language

EL

Enterprise Linux

In the context of SIMP, EL is a generic term for Enterprise Linux and covers both RHEL and CentOS as well as other RHEL derivatives such as Oracle Linux.

Elasticsearch

A distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

Source: Elasticsearch Homepage

ELG

An acronym for Elasticsearch, Logstash, and Grafana

ENC

External Node Classifier

An arbitrary script or application which can tell Puppet which classes a node should have. It can replace or work in concert with the node definitions in the main site manifest (site.pp).

The Puppet Enterprise Console and The Foreman are two examples of External Node Classifiers.

Source: External Node Classifiers

EPEL

Extra Packages for Enterprise Linux

A Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).E

EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager and more.

Source: EPEL Homepage

FACL

File Access Control List

An ACL applied to a file on the filesystem.

Facter

Cross-platform system profiling library for use with Puppet and other management tools. It discovers and reports per-node facts, which are available in your Puppet manifests as variables.

Source: Facter Documentation

FIPS

Federal Information Processing Standard

Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA)

The particular standards of note in SIMP are:

Source: FIPS Publications

FOSS

Open Source

Software licensed in a manner that keeps its source code publicly accessible and free to modify and redistribute.

See: The Open Source Definition

FQDN

Fully Qualified Domain Name

A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain and the root zone. An FQDN is distinguished by its unambiguity; it can only be interpreted one way.

FreeIPA

A FOSS identity management solution for Linux, with an emphasis on ease-of-use.

FreeIPA is managed from simple web interface and CLI commands. Behind the scenes, it combines 389 DS, MIT Kerberos, NTP, DNS, and the Dogtag PKI certificate manager. Client systems interact with FreeIPA via SSSD.

Red Hat Identity Management (IdM) is the commercial subscription version of FreeIPA.

Website: https://www.freeipa.org/page/Main_Page

Git

A distributed version control system that supports branches.

Website: https://www.git-scm.com

GPG

GnuPG

Gnu Privacy Guard

A complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP).

Source: GnuPG Homepage

Grafana

A system of pluggable panels and data sources allowing easy extensibility and a variety of panels, including fully featured graph panels with rich visualization options. There is built in support for many of the most popular time series data sources.

Source: Grafana Homepage

GUI

Graphical User Interface

A type of interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation.

Source: Wikipedia: Graphical User Interface

HDD

Hard Disk Drive

A device for storing and retrieving digital information, primarily computer data.

Hiera

A key/value lookup tool for user-defined data hierarchies, generally organized based on Facter facts. Puppet uses Hiera as it compiles catalogs to provide data during Automatic Parameter Lookup or explicit lookup() calls.

Hiera’s hierarchy and data are usually stored as YAML or EYAML files in the Control Repository. However, data can be provided from any source with a custom Hiera backend.

Source: Hiera Overview

Hiera backend

A Hiera plugin used to retrieve information from a data source and return it appropriately for use in Puppet.

See: Hiera: Writing new data backends

The SIMP Compliance Engine uses a custom Hiera backend to enforce Compliance Profile settings.

hiera-eyaml

Hiera eyaml

EYAML

Hiera eyaml provides a way to keep encrypted data in Hiera data files. It consists of:

The eyaml Hiera backend
The eyaml CLI command
.eyaml Hiera data files

The Hiera backend is configured with decryption keys and reads from .eyaml files. The CLI command is used to generate keys, encrypt/decrypt data, and edit .eyaml files. The .eyaml files are YAML that may contain a mix of encrypted and plaintext values—although for performance reasons, it is common practice to limit .eyaml files to encrypted data and use plaintext .yaml files for everything else.

Encrypted values are prefixed with their encryption method and wrapped with ENC[]. They can occur within arrays, hashes, nested arrays and nested hashes. The default encryption mechanism is PKCS7, however further encryption types (like GPG) can be added with plugins, which are distributed as RubyGems.

The eyaml backend and CLI command are provided by the hiera-eyaml RubyGem, which is been packaged as part of the Puppet Server.

Puppet documentation: Configuring a hierarchy level: hiera-eyaml

GitHub project for the hiera-eyaml gem: https://github.com/voxpupuli/hiera-eyaml

HIRS

Host Integrity at Runtime and Start-up

Attestation Certificate Authority (ACA) and TPM Provisioning with trusted computing-based supply chain validation.

Source: HIRS

IMA

Integrity Management Architecture

The integrity subsystem is to detect if files have been accidentally or maliciously altered, both remotely and locally.

Source: IMA Sourceforge Page

initrd

The Initial RAMDisk. A complete environment that is loaded at boot time to enable booting the rest of the operating system.

InSpec

An open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements.

Source: InSpec Homepage

IP

IP Address

Internet Protocol Address

A numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

Source: Wikipedia: IP Address

IP6Tables

Internet Protocol 6 Tables

A user space application that provides an interface to the IPv6 firewall rules on modern Linux systems.

IPTables

Internet Protocol Tables

A user space application that provides an interface to the IPv4 firewall rules on modern Linux systems.

ISO

ISO 9660

A file system standard published by the International Organization for Standardization (ISO) or optical disc media.

Source: Wikipedia: ISO_9660

JSON

JavaScript Object Notation

A lightweight data-interchange format defined by ECMA-404.

Source: JSON Homepage

KDC

Key Distribution Center

Part of a cryptosystem intended to reduce the risks inherent in exchanging keys. KDCs often operate in systems within which some users may have permission to use certain services at some times and not at others.

Kerberos

A computer network authentication protocol that works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Kickstart

Automated installation procedure for Red Hat Linux and other Linux distributions.

See: Kickstart

LDAP

Lightweight Directory Access Protocol

A protocol for querying and modifying LDAP directory services including information such as names, addresses, email, phone numbers, and other information from an online directory.

LDIF

Lightweight Directory Interchange Format

A standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry). It also represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.

Source: Wikipedia: LDAP Data Interchange Format

Logstash

An open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite “stash.”

Source: Logstash Homepage

LUKS

Linux Unified Key Setup

The standard for Linux hard disk encryption.

See: The LUKS Homepage

MAC

MAC Address

Media Access Control

Media Access Control Address

A unique identifier assigned to network interfaces for communications on the physical network segment.

Source: Wikipedia: MAC address

Mandatory Access Control

A type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.

Source: Wikipedia: Mandatory access control

Meltdown

A hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

Source: Wikipedia: Meltdown (security vulnerability)

NAT

Network Address Translation

The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

NFS

Network File System

A distributed file system protocol that allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

NIST

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) was founded in 1901 and now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories.

Source: NIST - About NIST

NIST 800-171

NIST SP 800-171

NIST Special Publication 800-171

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

See: SP 800-171

NIST 800-53

NIST SP 800-53

NIST Special Publication 800-53

Security and Privacy Controls for Federal Information Systems and Organizations

See: SP 800-53

NIST information limiting requirements

Specific NIST 800-53 controls that prohibit passing information to vendors without justification.

Per NIST 800-53r4 AC-20(1) and SC-38:

“OPSEC safeguards help to protect the confidentiality of key information including, for example, limiting the sharing of information with suppliers and potential suppliers of information system components, information technology products and services, and with other non-organizational elements and individuals.”

NIST SP

NIST Special Publication

A set of publications that provide computer/cyber/information security and guidelines, recommendations, and reference materials.

See: NIST Special Publications

NTP

Network Time Protocol

A networking protocol designed to keep computer systems’ clocks within a few milliseconds of each other.

SIMP manages NTP servers and clients on EL7 using simp/ntpd and on EL8 using voxpopuli/chrony.

See: Wikipedia: Network Time Protocol

Website: http://www.ntp.org

OATH

Initiative for Open AuTHentication

A technical framework for open authentication.

Source: OATH Reference Architecture

OpenLDAP

A FOSS implementation of LDAP. The full suite includes a server, libraries, utilities, and “sample” LDAP clients.

SIMP managed the OpenLDAP server as a default LDAP service through EL7. However, the openldap-servers package was deprecated in EL7.4 and removed in EL8. SIMP supports the 389 Directory Server as a replacement on EL8+.

See: OpenLDAP website

OpenSCAP

The OpenSCAP project provides tools that are free to use anywhere you like, for any purpose. Availability of the code results in greater portability – anyone can send patches to add support for their platform of choice.

Source: OpenSCAP Features

OPSEC

Operations Security

A process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information

Source: Wikipedia: Operations Security

OS

Operating System

System software that manages computer hardware and software resources and provides common services for computer programs. All computer programs, excluding firmware, require an operating system to function.

Source: Wikipedia: Operating system

PAM

Pluggable Authentication Modules

A mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independent of the underlying authentication scheme.

PE

Puppet Enterprise

A version of Puppet with commercial support by Puppet, Inc. that provides additional capabilities beyond Puppet.

PEM

Privacy Enhanced Mail

An early standard for securing electronic mail. This is the public-key of a specific certificate. This is also the format used for Certificate Authority certificates.

PERL

Practical Extraction and Report Language

A high-level, general-purpose, interpreted, dynamic programming language. PERL was originally developed by Larry Wall in 1987 as a general-purpose Unix scripting language to make report processing easier.

PKI

Public Key Infrastructure

A security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet. PKI enables users of a basically insecure public networks, such as the Internet, to securely authenticate to systems and exchange data. The exchange of data is done by using a combination of cryptographically bound public and private keys.

Puppet

An Open Source configuration management tool written and maintained by Puppet, Inc.. Written as a Ruby DSL, Puppet provides a declarative language that allows system administrators to provide a consistently applied management infrastructure. Users describes system resource and resource state in the Puppet language. Puppet discovers system specific information via Facter and compiles Puppet manifests into a system-specific catalog containing resources and resource dependencies, which are applied to each client system.

Puppet Custom Type

Custom Type

New Puppet Resources, written in Ruby, that add custom client-side capabilities to the Puppet language.

See: Custom Types:

Puppet Data Type

Added in Puppet version 4, strong data types allow for the enforcement of inherent parameter validation as well as a better understanding of what function the data performs in classes.

See: Language: Data Types

Puppet Environment

Puppet Environments

As the Puppet Environment documentation puts it:

“An environment is a branch that gets turned into a directory on your primary server.”

Depending on the context, the term has several implications:

When describing infrastructure, a Puppet environment is a group of Puppet agent nodes the Puppet Server manages in isolation from other agent nodes (which belong to other Puppet environments).
When discussing file paths or directories on a Puppet Server: a Puppet environment is a directory of source, data, and module files used to compile Puppet catalogs for such a group of agents.

Each Puppet environment directory is located on a Puppet server at /etc/puppetlabs/code/environments/environment_name.
In a Control Repository, each git branch represents a separate Puppet environment, which r10k or PE Code Manager will deploy to a Puppet server as a Puppet environment directory with the same name.
From the perspective of the Puppet compiler and language, a Puppet environment can be seen as a global namespace.

See: https://puppet.com/docs/puppet/latest/environments_about.html

Puppet Module

Puppet Modules

A self-contained bundle of code and data able to be processed by the puppet application.

Puppet Namespace

A mechanism used by the puppet compiler to uniquely identify code during compilation. Generally, namespaces align with Puppet Module file paths and are separated by two colons at each directory.

See: Namespaces and Autoloading

Puppet Resource

Puppet Resources

The fundamental unit for modeling system configurations in Puppet.

See: Resources:

PuppetDB

An Open Source project, PuppetDB collects data generated by Puppet. It enables advanced Puppet features like exported resources, and can be the foundation for other applications that use Puppet’s data.

Source: PuppetDB Overview <https://puppet.com/docs/puppetdb/latest>

Puppetfile

A Ruby file that contains references to Puppet modules.

See the Puppetfile spec: https://github.com/puppetlabs/r10k/blob/main/doc/puppetfile.mkd

PuppetForge

An official repository for Puppet modules

See: https://forge.puppet.com/

Puppetserver

Puppet Server

An application that runs on the Java Virtual Machine (JVM) and provides a puppet compiler service by running several JRuby interpreters running the Puppet compiler through a Clojure-based service.

Source: Puppet’s Services: Puppet Server

PXE

Preboot Execution Environment

An environment to boot computers using a network interface independently of data storage devices (like hard disks) or installed operating systems.

r10k

A code management tool that uses git branches to automate the development and deployment of Puppet code.

Rake

Ruby Make

A Make-like program implemented in Ruby.

Source: Rake Homepage

RAM

Random Access Memory

A form of computer data storage. A random access device allows stored data to be accessed in nearly the same amount of time for any storage location, so data can be accessed quickly in any random order.

Red Hat

Red Hat®

Red Hat®, Inc.

A collection of many different software programs, developed by Red Hat®, Inc. and other members of the Open Source community. All software programs included in Red Hat Enterprise Linux® are GPG signed by Red Hat®, Inc. to indicate that they were supplied by Red Hat®, Inc.