2.3. SIMP Community Edition (CE) 6.3.0-0

This release is known to work with:

  • CentOS 6.10 x86_64
  • CentOS 7.0 1804 x86_64
  • OEL 6.10 x86_64
  • OEL 7.5 x86_64
  • RHEL 6.10 x86_64
  • RHEL 7.5 x86_64

The flagship feature for SIMP 6.3.0 is full compatibility with Puppet 5 and Hiera 5.

The versions of Puppet targeted are those delivered with Puppet Enterprise 2018:

  • Puppet Server: 5.3.X
  • Puppet Agent: 5.5.X

A much wider range of versions is used for unit and acceptance testing. See the .gitlab_ci.yml file in each module to see what versions it has been tested against.

Warning

Puppet 4 is no longer supported as of SIMP 6.3. Users can continue with the SIMP 6.2 release and can obtain commercial support if further Puppet 4 support is required.

From this point on, all components are tested againt Puppet 5 and Puppet 4 support may be removed from any module as a non-breaking change at any time.

2.3.1. 6.3.0-0 Errata

An upstream bug in the incron package, caused the pupmod::master::generate_types code to spin into an infinite loop if the incron package was updated to 0.5.12-6 as published in EPEL.

This bug affects all uses of incron, not just pupmod::master::generate_types. We strongly advise that you remove the 0.5.12-6 package from your upstream repositories and use the following Hiera configuration to ensure that your SIMP 6.3.0-0 installation does not upgrade.

---
yum::config_options:
  exclude="incron"

Warning

If you previously disabled pupmod::master::generate_types then be advised that you will need to manually run puppet generate types on your environments if you upgrade the puppet or puppetserver packages or if you add a new environment to your system.

See the When Should I Run puppet generate types? for additional information.

2.3.2. Breaking Changes

Upgrading from Puppet 4 and earlier versions of Hiera requires some preparation. Please be sure to read Upgrading SIMP carefully.

While Hiera 5 is fully compatible with Hiera 3, there have been some configuration changes to utilize new capabilities.

  • The /etc/puppetlabs/puppet/hiera.yaml file, which defines the hierarchy used to search for parameter values, has been moved to the environment level to utilize the ability to have a unique hiera.yaml configuration per environment.
  • The default data directory has been renamed from hieradata to data to match Hiera 5 conventions.

You should review the puppet documentation for upgrading to Hiera 5 to learn how to upgrade any custom modules or backends that you have created.

2.3.3. Significant Updates

The following items were removed as dependencies for the simp RPM and added as dependencies on the simp-extras RPM since they are not used by the default SIMP configuration:

  • pupmod-richardc-datacat
  • pupmod-simp-autofs
  • pupmod-simp-krb5
  • pupmod-simp-network

2.3.3.1. puppet-simp-tlog

Sudosh has been replaced by Tlog as the default for logging privileged user activities. The default command for a user to switch to privileged access is now:

sudo su - root

2.3.3.2. Package Installation Settings

Several of the SIMP modules have been updated to use the simp_options::package_ensure setting as the default for package resource ensure state. The default for simp_options::package_ensure is installed. This will change the default behavior of some modules that were previously hard-coded to latest. This will not affect anything that was explicitly set.

This change makes the SIMP modules consistent and allows the administrator to set the default across the system with one variable. Also, by setting the default to installed packages will be updated only if the administrator has explicitly set the variable to latest.

Note

This does not affect the nightly cron job that updates all packages on the system and it is recommended that you change this to latest and rely on prudent repository management.

See Nightly Updates for additional information.

The following modules were updated:

  • pupmod-simp-aide
  • pupmod-simp-auditd
  • pupmod-simp-clamav
  • pupmod-simp-dhcp
  • pupmod-simp-fips
  • pupmod-simp-iptables
  • pupmod-simp-krb5
  • pupmod-simp-mozilla
  • pupmod-simp-oddjob
  • pupmod-simp-openscap
  • pupmod-simp-rsync
  • pupmod-simp-rsyslog
  • pupmod-simp-simp_apache
  • pupmod-simp-simp_nfs
  • pupmod-simp-simp_openldap
  • pupmod-simp-ssh
  • pupmod-simp-sudo
  • pupmod-simp-sudosh
  • pupmod-simp-tcpwrappers
  • pupmod-simp-tuned
  • pupmod-simp-vnc
  • pupmod-simp-vsftpd
  • pupmod-simp-xinetd

2.3.3.3. Oracle Enterprise Linux

The testing of the modules on Oracle Enterprise Linux was expanded and automated.

2.3.4. RPM Updates

2.3.4.1. ELG Stack

The application RPMs for Elasticsearch, Logstash, and Grafana will no longer be delivered with the SIMP ISO. Updates in the same major version of Elasticsearch and Logstash have been shown to randomly corrupt data and are therefore too dangerous to potentially drop into upstream repositories by default. Users must now download their own ELG packages.

2.3.5. Removed Modules

2.3.5.1. pupmod-simp-freeradius

There was not enough time to get the freeradius components updated sufficiently for Puppet 5 prior to release. This module may reappear in future releases if there is significant demand.

2.3.7. Fixed Bugs

2.3.7.1. pupmod-simp-auditd

  • Reverted back to using the native service provider for the auditd service
  • Allowed users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
  • Added a write_logs option to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
  • Added support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.
  • Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.

2.3.7.2. pupmod-simp-nfs

  • Allowed users to set the ‘ensure’ state of their client mount points in case they don’t want them to be mounted by default.

2.3.7.3. pupmod-simp-rsyslogd

  • Updated templates to use RainerScript for rsyslogd V8 and later
  • Fixed the MainMsgQueueDiscardMark and MainMsgQueueWorkerThreads parameters
  • Updated rsyslog::rule::remote to select a more intelligent default for StreamDriverPermittedPeers when TLS is enabled. This improvement fixes the bug in which forwarding of logs to servers in different domains was not possible within one call.
  • Added logic to properly handle rsyslogd parameters for V8.6 and later as documented in CentOS 7.5 Release notes. These include moving -x and -w options to global.conf and issuing deprecation warning for -l and -s options.

2.3.7.4. pupmod-simp-simp_grafana

  • Fixed bug in resource ordering of pki::copy and grafana::service
  • Used simplib::passgen() in lieu of deprecated passgen()

2.3.7.5. pupmod-simp-simp_logstash

  • Workaround for upstream bug where OEL6 logstash::service_provider must be set.

2.3.7.6. pupmod-simp-simp_rsyslog

  • Made directory where logs are gathered configurable and make rules that organize them configurable.
  • Updated simp_rsyslog::forward to allow configuration of the StreamDriverPermittedPeers directive in the forwarding rule actions for the remote rsyslog servers. This allows the user to set the correct StreamDriverPermittedPeers value when the default value is incorrect (e.g., when IP addresses are used in simp_rsyslog::log_servers or simp_rsyslog::failover_servers and one or more of those servers is not in the same domain as the client).
  • Removed redundant rules for sudosh since the puppet module will correctly take care of adding those rules.
  • Added support for tlog since it will be commonly replacing sudosh across the SIMP infrastructure.

2.3.7.7. pupmod-simp-simplib

  • Fixed bug where uid_min would throw errors under operating systems without /etc/login.defs.
  • Fixed bug where simplib_sysctl would throw an undefined method error on non-Linux OS’s. (both those with sysctl (MacOS X) and without (Windows))
  • Fixed bug with the boot_dir_uuid fact where it would throw an error if running on a system without a /boot partition (like a container).
  • Ensure that reboot_notify updates resources based on a modified ‘reason’

2.3.7.8. pupmod-simp-ssh

  • Hardened all ssh_host_* keys for security and compliance

2.3.7.9. pupmod-simp-sudo

  • Enabled support for Default of cmnd type in sudoers file.

2.3.7.10. pupmod-simp-svckill

  • Added 7.5 RHEL services to svckill::ignore_defaults list for EL7.

2.3.7.11. rubygem_simp_cli

  • Updated ‘simp config’ to support environment-specific Hiera 5 configuration provided by SIMP-6.3.0.

    • Assumes a legacy Hiera 3 configuration, when the ‘simp’ environment only contains a ‘hieradata’ directory.
    • Assumes a Hiera 5 configuration configuration, when the ‘simp’ environment contains both a ‘hiera.yaml’ file and a ‘data/’
  • Fixed simp bootstrap errors in puppetserver 5+:

    • No longer overwrites web-routes.conf (fix fatal config errors)
    • No longer adds -XX:MaxPermSize for Java >= 8 (fix warnings)
  • The trusted_server_facts was removed in Puppet 5.0.0. The presence of this setting will cause each puppet run to emit the warning:

    Warning: Setting trusted_server_facts is deprecated.

    This patch causes simp config to quietly remove the setting if it is present and Puppet is version 5 or later.

2.3.8. New Features

2.3.8.1. pupmod-simp-x2go and pupmod-simp-mate

These modules are used to configure the x2go client and server to allow for remote access to desktops and servers. This is an alternative to VNC. An example configuration is documented in the Graphical Remote Access documentation.

2.3.8.2. pupmod-simp-tlog

This module configures Tlog for logging privileged user activities. Both sudosh and Tlog are currently available but sudosh is no longer being maintained and is expected to be deprecated in the future.

2.3.8.3. pupmod-simp-simp_pki_service

Warning

This is a technology preview and may break unexpectedly in the future

Traditionally, SIMP has used an internal “FakeCA” openssl-based CA. Over time, this has proven insufficient for our needs, particularly for capabilities in terms of Key Enrollment (SCEP and CMC), OCSP, and overall management of certificates.

Additionally, it was found that users wanted to adjust the certificate parameters for the Puppet subsystem itself outside of the defaults and/or use a “real”, and more scalable CA system for all certificate management.

The pupmod-simp-simp_pki_service module can be used to configure a Certificate Authority (CA) using the Dogtag server. This CA can be configured either for the puppet server CA, the site CA in lieu of FakeCA, or both.

See the README in the module for details on how to configure it.

The Dogtag server was chosen because it is part of the FreeIPA suite and therefore likely to have any issues fixed and be well supported.

2.3.9. Known Bugs

2.3.9.1. Upgrading from previous SIMP 6.X versions

There are known issues when upgrading from Puppet 4 to Puppet 5. Make sure you read the Upgrading SIMP before attempting an upgrade.

2.3.9.2. Tlog

Tlog currently has a bug where session information may not be logged. The immediate mitigation to this is the fact that pam_tty_audit is the primary mode of auditing with tlog and/or sudosh being in place for a better overall tracking and behavior analysis experience.

Tlog has a second bug where the application fails if a user does not have a TTY. This has been mitigated by the SIMP wrapper script simply bypassing tlog if a TTY is not present.