2.1. SIMP Community Edition (CE) 6.6.0

2.1.1. OS compatibility

This release is known to work with:

  • CentOS 7.0 2009 x86_64

  • CentOS 8.5 2111 x86_64

  • CentOS 8 Stream 20220423 x86_64

  • OEL 7.9 x86_64

  • OEL 8.5 x86_64

  • RHEL 7.9 x86_64

  • RHEL 8.5 x86_64

2.1.1.1. Full support for EL8

This release introduces full EL8 support for the SIMP Puppet server and agents across the entire SIMP framework.

EL8 support was previously limited to managing Puppet agents with the core SIMP Puppet modules.

2.1.1.2. EL6 support has been removed

EL6 is EOL and is no longer supported by SIMP CE.

All logic and testing in support of EL6 has been completely removed from the entire SIMP framework.

If you require further support for EL6 systems, consider purchasing commercial support.

2.1.2. Breaking Changes

2.1.2.1. ISOs Unpack into Unique Repository Paths

The directory structure of yum repositories unpacked from SIMP ISOs has changed.

Previously, all SIMP RPMs were placed into a single yum repository on the SIMP server, under /var/www/yum/SIMP/. This directory structure wasn’t flexible enough to serve multiple operating systems/releases simultaneously without significant customization.

Starting from this release, repositories will be placed under the directory structure /var/www/yum/SIMP/<os name>/<os version>/<arch>/, which mirrors the layout of the base operating system repositories.

The unpack_dvd script has been updated to ensure that only compatible items are unpacked into the underlying repository. If the script detects incompatibilities, it will fail and provide guidance.

2.1.2.2. Rsyslog < 8.24.0 is no Longer Supported

Due to vendor recommendations, simp/rsyslog no longer supports rsyslog versions under 8.24.0.

If you need to support older versions of rsyslog, please use simp/rsyslog 7.6.4 in an alternate Puppet environment.

2.1.2.3. SSSD < 1.16.0 is no Longer Supported

There are multiple issues in versions of sssd prior to 1.16.0. Users should upgrade to the latest release.

2.1.3. Significant Updates

2.1.3.1. SIMP Server Support on EL8

This release provides full support for managing SIMP Puppet servers on EL8.

2.1.3.2. Puppet 7 Support

All SIMP Puppet modules now work with both Puppet 6 and Puppet 7.

2.1.3.3. Puppet 5 Support Removed

Puppet 5 is EOL and support for it has been removed from all modules.

2.1.3.4. PuppetDB no Longer Configured by Default

A review of the newer puppetserver defaults as well as the concept of “only run what you require” led to the removal of puppetdb as a default installed/configured application.

This change should make it easier to run in resource-limited environments.

Existing systems will not be affected, but new systems will need to enable puppetdb per HOWTO Enable PuppetDB.

2.1.3.5. 389 DS replaces OpenLDAP on EL8

On EL8, 389 Directory Server replaces the (deprecated) OpenLDAP server as the default LDAP service.

Existing infrastructures will not be affected on upgrade, but new environments will need to configure correctly for their environment’s LDAP server.

LDAP clients are still able to connect to either an OpenLDAP server or 389 DS as necessary. Please read the upgrade guide if you are switching from OpenLDAP to 389 DS. New systems will require no additional configuration.

2.1.3.6. Switch from Cron to Systemd

With the deprecation of EL6, all supported OSes use systemd. The framework is now in a position to take advantage of systemd-specific features that improve system maintenance and administration.

Where possible, all SIMP puppet modules have been updated to replace old cron jobs with systemd timers. This enhances execution control and reporting for the scheduled jobs.

This practice may eventually enable systems to opt out of installing cron altogether, to the benefit of certain compliance profiles. It also has the benefit of being easier to manage.

2.1.3.7. Switch from Iptables to Firewalld

All SIMP modules now use firewalld by default instead of directly managing iptables. In general, the transition should be seamless for users unless advanced iptables rulesets were being managed (NAT, etc…).

Users still have the ability to directly manage iptables rules, but should be aware that there will be no further development on simp/iptables outside of maintaining the shims that hook it into firewalld.

2.1.5. RPM Updates

2.1.5.1. Puppet RPMs

The following Puppet RPMs are packaged with the SIMP 6.6.0 ISOs:

  Package           Version
  puppet-agent      6.27.1-1 or 7.16.0-1
  puppet-bolt       3.22.1-1
  puppetdb          6.21.0-1 or 7.10.1-1
  puppetdb-termini  6.21.0-1 or 7.10.1-1
  puppetserver      6.19.0-1 or 7.7.0-1

2.1.6. Removed Puppet Modules

The following modules were removed from the release:

  • simp_pki_service

  • simp_bolt

2.1.8. Fixed Bugs

2.1.8.1. pupmod-simp-auditd

  • Aligned the EL8 STIG settings

  • Always add the head rules since they are required for proper functionality of the system

  • Use -F key= instead of -k to match the STIG recommendations

  • Switched the audit rules to always,exit instead of exit,always to match the man pages

2.1.8.2. pupmod-simp-aide

  • Changed to using --check instead of -C by default to match the expectation of most security scanners

  • Randomized the scheduling minute field so that I/O load is reduced on hosting platforms

2.1.8.3. pupmod-simp-cron

  • Manage the cron packages by default

2.1.8.4. pupmod-simp-fips

  • Use the simplib__crypto_policy_state fact instead of crypto_policy__state

  • Ensure that dracut_rebuild is called when the fips kernel parameter is changed

2.1.8.5. pupmod-simp-gdm

  • Fixed minor errors in the compliance_markup data

  • Properly handle integration of systemd-logind with the hidepid flag on /proc

  • Added a pam_access entry for the gdm user so that the greeter session can start

2.1.8.6. pupmod-simp-haveged

  • Mask the haveged service when disabling it so that it is not restarted on reboot

  • Ensure that haveged does not start if rngd is running

2.1.8.7. pupmod-simp-incron

  • No longer pin the version of incron since the upstream versions have been fixed

2.1.8.8. pupmod-simp-libreswan

  • Removed obsolete configuration items that prevented functionality on EL8:

    • libreswan::ikeport

    • libreswan::nat_ikeport

    • libreswan::klipsdebug

    • libreswan::perpeerlog

    • libreswan::perpeerlogdir

2.1.8.9. pupmod-simp-libvirt

  • Removed ipxe-roms from the OEL package lists since they are now optional

2.1.8.10. pupmod-simp-network

  • Ensure that the network::eth defined type honors the network::auto_restart parameter

2.1.8.11. pupmod-simp-nfs

  • Added _netdev to the default mount options

  • Ensure that remote-fs.target is enabled

2.1.8.12. pupmod-simp-ntpd

  • Fixed a bug where ntp::allow::rules was not being honored

  • Added simp_options::ntp::servers to the default lookup list for ntpd::servers

2.1.8.13. pupmod-simp-openscap

  • Fixed the default data stream name in EL7

2.1.8.14. pupmod-simp-pam

  • Silenced unnecessary TTY messages

  • Added default Hiera deep merges for pam::access::users and pam::limits::rules

  • Fixed a bug in system-auth where pam_tty_audit was not skipped if the login did not have a TTY. This prevented the GDM service login from succeeding.

  • Set quiet on pam_listfile so that warnings do not get logged that look like authentication failures

2.1.8.15. pupmod-simp-pupmod

  • Changed all instances of setting items in the master section to use server instead

  • Updated pupmod::conf to automatically switch master to server

  • Automatically remove items from the puppet config in the master section that are set in the server section

  • Added pupmod::master::sysconfig::use_code_cache_flushing to reduce excessive memory usage

  • Removed SHA1 ciphers from the server cipher list

  • Disconnected the puppetserver from the system FIPS libraries since it causes conflicts with the vendor provided settings

  • Allow pupmod::puppet_server to accept Arrays

  • Properly configure the server list when multiple puppet servers are specified

  • Converted all cron settings to systemd timers

  • Converted the ‘cleanup’ jobs to systemd.tmpfile jobs

  • Fixed a bug where the pupmod::master::sysconfig class was not being applied

  • Get certname from trusted facts only for authenticated remote requests

  • Fix bolt compatibility

2.1.8.16. pupmod-simp-resolv

  • Fixed bugs in the Augeas template

  • Use configuration files to manage the global NetworkManager configuration

2.1.8.17. pupmod-simp-rkhunter

  • Changed the minute parameter on scheduled tasks to a random number to reduce I/O load on hosting platforms

  • Updated to use systemd timers instead of cron by default

  • Added default user_fileprop_files_dirs to cover the puppet applications

  • Ensure that the initial propupd command runs after the puppet run is complete

  • Added a rkhunter::propupd class to ensure that the first cut of properties is updated after all packages have completed in the puppet run

2.1.8.18. pupmod-simp-rsync

  • Fixed the documentation

  • Noted that sebool_use_nfs and sebool_cifs will be deprecated in the future

2.1.8.19. pupmod-simp-rsyslog

  • Fixed a bug where the rsyslog service would start without errors but fail to log when rsyslog::config::default_template was set to traditional

2.1.8.20. pupmod-simp-selinux

  • Fixed a dependency cycle when using vox_selinux::boolean

  • Fixed a bug where the module would attempt to create selinux_login resources when selinux::login_resources was set but selinux was disabled

2.1.8.21. pupmod-simp-simp

  • Updated simp::yum::repo::local_os_updates to use the gpg keys installed into <yum directory>/SIMP/GPGKEYS to work around changes in EL8

  • Corrected the HeapDumpOnOutOfMemoryError setting for puppetdb

  • Ensure that nsswitch SSSD options for sudoers do not stop on files

  • Do not include the auditors sudo user specification if the aliases have not been included

  • Added the following to the sudoers defaults:

    • !visiblepw

    • always_set_home

    • match_group_by_gid

    • always_query_group_plugin

  • Now use relative paths for the location for the SIMP GPG keys on YUM servers by default

  • Support all valid values for simp::pam_limits::max_logins::value

  • Added additional parameters to simp::admin to allow for more fine-grained control of global admin and auditor sudo rules

2.1.8.22. pupmod-simp-simp_apache

  • Ensure that all file resources that manage more than permissions have an ensure attribute

  • Moved the magic file into an EPP template to work better with bolt

  • Use systemd to reload/restart the httpd service

2.1.8.23. pupmod-simp-simp_gitlab

  • Fixed a bug where the change_gitlab_root_password script did not work with GitLab after 13.6.0

2.1.8.24. pupmod-simp-simp_grub

  • Updated the documentation to better reflect GRUB2

2.1.8.25. pupmod-simp-simp_nfs

  • Fixed a bug in create_home_directories.rb where EL8 systems could not talk to EL7 LDAP servers when the servers were in FIPS mode

2.1.8.26. pupmod-simp-simp_openldap

  • Fixed pki::copy since the ldap group is no longer created by the OpenLDAP client packages

  • Fixed Float to String comparison error in simp_openldap::server::conf::tls_protocol_min

  • Deprecated parameters only applicable to EL6:

    • simp_openldap::client::strip_128_bit_ciphers

    • simp_openldap::client::nss_pam_ldapd_ensure

2.1.8.27. pupmod-simp-simplib

  • Fixed the call to klist to properly handle cache issues

  • Increased randomization in simplib::gen_random_password

  • simplib::cron::hour_entry now supports comma separated lists

  • simplib::cron::minute_entry now supports comma separated lists

  • Fixed the simplib__networkmanager fact

  • Fixed a bug where the ipa fact did not detect when an EL8 client was joined to an IPA domain

  • Ensure that the puppet_settings fact supports both the server and master sections for backwards compatibility

  • Added a tertiary check to the grub_version fact

2.1.8.28. pupmod-simp-ssh

  • Fixed a bug where some changes to the sshd configuration did not cause a service restart

  • Fixed a bug that caused a compilation error when ssh::conf::ensure_sshd_packages was set to true

  • Ensure that vox_selinux is included prior to calling selinux_port

  • Ensure that parameters that do not apply to EL8+ systems are not set on the target system

  • No longer set HostKeyAlgorithms on the client configuration by default

2.1.8.29. pupmod-simp-sssd

  • Added an option to sssd::install to prevent installation of the sssd client to increase compatibility with other operating systems

  • Fixed multiple compatibility issues with non-OpenLDAP LDAP servers

  • No longer use concat but instead drop configuration items into the /etc/sssd/conf.d directory

  • Ensure that systems bound to FreeIPA, but not connected, do not cause compilation issues

2.1.8.30. pupmod-simp-stunnel

  • Worked around a bug in EL7 where a connection denied by tcpwrappers would cause stunnel to hang and spike to 100% CPU usage indefinitely. All connections are still blocked by the firewall but now are always allowed in tcpwrappers.

2.1.8.31. pupmod-simp-svckill

  • Added rngd to the default list of services to never be killed

  • Removed obsolete documentation

2.1.8.32. pupmod-simp-swap

  • Disable dynamic_swappiness by default

  • Set static system swappiness to 60 by default

2.1.8.33. pupmod-simp-tlog

  • Add a file resource if the file writer is specified

  • Corrected the login in tlog.sh.epp in the case where a user does not have a login shell

2.1.8.34. pupmod-simp-tpm2

  • Overrode the systemd unit file for tpm2-abrmd for TCTI compatibility

2.1.8.35. pupmod-simp-vsftpd

  • Fixed sysctl updates on service restart

2.1.8.36. simp-doc

  • Added HOWTO for managing PuppetDB

  • Added HOWTO for enabling client reports

  • Corrected SSL recovery documentation

  • Corrected documentation relating to using sudo in STIG mode

  • Added documentation for using EYAML in SIMP environments

2.1.8.37. simp-environment

  • Add the EYAML hierarchy to the default hiera.yaml

2.1.8.38. simp-gpgkeys

  • Fixed the target location for copying the GPG keys into the YUM repository

  • Removed EL6 keys

  • Updated the Red Hat release key

2.1.8.39. simp-rsync

  • Removed dynamic BIND files from the list of files to rsync

2.1.8.40. simp-utils

  • Fixed the puppetlast script and enabled it to read from filesystem reports

2.1.8.41. rubygem-simp-cli

  • Changed set/get from master to server when updating the puppet configuration

  • Use the status endpoint instead of a CRL query to validate the puppetserver status

  • Use puppet to set the GRUB password

  • Ensure that updating entries in /etc/hosts is idempotent

  • Removed the LOCAL domain from the default sssd configuration

  • No longer use the deprecated simp_options::ntpd::servers setting

  • Simplified the instructions for the ‘local user lockout’ warning

2.1.9. New Features

The following items are common to most module updates and do not warrant specific inclusion below. For full details, see the CHANGELOG of all delivered packages.

  • Removal of old Puppet version support

  • Removal of EL6 support

  • Addition of EL8 support

  • Puppet module dependency updates

2.1.9.1. pupmod-simp-ds389

  • New module for managing 389 DS

2.1.9.2. pupmod-simp-simp_firewalld

2.1.9.3. pupmod-simp-gnome

  • Removed support for GNOME2 since EL6 is no longer supported

  • Also removed all gconf parameters and settings since they no longer have any use

2.1.9.4. pupmod-simp-logrotate

  • Allow all log size configuration parameters to be specified in bytes, kilobytes, megabytes, or gigabytes

2.1.9.5. pupmod-simp-pam

  • Added dictcheck and faillock_log_file parameter support

  • Added Amazon Linux 2 support

  • Added a pre section for setting auth file content to work with third party plugins

  • Added the ability to set extra content in the su configuration

2.1.9.6. pupmod-simp-resolv

  • Added the ability to precisely update the resolv.conf contents

  • Added the ability to specify the entire contents of resolv.conf

  • Added the ability to remove resolv.conf completely

2.1.9.7. pupmod-simp-rsyslog

Please read the module documentation and CHANGELOG since there were numerous changes!

  • Dropped support for rsyslog < 8.24.0

  • Added the ability to set the default template used for forwarding via rsyslog::config::default_forward_template

  • Added parameters to allow additional configuration of the modules and main queue

  • Added Direct and Disk to the allowed main message queue types

  • Removed parameters only relevant to rsyslog < 8.6.0

    • rsyslog::config::host_list

    • rsyslog::config::domain_list

  • Replaced obsolete parameters with modern replacements:

    • rsyslog::config::action_send_stream_driver_mode => rsyslog::config::imtcp_stream_driver_mode

    • rsyslog::config::action_send_stream_driver_auth_mode => rsyslog::config::imtcp_stream_driver_auth_mode

    • rsyslog::config::disable_remote_dns => rsyslog::config::net_enable_dns

    • rsyslog::config::suppress_noauth_warn => rsyslog::config::net_permit_acl_warning

  • Deprecated rsyslog::config::default_template for rsyslog::config::default_file_template

  • Updated various parts of the configuration from legacy to RainerScript format

2.1.9.8. pupmod-simp-simp

  • Added EL8 support

  • Added simp::puppetdb::disable_update_checking to disable default analytics in accordance with NIST guidance

  • puppetdb now sets UseCodeCacheFlushing by default

  • The sssd client configuration now sets the LDAP schema based on simp::sssd::client::ldap_server_type

  • The simp::sssd::client no longer creates a LOCAL provider

2.1.9.9. pupmod-simp-simp_ds389

  • New module providing SIMP-specific settings for 389 DS for providing a suitable replacement for OpenLDAP

2.1.9.10. pupmod-simp-simp_gitlab

  • Now default simp_gitlab::allow_fips to true which works with GitLab 14.0.0+

2.1.9.11. pupmod-simp-simp_nfs

  • Provide host PKI information to upstream LDAP servers

2.1.9.12. pupmod-simp-simp_options

  • Added simp_options::ntp for more generalized configuration of both ntpd and chronyd

2.1.9.13. pupmod-simp-simpkv

  • Added an LDAP backend plugin

2.1.9.14. pupmod-simp-simplib

  • Added simplib::cron::to_systemd() to convert cron resource parameters to systemd timespec format

  • Added simplib::cron::expand_range() to expand ranges into comma separated strings

  • Added simplib::params2hash() to return all of the calling scope’s parameters as a Hash

  • Added net.ipv6.conf.all.disable_ipv6 to the simplib_sysctl fact

  • Added a simplib__crypto_policy_state fact
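
The cron-to-systemd-timer conversion behind simplib::cron::to_systemd() and simplib::cron::expand_range(), and the cron-to-timer switch described under 2.1.3.6, as an added illustrative example in Python; it is not simplib's own implementation, the names expand_field, expand_range, _calendar_part and cron_to_systemd belong to this example, and it assumes the classic five-field cron syntax.

```python
# Added example, not SIMP's simplib::cron::to_systemd()/expand_range():
# converts the five cron schedule fields into a systemd OnCalendar= spec.
# Edge case: cron ORs a restricted day-of-month with day-of-week, systemd ANDs them.

MONTH = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
DOW = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
DOW_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def _value(tok, names):
    tok = tok.lower()
    return names[tok] if tok in names else int(tok)

def expand_field(field, lo, hi, names=None):
    """Expand one cron field ('*/15', '1-5', 'mon,fri', '3') into a sorted
    list of ints within lo..hi; raises ValueError on out-of-range values."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _value(a, names), _value(b, names)
        else:
            start = _value(part, names)
            end = hi if step > 1 else start  # '5/10' means 'from 5, every 10'
        if not lo <= start <= end <= hi:
            raise ValueError(f"cron field {field!r} is outside {lo}..{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def expand_range(field, lo, hi, names=None):
    """Comma separated form of expand_field(), e.g. '*/20' -> '0,20,40'."""
    return ",".join(str(v) for v in expand_field(field, lo, hi, names))

def _calendar_part(field, lo, hi, names=None):
    # '*' stays a wildcard; anything else becomes a zero-padded list.
    if field == "*":
        return "*"
    return ",".join(f"{v:02d}" for v in expand_field(field, lo, hi, names))

def cron_to_systemd(minute, hour, monthday, month, weekday):
    """Return an OnCalendar= value ('DOW *-MM-DD HH:MM:SS') for a cron line."""
    if monthday != "*" and weekday != "*":
        # Refuse rather than silently narrow the schedule (see header comment).
        raise ValueError("cron ORs day-of-month with day-of-week but systemd ANDs them")
    spec = (f"*-{_calendar_part(month, 1, 12, MONTH)}"
            f"-{_calendar_part(monthday, 1, 31)} "
            f"{_calendar_part(hour, 0, 23)}:{_calendar_part(minute, 0, 59)}:00")
    if weekday == "*":
        return spec
    # cron accepts 0 and 7 for Sunday; collapse both and order Mon..Sun.
    days = sorted({d % 7 for d in expand_field(weekday, 0, 7, DOW)},
                  key=lambda d: d or 7)
    return ",".join(DOW_NAMES[d] for d in days) + " " + spec
```

The returned string is what would go on the OnCalendar= line of the .timer unit that replaces the cron entry; systemd-analyze calendar can be used to confirm the next trigger times match the old cron schedule.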

2.1.9.15. pupmod-simp-ssh

  • Added an option to turn off managing the AuthorizedKeysFile parameter in /etc/ssh/sshd_config

2.1.9.16. pupmod-simp-sssd

  • Made installing the sssd client optional (enabled by default)

  • No longer support sssd < 1.16.0

  • Users can now set sssd::custom_config to a string that will be placed into /etc/sssd/conf.d/zz_puppet_custom.conf

  • Users can optionally purge the /etc/sssd/conf.d directory if they want puppet to be authoritative

2.1.9.17. pupmod-simp-sudo

  • Added the ability for users to create include clauses in /etc/sudoers

2.1.9.18. pupmod-simp-tpm2

  • Updated tpm2::ownership and the tpm2 fact to support tpm2_tools version 4

  • Added a provider for the tpm2_changeauth functionality to provide ownership update capabilities

2.1.9.19. simp-environment

  • No longer configure puppetdb by default

2.1.9.20. simp-gpgkeys

  • Added the EL8 GPG keys

  • Added the new Puppet signing key

2.1.9.21. simp-utils

  • Updated the unpack_dvd scripts to work with EL8 ISOs

  • Added transition scripts for upgrading from 6.5.0 to 6.6.0

2.1.9.22. rubygem-simp-cli

  • Removed management of puppetdb components since it is no longer enabled by default

  • Removed support for EL6

  • Use OpenLDAP by default on EL7 and 389 DS otherwise

  • Set the defaults for both ntpd and chronyd

2.1.10. Known Bugs and Limitations

Below are bugs and limitations known to affect this release. If you discover additional problems, please submit an issue to let us know.

  • sssd does not always start the ds389 LDAP server immediately after kickstarting an EL8 system. An additional puppet run clears the problem. The error in the log is

    sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured