Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp', '4.8.0'
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with simp
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
This module is the overarching profile of SIMP managed systems. It should be the entry point for all supported SIMP configurations.
This is a SIMP module
This module is a component of the System Integrity Management Platform.
If you find any issues, please submit them via JIRA.
Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/index.html).
This module should be used within the SIMP ecosystem and will be of limited independent use.
Module Description
This module provides a convenient entry point for setting up systems to meet the goals of the SIMP Project.
It is effectively a highly malleable Puppet profile that provides mechanisms for direct overall system modification and management.
Setup
What simp affects
The `simp` module is meant to be the central controller of all node
configurations. The suggested usage is to place the following in your
environment's `site.pp`:
```puppet
include 'simp_options'
include 'simp'
```
NOTE: If using Puppet Enterprise, you can add the `simp_options` and `simp`
classes to nodes via the classification interface. Do be sure to include
`simp_options` before `simp` so that the `simp` module has appropriate access
to the parameters in `simp_options`.
Usage
Basic Usage
It is recommended that you start with one of the SIMP scenarios described below.
These may be set via the `simp::scenario` parameter in Hiera.
You may want to tweak individual module settings and should reference the module documentation for full details.
SIMP Scenarios
The SIMP module has the following scenarios defined for getting started with different configurations easily:
NOTE: SIMP scenarios always target the Puppet client systems. The SIMP server
is always kept in the safest mode by default but can be overridden explicitly
in Hiera if desired.
- `simp` - The default scenario. Enables all modules to support the default SIMP
  infrastructure configured around security best practices and compatibility
  with supported security policies as defined in the `compliance_markup` module.
- `simp_lite` - The `simp` profile with some of the more aggressive security
  support modules disabled. These include, but are not limited to, `iptables`,
  `fips`, and `svckill`.
- `standalone` - Applies all of the settings in the `simp` profile and, after a
  successful run, either disables `puppet` from running again or removes it from
  the system completely. Has options to ensure that there is a way to get back
  into the system afterwards.
- `poss` - The Puppet Open Source Software (POSS) configuration simply attaches
  your node to the Puppet server and performs no additional configuration. This
  can be used as a starting point for building your own configuration without
  needing to worry about how to configure your Puppet agents.
- `remote_access` - Adds the common remote access capabilities of SIMP to the
  system on top of the `poss` scenario.
- `none` - Does nothing at all. All configuration is in your control.
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution such as EL6 and EL7.
Development
Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/index.html).
Unit tests
Unit tests, written in `rspec-puppet`, can be run by calling:
bundle exec rake spec
Acceptance tests
To run the system tests, you need Vagrant installed. Then, run:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- `BEAKER_debug`: show the commands being run on the STU and their output.
- `BEAKER_destroy=no`: prevent the machine destruction after the tests finish so you can inspect the state.
- `BEAKER_provision=no`: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- `BEAKER_use_fixtures_dir_for_modules=yes`: cause all module dependencies to be loaded from the `spec/fixtures/modules` directory, based on the contents of `.fixtures.yml`. The contents of this directory are usually populated by `bundle exec rake spec_prep`. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- `simp`: This class provides an entry point to configuring your systems to take full advantage of SIMP capabilities. This is primarily done through the `simp::scenario` classes that provide specifically supported configurations of core SIMP systems and clients.
- `simp::admin`: Set up a host of common administrative functions including administrator group system access, auditor access, and default `sudo` rules
- `simp::base_apps`: This is a set of applications that you will want on most systems. Services this class manages: irqbalance (enabled by default by vendor)
- `simp::base_services`: This class will be removed in a future version of SIMP.
- `simp::ctrl_alt_del`: Manage the state of pressing `ctrl-alt-del`
- `simp::kmod_blacklist`: This class provides a default set of blacklist entries per the SCAP Security Guide
- `simp::mountpoints`: Add security settings to several mounts on the system.
- `simp::mountpoints::el6_tmp_fix`: There is a bizarre bug where `/tmp` and `/var/tmp` will have incorrect permissions after the second reboot after bootstrapping SIMP. This upstart job is an effective, but kludgy, way to remedy this issue.
- `simp::mountpoints::proc`: Mount `/proc`
- `simp::mountpoints::tmp`: Manages the various tmp mounts with optional security features.
- `simp::netconsole`: Configure `/etc/sysconfig/netconsole` and the netconsole service
- `simp::nsswitch`: A SIMP profile for using the nsswitch module to manage /etc/nsswitch
- `simp::one_shot`: Configure the system to disconnect from the Puppet server once it has successfully run. This should not be used as part of the standard SIMP runpuppet configuration.
- `simp::one_shot::finalize`: NOTE: THIS IS A PRIVATE CLASS. A 'last effort' script to clean up all of the SIMP material on the system that may cause issues
- `simp::one_shot::user`: NOTE: THIS IS A PRIVATE CLASS. Configure a 'stand alone' system user
- `simp::pam_limits::max_logins`: Restrict the max logins on a system via PAM
- `simp::prelink`: Manage prelinking
- `simp::puppetdb`: This class enables a PuppetDB server with defaults set for SIMP compatibility. NOTE: Hiera variables must be set appropriately under
- `simp::rc_local`: Manage the content of `/etc/rc.d/rc.local`. By default, this class will disable the file altogether
- `simp::root_user`: Manage resources related to the `root` user
- `simp::scenario::base`: NOTE: THIS IS A PRIVATE CLASS. This class provides the basis of what a
- `simp::scenario::poss`: NOTE: THIS IS A PRIVATE CLASS. The 'Puppet Open Source Software' Scenar
- `simp::server`: Set up a SIMP server in such a way that it will be ready to serve configuration data appropriately to your clients.
- `simp::server::kickstart`: This class provides a working framework for providing a kickstart server for your client hosts.
- `simp::server::kickstart::runpuppet`: This class manages the runpuppet script, which is a script that can be run to bootstrap provisioned clients, adding them to puppet and runnin
- `simp::server::kickstart::simp_client_bootstrap`: This class manages simp_client_bootstrap scripts, which are scripts that can be run to bootstrap SIMP clients via Puppet, in a fashion simila
- `simp::server::ldap`: Sets up either a primary LDAP server or a slave LDAP server. If you are setting up a slave LDAP server, remember that the three digit RID mu
- `simp::server::rsync_shares`: Set up various rsync services that are needed by the SIMP clients. If you don't have these provided somewhere, many of the modules will not f
- `simp::server::yum`: This class sets up a YUM site at `${data_dir}/yum` and is used by the default SIMP server.
- `simp::sssd::client`: This class sets up an SSSD client based on the normal SIMP parameters. This should work for most out-of-the-box installations. Otherwise, it
- `simp::sudoers`: Provide useful aliases that many people have wanted to use over time. None of this is mandatory and all can be changed via the different par
- `simp::sudoers::aliases`: A set of default sudoers aliases. Take care not to add anything that can access a root shell
- `simp::sysctl`: Sets sysctl settings that are useful from a general 'modern system' point of view. There are also items in this list that are particularly u
- `simp::version`: Places SIMP version related information on the filesystem
- `simp::yum::repo::internet_simp_dependencies`: Configure yum to use the internet public repository for SIMP dependencies
- `simp::yum::repo::internet_simp_server`: Configure yum to use the internet public repository for SIMP servers
- `simp::yum::repo::local_os_updates`: Configure yum to use a (simp-managed) OS Updates repository. Generally, this is used by the ISO installation. By default, baseurl and GPG
- `simp::yum::repo::local_simp`: Set up the local SIMP repositories for disconnected environments. Generally, this is used by the ISO installation. By default, baseurl a
- `simp::yum::schedule`: Set up a YUM update schedule.
Functions
- `simp::knockout`: Deprecated knockout function, see simplib::knockout
- `simp::yum::repo::baseurl_string`:
- `simp::yum::repo::gpgkey_string`: A function to return a proper set of SIMP YUM repositories for the default build. Of limited use outside of an ISO install.
- `simp::yum::repo::gpgkeys::os_updates`: Build a list of GPG keys needed by an os_updates repo
- `simp::yum::repo::gpgkeys::simp`: Build a list of GPG keys needed by a simp repo
- `simp::yum::repo::sanitize_simp_release_slug`: Sanitize the release slug in the SIMP repo URLs
Classes
### simp
This class provides an entry point to configuring your systems to take full
advantage of SIMP capabilities.
This is primarily done through the `simp::scenario` classes that provide
specifically supported configurations of core SIMP systems and clients.
If you're planning to use SIMP capabilities, you should always include this class.
#### Parameters
The following parameters are available in the `simp` class.
##### `scenario_map`
Data type: `Hash`
An internal use parameter for configuring pre-defined maps
##### `scenario`
Data type: `String`
The SIMP 'scenario' that you wish to apply to your system
* The class list for each scenario is defined by the `scenario_map` which is
  pulled from the module data.
* Please see the README for the list of scenarios
* Please see the module data for the exact class list that is included in each
  scenario
Default value: 'simp'
##### `enable_data_includes`
Data type: `Boolean`
Deprecated - Has no effect
* Will be removed in the next major release
Default value: `true`
##### `classes`
Data type: `Optional[Array]`
A list of classes that you wish to include in your SIMP stack in addition
to the `scenario` selected above.
* For a completely stock Puppet experience on your clients, select the `poss`
  (Puppet Open Source Software) scenario configuration. This also works on
  Puppet Enterprise
* This Array has been enabled with the `knockout_prefix` of `--`
* Any Array item in the lookup hierarchy that you prefix with `--` will be
  removed from the Array
Example: The following list would include the `apache` class and exclude the
`ntpd` class.
```yaml
---
simp::classes:
  - 'apache'
  - '--ntpd'
```
Default value: []
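An added Hiera example (not from the module's own documentation) that combines the scenario selection from the README with the `--` knockout behaviour of `simp::classes` across two hierarchy levels; the file layout, the `ntpd`/`apache`/`monitoring_agent` class names, the extra kernel module and the group id are assumptions:

```yaml
# Assumed Hiera layout: data/common.yaml (lowest priority) and
# data/nodes/web01.example.com.yaml (higher priority). The two files are
# shown as two YAML documents here; each lives in its own file in practice.

# ----- data/common.yaml -----
---
# Every client starts from the hardened default scenario; the SIMP server
# itself is kept in the safest mode unless explicitly overridden.
simp::scenario: 'simp'

# Classes added site-wide on top of the scenario's own class list.
simp::classes:
  - 'ntpd'
  - 'monitoring_agent'   # assumed site-specific class name

# Tighten a few profile defaults documented in this reference.
simp::admin::passwordless_admin_sudo: false   # sudo prompts for a password
simp::kmod_blacklist::custom_blacklist:
  - 'uvcvideo'           # assumed example: webcam driver, unneeded on servers
simp::kmod_blacklist::lock_modules: true      # no module changes until reboot;
                                              # needs kernel.modules_disabled

# ----- data/nodes/web01.example.com.yaml -----
---
# simp::classes is looked up with knockout_prefix '--', so this node removes
# ntpd from the merged list and adds apache instead of replacing the whole
# site-wide array.
simp::classes:
  - '--ntpd'
  - 'apache'

# Let one dedicated group (assumed gid) see all PIDs under hidepid=2, e.g. a
# local monitoring agent, instead of lowering proc_hidepid for everyone.
simp::mountpoints::proc::proc_gid: 1050
```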
##### `mail_server`
Data type: `Variant[Boolean,Enum['remote']]`
Install a local mail service on the system
* If ``true`` will install only a locally usable MTA
* If ``remote`` will install a full mail server capable of processing
remote connections
* If you use a remote server, you'll need to set the appropriate
parameters for the ``postfix`` class
Default value: `true`
##### `rsync_stunnel`
Data type: `Variant[Boolean,Simplib::Host]`
The rsync server from which files should be retrieved
* May be set to ``false`` to disable the rsync stunnel connection
* If unset, will default to the Puppet server itself
Default value: simplib::lookup('simp_options::rsync', { 'default_value' => true })
##### `use_ssh_global_known_hosts`
Data type: `Boolean`
If true, use the ssh_global_known_hosts function to gather the various host
SSH public keys and populate the /etc/ssh/known_hosts file.
Default value: `false`
##### `version_info`
Data type: `Boolean`
Add SIMP version information onto the client in ``/etc/simp``
Default value: `true`
##### `puppet_server_hosts_entry`
Data type: `Boolean`
Add a ``host`` entry for the Puppet server to the catalog
* This has no effect if the ``$server_facts`` Hash is not populated
Default value: `true`
##### `enable_filebucketing`
Data type: `Boolean`
Enable the filebucket for all managed files
Default value: `false`
##### `filebucket_name`
Data type: `String[1]`
The name of the filebucket that should be used
Default value: 'simp'
##### `filebucket_server`
Data type: `Optional[Simplib::Host]`
Sets up a remote filebucket target if set
Default value: `undef`
##### `filebucket_path`
Data type: `Stdlib::Absolutepath`
The local system path to use as the filebucket
* Has no effect if ``$filebucket_server`` is set
Default value: "${facts['puppet_vardir']}/simp/filebucket"
##### `use_sudoers_aliases`
Data type: `Boolean`
If true, enable simp site sudoers aliases
Default value: `true`
##### `runlevel`
Data type: `Simp::Runlevel`
The default runlevel to which the system should be set
Default value: 3
##### `restrict_max_logins`
Data type: `Boolean`
Enable restrictions of the number of simultaneous logins a user may have
* Has no effect if ``$pam`` is ``false``
Default value: `true`
##### `manage_ctrl_alt_del`
Data type: `Boolean`
Include the ``simp::ctrl_alt_del`` class, which, by default, disables the
use of ctrl_alt_del and logs all instances of the event.
Default value: `true`
##### `manage_root_metadata`
Data type: `Boolean`
Include the ``simp::root_user`` class, which manages resources related to
the ``root`` user
Default value: `true`
##### `manage_root_perms`
Data type: `Boolean`
Ensure that ``/root`` has restricted permissions and proper SELinux
contexts
Default value: `true`
##### `manage_rc_local`
Data type: `Boolean`
Include the ``simp::rc_local`` class
* This **disables** rc.local by default but you may also use it to set
custom content
Default value: `true`
##### `pam`
Data type: `Boolean`
Enable management of PAM resources via SIMP modules
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
##### `sssd`
Data type: `Boolean`
Enable management of SSSD resources via SIMP modules
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => true })
##### `ldap`
Data type: `Boolean`
Enable management of LDAP resources via SIMP modules
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
##### `stock_sssd`
Data type: `Boolean`
Add a default setup that will successfully connect to the SIMP LDAP server,
if enabled, and will otherwise provide a functional SSSD stack for the
system
* Has no effect if ``$sssd`` is ``false``
Default value: `true`
##### `classification_warning`
Data type: `Boolean`
Create a warning notification if 'include simp' will not auto-classify a node.
Default value: `true`
##### `vardir_owner`
Data type: `String[1]`
Owner for ${facts['puppet_vardir']}/simp directory
Defaults to 'root' if a platform doesn't specify
##### `vardir_group`
Data type: `String[1]`
Group for ${facts['puppet_vardir']}/simp directory
Defaults to 'root' if a platform doesn't specify
##### `vardir_mode`
Data type: `Stdlib::Filemode`
Mode for ${facts['puppet_vardir']}/simp directory
Defaults to '0750' if a platform doesn't specify
### simp::admin
Set up a host of common administrative functions including administrator
group system access, auditor access, and default ``sudo`` rules
#### Parameters
The following parameters are available in the `simp::admin` class.
##### `admin_group`
Data type: `String`
The group name of the Administrators for the system
* This group will be provided with the ability to ``sudo`` to ``root`` on
the system
Default value: 'administrators'
##### `passwordless_admin_sudo`
Data type: `Boolean`
Allow administrators to use ``sudo`` without a password
* This is on by default due to the expected use of SSH keys without local
passwords
Default value: `true`
##### `auditor_group`
Data type: `String`
The group name of the system auditors group
* This group is provided with the ability to perform selected safe commands
as ``root`` on the system for auditing purposes
Default value: 'security'
##### `passwordless_auditor_sudo`
Data type: `Boolean`
Allow auditors to use ``sudo`` without a password
* This is on by default due to the expected use of SSH keys without local
passwords
Default value: `true`
##### `admins_allowed_from`
Data type: `Simplib::Netlist`
The locations from which administrators are allowed to access the system
Default value: ['ALL']
##### `auditors_allowed_from`
Data type: `Simplib::Netlist`
The locations from which auditors are allowed to access the system
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
##### `force_logged_shell`
Data type: `Boolean`
Only allow ``sudo`` to a shell via a logging shell
Default value: `true`
##### `logged_shell`
Data type: `Enum['sudosh','tlog']`
The name of the logged shell to use
Default value: 'tlog'
##### `default_admin_sudo_cmnds`
Data type: `Array[String[2]]`
The set of commands that ``$admin_group`` should be able to run by default
Default value: ['/bin/su - root']
##### `pam`
Data type: `Boolean`
Allow SIMP management of the PAM stack
* Without this, it is quite likely that your system is not going to respond
as expected with the rules in this class
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
##### `set_polkit_admin_group`
Data type: `Boolean`
If the system has PolicyKit support, will register ``$admin_group`` as a
valid administrative group on the system
Default value: `true`
### simp::base_apps
This is a set of applications that you will want on most systems
Services this class manages:
* irqbalance (enabled by default by vendor)
* netlabel (not installed by vendor)
On EL 6:
* haldaemon (enabled by default by vendor)
* portreserve (disabled by default by vendor)
* quota_nld (stopped by default by vendor)
#### Parameters
The following parameters are available in the `simp::base_apps` class.
##### `ensure`
Data type: `Simp::PackageEnsure`
The ``$ensure`` status of all of the included packages
* Version pinning is not supported
* If you need version pinning, do not include this class
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
##### `extra_apps`
Data type: `Optional[Array[String,1]]`
A list of other applications that you wish to install
Default value: `undef`
##### `manage_elinks_config`
Data type: `Boolean`
Add some useful settings to the global elinks configuration
Default value: `true`
### simp::base_services
This class will be removed in a future version of SIMP.
### simp::ctrl_alt_del
Manage the state of pressing ``ctrl-alt-del``
#### Parameters
The following parameters are available in the `simp::ctrl_alt_del` class.
##### `enable`
Data type: `Boolean`
Allow ``ctrl-alt-del`` to restart the system
Default value: `false`
##### `log`
Data type: `Boolean`
Instead of just disabling the command, set the system up to write a log
entry when the key combination is pressed
Default value: `true`
##### `log_users`
Data type: `Boolean`
Record all logged in users in the log message
Default value: `true`
##### `facility`
Data type: `Simplib::Syslog::Facility`
The ``syslog`` facility to use for the log message
Default value: 'local6'
##### `severity`
Data type: `Simplib::Syslog::Severity`
The ``syslog`` severity to use for the log message
Default value: 'warning'
### simp::kmod_blacklist
This class provides a default set of blacklist entries per the SCAP Security
Guide
#### Parameters
The following parameters are available in the `simp::kmod_blacklist` class.
##### `enable_defaults`
Data type: `Boolean`
Enable to use the default blacklist, otherwise just the
``$custom_blacklist`` will be used
Default value: `true`
##### `blacklist`
Data type: `Array[String,1]`
List of kernel modules to be blacklisted by default
Default value: [
'bluetooth',
'cramfs',
'dccp',
'dccp_ipv4',
'dccp_ipv6',
'freevxfs',
'hfs',
'hfsplus',
'ieee1394',
'jffs2',
'net-pf-31',
'rds',
'sctp',
'squashfs',
'tipc',
'udf',
'usb-storage'
]
##### `custom_blacklist`
Data type: `Array[String]`
Additional kernel modules to be blacklisted
Default value: []
##### `allow_overrides`
Data type: `Boolean`
Allow the addition of kernel module rules that come before the disabling of
the module blacklist and disabling so that optional override autoloading
can work properly
* If this is not set, you will be unable to optionally override the
disabling of the modules
Default value: `true`
##### `lock_modules`
Data type: `Boolean`
Disallow all further modification to modules without a reboot
* Requires that the ``kernel.modules_disabled`` sysctl option is available
Default value: `false`
##### `notify_if_reboot_required`
Data type: `Boolean`
Trigger a 'reboot_notify' resource that will warn at every puppet run that
a reboot is required if necessary.
Default value: `true`
### simp::mountpoints
Add security settings to several mounts on the system.
#### Parameters
The following parameters are available in the `simp::mountpoints` class.
##### `manage_tmp_perms`
Data type: `Boolean`
Ensure that ``/tmp``, ``/var/tmp``, and ``/usr/tmp``, all have the proper
permissions and SELinux contexts.
Default value: `true`
##### `manage_proc`
Data type: `Boolean`
Manage the ``/proc`` mount on the system
Default value: `true`
##### `manage_sys`
Data type: `Boolean`
Manage the ``/sys`` mount on the system
Default value: `true`
##### `sys_options`
Data type: `Array[String]`
The mountpoint options for ``/sys``
Default value: ['rw','nodev','noexec']
##### `manage_dev_pts`
Data type: `Boolean`
Manage the ``/dev/pts`` mount on the system
Default value: `true`
### simp::mountpoints::el6_tmp_fix
There is a bizarre bug where ``/tmp`` and ``/var/tmp`` will have incorrect
permissions after the *second* reboot after bootstrapping SIMP. This upstart
job is an effective, but kludgy, way to remedy this issue.
We have not been able to repeat the issue reliably enough in a controlled
environment to determine the root cause.
### simp::mountpoints::proc
Mount ``/proc``
#### Parameters
The following parameters are available in the `simp::mountpoints::proc` class.
##### `proc_hidepid`
Data type: `Integer[0,2]`
* 0: The kernel default setting, which gives you the default behavior
* 1: With this option a normal user would not see other processes but
their own in ``ps``, ``top``, etc., but they are still able to
see process IDs in ``/proc``
* 2 (default): Users are only able to see their own processes (like with
``hidepid=1``), and process IDs are also hidden in ``/proc``!
* **NOTE:** This option has no effect if ``$manage_proc`` is not ``true``
Default value: 2
##### `proc_gid`
Data type: `Optional[Integer]`
This group will be able to see all processes on the system regardless of
the ``$proc_hidepid`` setting
Default value: `undef`
### simp::mountpoints::tmp
Manages the various tmp mounts with optional security features.
* **See also**
mount(8)
#### Parameters
The following parameters are available in the `simp::mountpoints::tmp` class.
##### `secure`
Data type: `Boolean`
* Set ``noexec,nosuid,nodev`` on temp directories as appropriate and bind
mount ``/var/tmp`` to ``/tmp``
* If ``/tmp`` is *not* a separate partition, then it will be bind mounted
to itself with the modified settings
* **NOTE:** If you have previously secured these directories, setting this
to ``false`` will **not** set them to any particular other mode. This is
because there is no way to know why you are changing these settings or
what, exactly, you want them to be.
Default value: `true`
##### `tmp_opts`
Data type: `Array[String]`
If ``$secure`` is ``true``, add these mount options to the ``/tmp``
directory
* If set to an empty Array, it will simply preserve the options that are
currently in place
* Any ``no*`` options will override their more permissive counterparts that
are currently set on the system
Default value: ['noexec','nodev','nosuid']
##### `var_tmp_opts`
Data type: `Array[String]`
Works the same way as ``$tmp_opts``
Default value: ['noexec','nodev','nosuid']
##### `dev_shm_opts`
Data type: `Array[String]`
Works the same way as ``$tmp_opts``
Default value: ['noexec','nodev','nosuid']
##### `tmp_service`
Data type: `Boolean`
If on a systemd system, enable and activate the tmp.mount service
* Note: If you set this to `true` on a system that does not already have
the `tmp.mount` service running, you may find that the service cannot
start due to processes locking files in the existing `/tmp` directory. If
this occurs, you can run `lsof /tmp` to determine what is locking. You
will probably need to reboot your system to start with a properly clean
`/tmp` mount.
Default value: (
### simp::netconsole
Configure ``/etc/sysconfig/netconsole`` and the netconsole service
* **See also**
https://www.kernel.org/doc/Documentation/networking/netconsole.txt
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-configuring_netconsole
#### Parameters
The following parameters are available in the `simp::netconsole` class.
##### `ensure`
Data type: `Enum['present','absent']`
Ensure 'present' or 'absent' on the kernel parameter
##### `target_ip`
Data type: `Optional[Simplib::IP]`
UDP syslog receiver IP address
Default value: `undef`
##### `target_macaddr`
Data type: `Optional[Simplib::MacAddress]`
UDP syslog receiver MAC address
Default value: `undef`
##### `target_port`
Data type: `Optional[Simplib::Port]`
UDP syslog receiver port
Default value: `undef`
##### `source_port`
Data type: `Optional[Simplib::Port]`
Port to send logs from
Default value: `undef`
##### `source_device`
Data type: `Optional[String]`
Network interface to broadcast logs from
Default value: `undef`
### simp::nsswitch
A SIMP profile for using the nsswitch module to manage /etc/nsswitch
* **Note** This class uses the trinklin/nsswitch module.
#### Parameters
The following parameters are available in the `simp::nsswitch` class.
##### `ldap`
Data type: `Boolean`
SIMP global catalyst to enable LDAP
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
##### `sssd`
Data type: `Boolean`
SIMP global catalyst to enable sssd
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })
### simp::one_shot
Configure the system to disconnect from the Puppet server once it has
successfully run
This should *not* be used as part of the standard SIMP runpuppet
configuration
#### Parameters
The following parameters are available in the `simp::one_shot` class.
##### `enable_user`
Data type: `Boolean`
Add a one_shot user account that will be able to login to the system
Default value: `true`
##### `user_name`
Data type: `String`
The username to use for remote access
Default value: 'simp_one_shot'
##### `user_password`
Data type: `Optional[String[8]]`
The password for the user in **passwd-compatible salted hash** form
* NOTE: Either ``user_password`` or ``user_ssh_public_key`` must be
specified
Default value: `undef`
##### `user_uid`
Data type: `Integer`
The UID of the user
Default value: 1777
##### `user_gid`
Data type: `Integer`
The GID of the user
Default value: $user_uid
##### `user_home`
Data type: `Pattern['^/']`
The full path to the user's home directory
Default value: "/var/local/${user_name}"
##### `user_ssh_authorized_key`
Data type: `Optional[String[1]]`
The SSH authorized key for the user
* See the native ``ssh_authorized_key`` resource definition for details
Default value: `undef`
##### `user_ssh_authorized_key_type`
Data type: `String[1]`
The type of the SSH authorized key for the user
* See the native ``ssh_authorized_key`` resource definition for details
Default value: 'ssh-rsa'
##### `user_sudo_users`
Data type: `String`
The users that the ``username`` user may escalate to
Default value: 'root'
##### `user_sudo_commands`
Data type: `Array[String[1]]`
The commands that the ``username`` user is allowed to execute via sudo as one
of the allowed users
Default value: ['ALL']
##### `user_passwordless_sudo`
Data type: `Boolean`
Allow the user to use passwordless ``sudo``
* If not set, the ``user_password`` must be specified
Default value: `false`
##### `user_allowed_from`
Data type: `Array[String[1]]`
The ``pam_access`` compatible locations that the user will be logging in
from
* Set to ``['ALL']`` to allow from any location
Default value: ['ALL']
##### `finalize_dry_run`
Data type: `Boolean`
Run the finalization script in 'dry run' mode and only print what would
have been done
Default value: `false`
##### `finalize_remove_pki`
Data type: `Boolean`
Remove the SIMP installed host PKI certificates
Default value: `false`
##### `finalize_remove_puppet`
Data type: `Boolean`
Remove the puppet packages from the system during finalization
Default value: `true`
##### `finalize_remove_script`
Data type: `Boolean`
Remove the finalization script itself from the system
Default value: `true`
##### `finalize_debug`
Data type: `Boolean`
Enable syslog output debugging on the one_shot finalization script
Default value: `false`
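An added Hiera example (not from the module's own documentation) for the `standalone` scenario described in the README, showing how the `simp::one_shot` parameters above leave a break-glass path back into a host that will stop running Puppet; the node name, key material and source network are placeholders:

```yaml
---
# Assumed file: data/nodes/kiosk01.example.com.yaml
# standalone applies the full 'simp' profile and then runs the one_shot
# finalization, which removes puppet (finalize_remove_puppet) by default,
# so the recovery account has to be in place before that happens.
simp::scenario: 'standalone'

# Break-glass account: key-based login only (no user_password hash), which
# per the parameter docs means passwordless sudo must be enabled. Scope it
# to a fixed command set and one source network instead of the 'ALL' defaults.
simp::one_shot::enable_user: true
simp::one_shot::user_name: 'breakglass'
simp::one_shot::user_ssh_authorized_key_type: 'ssh-ed25519'
simp::one_shot::user_ssh_authorized_key: 'AAAAC3NzaC1lZDI1NTE5AAAAI...PLACEHOLDER'
simp::one_shot::user_passwordless_sudo: true
simp::one_shot::user_sudo_users: 'root'
simp::one_shot::user_sudo_commands:
  - '/usr/bin/systemctl restart sshd'
  - '/usr/bin/journalctl -u sshd'
simp::one_shot::user_allowed_from:
  - '10.0.0.0/24'        # pam_access format; placeholder management network

# Rehearse first: dry run only logs what finalize would do. Flip it to
# false once the logged plan looks right, keeping the host PKI in place.
simp::one_shot::finalize_dry_run: true
simp::one_shot::finalize_debug: true
simp::one_shot::finalize_remove_pki: false
simp::one_shot::finalize_remove_puppet: true
simp::one_shot::finalize_remove_script: true
```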
### simp::one_shot::finalize
**NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**
A 'last effort' script to clean up all of the SIMP material on the system
that may cause issues
#### Parameters
The following parameters are available in the `simp::one_shot::finalize` class.
##### `dry_run`
Data type: `Boolean`
Run the finalization script in 'dry_run' mode and output all commands
Default value: $simp::one_shot::finalize_dry_run
##### `remove_pki`
Data type: `Boolean`
Remove the SIMP installed host PKI certificates
Default value: $simp::one_shot::finalize_remove_pki
##### `remove_puppet`
Data type: `Boolean`
Remove the 'puppet' package from the system
Default value: $simp::one_shot::finalize_remove_puppet
##### `remove_script`
Data type: `Boolean`
Remove the finalization script itself from the system
Default value: $simp::one_shot::finalize_remove_script
##### `enable_debug`
Data type: `Boolean`
Default value: $simp::one_shot::finalize_debug
### simp::one_shot::user
**NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**
Configure a 'stand alone' system user
#### Parameters
The following parameters are available in the `simp::one_shot::user` class.
##### `enable`
Data type: `Boolean`
Enable the one_shot capabilities
Default value: $simp::one_shot::enable_user
##### `username`
Data type: `String`
The username to use for remote access
Default value: $simp::one_shot::user_name
##### `password`
Data type: `Optional[String]`
The password for the user in passwd-compatible salted hash form
Default value: $simp::one_shot::user_password
##### `home`
Data type: `Pattern['^/']`
The full path to the user's home directory
Default value: $simp::one_shot::user_home
##### `uid`
Data type: `Integer`
The UID of the user
Default value: $simp::one_shot::user_uid
##### `gid`
Data type: `Integer`
The GID of the user
Default value: $simp::one_shot::user_gid
##### `ssh_authorized_key`
Data type: `Optional[String[1]]`
The SSH public key for the user
* See the native ``ssh_authorized_key`` resource definition for details
Default value: $simp::one_shot::user_ssh_authorized_key
##### `ssh_authorized_key_type`
Data type: `String[1]`
The SSH public key type
* See the native ``ssh_authorized_key`` resource definition for details
Default value: $simp::one_shot::user_ssh_authorized_key_type
##### `sudo_users`
Data type: `String`
The users that the ``username`` user may escalate to
Default value: $simp::one_shot::user_sudo_users
##### `passwordless_sudo`
Data type: `Boolean`
Enable passwordless sudo for the user
Default value: $simp::one_shot::user_passwordless_sudo
##### `sudo_commands`
Data type: `Array[String]`
The commands that the ``username`` user is allowed to execute via sudo as one
of the allowed users
Default value: $simp::one_shot::user_sudo_commands
##### `allowed_from`
Data type: `Array[String]`
The ``pam_access`` compatible locations that the user will be logging in
from
* Set to ``['ALL']`` to allow from any location
Default value: $simp::one_shot::user_allowed_from
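An added example, not code from the simp module: Hiera data that enables a tightly scoped one-shot user and rehearses the finalization step. The key names are the `simp::one_shot::...` values that appear as defaults in the `simp::one_shot::finalize` and `simp::one_shot::user` entries above; the hostname, addresses, UID/GID, public key, password hash and sudo commands are constructed placeholders.

```yaml
# Hiera data, e.g. data/nodes/oneshot-host.example.com.yaml (constructed name).
# Added example: keys are the simp::one_shot parameters referenced as defaults
# in the simp::one_shot::user and simp::one_shot::finalize entries.
---
simp::one_shot::enable_user: true
simp::one_shot::user_name: 'oneshot'
simp::one_shot::user_uid: 1777          # constructed; pick an unused UID/GID
simp::one_shot::user_gid: 1777
simp::one_shot::user_home: '/home/oneshot'

# SHA-512 crypt hash in passwd form (generate one with `openssl passwd -6`);
# the value here is a placeholder, not a real hash.
simp::one_shot::user_password: '$6$REPLACE_SALT$REPLACE_WITH_SHA512_CRYPT_HASH'

# Key-based SSH access; see the native ssh_authorized_key resource for types.
simp::one_shot::user_ssh_authorized_key_type: 'ssh-ed25519'
simp::one_shot::user_ssh_authorized_key: 'AAAAC3NzaC1lZDI1NTE5AAAAI_REPLACE_WITH_PUBLIC_KEY'

# pam_access locations: name the jump host rather than using ['ALL'].
simp::one_shot::user_allowed_from:
  - 'bastion.example.com'
  - '10.0.10.5'

# sudo: escalate only to root, only for these exact invocations, and keep the
# password prompt (passwordless_sudo: false) so the hash above is required.
simp::one_shot::user_sudo_users: 'root'
simp::one_shot::user_passwordless_sudo: false
simp::one_shot::user_sudo_commands:
  - '/usr/bin/systemctl restart sshd'
  - '/usr/sbin/reboot'

# Finalization: dry_run prints the commands instead of running them. Review the
# output, then set finalize_dry_run to false for the real run.
simp::one_shot::finalize_dry_run: true
simp::one_shot::finalize_remove_pki: false   # keep host certs for other services
simp::one_shot::finalize_remove_puppet: true
simp::one_shot::finalize_remove_script: true
simp::one_shot::finalize_debug: false
```

Because `finalize` removes the `puppet` package, every value above has to be right on the last managed run; the `dry_run` pass is the check that nothing unexpected (such as the host PKI) is about to be deleted.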
### simp::pam_limits::max_logins
Restrict the max logins on a system via PAM
#### Parameters
The following parameters are available in the `simp::pam_limits::max_logins` class.
##### `value`
Data type: `Integer[0]`
The maximum number of logins that a user may have simultaneously
* The default meets ``CCE-27457-1``
Default value: 10
### simp::prelink
Manage prelinking
#### Parameters
The following parameters are available in the `simp::prelink` class.
##### `enable`
Data type: `Boolean`
Whether to enable prelinking. Prelinking can only be enabled if
the server is *NOT* in FIPS mode.
* When ``$enable`` is ``true`` and ``$facts['fips_enabled']`` is
``false``, ensures the prelink package is installed and
prelinking has been enabled.
* When ``$enable`` is ``false`` or ``$facts['fips_enabled']`` is
``true``, ensures the prelink package is not installed, undoing
any existing prelinking, if needed. This satisfies the SCAP
Security Guide's OVAL check
xccdf_org.ssgproject.content_rule_disable_prelink.
Default value: `false`
##### `ensure`
Data type: `String`
The ``$ensure`` status of the prelink package, when ``$enable``
is ``true`` and ``$facts['fips_enabled']`` is ``false``.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
### simp::puppetdb
This class enables a PuppetDB server with defaults set for SIMP
compatibility.
**NOTE:** Hiera variables **must** be set appropriately under the puppetdb
namespace
All other parameters are taken directly from ``puppetdb::server``
#### Parameters
The following parameters are available in the `simp::puppetdb` class.
##### `trusted_nets`
Data type: `Simplib::Netlist`
This is used to allow specific hosts access to PuppetDB
* This should be restricted to only those hosts that need to talk to
PuppetDB, primarily Puppet Masters.
* Unfortunately, this cannot be set via exported resources since PuppetDB
needs to be running prior to exported resources functioning properly.
Once PuppetDB is up, then you can switch this to exported resources mode
using the **use_exported_resources** variable.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
##### `listen_address`
Data type: `Simplib::IP`
Default value: '127.0.0.1'
##### `listen_port`
Data type: `Simplib::Port`
Default value: 8138
##### `open_listen_port`
Data type: `Boolean`
Default value: `false`
##### `ssl_deploy_certs`
Data type: `Boolean`
Default value: `true`
##### `ssl_set_cert_paths`
Data type: `Boolean`
Default value: `true`
##### `ssl_listen_address`
Data type: `Simplib::IP`
Default value: '0.0.0.0'
##### `ssl_listen_port`
Data type: `Simplib::Port`
Default value: 8139
##### `use_puppet_ssl_certs`
Data type: `Boolean`
Default value: `true`
##### `disable_ssl`
Data type: `Boolean`
Default value: `false`
##### `manage_package_repo`
Data type: `Boolean`
Default value: `false`
##### `database_password`
Data type: `String`
Default value: simplib::passgen('simp_puppetdb')
##### `read_database_username`
Data type: `String`
Default value: 'simp_puppetdb'
##### `read_database_password`
Data type: `String`
Default value: simplib::passgen('simp_read_puppetdb')
##### `read_database_name`
Data type: `String`
Default value: 'simp_puppetdb'
##### `read_database_ssl`
Data type: `Optional[Boolean]`
This parameter has been deprecated, because its corresponding
``puppetdb::server`` parameter has been replaced with
``puppetdb::server::read_database_jdbc_ssl_properties``.
Use $read_database_jdbc_ssl_properties = '?ssl=true' instead.
Default value: `undef`
##### `read_database_jdbc_ssl_properties`
Data type: `String`
Default value: '?ssl=true'
##### `manage_firewall`
Data type: `Boolean`
Default value: `true`
##### `manage_puppetserver`
Data type: `Boolean`
Default value: `true`
##### `java_max_memory`
Data type: `String`
Default value: '40%'
##### `java_start_memory`
Data type: `Optional[String]`
Default value: `undef`
##### `java_tmpdir`
Data type: `Stdlib::Absolutepath`
Default value: '/opt/puppetlabs/puppet/cache/pdb_tmp'
##### `java_heapdump_on_oom`
Data type: `Boolean`
Default value: `false`
##### `java_prefer_ipv4`
Data type: `Boolean`
Default value: `true`
##### `automatic_dlo_cleanup`
Data type: `Boolean`
Default value: `true`
##### `dlo_max_age`
Data type: `Integer`
Default value: 90
##### `firewall`
Data type: `Boolean`
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
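An added Hiera example, not taken from the module, for the host that runs `simp::puppetdb`. It restricts `trusted_nets` to the Puppet servers as the parameter description above recommends and keeps the plaintext listener on loopback. The keys are the `simp::puppetdb` parameters listed above; the addresses are constructed. The settings under the `puppetdb` namespace that the note above requires are not shown, because this section does not list them.

```yaml
# Hiera data for the PuppetDB host (added example; addresses are constructed).
---
# Only the Puppet servers talk to PuppetDB. Overriding trusted_nets here keeps
# the wider simp_options::trusted_nets list from being applied to this service.
simp::puppetdb::trusted_nets:
  - '10.0.0.11'        # puppet-primary.example.com (constructed)
  - '10.0.0.12'        # puppet-compile-01.example.com (constructed)

# Plaintext HTTP listener stays on loopback and is not opened in the firewall;
# remote access is through the TLS listener only.
simp::puppetdb::listen_address: '127.0.0.1'
simp::puppetdb::listen_port: 8138
simp::puppetdb::open_listen_port: false
simp::puppetdb::ssl_listen_address: '0.0.0.0'
simp::puppetdb::ssl_listen_port: 8139
simp::puppetdb::disable_ssl: false
simp::puppetdb::use_puppet_ssl_certs: true
simp::puppetdb::manage_firewall: true

# Database TLS: use the JDBC property, not the deprecated read_database_ssl.
simp::puppetdb::read_database_jdbc_ssl_properties: '?ssl=true'

# Bounded heap; no heap dumps on OOM unless actively debugging, since a dump
# contains whatever fact and catalog data PuppetDB was processing.
simp::puppetdb::java_max_memory: '40%'
simp::puppetdb::java_heapdump_on_oom: false
```

Once PuppetDB is running, the `trusted_nets` list can be replaced by exported resources as the parameter description explains; until then this static list is the only thing limiting who can reach the service.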
### simp::rc_local
Manage the content of ``/etc/rc.d/rc.local``
By default, this class will disable the file altogether
#### Parameters
The following parameters are available in the `simp::rc_local` class.
##### `content`
Data type: `String`
Set to ``disable`` to disable the file completely
* Any other value will be written to the file after an optional management
banner
Default value: 'disable'
##### `shell`
Data type: `Stdlib::Absolutepath`
The shell to use to execute the ``rc.local`` file
Default value: '/bin/bash'
##### `management_comment`
Data type: `Boolean`
Adds a 'managed by Puppet' comment to the top of the file
Default value: `true`
### simp::root_user
Manage resources related to the `root` user
#### Parameters
The following parameters are available in the `simp::root_user` class.
##### `manage_perms`
Data type: `Boolean`
Ensure that `$home` has restricted permissions and proper SELinux contexts.
Default value: `true`
##### `manage_user`
Data type: `Boolean`
Ensure the `root` user has appropriate UIDs and groups, etc
Default value: `true`
##### `manage_group`
Data type: `Boolean`
Ensure the `root` group has appropriate UIDs, etc
Default value: `true`
##### `hashed_password`
Data type: `Optional[Simplib::ShadowPass]`
Validate the correctness of the password hash and then pass it through to
the `User` resource for `root`
Default value: `undef`
##### `password`
Data type: `Optional[String[1]]`
Pass this through untouched to the `User` resource for `root`
* Please use `$hashed_password` if possible
Default value: `undef`
##### `username`
Data type: `String[1]`
The username of the `root` user
Default value: 'root'
##### `uid`
Data type: `Integer[0]`
The UID of the `root` user
Default value: 0
##### `gid`
Data type: `Integer[0]`
The GID of the `root` user
Default value: 0
##### `shell`
Data type: `Stdlib::Absolutepath`
The shell to use for the `root` user
Default value: '/bin/bash'
##### `home`
Data type: `Stdlib::Absolutepath`
The home directory of the `root` user
Default value: "/${username}"
### simp::scenario::base
**NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**
This class provides the basis of what a native SIMP system should
be. It is expected that users may deviate from this configuration
over time, but this should be an effective starting place.
#### Parameters
The following parameters are available in the `simp::scenario::base` class.
##### `mail_server`
Data type: `Variant[Boolean,Enum['remote']]`
Install a local mail service on the system
* If ``true`` will install only a locally usable MTA
* If ``remote`` will install a full mail server capable of processing
remote connections
* If you use a remote server, you'll need to set the appropriate
parameters for the ``postfix`` class
Default value: $::simp::mail_server
##### `rsync_stunnel`
Data type: `Variant[Boolean,Simplib::Host]`
The rsync server from which files should be retrieved
* May be set to ``false`` to disable the rsync stunnel connection
* If unset, will default to the Puppet server itself
Default value: $::simp::rsync_stunnel
##### `use_ssh_global_known_hosts`
Data type: `Boolean`
If true, use the ssh_global_known_hosts function to gather the various host
SSH public keys and populate the /etc/ssh/known_hosts file.
Default value: $::simp::use_ssh_global_known_hosts
##### `puppet_server_hosts_entry`
Data type: `Boolean`
Add a ``host`` entry for the Puppet server to the catalog
* This has no effect if the ``$server_facts`` Hash is not populated
Default value: $::simp::puppet_server_hosts_entry
##### `use_sudoers_aliases`
Data type: `Boolean`
If true, enable simp site sudoers aliases
Default value: $::simp::use_sudoers_aliases
##### `runlevel`
Data type: `Simp::Runlevel`
The default runlevel to which the system should be set
Default value: $::simp::runlevel
##### `restrict_max_logins`
Data type: `Boolean`
Enable restrictions of the number of simultaneous logins a user may have
* Has no effect if ``$pam`` is ``false``
Default value: $::simp::restrict_max_logins
##### `manage_ctrl_alt_del`
Data type: `Boolean`
Include the ``simp::ctrl_alt_del`` class, which, by default, disables the
use of ctrl_alt_del and logs all instances of the event.
Default value: $::simp::manage_ctrl_alt_del
##### `manage_root_metadata`
Data type: `Boolean`
Include the ``simp::root_user`` class, which manages resources related to
the ``root`` user
Default value: $::simp::manage_root_metadata
##### `manage_root_perms`
Data type: `Boolean`
Ensure that ``/root`` has restricted permissions and proper SELinux
contexts
Default value: $::simp::manage_root_perms
##### `manage_rc_local`
Data type: `Boolean`
Include the ``simp::rc_local`` class
* This **disables** rc.local by default but you may also use it to set
custom content
Default value: $::simp::manage_rc_local
##### `pam`
Data type: `Boolean`
Enable management of PAM resources via SIMP modules
Default value: $::simp::pam
##### `sssd`
Data type: `Boolean`
Enable management of SSSD resources via SIMP modules
Default value: $::simp::sssd
##### `ldap`
Data type: `Boolean`
Enable management of LDAP resources via SIMP modules
Default value: $::simp::ldap
##### `stock_sssd`
Data type: `Boolean`
Add a default setup that will successfully connect to the SIMP LDAP server,
if enabled, and will otherwise provide a functional SSSD stack for the
system
* Has no effect if ``$sssd`` is ``false``
Default value: $::simp::stock_sssd
### simp::scenario::poss
**NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**
The 'Puppet Open Source Software' Scenario
This provides a *minimal* system that connects to a SIMP Puppet server.
This class *does not* provide security for a system but is designed simply to
allow you to connect to the Puppet server and run puppet as a client.
This class requires no additional configuration to function.
#### Parameters
The following parameters are available in the `simp::scenario::poss` class.
##### `puppet_server_hosts_entry`
Data type: `Boolean`
Add a ``host`` entry for the Puppet server to the catalog
* This has no effect if the ``$server_facts`` Hash is not populated
Default value: $::simp::puppet_server_hosts_entry
### simp::server
Set up a SIMP server in such a way that it will be ready to serve
configuration data appropriately to your clients.
#### Parameters
The following parameters are available in the `simp::server` class.
##### `allow_simp_user`
Data type: `Boolean`
Ensure that the ``simp`` user can login to the system
Default value: `false`
##### `pam`
Data type: `Boolean`
Enable SIMP management of the PAM stack
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
##### `clamav`
Data type: `Boolean`
Enable SIMP management of Antivirus
Default value: simplib::lookup('simp_options::clamav', { 'default_value' => false })
##### `auditd`
Data type: `Boolean`
Enable SIMP management of auditing
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })
##### `scenario`
Data type: `String`
The SIMP scenario to apply to the server
* It is **not advised** to change this from ``simp``
Default value: simplib::lookup('simp::scenario', { 'default_value' => 'simp' })
##### `classes`
Data type: `Array[String]`
Additional classes to include on the server in addition to those included
in the ``scenario``
Default value: []
##### `scenario_map`
Data type: `Hash[String, Array]`
An **internal** parameter used for determining the correct classes to apply
for the ``scenario``
### simp::server::kickstart
This class provides a working framework for providing a kickstart
server for your client hosts.
* **Note** You need both a DHCP and TFTP server for unattended Kickstart
to work but you can use your own if you already have them.
#### Parameters
The following parameters are available in the `simp::server::kickstart` class.
##### `data_dir`
Data type: `Stdlib::Absolutepath`
The location of the web root in which the kickstart directory,
'ks', will reside.
Default value: '/var/www'
##### `trusted_nets`
Data type: `Simplib::Netlist`
The networks to allow into the Kickstart server.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })
##### `manage_dhcp`
Data type: `Boolean`
If true, have this node act as a DHCP server.
Default value: `true`
##### `manage_tftpboot`
Data type: `Boolean`
If true, have this node act as a TFTP server.
Default value: `true`
##### `manage_runpuppet`
Data type: `Boolean`
If true, generate the runpuppet script in $data_dir/ks.
Default value: `true`
##### `manage_simp_client_bootstrap`
Data type: `Boolean`
If true, generate the simp_client_bootstrap sysv init
script and simp_client_bootstrap.service systemd
service unit file in $data_dir/ks.
Default value: `true`
##### `sslverifyclient`
Data type: `Enum['require','none']`
Verify the certificate of the kickstart client. The data type limits this to
`require` or `none`; the underlying Apache `SSLVerifyClient` directive also
accepts `optional` and `optional_no_ca`, but this class does not.
Default value: 'none'
### simp::server::kickstart::runpuppet
This class manages the runpuppet script, which is a script that can be run
to bootstrap provisioned clients, adding them to puppet and running it in a
fashion similar to `simp bootstrap`.
#### Parameters
The following parameters are available in the `simp::server::kickstart::runpuppet` class.
##### `data_dir`
Data type: `Stdlib::Absolutepath`
The location of the web root in which the kickstart directory
will reside. Only used to compute the default for `location`.
Default value: simplib::lookup('simp::server::kickstart::data_dir', { 'default_value' => '/var/www'})
##### `location`
Data type: `Stdlib::Absolutepath`
The location of the runpuppet file to be placed when generated.
Default value: "${data_dir}/ks/runpuppet"
##### `ntp_servers`
Data type: `Variant[Array, Hash]`
An array of ntp servers or hash of server/value pairs that should
be used during client kickstarts to slew the local time correctly
prior to PKI key distribution.
Failure to set the system clock will not cause the runpuppet script to fail
to execute.
Default value: simplib::lookup('simp_options::ntpd::servers', { 'default_value' => [] })
##### `puppet_server`
Data type: `Optional[Simplib::Host]`
The FQDN of your Puppet server
* If not set, will use ``$server_facts['servername']``, or the puppet
server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::server', { 'default_value' => undef })
##### `puppet_ca`
Data type: `Optional[Simplib::Host]`
The FQDN of your Puppet CA
* If not set, will use ``$server_facts['servername']``, or the puppet
server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::ca', { 'default_value' => undef })
##### `puppet_ca_port`
Data type: `Simplib::Port`
The port upon which the Puppet CA is listening.
Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })
##### `runpuppet_print_stats`
Data type: `Boolean`
If true, print statistics for each client puppet run during bootstrap.
Default value: `true`
##### `runpuppet_wait_for_cert`
Data type: `Variant[Integer[0],Boolean]`
If set to an integer, the runpuppet client script will wait for this many
seconds between checking into the puppet master for a signed certificate.
This will go on until a signed certificate is presented.
If set to false or 0, the client will immediately timeout if a signed
certificate is not presented.
Default value: 10
##### `fips`
Data type: `Boolean`
If true, set puppet keylength to 2048, else 4096. This non-compliant
setting is to work around problems with older versions of Ruby. It
will be fixed when Puppet fully supports FIPS mode.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
### simp::server::kickstart::simp_client_bootstrap
This class manages simp_client_bootstrap scripts, which are scripts
that can be run to bootstrap SIMP clients via Puppet, in a fashion
similar to `simp bootstrap`, the bootstrap script for the SIMP server.
The three scripts managed by this class are as follows:
* `bootstrap_simp_client`: a Ruby script that configures system
services primarily using Puppet and logs the results of all
configuration actions to file
* `$service_root_name`: sysv init script that calls
`bootstrap_simp_client` to bootstrap the server and then reboots
the client to complete the bootstrap operation
* `<$service_root_name>.service`: systemd service unit file that
uses `bootstrap_simp_client` to bootstrap the server and then
reboots the client to complete the bootstrap operation
#### Parameters
The following parameters are available in the `simp::server::kickstart::simp_client_bootstrap` class.
##### `data_dir`
Data type: `Stdlib::Absolutepath`
The location of the web root in which the kickstart directory
will reside. Only used to compute the default for `directory`.
Default value: simplib::lookup('simp::server::kickstart::data_dir', { 'default_value' => '/var/www'})
##### `directory`
Data type: `Stdlib::Absolutepath`
The directory containing the three managed scripts. By default
is a subdirectory within `data_dir`.
Default value: "${data_dir}/ks"
##### `service_root_name`
Data type: `String`
The root name of the sysv/systemd service scripts.
Default value: 'simp_client_bootstrap'
##### `ntp_servers`
Data type: `Variant[Array, Hash]`
An array of ntp servers or hash of server/value pairs that should
be used during client kickstarts to slew the local time correctly
prior to PKI key distribution.
**NOTE**: Failure to set the system clock will not cause the
simp_client_bootstrap scripts to fail to execute.
Default value: simplib::lookup('simp_options::ntpd::servers', { 'default_value' => [] })
##### `set_static_hostname`
Data type: `Boolean`
Whether to persist the hostname retrieved by DHCP as a static
hostname. This prevents problems that can arise when the DHCP
lease expires in the middle of bootstrap puppet runs. Not
applicable to RedHat/CentOS 6.
Default value: `true`
##### `puppet_server`
Data type: `Optional[Simplib::Host]`
The FQDN of your Puppet server
* If not set, will use ``$server_facts['servername']``, or the puppet
server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::server', { 'default_value' => undef })
##### `puppet_ca`
Data type: `Optional[Simplib::Host]`
The FQDN of your Puppet CA
* If not set, will use ``$server_facts['servername']``, or the puppet
server set in puppet.conf if trusted_server_facts isn't set or found.
Default value: simplib::lookup('simp_options::puppet::ca', { 'default_value' => undef })
##### `puppet_ca_port`
Data type: `Simplib::Port`
The port upon which the Puppet CA is listening.
Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })
##### `puppet_digest_algorithm`
Data type: `String`
The digest algorithm Puppet uses for file resources and the filebucket
(e.g. sha256, sha384, sha512).
Default value: 'sha256'
##### `puppet_keylength`
Data type: `Optional[Integer[2048]]`
Puppet certificate keylength. When unset, value is determined based
on `$fips`, to work around Puppet bugs in FIPS mode. (See `$fips`.)
Default value: `undef`
##### `puppet_print_stats`
Data type: `Boolean`
If true, print statistics for each client puppet run during bootstrap.
Default value: `true`
##### `puppet_wait_for_cert`
Data type: `Variant[Integer[0],Boolean]`
If set to an integer, the bootstrap_simp_client script will wait for this many
seconds between checking into the puppet master for a signed certificate.
This will go on until a signed certificate is presented.
If set to false or 0, the client will immediately timeout if a signed
certificate is not presented.
Default value: 10
##### `num_puppet_runs`
Data type: `Integer[1]`
Number of puppet agent runs (after the initial tagged run) to execute,
in order to converge to a stable system configuration.
Default value: 2
##### `initial_retry_interval`
Data type: `Integer[1]`
Initial retry interval in seconds for reattempting a failed puppet
agent run.
Default value: 10
##### `retry_factor`
Data type: `Float[0.1]`
The factor to be applied to the retry interval for a puppet run.
The retry interval is multiplied by this factor for each retry.
For example, if `$initial_retry_interval` is 10 and the retry factor
is 1.5, the first retry would occur 10 seconds after the initial
attempt, the second retry would occur 10*1.5 seconds after that,
the third retry would occur 10*1.5*1.5 seconds after that, etc.
Default value: 1.5
##### `max_seconds`
Data type: `Integer[1]`
Maximum number of seconds this bootstrap script is allowed to run.
Script will abort if it does not complete within this allotted time.
Default value: 1800
##### `reboot_on_failure`
Data type: `Boolean`
Whether to reboot the server if the SIMP client bootstrap service
fails to bootstrap the client. This allows the client to attempt to
fix its bootstrap problem without manual intervention. However,
for sites containing a large number of clients, the repeated cycle
of <multiple puppet agent attempts + reboot> may overtax the Puppet
server. In this case, disabling this feature may be most appropriate.
Default value: `true`
##### `fips`
Data type: `Boolean`
If true, set puppet keylength to 2048, else 4096. This non-compliant
setting is to work around problems with older versions of Ruby. It
will be fixed when Puppet fully supports FIPS mode.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
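An added Hiera example, not module code, that configures `simp::server::kickstart` together with `simp::server::kickstart::simp_client_bootstrap` for a site that already runs its own DHCP server and has enough clients that the reboot-and-retry cycle described under `reboot_on_failure` is a concern. The keys are the parameters listed in those two entries; the network, hostnames and NTP address are constructed.

```yaml
# Hiera data for the SIMP kickstart server (added example; networks, hostnames
# and the NTP address are constructed).
---
simp::server::kickstart::data_dir: '/var/www'
simp::server::kickstart::trusted_nets:
  - '10.0.20.0/24'       # provisioning VLAN only, not the whole site

# This site already runs DHCP elsewhere, so only TFTP is managed here.
simp::server::kickstart::manage_dhcp: false
simp::server::kickstart::manage_tftpboot: true
simp::server::kickstart::manage_runpuppet: true
simp::server::kickstart::manage_simp_client_bootstrap: true
# Clients fetch the kickstart files before they hold a Puppet certificate, so
# client certificate verification cannot be required at this stage.
simp::server::kickstart::sslverifyclient: 'none'

# Bootstrap script settings. Pin the server and CA explicitly instead of
# relying on $server_facts being populated.
simp::server::kickstart::simp_client_bootstrap::puppet_server: 'puppet.example.com'
simp::server::kickstart::simp_client_bootstrap::puppet_ca: 'puppet.example.com'
simp::server::kickstart::simp_client_bootstrap::puppet_ca_port: 8141
# Slew the clock before PKI distribution: an unreachable NTP server does not
# abort the script, but a badly skewed clock can make the freshly issued
# certificate fail validation.
simp::server::kickstart::simp_client_bootstrap::ntp_servers:
  - '10.0.0.5'
simp::server::kickstart::simp_client_bootstrap::set_static_hostname: true
simp::server::kickstart::simp_client_bootstrap::puppet_digest_algorithm: 'sha256'
# Poll for a signed certificate every 30 s rather than timing out (false/0).
simp::server::kickstart::simp_client_bootstrap::puppet_wait_for_cert: 30
# Retry schedule: 10 s, then 15 s, then 22.5 s ... bounded by max_seconds.
simp::server::kickstart::simp_client_bootstrap::initial_retry_interval: 10
simp::server::kickstart::simp_client_bootstrap::retry_factor: 1.5
simp::server::kickstart::simp_client_bootstrap::num_puppet_runs: 2
simp::server::kickstart::simp_client_bootstrap::max_seconds: 3600
# Large fleet: disable automatic reboot-and-retry so failing clients do not
# hammer the Puppet server; operators re-run the bootstrap service by hand.
simp::server::kickstart::simp_client_bootstrap::reboot_on_failure: false
```

With `reboot_on_failure` off, a client that exhausts `max_seconds` simply stops; its `bootstrap_simp_client` log (the class states it logs every configuration action to file) is where to look before re-running the service.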
### simp::server::ldap
Sets up either a primary LDAP server or a slave LDAP server.
If you are setting up a slave LDAP server, remember that the three
digit RID must be unique for each slave server that you attach to the
same master.
#### Parameters
The following parameters are available in the `simp::server::ldap` class.
##### `is_slave`
Data type: `Boolean`
If true, set this node up as an LDAP slave. The Hiera parameter
ldap::master will be used as the master server.
If you want to use values other than the defaults provided by
simp_openldap::server::syncrepl, leave this as 'false', include this
class, and call simp_openldap::server::syncrepl with your values as
appropriate.
Default value: `false`
##### `rid`
Data type: `Integer[0]`
The RID of the system. See simp_openldap::server::syncrepl for
additional information.
Default value: 111
##### `bind_dn`
Data type: `String`
Used for setting up sync limits for the bind user.
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => '' })
##### `sync_dn`
Data type: `String`
Used for setting up sync limits for slave nodes.
Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => '' })
##### `enable_lastbind`
Data type: `Boolean`
If true, enable the 'lastbind' plugin for OpenLDAP. This records
the last time a user logs into a system within LDAP itself. Note,
if you have auditing enabled, this will cause an LDAP audit record
every time someone logs into any system connected to the LDAP
server.
Default value: `false`
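An added example, not module code, showing per-node Hiera files for one LDAP master and two slaves, so that each slave gets its own RID as the class description requires. The keys are the `simp::server::ldap` parameters listed above; `ldap::master` is the Hiera key named in the `is_slave` description. Hostnames and DNs are constructed.

```yaml
# data/nodes/ldap-master.example.com.yaml (constructed hostname)
---
simp::server::ldap::is_slave: false
simp::server::ldap::rid: 111          # default; only slaves need distinct RIDs
simp::server::ldap::bind_dn: 'cn=hostAuth,ou=Hosts,dc=example,dc=com'
simp::server::ldap::sync_dn: 'cn=LDAPSync,ou=Hosts,dc=example,dc=com'
# lastbind writes an LDAP modification (and, with auditing, an audit record)
# on every login anywhere in the site; leave it off unless that volume is wanted.
simp::server::ldap::enable_lastbind: false

# data/nodes/ldap-slave-01.example.com.yaml (constructed hostname)
---
ldap::master: 'ldap-master.example.com'   # key named in the is_slave description
simp::server::ldap::is_slave: true
simp::server::ldap::rid: 112              # unique among all slaves of this master
simp::server::ldap::bind_dn: 'cn=hostAuth,ou=Hosts,dc=example,dc=com'
simp::server::ldap::sync_dn: 'cn=LDAPSync,ou=Hosts,dc=example,dc=com'
simp::server::ldap::enable_lastbind: false

# data/nodes/ldap-slave-02.example.com.yaml (constructed hostname)
---
ldap::master: 'ldap-master.example.com'
simp::server::ldap::is_slave: true
simp::server::ldap::rid: 113              # must not collide with ldap-slave-01
simp::server::ldap::bind_dn: 'cn=hostAuth,ou=Hosts,dc=example,dc=com'
simp::server::ldap::sync_dn: 'cn=LDAPSync,ou=Hosts,dc=example,dc=com'
simp::server::ldap::enable_lastbind: false
```

Keeping `rid` in the node-level file rather than a role-level file is what prevents two slaves from silently sharing one RID when a role is reused.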
### simp::server::rsync_shares
Set up various rsync services that are needed by the SIMP clients
If you don't have these provided somewhere, many of the modules will not
function properly.
If you want additional ``BIND DNS`` spaces to be served out from rsync,
you'll need to enable them separately.
This module is directly dependent on the output of the
``simp_rsync_environments`` fact which discovers the location, and layout, of
the facts on the hosting system. The shares **will not** be activated if the
directory structure is not properly discovered.
* **See also**
https://docs.puppet.com/facter/latest/custom_facts.html
Custom Fact Walkthrough
#### Parameters
The following parameters are available in the `simp::server::rsync_shares` class.
##### `rsync_base`
Data type: `Stdlib::Absolutepath`
The path to the beginning of the rsync space for this system. There must be
a directory per environment that you want to serve to clients.
* **NOTE** If you change this, you **MUST** create a custom fact for
``simp_rsync_environments`` with a Fact ``weight`` higher than ``1``.
Default value: '/var/simp/environments'
##### `rsync_environments`
Data type: `Optional[Hash]`
The environments that are present under ``$rsync_base`` on the RSync server.
Be **VERY** careful if you change this from the fact that it references by
default.
Default value: $facts['simp_rsync_environments']
##### `stunnel`
Data type: `Boolean`
If set, trusted_nets will be set to ``127.0.0.1`` so that
the stunnel'd rsync will be used.
Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => false })
##### `trusted_nets`
Data type: `Simplib::Netlist`
The hosts from which to allow access to the rsync shares. This option has
no effect if ``$stunnel`` is ``true``.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
### simp::server::yum
This class sets up a YUM site at `${data_dir}/yum` and is used by
the default SIMP server.
#### Parameters
The following parameters are available in the `simp::server::yum` class.
##### `data_dir`
Data type: `Stdlib::Absolutepath`
Default value: '/var/www'
##### `trusted_nets`
Data type: `Simplib::Netlist`
The networks to allow into the YUM server.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })
##### `createrepo_ensure`
Data type: `String`
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
### simp::sssd::client
This class sets up an SSSD client based on the normal SIMP parameters
This should work for most out-of-the-box installations. Otherwise, it serves
as an example of what you can do to make it work for your environment.
Since this class calls several defines, you will want to use a resource
collector to enhance/override the resource declarations.
If you don't specify either ``$ldap_domain`` or ``$local_domain``, this class
will not execute anything on the client.
* **See also**
https://docs.puppetlabs.com/puppet/latest/reference/lang_resources_advanced.html#amending-attributes-with-a-collector
Amending Attributes With a Collector
#### Parameters
The following parameters are available in the `simp::sssd::client` class.
##### `ldap_domain`
Data type: `Boolean`
Enable the LDAP hooks via SSSD
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
##### `local_domain`
Data type: `Boolean`
Enable the 'LOCAL' domain
Default value: `true`
##### `autofs`
Data type: `Boolean`
Enable ``autofs`` support in SSSD
Default value: `true`
##### `sudo`
Data type: `Boolean`
Enable ``sudo`` support in SSSD
Default value: `true`
##### `ssh`
Data type: `Boolean`
Enable ``ssh`` support in SSSD
Default value: `true`
##### `enumerate_users`
Data type: `Boolean`
Have SSSD list and cache all the users that it can find on the remote system
* Take care that you don't overwhelm your LDAP server if you enable this
Default value: `false`
##### `cache_credentials`
Data type: `Boolean`
Have SSSD cache the credentials of users that login to the system
Default value: `true`
##### `min_id`
Data type: `Integer`
The lowest user ID that SSSD should recognize from the remote server
Default value: 500
### simp::sudoers
Provide useful aliases that many people have wanted to use over time.
None of this is mandatory and all can be changed via the different
parameters.
Each section simply adds the entry to the sudoers file by joining
the array together appropriately.
#### Parameters
The following parameters are available in the `simp::sudoers` class.
##### `common_aliases`
Data type: `Boolean`
Enable the 'common' aliases from ``simp::sudoers::aliases``
Default value: `false`
##### `default_entry`
Data type: `Array`
The global default entry that should apply to **all** users
Default value: [
'listpw=all',
'requiretty',
'syslog=authpriv',
'!root_sudo',
'!umask',
'env_reset',
'secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"'
]
### simp::sudoers::aliases
A set of default sudoers aliases
Take care not to add anything that can access a root shell
#### Parameters
The following parameters are available in the `simp::sudoers::aliases` class.
##### `audit_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Commands useful for auditing the system
Default value: [
'/bin/cat',
'/bin/ls',
'/usr/bin/rvim',
'/usr/bin/lsattr',
'/sbin/aureport',
'/sbin/ausearch',
'/sbin/lspci',
'/sbin/lsusb',
'/sbin/lsmod',
'/usr/sbin/lsof',
'/bin/netstat',
'/sbin/ifconfig -a',
'/sbin/route ""',
'/sbin/route -[venC]',
'/usr/bin/getent',
'/usr/bin/tail'
]
##### `delegating_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Common system delegation activities
Default value: [
'/usr/sbin/visudo',
'/bin/chown',
'/bin/chmod',
'/bin/chgrp'
]
##### `drivers_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Provides the ability to load and unload kernel modules
Default value: [
'/sbin/modprobe'
]
##### `locate_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow a user to update the ``mlocate`` database
Default value: [
'/usr/sbin/updatedb'
]
##### `networking_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow a user to perform common network control activities
Default value: [
'/sbin/route',
'/sbin/ifconfig',
'/bin/ping',
'/sbin/dhclient',
'/usr/bin/net',
'/sbin/iptables',
'/usr/bin/rfcomm',
'/usr/bin/wvdial',
'/sbin/iwconfig',
'/sbin/mii-tool'
]
##### `processes_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow a user to manage system processes
Default value: [
'/bin/nice',
'/bin/kill',
'/usr/bin/kill',
'/usr/bin/killall'
]
##### `services_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow a user to manage system services
Default value: [
'/sbin/service',
'/sbin/chkconfig'
]
##### `selinux_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow a user to modify and debug SELinux
Default value: [
'/sbin/restorecon',
'/usr/bin/audit2why',
'/usr/bin/audit2allow',
'/usr/sbin/getenforce',
'/usr/sbin/setenforce',
'/usr/sbin/setsebool'
]
##### `software_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow for system software management
Default value:

```puppet
[
  '/bin/rpm',
  '/usr/bin/up2date',
  '/usr/bin/yum'
]
```
##### `storage_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow for storage management
Default value:

```puppet
[
  '/sbin/fdisk',
  '/sbin/sfdisk',
  '/sbin/parted',
  '/sbin/partprobe',
  '/bin/mount',
  '/bin/umount'
]
```
##### `su_alias`
Data type: `Array[Stdlib::AbsolutePath]`
Allow unfettered access to ``su``
Default value: [ '/bin/su' ]
### simp::sysctl
Sets sysctl settings that are useful from a general 'modern system' point of view.
There are also items in this list that are particularly useful for general system security.
See the kernel documentation for the functionality of each variable.
Performance Related Settings:
Security Related Settings:
Does not apply to RHEL 7 systems:
#### Parameters
The following parameters are available in the `simp::sysctl` class.
##### `net__netfilter__nf_conntrack_max`
Data type: `Integer[0]`
Default value: 655360
##### `net__unix__max_dgram_qlen`
Data type: `Integer[0]`
Default value: 50
##### `net__ipv4__neigh__default__gc_thresh3`
Data type: `Integer[0]`
Default value: 2048
##### `net__ipv4__neigh__default__gc_thresh2`
Data type: `Integer[0]`
Default value: 1024
##### `net__ipv4__neigh__default__gc_thresh1`
Data type: `Integer[0]`
Default value: 32
##### `net__ipv4__neigh__default__proxy_qlen`
Data type: `Integer[0]`
Default value: 92
##### `net__ipv4__neigh__default__unres_qlen`
Data type: `Integer[0]`
Default value: 6
##### `net__ipv4__tcp_rmem`
Data type: `Array[Integer,3,3]`
Default value: [4096,98304,16777216]
##### `net__ipv4__tcp_wmem`
Data type: `Array[Integer,3,3]`
Default value: [4096,65535,16777216]
##### `net__ipv4__tcp_fin_timeout`
Data type: `Integer[0]`
Default value: 30
##### `net__ipv4__tcp_rfc1337`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv4__tcp_keepalive_time`
Data type: `Integer[0]`
Default value: 3600
##### `net__ipv4__tcp_mtu_probing`
Data type: `Integer[0,2]`
Default value: 1
##### `net__ipv4__tcp_no_metrics_save`
Data type: `Integer[0,1]`
Default value: 0
##### `net__core__rmem_max`
Data type: `Integer[0]`
Default value: 16777216
##### `net__core__wmem_max`
Data type: `Integer[0]`
Default value: 16777216
##### `net__core__optmem_max`
Data type: `Integer[0]`
Default value: 20480
##### `net__core__netdev_max_backlog`
Data type: `Integer[0]`
Default value: 2048
##### `net__core__somaxconn`
Data type: `Integer[0]`
Default value: 2048
##### `net__ipv4__tcp_tw_reuse`
Data type: `Integer[0,1]`
Default value: 1
##### `fs__inotify__max_user_watches`
Data type: `Integer[8912]`
Increase the number of inotify watches allowed, in order to prevent the
systemctl error "Not Enough Disk Space" that occurs when the limit is reached.
Default value: 102400
##### `fs__suid_dumpable`
Data type: `Integer[0,1]`
Default value: 0
##### `kernel__core_pattern`
Data type: `String`
If you change this, make sure you create the leading directories!
Default value: '/var/core/%u_%g_%p_%t_%h_%e.core'
##### `kernel__core_pipe_limit`
Data type: `Integer[0]`
Default value: 0
##### `kernel__core_uses_pid`
Data type: `Integer[0,1]`
Default value: 1
##### `kernel__dmesg_restrict`
Data type: `Integer[0,1]`
Default value: 1
##### `kernel__exec_shield`
Data type: `Integer[0,1]`
Default value: 1
##### `kernel__panic`
Data type: `Integer[0]`
Default value: 10
##### `kernel__randomize_va_space`
Data type: `Integer[0,2]`
Default value: 2
##### `kernel__sysrq`
Data type: `Integer[0]`
Default value: 0
##### `net__ipv4__conf__all__accept_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__all__accept_source_route`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__all__log_martians`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv4__conf__all__rp_filter`
Data type: `Integer[0,2]`
Default value: 1
##### `net__ipv4__conf__all__secure_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__all__send_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__default__accept_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__default__accept_source_route`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__default__log_martians`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv4__conf__default__rp_filter`
Data type: `Integer[0,2]`
Default value: 1
##### `net__ipv4__conf__default__secure_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__conf__default__send_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv4__icmp_echo_ignore_broadcasts`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv4__icmp_ignore_bogus_error_responses`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv4__tcp_challenge_ack_limit`
Data type: `Integer[0]`
Default value: 2147483647
##### `net__ipv4__tcp_max_syn_backlog`
Data type: `Integer[1]`
Default value: 4096
##### `net__ipv4__tcp_syncookies`
Data type: `Integer[0,1]`
Default value: 1
##### `net__ipv6__conf__all__accept_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__all__accept_source_route`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__all__autoconf`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__all__forwarding`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__all__accept_ra`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_ra`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_ra_defrtr`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_ra_pinfo`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_ra_rtr_pref`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_redirects`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__accept_source_route`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__autoconf`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__dad_transmits`
Data type: `Integer[0,1]`
Default value: 0
##### `net__ipv6__conf__default__max_addresses`
Data type: `Integer[0]`
Default value: 1
##### `net__ipv6__conf__default__router_solicitations`
Data type: `Integer[0,1]`
Default value: 0
##### `core_dumps`
Data type: `Boolean`
If true, enable core dumps on the system.
Default value: `false`
##### `core_dump_dir`
Data type: `Stdlib::AbsolutePath`
Directory to place core dumps
Default value: '/var/core'
##### `pam`
Data type: `Boolean`
SIMP catalyst for enabling PAM management
As set, meets CCE-27033-0
Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })
##### `ipv6`
Data type: `Optional[Boolean]`
Set to ``false`` to disable IPv6 on your system via ``sysctl``
Default value: `undef`
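The `simp::sysctl` parameter names encode each sysctl key with `__` in place of `.` (so `net__ipv4__conf__all__accept_redirects` manages `net.ipv4.conf.all.accept_redirects`). The following drift check is an added example, not part of the simp module: it maps a constructed subset of the defaults documented above back to their `/proc/sys` paths and reports every key whose live value differs, treating an unreadable key as a finding rather than a pass. The `/proc/sys` reader is injectable so the check runs offline against a constructed snapshot.

```python
from pathlib import Path
from typing import Callable, Dict, List, Optional, Union

SysctlValue = Union[int, List[int]]

# Constructed subset of the simp::sysctl defaults documented above
# (parameter name -> expected value); extend it with any other parameter.
SIMP_SYSCTL_DEFAULTS: Dict[str, SysctlValue] = {
    "kernel__randomize_va_space": 2,
    "kernel__dmesg_restrict": 1,
    "kernel__sysrq": 0,
    "fs__suid_dumpable": 0,
    "net__ipv4__conf__all__accept_redirects": 0,
    "net__ipv4__conf__all__log_martians": 1,
    "net__ipv4__conf__all__rp_filter": 1,
    "net__ipv4__conf__all__send_redirects": 0,
    "net__ipv4__tcp_max_syn_backlog": 4096,
    "net__ipv4__tcp_rmem": [4096, 98304, 16777216],
    "net__ipv6__conf__all__accept_ra": 0,
}


def param_to_sysctl(param: str) -> str:
    """Class parameter -> sysctl key: the double underscore stands for a dot."""
    return param.replace("__", ".")


def sysctl_to_proc_path(key: str) -> str:
    """sysctl key -> /proc/sys path (net.ipv4.x -> /proc/sys/net/ipv4/x)."""
    return "/proc/sys/" + key.replace(".", "/")


def parse_proc_value(raw: str) -> SysctlValue:
    """Parse a /proc/sys value; multi-field keys such as tcp_rmem become int lists."""
    fields = raw.split()
    if len(fields) == 1:
        return int(fields[0])
    return [int(f) for f in fields]


def read_live_sysctl(key: str) -> str:
    """Read a value from the running kernel (the default reader)."""
    return Path(sysctl_to_proc_path(key)).read_text().strip()


def check_sysctl_drift(
    expected: Dict[str, SysctlValue],
    reader: Callable[[str], str] = read_live_sysctl,
) -> Dict[str, Dict[str, Optional[SysctlValue]]]:
    """Return {sysctl_key: {"expected": ..., "actual": ...}} for every drifted key.

    Keys that cannot be read (e.g. an ipv6 key when the module is not loaded)
    are reported with actual=None: an unreadable hardening key is a finding.
    """
    drift: Dict[str, Dict[str, Optional[SysctlValue]]] = {}
    for param, want in expected.items():
        key = param_to_sysctl(param)
        try:
            got: Optional[SysctlValue] = parse_proc_value(reader(key))
        except (OSError, ValueError):
            got = None
        if got != want:
            drift[key] = {"expected": want, "actual": got}
    return drift


# Constructed snapshot of a host that has drifted from the SIMP defaults.
SAMPLE_SNAPSHOT = {
    "kernel.randomize_va_space": "2",
    "kernel.dmesg_restrict": "0",             # drift: kernel log readable by all users
    "kernel.sysrq": "0",
    "fs.suid_dumpable": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.send_redirects": "1",   # drift: host emits ICMP redirects
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.tcp_rmem": "4096\t87380\t6291456",  # drift: distro default buffers
    # net.ipv6.conf.all.accept_ra deliberately absent: IPv6 not loaded
}


def sample_reader(key: str) -> str:
    """Reader that serves the constructed snapshot instead of /proc/sys."""
    if key not in SAMPLE_SNAPSHOT:
        raise OSError(f"{sysctl_to_proc_path(key)}: No such file or directory")
    return SAMPLE_SNAPSHOT[key]


if __name__ == "__main__":
    report = check_sysctl_drift(SIMP_SYSCTL_DEFAULTS, sample_reader)
    for key, info in sorted(report.items()):
        print(f"DRIFT {key}: expected {info['expected']}, actual {info['actual']}")
```

Calling `check_sysctl_drift(SIMP_SYSCTL_DEFAULTS)` without a reader audits the running host; on the constructed snapshot it reports four drifted keys.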
### simp::version
Places SIMP version related information on the filesystem
### simp::yum::repo::internet_simp_dependencies
Configure yum to use the internet public repository for SIMP dependencies
#### Parameters
The following parameters are available in the `simp::yum::repo::internet_simp_dependencies` class.
##### `simp_release_slug`
Data type: `Optional[String]`
The unique release URL "slug" of SIMP for the target release
(e.g., '6_X', '6_X_Alpha').
* Defaults to the version of the **puppet server**
Default value: `undef`
### simp::yum::repo::internet_simp_server
Configure yum to use the internet public repository for SIMP servers
* **Note:** If a system is not intended to be a SIMP server, it probably doesn't need this profile.
#### Parameters
The following parameters are available in the `simp::yum::repo::internet_simp_server` class.
##### `simp_release_slug`
Data type: `Variant[String,Undef]`
The unique release "slug" of SIMP for the target release
(e.g., '6_X', '6_X_Alpha').
* Defaults to the version of the **puppet server**
Default value: `undef`
### simp::yum::repo::local_os_updates
Configure yum to use a (simp-managed) OS Updates repository
Generally, this is used by the ISO installation.
* By default, baseurl and GPG key URLs will work with repositories managed
with ``simp::server::yum``.
* Multiple yum servers and arbitrary URLs are accepted; see the ``servers``
parameter for details.
* For more complex scenarios, create a site-specific profile and use the native
`yumrepo` type directly.
#### Examples

##### Describing a single server by FQDN

```puppet
# When classified to a CentOS 6 x86_64 host, this creates an os_updates
# yumrepo with the ``baseurl`` "https://yum.test.simp/yum/CentOS/6/x86_64/Updates"
class { 'simp::yum::repo::local_os_updates':
  servers => ['yum.test.simp']
}
```

##### Describing multiple servers, including an arbitrary repository URL

```puppet
# When classified to a CentOS 6 x86_64 host, this creates an os_updates
# yumrepo with a 3-entry ``baseurl`` and a 3-entry ``gpgkey``
class { 'simp::yum::repo::local_os_updates':
  servers => [
    'yum.test.simp',
    'yum2.test.simp',
    'https://yum.updates.url/full/path/to/repo/c6-64-u'
  ],
  extra_gpgkey_urls => [
    'https://yum.updates.url/full/path/to/repo/c6-64-u/RPM-GPG-KEY-CentOS-6'
  ]
}
```
#### Parameters
The following parameters are available in the `simp::yum::repo::local_os_updates` class.
##### `servers`
Data type: `Array[Simp::HostOrURL]`
An Array of FQDNs, IPs, or URLs containing the yum server(s) to use.
* An FQDN or IP will be assumed to host its yum repository and GPG keys at
the URLs established by ``simp::server::yum``.
* A URL will be used as-is, and should point directly to its yum repository.
##### `enable_repo`
Data type: `Boolean`
Enables or disables the Yum repo
Default value: `true`
##### `extra_gpgkey_urls`
Data type: `Simp::Urls`
An optional Array of Urls to include additional GPG key files
Default value: []
### simp::yum::repo::local_simp
Set up the local SIMP repositories for disconnected environments.
Generally, this is used by the ISO installation.
* By default, baseurl and GPG key URLs will work with repositories managed
with ``simp::server::yum``.
* Multiple yum servers and arbitrary URLs are accepted; see the ``servers``
parameter for details.
* For more complex scenarios, create a site-specific profile and use the native
`yumrepo` type directly.
#### Examples

##### Describing a single server by FQDN

```puppet
# When classified to a CentOS 6 x86_64 host, this creates a SIMP yumrepo
# whose ``baseurl`` and ``gpgkey`` are derived from yum.test.simp using the
# ``simp::server::yum`` layout
class { 'simp::yum::repo::local_simp':
  servers => ['yum.test.simp']
}
```

##### Describing multiple servers, including an arbitrary repository URL

```puppet
# When classified to a CentOS 6 x86_64 host, this creates a SIMP yumrepo
# with one ``baseurl`` entry per server and the extra key URL appended to
# ``gpgkey``
class { 'simp::yum::repo::local_simp':
  servers => [
    'yum.test.simp',
    'yum2.test.simp',
    'https://yum.updates.url/full/path/to/repo/c6-64-u'
  ],
  extra_gpgkey_urls => [
    'https://yum.updates.url/full/path/to/repo/c6-64-u/RPM-GPG-KEY-CentOS-6'
  ]
}
```
#### Parameters
The following parameters are available in the `simp::yum::repo::local_simp` class.
##### `servers`
Data type: `Array[Simp::HostOrURL]`
An Array of FQDNs, IPs, or URLs containing the yum server(s) to use.
* An FQDN or IP will be assumed to host its yum repository and GPG keys at
the URLs established by ``simp::server::yum``.
* A URL will be used as-is, and should point directly to its yum repository.
##### `enable_repo`
Data type: `Boolean`
Enables or disables the Yum repo
Default value: `true`
##### `extra_gpgkey_urls`
Data type: `Simp::Urls`
An optional Array of Urls to include additional GPG key files
Default value: []
### simp::yum::schedule
Set up a YUM update schedule.
#### Parameters
The following parameters are available in the `simp::yum::schedule` class.
##### `enable`
Data type: `Boolean`
Enable or disable the update schedule
Default value: `true`
##### `minute`
Data type: `Simplib::Cron::Minute`
String Cron minute
Default value: '12'
##### `hour`
Data type: `Simplib::Cron::Hour`
String Cron hour
Default value: '0'
##### `monthday`
Data type: `Simplib::Cron::MonthDay`
String Cron monthday
Default value: '*'
##### `month`
Data type: `Simplib::Cron::Month`
String Cron month
Default value: '*'
##### `weekday`
Data type: `Simplib::Cron::Weekday`
String Cron weekday
Default value: '*'
##### `repos`
Data type: `Array[String]`
If you only want to update from specific repos, then set the repos
variable to an Array with those repo names
Default value: ['all']
##### `disable`
Data type: `Array[String]`
If you want to disable specific repos, then set the $disable
variable to an Array with those repo names
Default value: []
##### `exclude_pkgs`
Data type: `Array[String]`
Packages to exclude from the update
Default value: []
##### `randomize`
Data type: `Integer`
The maximum number of minutes yum will wait (a random delay within this
window) before running the update
Default value: 5
##### `quiet`
Data type: `Boolean`
Set to false if you want to see the chatter from yum
Default value: `true`
## Functions
### simp::knockout
Type: Puppet Language
Deprecated knockout function, see simplib::knockout
#### `simp::knockout(Array $array)`
Deprecated knockout function, see simplib::knockout
Returns: `Any`
##### `array`
Data type: `Array`
### simp::yum::repo::baseurl_string
Type: Puppet Language
The simp::yum::repo::baseurl_string function.
#### `simp::yum::repo::baseurl_string(Array[Simp::HostOrURL] $servers, String $simp_baseurl_path)`
The simp::yum::repo::baseurl_string function.
Returns: `Any` String
##### `servers`
Data type: `Array[Simp::HostOrURL]`
##### `simp_baseurl_path`
Data type: `String`
### simp::yum::repo::gpgkey_string
Type: Puppet Language
A function to return a proper set of SIMP YUM repositories for the default
build. Of limited use outside of an ISO install.
#### `simp::yum::repo::gpgkey_string(Array[Simp::HostOrURL] $servers, Array[String] $simp_gpgkeys, String $simp_baseurl_path, Simp::Urls $extra_gpgkey_urls = [])`
A function to return a proper set of SIMP YUM repositories for the default
build. Of limited use outside of an ISO install.
Returns: `Any` String
##### `servers`
Data type: `Array[Simp::HostOrURL]`
The list of YUM servers
##### `simp_gpgkeys`
Data type: `Array[String]`
The list of GPG Keys for SIMP
##### `simp_baseurl_path`
Data type: `String`
The standard path to the yum repos on the servers
##### `extra_gpgkey_urls`
Data type: `Simp::Urls`
Additional GPG keys that need to be included
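The `servers` handling described for `simp::yum::repo::local_os_updates` above and the `baseurl_string` / `gpgkey_string` functions documented here follow one rule: an FQDN or IP is expanded using the `simp::server::yum` layout, a URL is used verbatim. The following Python is an added example, not the module's own Puppet functions. It assumes the layout shown in the page's example (`https://<host>/yum/<simp_baseurl_path>`) and, as an assumption of this example, that host-style servers publish their GPG keys directly under that same path; URL-style servers contribute no key URL because their layout is unknown, which is why the three-server example above yields a 3-entry `gpgkey` only with `extra_gpgkey_urls` supplied.

```python
from typing import Iterable, List, Sequence
from urllib.parse import urlsplit


def is_url(entry: str) -> bool:
    """True when a Simp::HostOrURL entry is a URL (scheme plus host), not a bare host."""
    parts = urlsplit(entry)
    return bool(parts.scheme) and bool(parts.netloc)


def os_updates_path(os_name: str, os_major: str, arch: str) -> str:
    """Repo path built from facts, as the page's example shows
    (CentOS 6 x86_64 -> CentOS/6/x86_64/Updates)."""
    return f"{os_name}/{os_major}/{arch}/Updates"


def baseurl_list(servers: Iterable[str], simp_baseurl_path: str) -> List[str]:
    """One baseurl per server.

    A host-style entry is assumed to serve the repository at
    https://<host>/yum/<simp_baseurl_path>; a URL entry is used as-is.
    """
    urls = []
    for server in servers:
        if is_url(server):
            urls.append(server.rstrip("/"))
        else:
            urls.append(f"https://{server}/yum/{simp_baseurl_path.strip('/')}")
    return urls


def gpgkey_list(
    servers: Iterable[str],
    simp_gpgkeys: Sequence[str],
    simp_baseurl_path: str,
    extra_gpgkey_urls: Sequence[str] = (),
) -> List[str]:
    """One key URL per (host-style server, key) pair, plus the extras verbatim.

    URL-style servers contribute nothing; their keys must arrive through
    extra_gpgkey_urls. Placing host keys under <simp_baseurl_path> is an
    assumption of this example.
    """
    for url in extra_gpgkey_urls:
        if not is_url(url):  # Simp::Urls only admits real URLs
            raise ValueError(f"extra_gpgkey_urls entry is not a URL: {url!r}")
    keys = []
    path = simp_baseurl_path.strip("/")
    for server in servers:
        if is_url(server):
            continue
        keys.extend(f"https://{server}/yum/{path}/{key}" for key in simp_gpgkeys)
    keys.extend(extra_gpgkey_urls)
    return keys


def baseurl_string(servers: Iterable[str], simp_baseurl_path: str) -> str:
    """Whitespace-separated form that yum accepts for a multi-valued baseurl."""
    return " ".join(baseurl_list(servers, simp_baseurl_path))


def gpgkey_string(
    servers: Iterable[str],
    simp_gpgkeys: Sequence[str],
    simp_baseurl_path: str,
    extra_gpgkey_urls: Sequence[str] = (),
) -> str:
    """Whitespace-separated form that yum accepts for a multi-valued gpgkey."""
    return " ".join(gpgkey_list(servers, simp_gpgkeys, simp_baseurl_path, extra_gpgkey_urls))


if __name__ == "__main__":
    # Inputs taken from the page's three-server example.
    servers = [
        "yum.test.simp",
        "yum2.test.simp",
        "https://yum.updates.url/full/path/to/repo/c6-64-u",
    ]
    extra = ["https://yum.updates.url/full/path/to/repo/c6-64-u/RPM-GPG-KEY-CentOS-6"]
    path = os_updates_path("CentOS", "6", "x86_64")
    print("baseurl =", baseurl_string(servers, path))
    print("gpgkey  =", gpgkey_string(servers, ["RPM-GPG-KEY-CentOS-6"], path, extra))
```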
### simp::yum::repo::gpgkeys::os_updates
Type: Puppet Language
Build a list of GPG keys needed by a os_updates repo
#### `simp::yum::repo::gpgkeys::os_updates()`
Build a list of GPG keys needed by a os_updates repo
Returns: `Array<String>`
### simp::yum::repo::gpgkeys::simp
Type: Puppet Language
Build a list of GPG keys needed by a simp repo
#### `simp::yum::repo::gpgkeys::simp()`
Build a list of GPG keys needed by a simp repo
Returns: `Array<String>`
### simp::yum::repo::sanitize_simp_release_slug
Type: Puppet Language
Sanitize the release slug in the SIMP repo URLs
#### `simp::yum::repo::sanitize_simp_release_slug(Variant[String,Undef] $simp_release_slug = undef)`
Sanitize the release slug in the SIMP repo URLs
Returns: `Any` String
##### `simp_release_slug`
Data type: `Variant[String,Undef]`
The ``slug`` to sanitize
- Mon May 06 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.8.0-0
- Fixed a bug on el6 systems in which the 'puppetdb-dlo-cleanup' cron job from the puppetdb module could not be created. Cron rejected this job because the puppetdb user did not have cron access.
- Added 2 'dead letter office' cleanup configuration parameters to simp::puppetdb
  - simp::puppetdb::automatic_dlo_cleanup which maps directly to puppetdb::automatic_dlo_cleanup
  - simp::puppetdb::dlo_max_age which maps directly to puppetdb::dlo_max_age
- Thu Apr 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.8.0-0
- Refactor the simp::mountpoints::tmp to use systemd's tmp.mount target if the system supports systemd.
- Added net.ipv6.conf.all.accept_ra to simp::sysctl management
- Fixed a bug where the root password field was attempting to set an 'undef' value as Sensitive.
- Bumped the supported Puppet version to include Puppet 6
- Removed Puppet 4 from the supported list
- Tue Apr 09 2019 Joseph Sharkey shark.bruhaha@gmail.com - 4.8.0-0
- Remove Elasticsearch and Grafana GPG Keys
- Added missing simp::sysctl value simp::sysctl::net__ipv4__conf__default__log_martians
- Standardized cron datatypes to use the Simplib::Cron::### types. This allows more flexibility in cron scheduling.
- Mon Mar 25 2019 Nick Miller nick.miller@onyxpoint.com - 4.8.0-0
- Add exceptions to the filebucket management and the vardir/simp management to support running from Bolt
- Thu Mar 21 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.8.0-0
- Replaced use of the simplib's Puppet 3 array_include function with stdlib's member function
- Use simplib::host_is_me in lieu of simplib's Puppet 3 host_is_me
- Use simplib::simp_version in lieu of simplib's Puppet 3 simp_version
- Wed Mar 20 2019 Joseph Sharkey shark.bruhaha@gmail.com - 4.8.0-0
- Switched out chkrootkit for rkhunter on el7 instances
- Mon Mar 11 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Replaced simp-timezone (temporary SIMP fork) with saz-timezone and set the lower bound to 5.1.1 in the metadata.json
- Wed Mar 06 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.7.0-0
- Added the, inert by default, deferred_resources class to all class lists in case the users want to use the functionality. This is particularly relevant to various compliance profiles.
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Deprecated simp::puppetdb::read_database_ssl. Use simp::puppetdb::read_database_jdbc_ssl_properties which maps directly to puppetdb::server::read_database_jdbc_ssl_properties (puppetdb version >= 7.0.0).
- Updated to a minimum puppetdb module version 7.1.0 in the metadata.json and expanded the upper bound accordingly
- Expanded the upper bound for the concat and stdlib Puppet modules in the metadata.json
- Updated URLs in the README.md
- Mon Feb 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 4.7.0-0
- Update the dependency list in metadata.json
- Fix the one_shot scenario tests
- Fri Feb 15 2019 Liz Nemsick lnemsick.simp@gmail.com - 4.7.0-0
- Use simplib::join_mount_opts() in lieu of join_mount_opts(), a deprecated simplib Puppet 3 function.
- Use simplib::nets2cidr() in lieu of nets2cidr(), a deprecated simplib Puppet 3 function.
- Use Puppet's String() in lieu of to_string(), a deprecated simplib Puppet 3 function.
- Use simp_apache::munge_httpd_networks() in lieu of munge_httpd_networks(), a deprecated simp_apache Puppet 3 function.
- Use ssh::global_known_hosts() in lieu of ssh_global_known_hosts(), a deprecated ssh Puppet 3 function.
- Wed Jan 02 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 4.7.0-0
- Add the ability to set the root user password in simp::root_user
- Tue Dec 11 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.7.0-0
- Added sysctl value to increase max number of inotify user watches. Default = 8192, New Value 102400 which is roughly 100M on a 64 bit system.
  - If max number is reached systemctl fails with "Not enough Space on Disk" even though there is plenty of space.
  - See https://unix.stackexchange.com/questions/13751/kernel-inotify-watch-limit-reached for some helpful information.
- Thu Oct 18 2018 Nick Miller nick.miller@onyxpoint.com - 4.6.0-0
- Added $simp::server::yum::createrepo_ensure parameter
  - Changed the package from 'latest' to 'installed'
  - It will also respect simp_options::package_ensure
- Wed Oct 17 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.6.0-0
- Update fixtures to use correct branch of timezone. (Same as in the tracking file for 6.3)
- Wed Oct 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Remove unnecessary simp/freeradius dependency in metadata.json
- Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Update Hiera 4 to Hiera 5
- Thu Aug 30 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.6.0-0
- Fix a usability bug in which simp::server::kickstart did not allow the bootstrap scripts provided by simp::server::kickstart::runpuppet and simp::server::kickstart::simp_client_bootstrap to be configured via hieradata, when those classes were managed by simp::server::kickstart.
- Mon Aug 27 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.6.0-0
- Switch from using 'sudosh' as the default logging shell to using 'tlog'
- Add a 'simp::admin::default_admin_sudo_cmnds' option to allow users to easily change the default sudo-accessible commands from Hiera.
- Ensure that the global filebucket setting occurs prior to class inclusion to match the new Puppet 5 method of setting resource defaults.
- Tue Jul 17 2018 Nick Miller nick.miller@onyxpoint.com - 4.6.0-0
- Added tests and support for OEL and Puppet 5
- Setting the default filebucket in a module no longer works, so simp::enable_filebucketing will do nothing in puppet version >= 5
- Fixed some linting issues
- Wed Jun 20 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0
- Use the sudo::user_specification default host list which is correct for almost all cases
- Update version range of auditd dependency in metadata.json
- Fri Jun 08 2018 Dylan Cochran dylan.cochran@onyxpoint.com - 4.5.0-0
- Add Windows support
- Change /root perms to RPM default of 0550
- Change /etc/rc.d/rc.local perms to RPM default of 0755
- Thu May 03 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- Created standalone SIMP client bootstrap script, bootstrap_simp_client.
- Created simp::server::kickstart::runpuppet replacement, simp::server::kickstart::simp_client_bootstrap, that manages service files for kickstarting a SIMP client, using bootstrap_simp_client and either a sysv (simp_client_bootstrap) or a systemd (simp_client_bootstrap.service) service script. This replacement provides the following improvements:
  - Exponential backoff of requests to the Puppet server, to minimize Puppet server overload.
  - Configurable bootstrap timeout.
  - An option to force a client reboot on client bootstrap failure.
  - More effective puppet agent processing. The bootstrapping takes fewer puppet agent runs.
  - Finer grained control of the bootstrap algorithm.
  - Error handling
    - Bootstrap operation errors are now detected and logged.
    - Failed puppet agent runs are now retried, instead of blindly continuing on.
  - Timestamped log messages in the bootstrap log file. This includes messages from bootstrap_simp_client, puppet agent, and fixfiles. service start
- simp::server::kickstart::runpuppet is deprecated and will be removed in a future release
- Fri Apr 27 2018 Nick Miller nick.miller@onyxpoint.com - 4.5.0-0
- Add simp::netconsole class to manage the netconsole kernel feature
- Fix a few puppet-lint warnings
- Fri Apr 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- Set permissions of /etc/rc.d/rc.local to 0750, instead of 0770.
- Mon Apr 23 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.5.0-0
- simp_options::selinux was supposed to determine if the selinux module was included. However, this value was getting overridden by the class lists which independently included the selinux module. This change removes the unused simp_options::selinux setting to eliminate the confusion. See the scenario maps in the data section to see what scenarios include the selinux module. See the selinux module to see how to use puppet to enable/disable selinux. This may change the defaults for selinux in the simp_lite scenario.
- Tue Apr 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0
- Narrow the focus of the internal hieradata to ensure correct runs on unsupported OSs
- Update unsupported OS tests
- Add a test to ensure that an error is thrown if an invalid scenario is specified
- Mon Apr 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.5.0-0
- In the runpuppet init script used to bootstrap kickstarted clients, for EL7, persist the hostname retrieved by DHCP as a static hostname. This prevents problems that can arise on EL7 when the DHCP lease expires in the middle of the client bootstrap puppet runs.
- Mon Apr 02 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.5.0-0
- changed permission on ctrl-alt-del-capture.service to prevent "no effect" errors in system logs.
- Thu Mar 29 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.1-0
- Ensure that a file exists on EL 6 if portreserve is enabled so that the portreserve service does not flap
- Tue Mar 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- In simp::prelink, ensure prelinking is disabled when the server is in FIPS mode, as FIPS is incompatible with prelinking.
- Fri Mar 16 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.4.0-0
- Updated metadata.json to include trlinkin/nsswitch
- Wed Mar 14 2018 Nick Miller nick.miller@onyxpoint.com - 4.4.0-0
- Fixed a bug where if the `puppet_settings` fact did not exist, users in the `%administrators` group could `rm -rf` any path
  - The value in the hash was also corrected to `$facts['puppet_settings']['main']['ssldir']`
- Fri Mar 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Set the ownership and permissions of puppet/puppetdb.conf in simp::puppetdb, instead of allowing them to be set to those of the process running puppet, if the file needs to be created. This is part of the fix to the failure of SIMP to bootstrap on a system on which root's umask has already been restricted to 077.
- Mon Feb 26 2018 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.0-0
- Remove management of the 'root' user's groups in the User resource
- Works around https://tickets.puppetlabs.com/browse/PUP-8470
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Remove non-working mcollective remnants
- Remove unnecessary dependency on puppetlabs/inifile.
- Mon Jan 22 2018 Nick Miller nick.miller@onyxpoint.com - 4.4.0-0
- When the host is a member of an IPA domain, do not include the simp_openldap::client class.
- Update upper bound for concat dependency
- Tue Jan 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 4.4.0-0
- Add simp::prelink to the class lists for both the SIMP server and SIMP clients. By default, simp::prelink ensures any prelinking has been removed and that the prelink package is not installed. This satisfies the SCAP Security Guide's OVAL check xccdf_org.ssgproject.content_rule_disable_prelink.
- Mon Nov 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.3.0-0
- In simp::sysctl, add parameters for net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route and set them to 0 by default. This satisfies STIG CCI-0000366.
- Small test fixes to allow acceptance tests to run on servers in FIPS mode
- Thu Oct 19 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.2-0
- Lowered default value of parameter simp::sssd::client::min_id to 500
- Fri Oct 06 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Added simp/timezone to the module dependency list
- Wed Oct 04 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.0-0
- Fail compilation for a subset of SIMP capabilities, if they are used on unsupported operating systems.
- Wed Oct 04 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Add an acceptance test for the 'poss' scenario using Oracle EL6
- Wed Aug 23 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.1-0
- change simp::server::classes's lookup_options to be 'unique'
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.1.1-0
- Update concat version in metadata.json
- Add concat dependency to build/rpm_metadata/requires
- Thu Aug 17 2017 Liz Nemsick lnemsick.simp@gmail.com - 4.1.1-0
- Add camptocamp/kmod to list of dependencies
- Mon Jul 31 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 4.1.1-0
- call simp::nsswitch in simp and simp-lite scenario instead of just nsswitch to set nsswitch according to simp_options instead of just the nsswitch defaults.
- Thu Jul 20 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.1-0
- Refactor classification lists to be RedHat specific to support other target platforms
- Thu Jun 15 2017 Nick Miller nick.miller@onyxpoint.com - 4.1.0-0
- simp::yum::internet_simp* repos now use facts in Yum repo baseurls in place of yum macros, whose output is not reliable.
- Fri Jun 09 2017 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Due to lack of support for knockout_prefix for arrays in older versions of Puppet, simp::knockout functionality has been moved to simplib::knockout because multiple modules are using the function.
- A wrapper has been put around simp::knockout for backwards-compatibility in our code.
- Update puppet requirement in metadata.json
- Tue May 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Updated the simp::kmod_blacklist class to also fully disable the module loading
- Provide the ability to override the disabled modules locally on the system by default but also allow for enforcement
- Provide the ability to lock module loading if the underlying OS has the capability
- Wed May 10 2017 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Added a 'remote_access' scenario
- Mon May 09 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.1.0-0
- Use the correct simp_options global catalyst for base_apps::ensure
- Mon Apr 17 2017 Nick Miller nick.miller@onyxpoint.com - 4.1.0-0
- Set the polkit administrator group
- Merged base_services into base_apps, leaving a shim in base_services
- Thu Apr 06 2017 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-0
- Updated apache rsync hosts_allow to $trusted_nets. The previous value of 127.0.0.1 would not allow apache to rsync if stunnel was disabled.
- Mon Apr 03 2017 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Updated the YUM configuration so that no repos are set up by default and it is simple to connect to the public repos for SIMP.
- Yum repos are now individual profiles that can be included à la carte
- Wed Mar 29 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 4.0.0-0
- Fixed the confusion with the 'classes' global Array
- Added support for a 'simp::classes' Array with a knockout prefix of '--'
- Moved scenarios into data in modules
- Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.1.0-0
- move fips from base scenario to simp scenario
- made the inclusion of fips module not depend on simp_options::fips setting
- it is included because it used to turn fips on and off.
- Wed Mar 01 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.1.0-0
- Added the new Grafana GPG key to the list and retained the old one until they re-sign their old packages.
- Add the basic SIMP scenarios to the module
- simp -> full SIMP profile
- simp_lite -> SIMP with the more aggressive parts removed
- poss -> only connect to the puppet server
- Fri Feb 24 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.1-0
- Moved runpuppet template to its own class so the runpuppet script can be managed independently from the simp::server::kickstart class
- Fri Feb 17 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.0-0
- Refine list of GPG keys used by simp::yum::server
- Tue Feb 14 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0
- Ensure that the filebucket is appropriately set for both local and remote use
- Mon Feb 06 2017 Nick Markowski nmarkowski@keywcorp.com - 3.0.0-0
- Modified rsync stunnel logic to add a connection to the rsync server only if the machine is not the rsync server.
- Wed Jan 18 2017 Nick Miller nick.miller@onyxpoint.com - 3.0.0-0
- Removed the inclusion of simp::server::* classes from the simp::server class in favor of including them in the class list in hiera.
- Removed any dangling references or dependencies on ganglia or snmpd
- Rearranged logic in sysctl and removed the ipv6 catalyst. ipv6 will now be unmanaged by default.
- Beefed up simp::server class to include more default classes
- Made $rsync_stunnel enabled by default
- Thu Jan 05 2017 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0
- Added a 'simp::ctrl_alt_del' class for managing the behavior of giving a system the three finger death punch
- Mon Dec 05 2016 Nick Miller nick.miller@onyxpoint.com - 2.0.1-0
- Added simp::kmod_blacklist profile to manage the kernel blacklist using puppet-kmod
  - config migrated from simplib
- Thu Dec 02 2016 Nick Markowski nmarkowski@keywcorp.com - 2.0.1-0
- Removed pupmod-simp-sysctl in favor of augeas-sysctl
- Thu Nov 29 2016 Nicholas Hughes, Nick Markowski nmarkowski@keywcorp.com - 2.0.0-0
- Introduced rsyslog rule orders so messages hit 'stop' rules before they reach 'catch-alls'. By doing so, log duplication is prevented.
- Modified the spooler log local rule to ensure both uucp and news facilities are logged in spooler.log.
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 2.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 2.0.0-0
- Remove compliance map and General housekeeping
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 2.0.0-0
- Updated iptables dependency version
- Updated openldap dependency version
- Tue Oct 25 2016 Nick Markowski nmarkowski@keywcorp.com - 2.0.0-0
- Added logic to ensure simp::puppetdb manages the puppetserver service via pupmod::master::base, NOT puppetdb::master::config.
- Included the puppetdb::master::config class.
- Updated spec.
- Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Updated to support Puppet 4 with the latest Puppet Server and PuppetDB
  - Foundation for SIMP 6
  - Will not work with any Puppet < 4
- Mon Oct 10 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.10-0
- Ensured netlabel_tools is installed.
- Mon Oct 3 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.2.9-0
- Added Elasticsearch and Grafana Keys to yum config
- Thu Sep 29 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 1.2.8-0
- Fixed beaker reference in Gemfile.
- Tue Aug 09 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.7-0
- Fixed an invalid data type in simp::nfs::export_home.
- Tue Aug 02 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.6-0
- Update to the new naming convention
- Wed Jul 20 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.5-0
- Migrated create_home_dirs from nfs.
- Modified create_home_dirs to use ruby-net-ldap.
- Wed Jul 13 2016 Nick Miller nick.miller@onyxpoint.com - 1.2.4-0
- Yum repos now default to https with sslverify=false
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.3-0
- Migration to semantic versioning and fix of the build system
- Sat May 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.2-0
- Spec test fixes
- Wed May 11 2016 Nick Markowski nmarkowski@keywcorp.com - 1.2.2-0
- Added a hook to control SSLVerifyClient in ks.conf. Defaults to 'optional'.
- Wed Apr 13 2016 Kendall Moore kendall.moore@onyxpoint.com - 1.2.1-0
- Svckill now ignores quotaon and messagebus in RHEL/CentOS 7
- Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.2.0-0
- Moved to Semantic Versioning 2.0
- Ensure that SSSD is used for systems EL6.7+
- Removed RPM dependency on simp-bootstrap as it is not technically required.
- Test against Puppet 4.3.2
- Tue Mar 08 2016 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-9
- Updated a bad default for nfs_server in the home_client class, which otherwise had the potential to render a nil server value, and break automounting.
- Wed Feb 24 2016 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-8
- Updated the mcollective stock class and added appropriate spec and unit testing for full functionality test coverage.
- Fri Feb 19 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.1.0-8
- Added compliance function support
- Mon Dec 28 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-7
- Updated minor logic in simp::yum for flexibility.
- Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-6
- Add management for the paths that the simp helper commands expect. This is particularly relevant when not installing via RPM
- Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-5
- Now use the 'operatingsystem' facts instead of the 'lsb' facts
- Updated to require 'simplib' and 'simpcat' instead of 'common', 'functions', and 'concat'
- Ensure that sssd is used by EL >= 7 due to fatal bugs in nscd and nslcd on these platforms.
- Fri Oct 16 2015 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-4
- Modified stock puppetdb class defaults to conform with upgraded puppetdb module.
- Fri Sep 18 2015 Kendall Moore kmoore@keywcorp.com - 1.1.0-3
- Set the keylength to 2048 in puppet.conf during the execution of runpuppet if FIPS is enabled.
- Thu Sep 10 2015 Nick Markowski nmarkowski@keywcorp.com - 1.1.0-2
- In runpuppet, run fixfiles before the final passes if selinux is enabled.
- Selbool use_nfs_home_dirs set to 1 if remote nfs server used for home directories.
- Fri Jul 31 2015 Kendall Moore kmoore@keywcorp.com - 1.1.0-1
- Added support for the updated rsyslog module.
- Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-0
- Added PuppetDB support
- Thu Apr 02 2015 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-7
- Modified runpuppet script to ensure the puppetserver service is running before puppet runs.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-6
- Migrated to the new 'simp' environment.
- Wed Jan 14 2015 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-6
- Re-created the MCollective stock class, now with SSL fully enabled.
- Tue Nov 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-5
- Updated the default GPG key list.
- Updated the rsyslog stock classes to remove stunnel support and, instead, take advantage of the native TLS support in rsyslog.
  - NOTE: This requires changing the global 'log_server' variable in Hiera to a 'log_servers' Array which is done in the %post section of this RPM.
- Thu Nov 06 2014 Chris Tessmer chris.tessmer@onyxpoint.com - 1.0.0-5
- Removed sssd::conf as it is no longer needed and causes duplicate concat_fragment error
- Fri Oct 31 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-4
- Moved the mcollective IPTables and package material into the main SIMP module.
- Update to account for the stunnel module updates in 4.2.0-0
- Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-3
- Updated the nfs::home_client class to properly account for the port setting in the mounts.
- Tue Aug 19 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-2
- Differentiated the rsync module paths between 4.X and 5.X distributions. 4.X should not include the distribution and release in the path.
- Mon Aug 18 2014 Kendall Moore kmoore@keywcorp.com - 1.0.0-2
- Updated the digest_algorithm in the runpuppet script to be SHA-256.
- Fri Aug 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-1
- Ensure that runpuppet returns '1' when queried for status so that svckill doesn't continually attempt to disable it.
- Fri Jul 25 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-0
- Ensured /srv/www/yum/SIMP is created if SIMP version < 5.
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-0
- /var/nfs is used for NFS in SIMP>=5 and /srv/nfs otherwise
- Updated yum and kickstart to use /var/www if SIMP>=5 and /srv/www otherwise
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-4
- Updated to use the new rsync path.
- Tue Jul 15 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-4
- Updated to support the RHEL7 repo GPG keys.
- Tue Jul 15 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-4
- Added CentOS as a supported OS as a part of CentOS 7 upgrade.
- Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-3
- Separated out the RHEL6/7 package requirements appropriately.
- Thu Jun 12 2014 Nick Markowski nmarkowski@keywcorp.com - 0.0.1-2
- Ntp servers can be passed to kickstart as an array of server names or a hash of server => 'option' pairs.
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-1
- Added stock classes for FreeRADIUS
- Added stock classes for Ganglia
- Added stock classes for RSyslog
- Added stock classes for krb5
- Added stock classes for MRepo
- Added stock classes for SNMP
- Tue May 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-1
- Added a quiet_puppet variable to runpuppet for the cert download segment.
- Mon May 05 2014 Kendall Moore kmoore@keywcorp.com - 0.0.1-0
- Added stock classes for NFS home directories.
- Fri Mar 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-0
- Initial Release
- Ported all materials from the old default_classes directory.
- Incorporated several parts of sec and common as appropriate to the separation of duties.
Dependencies
- camptocamp/kmod (>= 2.1.0 < 3.0.0)
- herculesteam/augeasproviders_sysctl (>= 2.2.0 < 3.0.0)
- puppetlabs/concat (>= 2.2.0 < 6.0.0)
- puppetlabs/puppetdb (>= 7.1.0 < 8.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 6.0.0)
- saz/timezone (>= 5.1.1 < 6.0.0)
- simp/aide (>= 6.0.0 < 7.0.0)
- simp/at (>= 0.0.5 < 1.0.0)
- simp/auditd (>= 7.0.0 < 9.0.0)
- simp/chkrootkit (>= 0.1.0 < 1.0.0)
- simp/clamav (>= 6.0.0 < 7.0.0)
- simp/cron (>= 0.1.0 < 1.0.0)
- simp/deferred_resources (>= 0.1.0 < 1.0.0)
- simp/dhcp (>= 6.0.0 < 7.0.0)
- simp/fips (>= 0.2.0 < 1.0.0)
- simp/incron (>= 0.4.0 < 1.0.0)
- simp/iptables (>= 6.0.0 < 7.0.0)
- simp/issue (>= 0.0.3 < 1.0.0)
- simp/ntpd (>= 6.0.0 < 7.0.0)
- simp/pam (>= 6.0.0 < 7.0.0)
- simp/polkit (>= 6.1.0 < 7.0.0)
- simp/postfix (>= 5.0.0 < 6.0.0)
- simp/pupmod (>= 7.1.0 < 8.0.0)
- simp/resolv (>= 0.1.1 < 1.0.0)
- simp/rkhunter (>= 0.0.1 < 1.0.0)
- simp/rsync (>= 6.0.0 < 7.0.0)
- simp/selinux (>= 2.3.0 < 3.0.0)
- simp/simp_apache (>= 6.0.1 < 7.0.0)
- simp/simp_openldap (>= 6.0.0 < 7.0.0)
- simp/simp_rsyslog (>= 0.3.0 < 1.0.0)
- simp/simplib (>= 3.15.0 < 4.0.0)
- simp/ssh (>= 6.5.1 < 7.0.0)
- simp/sssd (>= 6.1.3 < 7.0.0)
- simp/sudo (>= 5.1.0 < 6.0.0)
- simp/sudosh (>= 6.1.0 < 7.0.0)
- simp/svckill (>= 3.3.0 < 4.0.0)
- simp/swap (>= 0.1.2 < 1.0.0)
- simp/tftpboot (>= 6.0.0 < 7.0.0)
- simp/tlog (>= 0.1.0 < 1.0.0)
- simp/tuned (>= 0.1.0 < 1.0.0)
- simp/upstart (>= 6.0.3 < 7.0.0)
- simp/useradd (>= 0.2.2 < 1.0.0)
- trlinkin/nsswitch (>= 2.0.0 < 3.0.0)
License
pupmod-simp-simp - Puppet Profiles for SIMP

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.