Contents
This release is known to work with:
- RHEL 7.2 x86_64
- CentOS 7.0 1511 x86_64
This update is backwards-compatible for the SIMP 5.2 releases.
Due to Puppet 3.X going EOL in December of 2016, the SIMP stack will be releasing SIMP 6 as the next major release. Among major changes:
- SIMP 6 will use Puppet 4, which is distributed as a single RPM by the Puppet all-in-one (AIO) installer.
- Starting with 6.0.0, the SIMP numbering scheme will follow Semantic Versioning 2.0.0.
- 6.0.0 and will support all operating systems under that numbering scheme henceforth.
Note
This only affects you if you did not have a separate partition for /tmp!
- There were issues in the
secure_mountpointsclass that caused/tmpand/var/tmpto be mounted against the root filesystem. While the new code addresses this, it cannot determine if your system has been modified incorrectly in the past. - To fix the issue, you need to do the following:
- Unmount
/var/tmp(may take multiple unmounts) - Unmount
/tmp(may take multiple unmounts) - Remove the
'bind'entries for/tmpand/var/tmpfrom/etc/fstab - Run
puppetwith the new code in place
- Unmount
Warning
SSSD enforces password strength at login time! This means that, should you have old passwords that do not meet the present password policy on the host, you will not be able to authenticate with your old password!
- The
simp-sysctlmodule will be deprecated in the6.0.0release of SIMP. Current users should migrate to using theaugeasproviders_sysctlmodule provided with SIMP going forward.
- There were no breaking changes in this release.
Detailed upgrade guidance can be found in the :ref:`ug-howto-upgrade-simp` portion of the :ref:`simp-user-guide`.
Warning
You must have at least 2.4GB of free RAM on your system to upgrade to this release.
Note
Upgrading from releases older than 5.0 is not supported.
- CVE-2016-5195
- Dirty COW - A privilege escalation vulnerability in the Linux Kernel
| Package | Old Version | New Version |
|---|---|---|
| pupmod-cristifalcas-journald | N/A | 0.2.2-2016 |
| pupmod-elasticsearch-logstash | 0.6.4-2016 | 0.6.5-2016 |
| pupmod-simp-acpid | 0.0.2-2016 | 0.0.3-2016 |
| pupmod-simp-activemq | 3.0.0-2016 | 3.0.1-2016 |
| pupmod-simp-aide | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-apache | 4.1.5-2016 | 4.1.7-2016 |
| pupmod-simp-auditd | 5.0.4-2016 | 5.1.1-2016 |
| pupmod-simp-autofs | 4.1.2-2016 | 4.1.4-2016 |
| pupmod-simp-clamav | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-compliance_markup | 1.0.0-0 | 1.0.2-2016 |
| pupmod-simp-dhcp | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-dirtycow | N/A | 1.0.1-2016 |
| pupmod-simp-foreman | 0.2.0-2016 | 0.2.2-2016 |
| pupmod-simp-freeradius | 5.0.2-2016 | 5.0.3-2016 |
| pupmod-simp-ganglia | 5.0.0-2016 | 5.0.1-2016 |
| pupmod-simp-haveged | 0.3.1-2016 | 0.3.2-2016 |
| pupmod-simp-iptables | 4.1.4-2016 | 4.1.5-2016 |
| pupmod-simp-jenkins | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-krb5 | 5.0.6-2016 | 5.0.8-2016 |
| pupmod-simp-libreswan | 0.1.0-2016 | 0.1.2-2016 |
| pupmod-simp-libvirt | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-logrotate | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-mcafee | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-mcollective | 2.3.2-2016 | 2.4.0-2016 |
| pupmod-simp-mozilla | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-named | 4.3.1-2016 | 4.3.3-2016 |
| pupmod-simp-network | 4.1.1-2016 | 4.1.3-2016 |
| pupmod-simp-nfs | 4.5.2-2016 | 4.5.3-2016 |
| pupmod-simp-nscd | 5.0.1-2016 | 5.0.2-2016 |
| pupmod-simp-ntpd | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-oddjob | 1.0.0-2016 | 1.0.1-2016 |
| pupmod-simp-openldap | 4.1.8-2016 | 4.1.9-2016 |
| pupmod-simp-openscap | 4.2.1-2016 | 4.2.2-2016 |
| pupmod-simp-pam | 4.2.5-2016 | 4.2.6-2016 |
| pupmod-simp-pki | 4.2.3-2016 | 4.2.5-2016 |
| pupmod-simp-polkit | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-postfix | 4.1.3-2016 | 4.1.5-2016 |
| pupmod-simp-postgresql | 4.1.0-2016 | 4.1.2-2016 |
| pupmod-simp-pupmod | 6.0.5-2016 | 6.0.9-2016 |
| pupmod-simp-rsync | 4.2.2-2016 | 4.2.3-2016 |
| pupmod-simp-rsyslog | 5.1.0-2016 | 5.1.2-2016 |
| pupmod-simp-selinux | 1.0.3-2016 | 1.0.4-2016 |
| pupmod-simp-simp | 1.2.7-2016 | 1.2.10-2016 |
| pupmod-simp-simp_elasticsearch | 3.0.1-2016 | 3.0.3-2016 |
| pupmod-simp-simp_grafana | 0.1.0-2016 | 0.1.1-2016 |
| pupmod-simp-simpcat | 5.0.1-2016 | 5.0.2-2016 |
| pupmod-simp-simplib | 1.3.1-2016 | 1.3.4-2016 |
| pupmod-simp-site | 2.0.1-2016 | 2.0.2-2016 |
| pupmod-simp-snmpd | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-ssh | 4.1.10-2016 | 4.1.13-2016 |
| pupmod-simp-sssd | 4.1.3-2016 | 4.1.4-2016 |
| pupmod-simp-stunnel | 4.2.7-2016 | 4.2.9-2016 |
| pupmod-simp-sudo | 4.1.2-2016 | 4.1.3-2016 |
| pupmod-simp-sudosh | 4.1.1-2016 | 4.1.2-2016 |
| pupmod-simp-svckill | 1.1.3-2016 | 1.1.4-2016 |
| pupmod-simp-sysctl | 4.2.0-2016 | 4.2.1-2016 |
| pupmod-simp-tcpwrappers | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-tftpboot | 4.1.2-2016 | 4.1.3-2016 |
| pupmod-simp-tpm | 0.1.0-2016 | 0.2.0-2016 |
| pupmod-simp-upstart | 4.1.2-2016 | 4.1.3-2016 |
| pupmod-simp-vnc | 4.1.0-2016 | 4.1.1-2016 |
| pupmod-simp-vsftpd | 5.0.4-2016 | 5.0.7-2016 |
| pupmod-simp-windowmanager | 4.1.2-2016 | 4.1.3-2016 |
| pupmod-simp-xinetd | 2.1.0-2016 | 2.1.1-2016 |
| pupmod-simp-xwindows | 4.1.1-2016 | 4.1.2-2016 |
| rubygem-simp-cli | 1.0.20-0.el7 | 1.0.20-0.el7.centos |
| rubygem-simp-cli-doc | 1.0.20-0.el7 | 1.0.20-0.el7.centos |
| simp | 5.2.0-0 | 5.2.1-0 |
| simp-bootstrap | 5.3.2-0 | 5.3.4-0 |
| simp-doc | 5.2.0-0 | N/A |
| simp-gpgkeys | 2.0.0-3.el7 | 2.0.0-3.el7.centos |
| simp-rsync | 5.1.0-3.el7 | 5.1.0-3.el7.centos |
| simp-rsync-clamav | 5.1.0-3.el7 | 5.1.0-3.el7.centos |
| simp-utils | 5.0.1-1 | 5.0.1-2 |
- None
- Updated to use a specific configuration parameter instead of the presence of configured syslog servers to determine whether or not to enable log forwarding
- Updated the
::autofs::map::entryand::autofs::map::mastercode to work safely with thesimp catmodule as well as properly ensuring that theautofsservice is restarted when the content of one of the map files is changed.
- Fixed an invalid
concatdependency for the$auth_user_file
- Fixed chroot compatibility with :term:`EL` 7
- Updated to fix issues with Puppet 4
- Changed the permissions on
/etc/exportsto644which was validated to meet existing security requirements- Vagrant was dying if it could not read this file as a regular user
- Multiple URIs in Hiera entries were not written into
ldap.conf - The
DEREFconfiguration value inldap.confwas not populated correctly
- Properly redirect
STDERRinpuppetagent_cron.erb - Fully expanded the
pupmod::ssldirparameter so that$vardirno longer causes issues when showing up in anauditdconfiguration file - Corrected an issue where the
gem-homeparameter inpuppetserver.confwas malformed
- Enabled forwarding of
journaldmessages to syslog since :term:`EL` 7.2 disabled this by default - Fixed an issue where rules that were no longer managed by the module were not correctly purged
- Ensure that the
netlabel_toolspackage is installed for thenetlabelservice - Added the :term:`Elasticsearch` and :term:`Grafana` :term:`GPG` keys to the :term:`YUM` configuration
- Fixed the
validate_net_list()function when using regex strings against IPv6 addresses - Added support for
nss-myhostnamewhich fixes issues with hostname lookups on :term:`EL` 7+ systems - Added a
puppet_settingsFact that returns a Hash of all settings on the Puppet client system - Fix issues with calls to the
Service['named']resource
- Changed
trusted['clientcert']totrusted['certname']inhiera.yaml
- Ensure that
STDERRis properly discarded during shell redirects
- Ensured that
unpack_dvdandmigrate_to_environmentsproperly squashed STDERR - Corrected the
pupmod-simp-mcollectiveversion that was being built
- Removed the dependency on pssh
- Removed the first call to
fips=1from the kickstart file since it was causing issues with some systems
- Added an upstream
journaldmanagement module since EL7 needs tweaking to the journal on many systems.
- Added the syslog
priorityandfacilityoptions toauditd::config::audisp::syslog
- Adds a notification message if your system is affected by the Dirty COW CVE
- Will not attempt to automatically upgrade your kernel!
- Enabled forwarding of
journaldlogs to syslog
- Added a
puppet_settingsFact that returns a Hash of all settings on the Puppet client system
- Changed the default Storage Root Key password default to
nullfor PKCS#11 and Trusted Boot - Added a fact
ima_log_sizethat returns the byte size of the IMA hash log insecurityfs - Added the ability to edit the default IMA policy
- Be very careful if using this in production
- Mapped NIST 800-171 and ISO/IEC 27001 into the SIMP compliance_map baseline
- Added TPM management documentation
- Updated the ELG stack documentation
- Another set of usability updates to the documentation, mostly around building the system from scratch
- If you are running libvirtd, when
svckillruns it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service but is, instead, an error of the startup script and causes no damage to your system.