
Reference

Table of Contents

Classes

Functions

Data types

Classes

simp

Include this class to take full advantage of SIMP capabilities.

This is primarily done through the simp::scenario classes that provide specifically supported configurations of core SIMP systems and clients.

If you're planning to use SIMP capabilities, you should always include this class.

Parameters

The following parameters are available in the simp class:

scenario_map

Data type: Hash

An internal use parameter for configuring pre-defined maps

scenario

Data type: String

The SIMP 'scenario' that you wish to apply to your system

  • The class list for each scenario is defined by the scenario_map which is pulled from the module data.
  • Please see the README for the list of scenarios
  • Please see the module data for the exact class list that is included in each scenario

Default value: 'simp'

enable_data_includes

Data type: Boolean

Deprecated - Has no effect

  • Will be removed in the next major release

Default value: true

classes

Data type: Array

A list of classes that you wish to include in your SIMP stack in addition to the scenario selected above.

  • For a completely stock Puppet experience on your clients, select the poss (Puppet Open Source Software) scenario configuration. This also works on Puppet Enterprise

  • This Array has been enabled with the knockout_prefix of --

  • Any Array item in the lookup hierarchy that you prefix with -- will be removed from the Array

Example: The following list would include the apache class and exclude the ntpd class:

---
simp::classes:
    - 'apache'
    - '--ntpd'

Default value: []

mail_server

Data type: Variant[Boolean,Enum['remote']]

Install a local mail service on the system

  • If true will install only a locally usable MTA
  • If remote will install a full mail server capable of processing remote connections
    • If you use a remote server, you'll need to set the appropriate parameters for the postfix class

Default value: true

rsync_stunnel

Data type: Variant[Boolean,Simplib::Host]

The rsync server from which files should be retrieved

  • May be set to false to disable the rsync stunnel connection
  • If unset, will default to the Puppet server itself

Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => true })

use_ssh_global_known_hosts

Data type: Boolean

If true, use the ssh_global_known_hosts function to gather the various host SSH public keys and populate the /etc/ssh/known_hosts file.

Default value: false

version_info

Data type: Boolean

Add SIMP version information onto the client in /etc/simp

Default value: true

puppet_server_hosts_entry

Data type: Boolean

Add a host entry for the Puppet server to the catalog

  • This has no effect if the $server_facts Hash is not populated

Default value: true

enable_filebucketing

Data type: Boolean

Enable the filebucket for all managed files

Default value: false

filebucket_name

Data type: String[1]

The name of the filebucket that should be used

Default value: 'simp'

filebucket_server

Data type: Optional[Simplib::Host]

Sets up a remote filebucket target if set

Default value: undef

filebucket_path

Data type: Stdlib::Absolutepath

The local system path to use as the filebucket

  • Has no effect if $filebucket_server is set

Default value: "${facts['puppet_vardir']}/simp/filebucket"

use_sudoers_aliases

Data type: Boolean

If true, enable simp site sudoers aliases

Default value: true

runlevel

Data type: Simp::Runlevel

The default runlevel to which the system should be set

Default value: 3

restrict_max_logins

Data type: Boolean

Enable restrictions of the number of simultaneous logins a user may have

  • Has no effect if $pam is false

Default value: true

manage_ctrl_alt_del

Data type: Boolean

Include the simp::ctrl_alt_del class, which, by default, disables the use of ctrl_alt_del and logs all instances of the event.

Default value: true

manage_root_metadata

Data type: Boolean

Include the simp::root_user class, which manages resources related to the root user

Default value: true

manage_root_perms

Data type: Boolean

Ensure that /root has restricted permissions and proper SELinux contexts

Default value: true

manage_rc_local

Data type: Boolean

Include the simp::rc_local class

  • This disables rc.local by default but you may also use it to set custom content

Default value: true

pam

Data type: Boolean

Enable management of PAM resources via SIMP modules

Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })

sssd

Data type: Boolean

Enable management of SSSD resources via SIMP modules

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => true })

ldap

Data type: Boolean

Enable management of LDAP resources via SIMP modules

Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })

stock_sssd

Data type: Boolean

Add a default setup that will successfully connect to the SIMP LDAP server, if enabled, and will otherwise provide a functional SSSD stack for the system

  • Has no effect if $sssd is false

Default value: true

classification_warning

Data type: Boolean

Create a warning notification if 'include simp' will not auto-classify a node.

Default value: true

vardir_owner

Data type: String[1]

Owner for the ${facts['puppet_vardir']}/simp directory. Defaults to 'root' if a platform doesn't specify

vardir_group

Data type: String[1]

Group for the ${facts['puppet_vardir']}/simp directory. Defaults to 'root' if a platform doesn't specify

vardir_mode

Data type: Stdlib::Filemode

Mode for the ${facts['puppet_vardir']}/simp directory. Defaults to '0750' if a platform doesn't specify

simp::admin

Manage administrator group system access, auditor access, and default sudo rules

Examples

The following is generally needed for transitions to root
Additional rules should be added for non-root users
simp::admin::admin_sudo_options:
  role: 'unconfined_r'
simp::admin::auditor_sudo_options:
  role: 'unconfined_r'

Parameters

The following parameters are available in the simp::admin class:

admin_group

Data type: String

The group name of the Administrators for the system

  • This group will be provided with the ability to sudo to root on the system

Default value: 'administrators'

passwordless_admin_sudo

Data type: Boolean

Allow administrators to use sudo without a password

  • This is on by default due to the expected use of SSH keys without local passwords

Default value: true

auditor_group

Data type: String

The group name of the system auditors group

  • This group is provided with the ability to perform selected safe commands as root on the system for auditing purposes

Default value: 'security'

passwordless_auditor_sudo

Data type: Boolean

Allow auditors to use sudo without a password

  • This is on by default due to the expected use of SSH keys without local passwords

Default value: true

admins_allowed_from

Data type: Simplib::Netlist

The locations from which administrators are allowed to access the system

Default value: ['ALL']

auditors_allowed_from

Data type: Simplib::Netlist

The locations from which auditors are allowed to access the system

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

force_logged_shell

Data type: Boolean

Only allow sudo to a shell via a logging shell

Default value: true

logged_shell

Data type: Enum['sudosh','tlog']

The name of the logged shell to use

Default value: 'tlog'

default_admin_sudo_cmnds

Data type: Array[String[2]]

The set of commands that $admin_group should be able to run by default

Default value: ['/bin/su - root']

admin_sudo_options

Data type: Hash

A hash of sudo options to give to all admin sudo root transition and puppet commands

Default value: { 'role' => 'unconfined_r' }

auditor_sudo_options

Data type: Hash

A hash of sudo options to give to all specified auditor sudo commands

Default value: {}

admin_runas

Data type: String

What to set the runas user for all admin sudo root transition and puppet commands

Default value: 'root'

auditor_runas

Data type: String

What to set the runas user for all specified auditor sudo commands

Default value: 'root'

pam

Data type: Boolean

Allow SIMP management of the PAM stack

  • Without this, it is quite likely that your system is not going to respond as expected with the rules in this class

Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })

set_polkit_admin_group

Data type: Boolean

If the system has PolicyKit support, will register $admin_group as a valid administrative group on the system

Default value: true

set_selinux_login

Data type: Boolean

Ensure that the SELinux login for $admin_group is set

  • This is recommended if you set the __default__ seusers mapping to user_u

See also: seusers(5)

Default value: false

selinux_user_context

Data type: String[1]

The selinux user context to assign to $admin_group

  • Has no effect if $set_selinux_login is not set

Default value: 'staff_u'

selinux_user_mls_range

Data type: String[1]

The selinux MLS range to assign to $admin_group

  • Has no effect if $set_selinux_login is not set

Default value: 's0-s0:c0.c1023'
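
The rules that these parameters boil down to, as an added example that is not simp::admin's own code or templates: a shell helper that renders the sudoers(5) user specification and the pam_access access.conf line implied by an admin or auditor group, then syntax-checks the sudoers line with visudo when it is installed. The group names, command lists and networks are constructed inputs, and the exact text SIMP's sudo and pam modules emit may differ; what the example shows is where each parameter lands (runas user, SELinux ROLE=, the NOPASSWD tag, and the login origins).

```shell
#!/bin/sh
# Added example: render the sudo and pam_access rules that simp::admin's
# parameters describe.  Constructed inputs; not SIMP's own templates.

# $1 group, $2 runas user, $3 "true" for passwordless sudo, $4 space-separated
# sudo options such as "ROLE=unconfined_r" (the SELinux_Spec of sudoers(5)),
# $5 comma-separated command list.  Output order follows the sudoers grammar:
# Runas_Spec, SELinux_Spec, Tag_Spec, Cmnd.
render_sudo_rule() {
  group="$1"; runas="$2"; passwordless="$3"; options="$4"; cmds="$5"
  tag=""
  if [ "$passwordless" = true ]; then tag="NOPASSWD: "; fi
  printf '%%%s ALL=(%s) %s%s%s\n' "$group" "$runas" "${options:+$options }" "$tag" "$cmds"
}

# Translate a Simplib::Netlist-style list (comma separated) into the origin
# field of a pam_access "+" rule: "+ : <group> : <origin> [<origin>...]".
render_access_rule() {
  group="$1"; netlist="$2"
  printf '+ : %s : %s\n' "$group" "$(printf '%s' "$netlist" | tr ',' ' ')"
}

# Syntax-check a rendered rule with visudo when it is available.  visudo -c -f
# parses the named file without installing it; with -f the owner/mode checks
# are off unless -O/-P are given.  Returns visudo's status, or 0 with a note
# on stderr when visudo is not installed (e.g. in a build container).
check_sudo_rule() {
  if ! command -v visudo >/dev/null 2>&1; then
    echo "visudo not found; syntax check skipped" >&2
    return 0
  fi
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$tmp"
  visudo -c -q -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Rules for the default admin parameters and for a restricted auditor group
# (the auditor command list and networks are constructed for the example).
ADMIN_RULE=$(render_sudo_rule administrators root true 'ROLE=unconfined_r' '/bin/su - root')
AUDITOR_RULE=$(render_sudo_rule security root true '' '/bin/cat /var/log/secure, /usr/bin/last')
ADMIN_ACCESS=$(render_access_rule administrators 'ALL')
AUDITOR_ACCESS=$(render_access_rule security '10.0.0.0/8,192.168.1.0/24')

if [ "${1:-}" = "--show" ]; then
  printf '%s\n%s\n%s\n%s\n' "$ADMIN_RULE" "$AUDITOR_RULE" "$ADMIN_ACCESS" "$AUDITOR_ACCESS"
  check_sudo_rule "$ADMIN_RULE" && check_sudo_rule "$AUDITOR_RULE"
fi
```

Run with `--show` to print the four rules and, where visudo exists, confirm the sudoers lines parse. Note what the defaults mean together: passwordless sudo for the admin group plus admins_allowed_from of ['ALL'] makes possession of an administrator's SSH key equivalent to root from anywhere, so narrowing the access rule's origins is the first lever to pull.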

simp::base_apps

Services this class manages:

  • irqbalance (enabled by default by vendor)
  • netlabel (not installed by vendor)

Parameters

The following parameters are available in the simp::base_apps class:

ensure

Data type: Simp::PackageEnsure

The $ensure status of all of the included packages

  • Version pinning is not supported
  • If you need version pinning, do not include this class

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

extra_apps

Data type: Optional[Array[String,1]]

A list of other applications that you wish to install

Default value: undef

manage_elinks_config

Data type: Optional[Boolean]

DEPRECATED: This functionality is not required for normal operation of the system and should be moved to external management.

Default value: undef

simp::base_services

Deprecated - This class will be removed in a future version of SIMP.

simp::ctrl_alt_del

Manage the state of pressing ctrl-alt-del

Parameters

The following parameters are available in the simp::ctrl_alt_del class:

enable

Data type: Boolean

Allow ctrl-alt-del to restart the system

Default value: false

log

Data type: Boolean

Instead of just disabling the command, set the system up to write a log entry when the key combination is pressed

Default value: true

log_users

Data type: Boolean

Record all logged in users in the log message

Default value: true

facility

Data type: Simplib::Syslog::Facility

The syslog facility to use for the log message

Default value: 'local6'

severity

Data type: Simplib::Syslog::Severity

The syslog severity to use for the log message

Default value: 'warning'

simp::kmod_blacklist

Blacklist kernel modules, by default the set called out by the SCAP Security Guide

Parameters

The following parameters are available in the simp::kmod_blacklist class:

enable_defaults

Data type: Boolean

Enable to use the default blacklist, otherwise just the $custom_blacklist will be used

Default value: true

blacklist

Data type: Array[String,1]

List of kernel modules to be blacklisted by default

Default value:

[
    'bluetooth',
    'cramfs',
    'dccp',
    'dccp_ipv4',
    'dccp_ipv6',
    'freevxfs',
    'hfs',
    'hfsplus',
    'ieee1394',
    'jffs2',
    'net-pf-31',
    'rds',
    'sctp',
    'squashfs',
    'tipc',
    'udf',
    'usb-storage'
  ]

produce_error

Data type: Boolean

If set to true, any disabled modules will point to '/bin/false', which will produce an error when anyone attempts to load the module. Default is false, which will point to '/bin/true', which will not produce any error.

Default value: false

custom_blacklist

Data type: Array[String]

Additional kernel modules to be blacklisted

Default value: []

allow_overrides

Data type: Boolean

Allow kernel module rules that come before the blacklist and disable entries to be added, so that an optional override can still autoload a module when needed

  • If this is not set, you will be unable to optionally override the disabling of the modules

Default value: true

lock_modules

Data type: Boolean

Disallow all further modification to modules without a reboot

  • Requires that the kernel.modules_disabled sysctl option is available

Default value: false

notify_if_reboot_required

Data type: Boolean

Trigger a 'reboot_notify' resource that will warn at every puppet run that a reboot is required if necessary.

Default value: true

simp::kmod_blacklist::lock_modules

Prevent any further kernel modules from being loaded into the system until the system has been rebooted.

This will only take effect if the system has the kernel.modules_disabled sysctl feature.

  • WARNING: It is highly likely that you will prevent important modules from loading (such as networking) if you enable this. Test thoroughly before enabling.

Parameters

The following parameters are available in the simp::kmod_blacklist::lock_modules class:

enable

Data type: Any

Lock all module loading abilities

Default value: true

notify_if_reboot_required

Data type: Any

If the change requires the system to be rebooted to take effect, a notification will be printed during puppet runs until the system has been rebooted.

Default value: true

persist

Data type: Any

Lock all modules at boot time.

Default value: false
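
To see what simp::kmod_blacklist and simp::kmod_blacklist::lock_modules amount to on a running host, an added example that is not the module's own code: it renders the modprobe.d lines that $blacklist and $produce_error imply, lists blacklisted modules that are nevertheless still loaded (a blacklist only stops future loads, so a reboot or rmmod is needed for modules already in the kernel), and reads the kernel.modules_disabled switch that lock_modules relies on. The /proc/modules excerpt is constructed; the comments show what to pass on a live host.

```shell
#!/bin/sh
# Added example (not the module's own template): render the modprobe.d
# configuration a blacklist like simp::kmod_blacklist's produces and audit a
# running system against it.

# Emit one "blacklist" line (stops autoloading by alias) and one "install"
# line (overrides explicit loading) per module.  $2 mirrors $produce_error:
# "true" points the install line at /bin/false so 'modprobe <mod>' fails
# loudly; anything else at /bin/true so the load silently does nothing.
render_modprobe_blacklist() {
  mods="$1"; produce_error="${2:-false}"
  if [ "$produce_error" = true ]; then target=/bin/false; else target=/bin/true; fi
  for m in $mods; do
    printf 'blacklist %s\n' "$m"
    printf 'install %s %s\n' "$m" "$target"
  done
}

# /proc/modules reports names with underscores even when the blacklist
# spells them with hyphens (usb-storage -> usb_storage), so normalise before
# matching.  $2 is the text of /proc/modules; pass "$(cat /proc/modules)"
# on a live host.  Prints the loaded offenders; returns 1 if there are any.
loaded_blacklisted() {
  mods="$1"; proc_modules="$2"; found=""
  for m in $mods; do
    norm=$(printf '%s' "$m" | tr '-' '_')
    if printf '%s\n' "$proc_modules" | awk -v n="$norm" '$1 == n { hit = 1 } END { exit !hit }'; then
      found="${found:+$found }$m"
    fi
  done
  printf '%s\n' "$found"
  [ -z "$found" ]
}

# kernel.modules_disabled is a one-way switch: 1 means no further module
# loading until reboot.  $1 is the sysctl value; on a live host use
# "$(sysctl -n kernel.modules_disabled 2>/dev/null || echo 0)".
modules_locked() {
  [ "${1:-0}" = "1" ]
}

# The class's default $blacklist.
DEFAULT_BLACKLIST='bluetooth cramfs dccp dccp_ipv4 dccp_ipv6 freevxfs hfs hfsplus ieee1394 jffs2 net-pf-31 rds sctp squashfs tipc udf usb-storage'

# Constructed /proc/modules excerpt for the offline demo (not from a real host).
SAMPLE_PROC_MODULES='usb_storage 73728 0 - Live 0x0000000000000000
xfs 1540096 2 - Live 0x0000000000000000
dccp 98304 0 - Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then
  render_modprobe_blacklist "$DEFAULT_BLACKLIST" true
  echo "Blacklisted but loaded: $(loaded_blacklisted "$DEFAULT_BLACKLIST" "$(cat /proc/modules)")"
  if modules_locked "$(sysctl -n kernel.modules_disabled 2>/dev/null || echo 0)"; then
    echo "module loading is locked until reboot"
  else
    echo "module loading is NOT locked"
  fi
fi
```

Against the constructed sample, dccp and usb-storage are reported as loaded even though both are on the default list; that is the state a host is in between applying the blacklist and its next reboot, and exactly the case where enabling lock_modules on a live system would freeze those modules in place.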

simp::mountpoints

Add security settings to several mounts on the system.

Parameters

The following parameters are available in the simp::mountpoints class:

manage_tmp_perms

Data type: Boolean

Ensure that /tmp, /var/tmp, and /usr/tmp, all have the proper permissions and SELinux contexts.

Default value: true

manage_proc

Data type: Boolean

Manage the /proc mount on the system

Default value: true

manage_sys

Data type: Boolean

Manage the /sys mount on the system

Default value: true

sys_options

Data type: Array[String]

The mountpoint options for /sys

Default value: ['rw','nodev','noexec']

manage_dev_pts

Data type: Boolean

Manage the /dev/pts mount on the system

Default value: true

simp::mountpoints::proc

Mount /proc

Parameters

The following parameters are available in the simp::mountpoints::proc class:

proc_hidepid

Data type: Integer[0,2]

  • 0: This is the system default setting and provides no access restrictions on /proc

  • 1: With this option a normal user does not see other users' processes in ps, top, etc., but their process directories are still visible in /proc

  • 2 (default): Users are only able to see their own processes (as with hidepid=1), and other users' process IDs are also hidden in /proc

Default value: 2

manage_proc_group

Data type: Boolean

Enable management of the group that allows access to /proc

  • This was added, and enabled by default, to fix an issue with polkit updates, per the vendor's recommended guidance

Default value: true

proc_group

Data type: String[1]

The group name to be associated with $proc_gid

Default value: pick($facts.dig('simplib__mountpoints', '/proc', 'options_hash', '_gid__group'), 'simp_proc_read')

proc_gid

Data type: Integer[0]

This group will be able to see all processes on the system regardless of the $proc_hidepid setting

  • If this is set to 0 then the gid option will be removed from the option string

Default value: pick($facts.dig('simplib__mountpoints', '/proc', 'options_hash', 'gid'), 231)
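
An added example, not simp::mountpoints::proc's own code, that builds the /proc option string these parameters describe and audits a host's current state: the effective hidepid level, the gid that bypasses it, and which accounts hold that gid (every one of them sees all processes regardless of the level). The /proc/mounts option string and /etc/group excerpt are constructed; the mapping of hidepid=invisible to level 2 assumes the symbolic names that kernels from 5.8 on report.

```shell
#!/bin/sh
# Added example, not simp::mountpoints::proc's own code.  Constructed samples
# are marked below; the --live branch shows the real inputs.

# hidepid plus the optional gid= override; gid 0 means "no gid option", as
# the $proc_gid parameter specifies.
proc_mount_opts() {
  hidepid="$1"; gid="${2:-0}"
  opts="hidepid=$hidepid"
  if [ "$gid" != 0 ]; then opts="$opts,gid=$gid"; fi
  printf '%s\n' "$opts"
}

# Effective hidepid level from a mount option string.  Kernels from 5.8 on
# accept and report the symbolic names (off/noaccess/invisible), so both
# spellings are mapped; no hidepid option means the default of 0.
proc_hidepid_level() {
  for o in $(printf '%s' "$1" | tr ',' ' '); do
    case "$o" in
      hidepid=0|hidepid=off)       echo 0; return 0 ;;
      hidepid=1|hidepid=noaccess)  echo 1; return 0 ;;
      hidepid=2|hidepid=invisible) echo 2; return 0 ;;
    esac
  done
  echo 0
}

# gid= value from a mount option string, or 0 when none is set.
proc_gid_option() {
  for o in $(printf '%s' "$1" | tr ',' ' '); do
    case "$o" in gid=*) echo "${o#gid=}"; return 0 ;; esac
  done
  echo 0
}

# Members of the group that bypasses hidepid, as "<group>:<members>".
# $1 is the gid, $2 the text of /etc/group (pass "$(cat /etc/group)" live).
hidepid_bypass_members() {
  printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1 ":" $4 }'
}

# Constructed samples (not from a real host).
SAMPLE_PROC_MOUNT_OPTS='rw,nosuid,nodev,noexec,relatime,hidepid=invisible,gid=231'
SAMPLE_GROUP_DB='root:x:0:
polkitd:x:998:
simp_proc_read:x:231:polkitd,zabbix'

if [ "${1:-}" = "--live" ]; then
  opts=$(findmnt -no OPTIONS /proc)
  echo "hidepid level: $(proc_hidepid_level "$opts")"
  gid=$(proc_gid_option "$opts")
  echo "bypass gid: $gid"
  if [ "$gid" != 0 ]; then hidepid_bypass_members "$gid" "$(cat /etc/group)"; fi
fi
```

The last function is the check worth keeping: hidepid=2 is only as strong as the membership of the gid group, so any account added to it (a monitoring agent, for instance) regains a full process listing.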

simp::mountpoints::tmp

Manages the various tmp mounts with optional security features.

  • See also
    • mount(8)

Parameters

The following parameters are available in the simp::mountpoints::tmp class:

secure

Data type: Boolean

  • Set noexec,nosuid,nodev on temp directories as appropriate and bind mount /var/tmp to /tmp

  • If /tmp is not a separate partition, then it will be bind mounted to itself with the modified settings

  • NOTE: If you have previously secured these directories, setting this to false will not set them to any particular other mode. This is because there is no way to know why you are changing these settings or what, exactly, you want them to be.

Default value: true

tmp_opts

Data type: Array[String]

If $secure is true, add these mount options to the /tmp directory

  • If set to an empty Array, it will simply preserve the options that are currently in place
  • Any no* options will override their more permissive counterparts that are currently set on the system

Default value: ['noexec','nodev','nosuid']

var_tmp_opts

Data type: Array[String]

Works the same way as $tmp_opts

Default value: ['noexec','nodev','nosuid']

dev_shm_opts

Data type: Array[String]

Works the same way as $tmp_opts

Default value: ['noexec','nodev','nosuid']

tmp_service

Data type: Boolean

If on systemd system, enable and activate the tmp.mount service

  • Note: If you set this to true on a system that does not already have the tmp.mount service running, you may find that the service cannot start due to processes locking files in the existing /tmp directory. If this occurs, you can run lsof /tmp to determine what is locking. You will probably need to reboot your system to start with a properly clean /tmp mount.

Default value: (fact('tmp_mount_fstype_tmp') == 'tmpfs') ? { true => true, default => false }
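
The option-merge rule that $tmp_opts, $var_tmp_opts and $dev_shm_opts describe, as an added example that is not simp::mountpoints::tmp's own code: an empty list preserves the current options, and each no* option displaces its permissive counterpart. The helper also reports which of the required options a mount is missing; the option strings in the offline check are constructed, and the live branch reads the real ones with findmnt.

```shell
#!/bin/sh
# Added example, not simp::mountpoints::tmp's own code: the option-merge rule
# the tmp_opts parameters describe, plus a check of the current mounts.

# $1 options currently on the mount (comma separated), $2 the options to add.
# An empty $2 preserves $1 unchanged; each no* option in $2 displaces its
# permissive counterpart already present (noexec drops exec); options already
# present are not duplicated and the original order is otherwise kept.
merge_mount_opts() {
  current="$1"; wanted="$2"; result=""
  if [ -z "$wanted" ]; then printf '%s\n' "$current"; return 0; fi
  for cur in $(printf '%s' "$current" | tr ',' ' '); do
    keep=1
    for w in $(printf '%s' "$wanted" | tr ',' ' '); do
      if [ "$cur" = "$w" ]; then keep=0; fi
      case "$w" in no*) if [ "$cur" = "${w#no}" ]; then keep=0; fi ;; esac
    done
    if [ "$keep" = 1 ]; then result="${result:+$result,}$cur"; fi
  done
  for w in $(printf '%s' "$wanted" | tr ',' ' '); do
    result="${result:+$result,}$w"
  done
  printf '%s\n' "$result"
}

# Print the required options absent from a mount's option string; return 1
# if any are missing, 0 when the mount is compliant.
missing_mount_opts() {
  have="$1"; need="$2"; missing=""
  for n in $(printf '%s' "$need" | tr ',' ' '); do
    case ",$have," in
      *",$n,"*) ;;
      *) missing="${missing:+$missing,}$n" ;;
    esac
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

REQUIRED='noexec,nodev,nosuid'   # the class defaults for /tmp, /var/tmp, /dev/shm

if [ "${1:-}" = "--live" ]; then
  for mp in /tmp /var/tmp /dev/shm; do
    # findmnt prints the effective options of the mount at $mp; a plain
    # directory (no separate mount, not yet bind-mounted) prints nothing.
    have=$(findmnt -no OPTIONS "$mp" 2>/dev/null)
    if [ -z "$have" ]; then
      echo "$mp: not a mount point; would need a bind mount to itself"
      continue
    fi
    if miss=$(missing_mount_opts "$have" "$REQUIRED"); then
      echo "$mp: ok ($have)"
    else
      echo "$mp: missing $miss; merged options would be $(merge_mount_opts "$have" "$REQUIRED")"
    fi
  done
fi
```

Run with `--live` on a host to see each tmp location's state. The "not a mount point" branch is the case the $secure note above covers: without a separate partition the directory has no options of its own until it is bind-mounted onto itself.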

simp::netconsole

Configure /etc/sysconfig/netconsole and the netconsole service

Parameters

The following parameters are available in the simp::netconsole class:

ensure

Data type: Enum['present','absent']

Ensure 'present' or 'absent' on the kernel parameter

target_ip

Data type: Optional[Simplib::IP]

UDP syslog receiver IP address

Default value: undef

target_macaddr

Data type: Optional[Simplib::MacAddress]

UDP syslog receiver MAC address

Default value: undef

target_port

Data type: Optional[Simplib::Port]

UDP syslog receiver port

Default value: undef

source_port

Data type: Optional[Simplib::Port]

Port from which to send logs

Default value: undef

source_device

Data type: Optional[String]

Network interface from which to send logs

Default value: undef

package_ensure

Data type: String[1]

The ensure parameter for the netconsole package when applicable

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp::nsswitch

A SIMP profile for using the nsswitch module to manage /etc/nsswitch

  • Note: This class uses the trlinkin/nsswitch module.

Parameters

The following parameters are available in the simp::nsswitch class:

ldap

Data type: Boolean

SIMP global catalyst to enable LDAP

Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })

sssd

Data type: Boolean

SIMP global catalyst to enable sssd

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })

defaults

Data type: Hash

sssd_options

Data type: Hash

ldap_options

Data type: Hash

overrides

Data type: Hash

Default value: {}

simp::one_shot

Configure a system to run Puppet once and then finalize itself (optionally removing Puppet, the host PKI certificates, and the finalization script) after that run has completed successfully.

This should not be used as part of the standard SIMP runpuppet configuration

Parameters

The following parameters are available in the simp::one_shot class:

enable_user

Data type: Boolean

Add a one_shot user account that will be able to login to the system

Default value: true

user_name

Data type: String

The username to use for remote access

Default value: 'simp_one_shot'

user_password

Data type: Optional[String[8]]

The password for the user in passwd-compatible salted hash form

  • NOTE: Either user_password or user_ssh_public_key must be specified

Default value: undef

user_uid

Data type: Integer

The UID of the user

Default value: 1777

user_gid

Data type: Integer

The GID of the user

Default value: $user_uid

user_home

Data type: Pattern['^/']

The full path to the user's home directory

Default value: "/var/local/${user_name}"

user_ssh_authorized_key

Data type: Optional[String[1]]

The SSH authorized key for the user

  • See the native ssh_authorized_key resource definition for details

Default value: undef

user_ssh_authorized_key_type

Data type: String[1]

The type of the SSH authorized key for the user

  • See the native ssh_authorized_key resource definition for details

Default value: 'ssh-rsa'

user_sudo_users

Data type: String

The users to which $user_name may escalate via sudo

Default value: 'root'

user_sudo_commands

Data type: Array[String[1]]

The commands that $user_name is allowed to execute via sudo as one of the allowed users

Default value: ['ALL']

user_passwordless_sudo

Data type: Boolean

Allow the user to use passwordless sudo

  • If not set, the user_password must be specified

Default value: false

user_allowed_from

Data type: Array[String[1]]

The pam_access compatible locations that the user will be logging in from

  • Set to ['ALL'] to allow from any location

Default value: ['ALL']

finalize_dry_run

Data type: Boolean

Run the finalization script in 'dry run' mode and only print what would have been done

Default value: false

finalize_remove_pki

Data type: Boolean

Remove the SIMP installed host PKI certificates

Default value: false

finalize_remove_puppet

Data type: Boolean

Remove the puppet packages from the system during finalization

Default value: true

finalize_remove_script

Data type: Boolean

Remove the finalization script itself from the system

Default value: true

finalize_debug

Data type: Boolean

Enable syslog output debugging on the one_shot finalization script

Default value: false

simp::one_shot::finalize

NOTE: THIS IS A PRIVATE CLASS

Finalize a one_shot system by removing items from the system that may cause issues once Puppet is gone (the host PKI certificates, the puppet packages, and the finalization script itself, as selected by the parameters below)

Parameters

The following parameters are available in the simp::one_shot::finalize class:

dry_run

Data type: Boolean

Run the finalization script in 'dry_run' mode and output all commands

Default value: $simp::one_shot::finalize_dry_run

remove_pki

Data type: Boolean

Remove the SIMP installed host PKI certificates

Default value: $simp::one_shot::finalize_remove_pki

remove_puppet

Data type: Boolean

Remove the 'puppet' package from the system

Default value: $simp::one_shot::finalize_remove_puppet

remove_script

Data type: Boolean

Remove the finalization script itself from the system

Default value: $simp::one_shot::finalize_remove_script

enable_debug

Data type: Boolean

Default value: $simp::one_shot::finalize_debug

simp::one_shot::user

NOTE: THIS IS A PRIVATE CLASS

Parameters

The following parameters are available in the simp::one_shot::user class:

enable

Data type: Boolean

Enable the one_shot capabilities

Default value: $simp::one_shot::enable_user

username

Data type: String

The username to use for remote access

Default value: $simp::one_shot::user_name

password

Data type: Optional[String]

The password for the user in passwd-compatible salted hash form

Default value: $simp::one_shot::user_password

home

Data type: Pattern['^/']

The full path to the user's home directory

Default value: $simp::one_shot::user_home

uid

Data type: Integer

The UID of the user

Default value: $simp::one_shot::user_uid

gid

Data type: Integer

The GID of the user

Default value: $simp::one_shot::user_gid

ssh_authorized_key

Data type: Optional[String[1]]

The SSH public key for the user

  • See the native ssh_authorized_key resource definition for details

Default value: $simp::one_shot::user_ssh_authorized_key

ssh_authorized_key_type

Data type: String[1]

The SSH public key type

  • See the native ssh_authorized_key resource definition for details

Default value: $simp::one_shot::user_ssh_authorized_key_type

sudo_users

Data type: String

The users to which $username may escalate via sudo

Default value: $simp::one_shot::user_sudo_users

passwordless_sudo

Data type: Boolean

Enable passwordless sudo for the user

Default value: $simp::one_shot::user_passwordless_sudo

sudo_commands

Data type: Array[String]

The commands that $username is allowed to execute via sudo as one of the allowed users

Default value: $simp::one_shot::user_sudo_commands

allowed_from

Data type: Array[String]

The pam_access compatible locations that the user will be logging in from

  • Set to ['ALL'] to allow from any location

Default value: $simp::one_shot::user_allowed_from

simp::pam_limits::max_logins

Restrict the max logins on a system via PAM

Parameters

The following parameters are available in the simp::pam_limits::max_logins class:

value

Data type: Pam::Limits::Value

The maximum number of logins that a user may have simultaneously

  • The default meets CCE-27457-1

Default value: 10

simp::prelink

Manage prelinking

Parameters

The following parameters are available in the simp::prelink class:

enable

Data type: Boolean

Whether to enable prelinking. Prelinking can only be enabled if the server is NOT in FIPS mode.

  • When $enable is true and $facts['fips_enabled'] is false, ensures the prelink package is installed and prelinking has been enabled.

  • When $enable is false or $facts['fips_enabled'] is true, ensures the prelink package is not installed, undoing any existing prelinking, if needed. This satisfies the SCAP Security Guide's OVAL check xccdf_org.ssgproject.content_rule_disable_prelink.

Default value: false

ensure

Data type: String

The $ensure status of the prelink package, when $enable is true and $facts['fips_enabled'] is false.

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp::puppetdb

A wrapper around puppetdb::server that applies SIMP settings (trusted networks, firewall, and PKI handling) for SIMP compatibility.

NOTE: Hiera variables must be set appropriately under the puppetdb namespace

All other parameters are taken directly from puppetdb::server

Parameters

The following parameters are available in the simp::puppetdb class:

trusted_nets

Data type: Simplib::Netlist

This is used to allow specific hosts access to PuppetDB

  • This should be restricted to only those hosts that need to talk to PuppetDB, primarily Puppet Masters.

  • Unfortunately, this cannot be set via exported resources since PuppetDB needs to be running prior to exported resources functioning properly. Once PuppetDB is up, then you can switch this to exported resources mode using the use_exported_resources variable.

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

listen_address

Data type: Simplib::IP

Default value: '127.0.0.1'

listen_port

Data type: Simplib::Port

Default value: 8138

open_listen_port

Data type: Boolean

Default value: false

ssl_deploy_certs

Data type: Boolean

Default value: true

ssl_set_cert_paths

Data type: Boolean

Default value: true

ssl_listen_address

Data type: Simplib::IP

Default value: '0.0.0.0'

ssl_listen_port

Data type: Simplib::Port

Default value: 8139

cipher_suites

Data type: Array[Simp::Puppetdb::Ciphersuites]

Cipher suites supported by PuppetDB's HTTP interface (jetty). Used to set puppetdb::cipher_suites.

use_puppet_ssl_certs

Data type: Boolean

Default value: true

disable_ssl

Data type: Boolean

Default value: false

manage_package_repo

Data type: Boolean

Default value: false

database_password

Data type: String

Default value: simplib::passgen('simp_puppetdb')

read_database_username

Data type: String

Default value: 'simp_puppetdb'

read_database_password

Data type: String

Default value: simplib::passgen('simp_read_puppetdb')

read_database_name

Data type: String

Default value: 'simp_puppetdb'

read_database_ssl

Data type: Optional[Boolean]

This parameter has been deprecated, because its corresponding puppetdb::server parameter has been replaced with puppetdb::server::read_database_jdbc_ssl_properties. Use $read_database_jdbc_ssl_properties = '?ssl=true' instead.

Default value: undef

read_database_jdbc_ssl_properties

Data type: String

Default value: '?ssl=true'

manage_firewall

Data type: Boolean

Default value: true

manage_puppetserver

Data type: Boolean

Default value: true

java_max_memory

Data type: String

Default value: '40%'

java_start_memory

Data type: Optional[String]

Default value: undef

java_tmpdir

Data type: Stdlib::Absolutepath

Default value: '/opt/puppetlabs/puppet/cache/pdb_tmp'

java_heapdump_on_oom

Data type: Boolean

Default value: false

java_prefer_ipv4

Data type: Boolean

Default value: true

java_use_code_cache_flushing

Data type: Boolean

Default value: true

automatic_dlo_cleanup

Data type: Boolean

Default value: true

dlo_max_age

Data type: Integer

Default value: 90

disable_update_checking

Data type: Boolean

Default value: true

firewall

Data type: Boolean

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })

simp::rc_local

By default, this class will disable the file altogether

Parameters

The following parameters are available in the simp::rc_local class:

content

Data type: String

Set to 'disable' to disable the file completely

  • Any other value will be written to the file after an optional management banner

Default value: 'disable'

shell

Data type: Stdlib::Absolutepath

The shell to use to execute the rc.local file

Default value: '/bin/bash'

management_comment

Data type: Boolean

Adds a 'managed by Puppet' comment to the top of the file

Default value: true

simp::root_user

Manage resources related to the root user

Parameters

The following parameters are available in the simp::root_user class:

manage_perms

Data type: Boolean

Ensure that $home has restricted permissions and proper SELinux contexts.

Default value: true

manage_user

Data type: Boolean

Ensure the root user has appropriate UIDs and groups, etc

Default value: true

manage_group

Data type: Boolean

Ensure the root group has the appropriate GID, etc

Default value: true

hashed_password

Data type: Optional[Simplib::ShadowPass]

Validate the correctness of the password hash and then pass it through to the User resource for root

Default value: undef

password

Data type: Optional[String[1]]

Pass this through untouched to the User resource for root

  • Please use $hashed_password if possible

Default value: undef
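
Both simp::one_shot's user_password and the hashed_password parameter above expect a "passwd-compatible salted hash", and a plaintext string pasted into Hiera is the common mistake. As an added example that is not Simplib::ShadowPass's actual pattern or any SIMP code: a format check that accepts only crypt(3) SHA-256 ($5$) and SHA-512 ($6$) strings, next to the openssl one-liner that produces a valid one. The sample hash is a constructed placeholder with the right shape, not the hash of any password; yescrypt ($y$) hashes are not covered by this check.

```shell
#!/bin/sh
# Added example (not Simplib::ShadowPass's pattern): format check for the
# salted hash that user_password and hashed_password expect.

# Accept only crypt(3) SHA-256 ($5$) and SHA-512 ($6$) strings of the form
#   $<id>$[rounds=N$]<salt, up to 16 chars>$<hash>
# Plaintext, MD5 ($1$), and empty salt or hash fields are rejected.
is_shadow_hash() {
  printf '%s' "$1" | grep -Eq '^\$(5|6)\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$'
}

# Produce a SHA-512 crypt hash for the password given on stdin.  openssl
# passwd -6 exists from OpenSSL 1.1.1 on and picks a random salt.
# Usage: printf '%s' 'correct horse battery staple' | make_shadow_hash
make_shadow_hash() {
  openssl passwd -6 -stdin
}

# Constructed placeholder with the right shape (not a hash of any password).
SAMPLE_HASH='$6$Q9s1Zb3x$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv'

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  if is_shadow_hash "$2"; then
    echo "looks like a SHA-crypt hash"
  else
    echo "NOT a usable hash; do not put this in Hiera" >&2
    exit 1
  fi
fi
```

Run `./check.sh --check '<value>'` on the string before committing it to Hiera; a rejected value is either plaintext or a legacy algorithm that the system's PAM stack may not accept.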

username

Data type: String[1]

The username of the root user

Default value: 'root'

uid

Data type: Integer[0]

The UID of the root user

Default value: 0

gid

Data type: Integer[0]

The GID of the root user

Default value: 0

shell

Data type: Stdlib::Absolutepath

The shell to use for the root user

Default value: '/bin/bash'

home

Data type: Stdlib::Absolutepath

The home directory of the root user

Default value: "/${username}"

simp::scenario::base

NOTE: THIS IS A PRIVATE CLASS

This class defines the baseline configuration that a SIMP-managed system should have. It is expected that users may deviate from this configuration over time, but this should be an effective starting place.

Parameters

The following parameters are available in the simp::scenario::base class:

mail_server

Data type: Variant[Boolean,Enum['remote']]

Install a local mail service on the system

  • If true will install only a locally usable MTA
  • If remote will install a full mail server capable of processing remote connections
    • If you use a remote server, you'll need to set the appropriate parameters for the postfix class

Default value: $::simp::mail_server

rsync_stunnel

Data type: Variant[Boolean,Simplib::Host]

The rsync server from which files should be retrieved

  • May be set to false to disable the rsync stunnel connection
  • If unset, will default to the Puppet server itself

Default value: $::simp::rsync_stunnel

use_ssh_global_known_hosts

Data type: Boolean

If true, use the ssh_global_known_hosts function to gather the various host SSH public keys and populate the /etc/ssh/known_hosts file.

Default value: $::simp::use_ssh_global_known_hosts

puppet_server_hosts_entry

Data type: Boolean

Add a host entry for the Puppet server to the catalog

  • This has no effect if the $server_facts Hash is not populated

Default value: $::simp::puppet_server_hosts_entry

use_sudoers_aliases

Data type: Boolean

If true, enable simp site sudoers aliases

Default value: $::simp::use_sudoers_aliases

runlevel

Data type: Simp::Runlevel

The default runlevel to which the system should be set

Default value: $::simp::runlevel

restrict_max_logins

Data type: Boolean

Enable restrictions of the number of simultaneous logins a user may have

  • Has no effect if $pam is false

Default value: $::simp::restrict_max_logins

manage_ctrl_alt_del

Data type: Boolean

Include the simp::ctrl_alt_del class, which, by default, disables the use of ctrl_alt_del and logs all instances of the event.

Default value: $::simp::manage_ctrl_alt_del

manage_root_metadata

Data type: Boolean

Include the simp::root_user class, which manages resources related to the root user

Default value: $::simp::manage_root_metadata

manage_root_perms

Data type: Boolean

Ensure that /root has restricted permissions and proper SELinux contexts

Default value: $::simp::manage_root_perms

manage_rc_local

Data type: Boolean

Include the simp::rc_local class

  • This disables rc.local by default but you may also use it to set custom content

Default value: $::simp::manage_rc_local

pam

Data type: Boolean

Enable management of PAM resources via SIMP modules

Default value: $::simp::pam

sssd

Data type: Boolean

Enable management of SSSD resources via SIMP modules

Default value: $::simp::sssd

ldap

Data type: Boolean

Enable management of LDAP resources via SIMP modules

Default value: $::simp::ldap

stock_sssd

Data type: Boolean

Add a default setup that will successfully connect to the SIMP LDAP server, if enabled, and will otherwise provide a functional SSSD stack for the system

  • Has no effect if $sssd is false

Default value: $::simp::stock_sssd

simp::scenario::poss

NOTE: THIS IS A PRIVATE CLASS

This provides a minimal system that connects to a SIMP Puppet server.

This class does not provide security for a system; it is designed simply to allow you to connect to the Puppet server and run puppet as a client.

This class requires no additional configuration to function.

Parameters

The following parameters are available in the simp::scenario::poss class:

puppet_server_hosts_entry

Data type: Boolean

Add a host entry for the Puppet server to the catalog

  • This has no effect if the $server_facts Hash is not populated

Default value: $::simp::puppet_server_hosts_entry

simp::server

configuration data appropriately to your clients.

Parameters

The following parameters are available in the simp::server class:

allow_simp_user

Data type: Boolean

Ensure that the simp user can login to the system

Default value: false

pam

Data type: Boolean

Enable SIMP management of the PAM stack

Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })

clamav

Data type: Boolean

Deprecated. Enable SIMP management of Antivirus

This parameter and the simp_options::clamav catalyst are deprecated and both will be removed in a future SIMP release. Once removed, if you want to manage ClamAV, you will have to manually include the clamav class from the simp-clamav module in the server's class list.

Default value: simplib::lookup('simp_options::clamav', { 'default_value' => false })

auditd

Data type: Boolean

Enable SIMP management of auditing

Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })

scenario

Data type: String

The SIMP scenario to apply to the server

  • It is not advised to change this from simp

Default value: simplib::lookup('simp::scenario', { 'default_value' => 'simp' })

classes

Data type: Array[String]

Additional classes to include on the server in addition to those included in the scenario

Default value: []

scenario_map

Data type: Hash[String, Array]

An internal parameter used for determining the correct classes to apply for the scenario

simp::server::kickstart

server for your client hosts.

  • Note: You need both a DHCP and TFTP server for unattended Kickstart to work, but you can use your own if you already have them.

Parameters

The following parameters are available in the simp::server::kickstart class:

data_dir

Data type: Stdlib::Absolutepath

The location of the web root in which the kickstart directory, 'ks', will reside.

Default value: '/var/www'

trusted_nets

Data type: Simplib::Netlist

The networks to allow into the Kickstart server.

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })

manage_dhcp

Data type: Boolean

If true, have this node act as a DHCP server.

Default value: true

manage_tftpboot

Data type: Boolean

If true, have this node act as a TFTP server.

Default value: true

manage_runpuppet

Data type: Boolean

Deprecated. The runpuppet script has been replaced by the simp_client_bootstrap script. The runpuppet script did not work well on CentOS 7 and will not work on CentOS 8. Remember to update your kickstart scripts to call the correct script. See the bootstrap scripts in simp-core under build/distributions for examples. This parameter will be removed in later versions.

Default value: false

manage_simp_client_bootstrap

Data type: Boolean

If true, generate the simp_client_bootstrap sysv init script and simp_client_bootstrap.service systemd service unit file in $data_dir/ks.

Default value: true

sslverifyclient

Data type: Enum['require','none']

Verify the certificate of the kickstart client. One of optional, require, none, optional_no_ca.

Default value: 'none'

simp::server::kickstart::simp_client_bootstrap

that can be run to bootstrap SIMP clients via Puppet, in a fashion similar to simp bootstrap, the bootstrap script for the SIMP server.

The three scripts managed by this class are as follows:

  • bootstrap_simp_client: a Ruby script that configures system services primarily using Puppet and logs the results of all configuration actions to file

  • $service_root_name: sysv init script that calls bootstrap_simp_client to bootstrap the server and then reboots the client to complete the bootstrap operation

  • <$service_root_name>.service: systemd service unit file that uses bootstrap_simp_client to bootstrap the server and then reboots the client to complete the bootstrap operation

Parameters

The following parameters are available in the simp::server::kickstart::simp_client_bootstrap class:

data_dir

Data type: Stdlib::Absolutepath

The location of the web root in which the kickstart directory will reside. Only used to compute the default for directory.

Default value: simplib::lookup('simp::server::kickstart::data_dir', { 'default_value' => '/var/www'})

directory

Data type: Stdlib::Absolutepath

The directory containing the three managed scripts. By default is a subdirectory within data_dir.

Default value: "${data_dir}/ks"

service_root_name

Data type: String

The root name of the sysv/systemd service scripts.

Default value: 'simp_client_bootstrap'

ntp_servers

Data type: Variant[Array, Hash]

An array of ntp servers or hash of server/value pairs that should be used during client kickstarts to slew the local time correctly prior to PKI key distribution.

NOTE: Failure to set the system clock will not cause the simp_client_bootstrap scripts to fail to execute.

Default value: simplib::lookup('simp_options::ntpd::servers', { 'default_value' => [] })

set_static_hostname

Data type: Boolean

Whether to persist the hostname retrieved by DHCP as a static hostname. This prevents problems that can arise when the DHCP lease expires in the middle of bootstrap puppet runs. Is not applicable for RedHat/CentOS 6.

Default value: true

puppet_server

Data type: Optional[Simplib::Host]

The FQDN of your Puppet server

  • If not set, will use $server_facts['servername'], or the puppet server set in puppet.conf if trusted_server_facts isn't set or found.

Default value: simplib::lookup('simp_options::puppet::server', { 'default_value' => undef })

puppet_ca

Data type: Optional[Simplib::Host]

The FQDN of your Puppet CA

  • If not set, will use $server_facts['servername'], or the puppet server set in puppet.conf if trusted_server_facts isn't set or found.

Default value: simplib::lookup('simp_options::puppet::ca', { 'default_value' => undef })

puppet_ca_port

Data type: Simplib::Port

The port upon which the Puppet CA is listening.

Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })

puppet_digest_algorithm

Data type: String

The digest algorithm Puppet uses for file resources and the filebucket (e.g. sha256, sha384, sha512).

Default value: 'sha256'

puppet_keylength

Data type: Optional[Integer[2048]]

Puppet certificate keylength. When unset, value is determined based on $fips, to work around Puppet bugs in FIPS mode. (See $fips.)

Default value: undef

puppet_print_stats

Data type: Boolean

If true, print statistics for each client puppet run during bootstrap.

Default value: true

puppet_wait_for_cert

Data type: Variant[Integer[0],Boolean]

If set to an integer, the bootstrap_simp_client script will wait for this many seconds between checking into the puppet master for a signed certificate. This will go on until a signed certificate is presented.

If set to false or 0, the client will immediately timeout if a signed certificate is not presented.

Default value: 10

num_puppet_runs

Data type: Integer[1]

Number of puppet agent runs (after the initial tagged run) to execute, in order to converge to a stable system configuration.

Default value: 2

initial_retry_interval

Data type: Integer[1]

Initial retry interval in seconds for reattempting a failed puppet agent run.

Default value: 10

retry_factor

Data type: Float[0.1]

The factor to be applied to the retry interval for a puppet run. The retry interval is multiplied by this factor for each retry. For example, if $initial_retry_interval is 10 and the retry factor is 1.5, the first retry would occur 10 seconds after the initial attempt, the second retry would occur 10*1.5 seconds after that, the third retry would occur 10*1.5*1.5 seconds after that, etc.

Default value: 1.5

max_seconds

Data type: Integer[1]

Maximum number of seconds this bootstrap script is allowed to run. Script will abort if it does not complete within this allotted time.

Default value: 1800

reboot_on_failure

Data type: Boolean

Whether to reboot the server if the SIMP client bootstrap service fails to bootstrap the client. This allows the client to attempt to fix its bootstrap problem without manual intervention. However, for sites containing a large number of clients, the repeated cycle of <multiple puppet agent attempts + reboot> may overtax the Puppet server. In this case, disabling this feature may be most appropriate.

Default value: true

fips

Data type: Boolean

If true, set puppet keylength to 2048, else 4096. This non-compliant setting is to work around problems with older versions of Ruby. It will be fixed when Puppet fully supports FIPS mode.

Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
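The timing parameters above (initial_retry_interval, retry_factor, max_seconds, num_puppet_runs, reboot_on_failure) interact, and it is easy to pick a combination that either hammers the Puppet server or gives up too early. The following is an added example, not code from the simp module or its bootstrap_simp_client script: it models the retry schedule those parameters describe so a setting can be checked before it lands in a kickstart. It assumes (the page does not say) that agent runs take no simulated time, that the backoff interval keeps growing across runs rather than resetting, and that run outcomes come from a constructed list instead of real puppet agent runs.

```ruby
# Added example; not the simp module's bootstrap_simp_client implementation.
class BootstrapRetryPlan
  attr_reader :initial_retry_interval, :retry_factor, :max_seconds,
              :num_puppet_runs, :reboot_on_failure

  # Defaults are the page's defaults for the corresponding parameters.
  def initialize(initial_retry_interval: 10, retry_factor: 1.5,
                 max_seconds: 1800, num_puppet_runs: 2, reboot_on_failure: true)
    # Mirror the documented types: Integer[1], Float[0.1], Integer[1], Integer[1]
    raise ArgumentError, 'initial_retry_interval must be >= 1' if initial_retry_interval < 1
    raise ArgumentError, 'retry_factor must be >= 0.1' if retry_factor < 0.1
    raise ArgumentError, 'max_seconds must be >= 1' if max_seconds < 1
    raise ArgumentError, 'num_puppet_runs must be >= 1' if num_puppet_runs < 1
    @initial_retry_interval = initial_retry_interval
    @retry_factor = retry_factor
    @max_seconds = max_seconds
    @num_puppet_runs = num_puppet_runs
    @reboot_on_failure = reboot_on_failure
  end

  # Retry delays in seconds: the first retry waits initial_retry_interval,
  # each later retry waits the previous delay multiplied by retry_factor
  # (10, 15, 22.5, ... with the defaults). Delays are listed only while the
  # cumulative wait stays within max_seconds, the point at which the
  # bootstrap script aborts.
  def retry_delays
    delays = []
    delay = initial_retry_interval.to_f
    total = 0.0
    while total + delay <= max_seconds
      delays << delay
      total += delay
      delay *= retry_factor
    end
    delays
  end

  # Runs the client must complete: the initial tagged run plus the
  # num_puppet_runs convergence runs.
  def required_runs
    1 + num_puppet_runs
  end

  Outcome = Struct.new(:bootstrapped, :attempts, :waited_seconds, :reboot_now)

  # Walk a constructed list of per-attempt results (true = the agent run
  # succeeded). Returns once enough runs have succeeded, or once the next
  # retry would exceed max_seconds; in the failure case reboot_now reflects
  # reboot_on_failure, the knob that decides whether the client keeps
  # retrying unattended or waits for an operator.
  def simulate(attempt_results)
    delays = retry_delays
    completed = 0
    attempts = 0
    retries = 0
    waited = 0.0
    attempt_results.each do |ok|
      attempts += 1
      if ok
        completed += 1
        return Outcome.new(true, attempts, waited, false) if completed >= required_runs
      else
        # No delay left in the schedule: the next wait would pass max_seconds.
        return Outcome.new(false, attempts, waited, reboot_on_failure) if retries >= delays.length
        waited += delays[retries]
        retries += 1
      end
    end
    # Constructed input ran out before the client converged.
    Outcome.new(false, attempts, waited, reboot_on_failure)
  end
end

if __FILE__ == $PROGRAM_NAME
  plan = BootstrapRetryPlan.new
  puts "retries that fit in #{plan.max_seconds}s: #{plan.retry_delays.length}"
  puts plan.simulate([false, true, false, false, true, true]).to_h
end
```

With the defaults, 11 retries fit inside the 1800 second window before the script aborts; lowering max_seconds or raising retry_factor shrinks that number quickly.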

simp::server::ldap

If you are setting up a consumer LDAP server, remember that the three digit RID must be unique for each consumer server that you attach to the same master.

Parameters

The following parameters are available in the simp::server::ldap class:

is_slave

Data type: Boolean

Deprecated in favor of vendor-aligned update: is_consumer

Default value: false

is_consumer

Data type: Boolean

If true, set this node up as an LDAP consumer. The Hiera parameter ldap::master will be used as the master server.

If you want to use values other than the defaults provided by simp_openldap::server::syncrepl, leave this as 'false', include this class, and call simp_openldap::server::syncrepl with your values as appropriate.

Default value: $is_slave

rid

Data type: Integer[0]

The RID of the system. See simp_openldap::server::syncrepl for additional information.

Default value: 111

bind_dn

Data type: String

Used for setting up sync limits for the bind user.

Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => '' })

sync_dn

Data type: String

Used for setting up sync limits for consumer nodes.

Default value: simplib::lookup('simp_options::ldap::sync_dn', { 'default_value' => '' })

enable_lastbind

Data type: Boolean

If true, enable the 'lastbind' plugin for OpenLDAP. This records the last time a user logs into a system within LDAP itself. Note, if you have auditing enabled, this will cause an LDAP audit record every time someone logs into any system connected to the LDAP server.

Default value: false

simp::server::rsync_shares

If you don't have these provided somewhere, many of the modules will not function properly.

If you want additional BIND DNS spaces to be served out from rsync, you'll need to enable them separately.

This module is directly dependent on the output of the simp_rsync_environments fact which discovers the location, and layout, of the facts on the hosting system. The shares will not be activated if the directory structure is not properly discovered.

Parameters

The following parameters are available in the simp::server::rsync_shares class:

rsync_base

Data type: Stdlib::Absolutepath

The path to the beginning of the rsync space for this system. There must be a directory per environment that you want to serve to clients.

  • NOTE: If you change this, you MUST create a custom fact for simp_rsync_environments with a Fact weight higher than 1.

Default value: '/var/simp/environments'

rsync_environments

Data type: Optional[Hash]

The environments that are present under $rsync_base on the RSync server.

Be VERY careful if you change this from the fact that it references by default.

Default value: $facts['simp_rsync_environments']

stunnel

Data type: Boolean

If set, trusted_nets will be set to 127.0.0.1 so that the stunnel'd rsync will be used.

Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => false })

trusted_nets

Data type: Simplib::Netlist

The hosts from which to allow access to the rsync shares. This option has no effect if $stunnel is true.

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

simp::server::yum

the default SIMP server.

Parameters

The following parameters are available in the simp::server::yum class:

data_dir

Data type: Stdlib::Absolutepath

Default value: '/var/www'

trusted_nets

Data type: Simplib::Netlist

The networks to allow into the YUM server.

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })

createrepo_ensure

Data type: String

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp::sssd::client

This should work for most out-of-the-box installations. Otherwise, it serves as an example of what you can do to make it work for your environment.

Parameters

The following parameters are available in the simp::sssd::client class:

local_domain

Data type: Boolean

DEPRECATED: This param does nothing. It will be removed in the next version

Default value: false

local_domain_options

Data type: Hash

DEPRECATED: This param does nothing. It will be removed in the next version

Default value: {}

ldap_domain

Data type: Boolean

Configure the LDAP domain

To enable the LDAP domain you must include 'LDAP' in sssd::domains via Hiera

Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })

ldap_domain_options

Data type: Hash

A Hash of options to pass directly into the sssd::domain defined type

Default value: {}

ldap_server_type

Data type: Variant[Boolean[false], Enum['plain','389ds']]

The type of LDAP server that the system is communicating with

  • This mainly matters for password policy details but may increase in scope in the future

  • Use 389ds for servers that are 'Netscape compatible'. This includes FreeIPA, Red Hat Directory Server, and other Netscape DS-derived systems

  • Use plain for servers that are 'regular LDAP' like OpenLDAP

Default value: $ldap_domain ? { false => false, default => undef }

ldap_provider_options

Data type: Hash

A Hash of options to pass directly into the sssd::provider::ldap defined type

Default value: {}

enumerate_users

Data type: Boolean

Have SSSD list and cache all the users that it can find on the remote system

  • Take care that you don't overwhelm your LDAP server if you enable this

Default value: false

cache_credentials

Data type: Boolean

Have SSSD cache the credentials of users that login to the system

Default value: true

min_id

Data type: Integer

The lowest user ID that SSSD should recognize from the remote server

Default value: 500

autofs

Data type: Boolean

Deprecated

Default value: true

sudo

Data type: Boolean

Deprecated

Default value: true

ssh

Data type: Boolean

Deprecated

Default value: true

enable_domain_warn

Data type: Boolean

Set to true to enable local domain warning

Default value: true

simp::sudoers

time.

None of this is mandatory and all can be changed via the different parameters.

Each section simply adds the entry to the sudoers file by joining the array together appropriately.

Parameters

The following parameters are available in the simp::sudoers class:

common_aliases

Data type: Boolean

Enable the 'common' aliases from simp::sudoers::aliases

Default value: false

default_entry

Data type: Array

The global default entry that should apply to all users

Default value:

[
    '!visiblepw',
    'always_set_home',
    'match_group_by_gid',
    'always_query_group_plugin',
    'listpw=all',
    'requiretty',
    'syslog=authpriv',
    '!root_sudo',
    '!umask',
    'secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin',
    'env_reset',
    'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
      LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
      LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
      LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
      LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
      _XKB_CHARSET XAUTHORITY"'
  ]

simp::sudoers::aliases

Take care not to add anything that can access a root shell

Parameters

The following parameters are available in the simp::sudoers::aliases class:

audit_alias

Data type: Array[Stdlib::AbsolutePath]

Commands useful for auditing the system

Default value:

[
    '/bin/cat',
    '/bin/ls',
    '/usr/bin/rvim',
    '/usr/bin/lsattr',
    '/sbin/aureport',
    '/sbin/ausearch',
    '/sbin/lspci',
    '/sbin/lsusb',
    '/sbin/lsmod',
    '/usr/sbin/lsof',
    '/bin/netstat',
    '/sbin/ifconfig -a',
    '/sbin/route ""',
    '/sbin/route -[venC]',
    '/usr/bin/getent',
    '/usr/bin/tail'
  ]

delegating_alias

Data type: Array[Stdlib::AbsolutePath]

Common system delegation activities

Default value:

[
    '/usr/sbin/visudo',
    '/bin/chown',
    '/bin/chmod',
    '/bin/chgrp'
  ]

drivers_alias

Data type: Array[Stdlib::AbsolutePath]

Provides the ability to load and unload kernel modules

Default value:

[
    '/sbin/modprobe'
  ]

locate_alias

Data type: Array[Stdlib::AbsolutePath]

Allow a user to update the mlocate database

Default value:

[
    '/usr/sbin/updatedb'
  ]

networking_alias

Data type: Array[Stdlib::AbsolutePath]

Allow a user to perform common network control activities

Default value:

[
    '/sbin/route',
    '/sbin/ifconfig',
    '/bin/ping',
    '/sbin/dhclient',
    '/usr/bin/net',
    '/sbin/iptables',
    '/usr/bin/rfcomm',
    '/usr/bin/wvdial',
    '/sbin/iwconfig',
    '/sbin/mii-tool'
  ]

processes_alias

Data type: Array[Stdlib::AbsolutePath]

Allow a user to manage system processes

Default value:

[
    '/bin/nice',
    '/bin/kill',
    '/usr/bin/kill',
    '/usr/bin/killall'
  ]

services_alias

Data type: Array[Stdlib::AbsolutePath]

Allow a user to manage system services

Default value:

[
    '/sbin/service',
    '/sbin/chkconfig'
  ]

selinux_alias

Data type: Array[Stdlib::AbsolutePath]

Allow a user to modify and debug SELinux

Default value:

[
    '/sbin/restorecon',
    '/usr/bin/audit2why',
    '/usr/bin/audit2allow',
    '/usr/sbin/getenforce',
    '/usr/sbin/setenforce',
    '/usr/sbin/setsebool'
  ]

software_alias

Data type: Array[Stdlib::AbsolutePath]

Allow for system software management

Default value:

[
    '/bin/rpm',
    '/usr/bin/up2date',
    '/usr/bin/yum'
  ]

storage_alias

Data type: Array[Stdlib::AbsolutePath]

Allow for storage management

Default value:

[
    '/sbin/fdisk',
    '/sbin/sfdisk',
    '/sbin/parted',
    '/sbin/partprobe',
    '/bin/mount',
    '/bin/umount'
  ]

su_alias

Data type: Array[Stdlib::AbsolutePath]

Allow unfettered access to su

Default value: [ '/bin/su' ]

simp::sysctl

point of view.

There are also items in this list that are particularly useful for general system security.

See the kernel documentation for the functionality of each variable.

The parameters below are grouped into performance related settings and security related settings.

Parameters

The following parameters are available in the simp::sysctl class:

net__netfilter__nf_conntrack_max

Data type: Integer[0]

Default value: 655360

net__unix__max_dgram_qlen

Data type: Integer[0]

Default value: 50

net__ipv4__neigh__default__gc_thresh3

Data type: Integer[0]

Default value: 2048

net__ipv4__neigh__default__gc_thresh2

Data type: Integer[0]

Default value: 1024

net__ipv4__neigh__default__gc_thresh1

Data type: Integer[0]

Default value: 32

net__ipv4__neigh__default__proxy_qlen

Data type: Integer[0]

Default value: 92

net__ipv4__neigh__default__unres_qlen

Data type: Integer[0]

Default value: 6

net__ipv4__tcp_rmem

Data type: Array[Integer,3,3]

Default value: [4096,98304,16777216]

net__ipv4__tcp_wmem

Data type: Array[Integer,3,3]

Default value: [4096,65535,16777216]

net__ipv4__tcp_fin_timeout

Data type: Integer[0]

Default value: 30

net__ipv4__tcp_rfc1337

Data type: Integer[0,1]

Default value: 1

net__ipv4__tcp_keepalive_time

Data type: Integer[0]

Default value: 3600

net__ipv4__tcp_mtu_probing

Data type: Integer[0,2]

Default value: 1

net__ipv4__tcp_no_metrics_save

Data type: Integer[0,1]

Default value: 0

net__core__rmem_max

Data type: Integer[0]

Default value: 16777216

net__core__wmem_max

Data type: Integer[0]

Default value: 16777216

net__core__optmem_max

Data type: Integer[0]

Default value: 20480

net__core__netdev_max_backlog

Data type: Integer[0]

Default value: 2048

net__core__somaxconn

Data type: Integer[0]

Default value: 2048

net__ipv4__tcp_tw_reuse

Data type: Integer[0,1]

Default value: 1

fs__inotify__max_user_watches

Data type: Integer[8912]

Increase the number of inotify watches allowed in order to prevent the systemctl error "Not Enough Disk Space" that occurs when the limit is reached.

Default value: 102400

fs__suid_dumpable

Data type: Integer[0,1]

Default value: 0

kernel__core_pattern

Data type: String

If you change this, make sure you create the leading directories!

Default value: '/var/core/%u_%g_%p_%t_%h_%e.core'

kernel__core_pipe_limit

Data type: Integer[0]

Default value: 0

kernel__core_uses_pid

Data type: Integer[0,1]

Default value: 1

kernel__dmesg_restrict

Data type: Integer[0,1]

Default value: 1

kernel__exec_shield

Data type: Integer[0,1]

DEPRECATED BY VENDOR; WILL BE REMOVED IN NEXT RELEASE

Default value: 1

kernel__panic

Data type: Integer[0]

Default value: 10

kernel__randomize_va_space

Data type: Integer[0,2]

Default value: 2

kernel__sysrq

Data type: Integer[0]

Default value: 0

net__ipv4__conf__all__accept_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__all__accept_source_route

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__all__log_martians

Data type: Integer[0,1]

Default value: 1

net__ipv4__conf__all__rp_filter

Data type: Integer[0,2]

Default value: 1

net__ipv4__conf__all__secure_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__all__send_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__default__accept_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__default__accept_source_route

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__default__log_martians

Data type: Integer[0,1]

Default value: 1

net__ipv4__conf__default__rp_filter

Data type: Integer[0,2]

Default value: 1

net__ipv4__conf__default__secure_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__conf__default__send_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv4__icmp_echo_ignore_broadcasts

Data type: Integer[0,1]

Default value: 1

net__ipv4__icmp_ignore_bogus_error_responses

Data type: Integer[0,1]

Default value: 1

net__ipv4__tcp_challenge_ack_limit

Data type: Integer[0]

Default value: 2147483647

net__ipv4__tcp_max_syn_backlog

Data type: Integer[1]

Default value: 4096

net__ipv4__tcp_syncookies

Data type: Integer[0,1]

Default value: 1

net__ipv6__conf__all__accept_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__all__accept_source_route

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__all__autoconf

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__all__forwarding

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__all__accept_ra

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_ra

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_ra_defrtr

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_ra_pinfo

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_ra_rtr_pref

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_redirects

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__accept_source_route

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__autoconf

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__dad_transmits

Data type: Integer[0,1]

Default value: 0

net__ipv6__conf__default__max_addresses

Data type: Integer[0]

Default value: 1

net__ipv6__conf__default__router_solicitations

Data type: Integer[0,1]

Default value: 0

core_dumps

Data type: Boolean

If true, enable core dumps on the system.

Default value: false

core_dump_dir

Data type: Stdlib::AbsolutePath

Directory to place core dumps

Default value: '/var/core'

pam

Data type: Boolean

SIMP catalyst for enabling PAM management. As set, meets CCE-27033-0.

Default value: simplib::lookup('simp_options::pam', { 'default_value' => false })

ipv6

Data type: Optional[Boolean]

Set to false to disable IPv6 on your system via sysctl

Default value: undef

simp::version

Places SIMP version related information on the filesystem

simp::yum::repo::internet_simp

Configure yum to use the internet public repository for SIMP

Parameters

The following parameters are available in the simp::yum::repo::internet_simp class:

simp_repos_package

Data type: String[1]

Name of the SIMP yum repository package. This package provides yum repository files for SIMP Puppet modules and their dependencies.

Default value: 'simp-release-community'

simp_repos_package_url

Data type: String[1]

URL to the SIMP yum repository package

Default value: "https://download.simp-project.com/${simp_repos_package}.rpm"

package_ensure

Data type: Simp::PackageEnsure

The $ensure status of $simp_repos_package.

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_release_version

Data type: Optional[Simp::Version]

The Major(X), Minor(Y), or Patch(Z) release of SIMP you want.

  • The format is 'X', 'X.Y', 'X.Y.Z', or 'X.Y.Z-iteration'. For example, '6', '6.5', '6.5.0', or '6.5.0-0'.
  • Setting this to a 'X' will install the latest release for that SIMP Major version and grab updates for all future minor and patch releases in that Major version of SIMP. This is the appropriate setting if you want all SIMP releases as they are tested and released.
  • Setting this to 'X.Y' will install the latest X.Y release and grab updates for all future patches to that X.Y version, but never update to the next Minor version. This is the appropriate setting if you want a specific Minor version of SIMP, but don't want to install a new Minor version.
  • Setting this to 'X.Y.Z' or 'X.Y.Z-iteration' will install that specific SIMP release and never grab any updates. This is the appropriate setting, along with $simp_release_type = 'releases', if you want only a specific release of SIMP, and no future updates.
  • When not set, this class will attempt to detect the version of SIMP installed on the system and fail if the version cannot be detected.

Default value: undef

simp_release_type

Data type: String

Type of release you want:

  • 'releases': Packages from fully tested SIMP releases. This is the recommended setting.
  • 'rolling': Packages that have not yet made it into a SIMP release, but have been tested and released individually with confidence.
  • 'unstable/6': Packages in the unstable repository for SIMP 6. This is extremely dangerous and not recommended for production environments.

Default value: 'releases'

simp::yum::repo::internet_simp_dependencies

The packagecloud yum repository that used to be configured by this class is no longer maintained. As an interim workaround, this class now uses simp::yum::repo::internet_simp to configure the correct repositories. You should switch to using simp::yum::repo::internet_simp directly, as this class will be removed in a future release.

Parameters

The following parameters are available in the simp::yum::repo::internet_simp_dependencies class:

simp_release_slug

Data type: Optional[String]

The unique release URL "slug" of SIMP for the target release.

Default value: undef

simp::yum::repo::internet_simp_server

The packagecloud yum repository that used to be configured by this class is no longer maintained. As an interim workaround, this class now uses simp::yum::repo::internet_simp to configure the correct repository. You should switch to using simp::yum::repo::internet_simp directly, as this class will be removed in a future release.

Parameters

The following parameters are available in the simp::yum::repo::internet_simp_server class:

simp_release_slug

Data type: Optional[String]

The unique release URL "slug" of SIMP for the target release.

Default value: undef

simp::yum::repo::local_os_updates

Generally, this is used by the ISO installation's SIMP agents.

  • By default, baseurl and GPG key URLs will work with repositories managed with simp::server::yum.

  • Multiple yum servers and arbitrary URLs are accepted; see the servers parameter for details.

  • For more complex scenarios, create a site-specific profile and use the native yumrepo type directly.

@example Describing a single server by FQDN

When classified to a CentOS 7 x86_64 host, this creates an os_updates

class { 'simp::yum::repo::local_os_updates': servers => ['yum.test.simp'] }

@example Describing several servers with FQDN and full URL.

When classified to a CentOS 7 x86_64 host, this creates an os_updates yumrepo with a 3-entry baseurl and a 3-entry gpgkey

class { 'simp::yum::repo::local_os_updates':
  servers => [
    'yum.test.simp',
    'yum2.test.simp',
    'https://yum.updates.url/specific/path/to/repo/c7-64-u'
  ],
  gpgkey  => 'https://yum.updates.url/full/path/to/repo/c6-64-u/RPM-GPG-KEY-CentOS-7',
}

Parameters

The following parameters are available in the simp::yum::repo::local_os_updates class:

servers

Data type: Array[Simp::HostOrURL]

An Array of FQDNs, IPs, or URLs containing the yum server(s) to use.

  • An FQDN or IP will be assumed to host its yum repository and GPG keys at the URLs established by simp::server::yum.

  • A URL will be used as-is, and should point directly to its yum repository.

This parameter has no effect if the baseurl parameter is set directly.

enable_repo

Data type: Boolean

Enables or disables the Yum repo

Default value: true

extra_gpgkey_urls

Data type: Simp::Urls

An optional Array of URLs of additional GPG key files to include. This parameter has no effect if the gpgkey parameter is set directly.

Default value: []

relative_repo_path

Data type: String[1]

The path to the yum repo, relative to the URL(s) derived from $servers. This parameter has no effect if the baseurl parameter is set directly.

Default value: "${facts['os']['name']}/${facts['os']['release']['major']}/${facts['os']['architecture']}"

relative_gpgkey_path

Data type: String[1]

The path to the GPG keys, relative to the yum server. It defaults to where both the ISO and the simp-gpgkeys RPM install them: SIMP/GPGKEYS. This parameter has no effect if the gpgkey parameter is set directly.

Default value: 'SIMP/GPGKEYS'

baseurl

Data type: Optional[String[1]]

This parameter only works on EL7 systems. The URL for this repository. Set this to absent to remove it from the repo file completely. Set this parameter directly to skip all of the automated URL logic derived from servers and relative_repo_path.

Default value: undef

gpgkey

Data type: Optional[String[1]]

The URL for the GPG key with which packages from this repository are signed. Set this parameter directly to completely skip default URL/path logic.

Default value:

simp::yum::repo::gpgkey_string(
      $servers,
      simp::yum::repo::gpgkeys::os_updates(),
      $relative_gpgkey_path,
      $extra_gpgkey_urls
  )

simp::yum::repo::local_simp

Generally, this is used by the ISO installation's SIMP agents.

  • By default, baseurl and GPG key URLs will work with repositories managed with simp::server::yum.

  • Multiple yum servers and arbitrary URLs are accepted; see the servers parameter for details.

  • For more complex scenarios, create a site-specific profile and use the native yumrepo type directly.

@example Describing a single server by FQDN

When classified to a CentOS 7 x86_64 host, this creates a simp yumrepo:

```puppet
class { 'simp::yum::repo::local_simp':
  servers => ['yum.test.simp'],
}
```

@example Describing several servers by FQDN and full URL

When classified to a CentOS 7 x86_64 host, this creates a simp yumrepo with a 3-entry baseurl and multiple gpgkey entries:

```puppet
class { 'simp::yum::repo::local_simp':
  servers => [
    'yum.test.simp',
    'yum2.test.simp',
    'https://yum.updates.url/full/path/to/repo/c7-64-u',
  ],
}
```

@example Describing a single server with specific URLs

This explicitly sets the baseurl and gpgkey keys in simp.repo, overriding all other parameters and the automatic URL logic:

```puppet
class { 'simp::yum::repo::local_simp':
  baseurl => 'https://yum.test.simp/yum/SIMP/CentOS/8/x86_64',
  gpgkey  => [
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-EPEL-8',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-PGDG-94',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-PGDG-96',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-SIMP',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-SIMP-6',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-puppet',
    'https://yum.test.simp/yum/SIMP/GPGKEYS/RPM-GPG-KEY-puppetlabs',
  ].join("\n "),
}
```

Parameters

The following parameters are available in the simp::yum::repo::local_simp class:

servers

Data type: Array[Simp::HostOrURL]

An Array of FQDNs, IPs, or URLs containing the yum server(s) to use.

  • An FQDN or IP is assumed to host its yum repository and GPG keys at the URLs established by simp::server::yum.

  • A URL will be used as-is, and should point directly to its yum repository.

This parameter has no effect if the baseurl parameter is set directly.

enable_repo

Data type: Boolean

Enables or disables the Yum repo

Default value: true

extra_gpgkey_urls

Data type: Simp::Urls

An optional Array of URLs of additional GPG key files to include. This parameter has no effect if the gpgkey parameter is set directly.

Default value: []

relative_repo_path

Data type: String[1]

The path to the yum repo, relative to the URL(s) derived from $servers. This parameter has no effect if the baseurl parameter is set directly.

Default value: "SIMP/${facts['os'][name]}/${facts['os']['release']['major']}"

relative_gpgkey_path

Data type: String[1]

The relative path to the GPGKEYS for the SIMP repo. It defaults to the directory where simp-gpgkeys installs the gpgkeys.

Default value: 'SIMP/GPGKEYS'

baseurl

Data type: Optional[String[1]]

The URL for this repository. Set this to absent to remove it from the file completely. Set this parameter directly to completely skip all automated URL logic.

Default value: simp::yum::repo::baseurl_string($servers, "${relative_repo_path}/${facts['os']['architecture']}")

gpgkey

Data type: Optional[String[1]]

The URL for the GPG key with which packages from this repository are signed. Set this parameter directly to completely skip default URL/path logic.

Default value:

simp::yum::repo::gpgkey_string(
    $servers,
    simp::yum::repo::gpgkeys::simp(),
    $relative_gpgkey_path,
    $extra_gpgkey_urls
  )

simp::yum::schedule

Set up a YUM update schedule.

Parameters

The following parameters are available in the simp::yum::schedule class:

enable

Data type: Boolean

Enable or disable the update schedule

Default value: true

minute

Data type: Simplib::Cron::Minute

String Cron minute

Default value: '12'

hour

Data type: Simplib::Cron::Hour

String Cron hour

Default value: '0'

monthday

Data type: Simplib::Cron::MonthDay

String Cron monthday

Default value: '*'

month

Data type: Simplib::Cron::Month

String Cron month

Default value: '*'

weekday

Data type: Simplib::Cron::Weekday

String Cron weekday

Default value: '*'

repos

Data type: Array[String]

If you only want to update from specific repos, then set the repos variable to an Array with those repo names

Default value: ['all']

disable

Data type: Array[String]

If you want to disable specific repos, then set the $disable variable to an Array with those repo names

Default value: []

exclude_pkgs

Data type: Array[String]

Packages to exclude from the update

Default value: []

randomize

Data type: Integer

The maximum number of minutes yum will randomly wait before running. This spreads update traffic across the window instead of having every client hit the repo server at the same scheduled minute.

Default value: 5

quiet

Data type: Boolean

Set to false if you want to see the chatter from yum

Default value: true

Functions

simp::knockout

Type: Puppet Language

Deprecated knockout function, see simplib::knockout

simp::knockout(Array $array)

Deprecated knockout function, see simplib::knockout

Returns: Array[String]

array

Data type: Array

The array to knock out

simp::yum::repo::baseurl_string

Type: Puppet Language

Build the multi-line baseurl value for a SIMP yum repository from a list of servers.

simp::yum::repo::baseurl_string(Array[Simp::HostOrURL] $servers, String $simp_baseurl_path)

Build the multi-line baseurl value for a SIMP yum repository from a list of servers: each FQDN or IP is expanded to the URL layout established by simp::server::yum plus $simp_baseurl_path, and each URL entry is used as-is.

Returns: Variant[Undef,String]

servers

Data type: Array[Simp::HostOrURL]

The list of YUM servers (FQDNs, IPs, or URLs)

simp_baseurl_path

Data type: String

The path to the yum repo, relative to each server's base URL

simp::yum::repo::gpgkey_string

Type: Puppet Language

Build the multi-line gpgkey value for a SIMP yum repository. Of limited use outside of an ISO install.

simp::yum::repo::gpgkey_string(Array[Simp::HostOrURL] $servers, Array[String] $simp_gpgkeys, String $simp_baseurl_path, Simp::Urls $extra_gpgkey_urls = [])

Build the multi-line gpgkey value for a SIMP yum repository: the GPG key URLs derived from $servers, $simp_gpgkeys and $simp_baseurl_path, followed by any $extra_gpgkey_urls. Of limited use outside of an ISO install.

Returns: Variant[Undef,String]

servers

Data type: Array[Simp::HostOrURL]

The list of YUM servers

simp_gpgkeys

Data type: Array[String]

The list of GPG Keys for SIMP

simp_baseurl_path

Data type: String

The path on the servers under which the GPG keys are published; the local_simp and local_os_updates classes pass their relative_gpgkey_path here

extra_gpgkey_urls

Data type: Simp::Urls

Additional GPG keys that need to be included
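The servers handling described for simp::yum::repo::local_os_updates and simp::yum::repo::local_simp above, and the two helper functions documented here, come down to a small amount of URL assembly. The following Python is an added example written for this reference, not code from the simp module: it mirrors the documented rules (a bare FQDN or IP is expanded under the server's yum tree plus the relative path, a URL entry is used as-is, extra GPG key URLs are appended) and adds a review check that flags any entry not served over HTTPS, since the Simp::Urls type admits plain http://. The https://<server>/yum/ prefix, the decision to skip URL-type entries when building gpgkey, and the four-space continuation indent are assumptions and not taken from the page; the hostnames and key names are constructed sample input.

```python
"""Added example: assemble multi-line yum baseurl/gpgkey values the way the
``servers`` parameter of simp::yum::repo::local_simp / local_os_updates is
documented to, then review the result.  Not code from the simp module."""
import re
from urllib.parse import urlsplit

# ASSUMPTIONS (not from the reference): a bare host/IP serves its repos under
# https://<host>/yum/, and multi-valued entries are continued with 4 spaces.
SCHEME = "https"
YUM_PREFIX = "yum"
JOIN = "\n    "

_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def is_url(entry: str) -> bool:
    """Simp::HostOrURL is either a Stdlib::HTTP(S)Url or a host/IP[:port]."""
    return bool(_URL_RE.match(entry))


def baseurl_string(servers, relative_repo_path):
    """Documented rule: a host/IP is expanded with the relative repo path,
    a URL 'will be used as-is'.  Returns None for an empty list (the page
    gives the function's return type as Variant[Undef,String])."""
    lines = []
    for s in servers:
        if is_url(s):
            lines.append(s.rstrip("/"))
        else:
            lines.append(f"{SCHEME}://{s}/{YUM_PREFIX}/{relative_repo_path}")
    return JOIN.join(lines) if lines else None


def gpgkey_string(servers, gpgkeys, relative_gpgkey_path, extra_gpgkey_urls=()):
    """One key URL per (host, key name) under relative_gpgkey_path, then the
    extra URLs.  URL-type server entries point straight at a repository, not
    at a GPGKEYS directory, so they contribute nothing here (assumption);
    list their keys in extra_gpgkey_urls instead."""
    lines = [
        f"{SCHEME}://{s}/{YUM_PREFIX}/{relative_gpgkey_path}/{key}"
        for s in servers if not is_url(s)
        for key in gpgkeys
    ]
    lines.extend(extra_gpgkey_urls)
    return JOIN.join(lines) if lines else None


def insecure_entries(multiline):
    """Review check: every baseurl/gpgkey entry not fetched over HTTPS.
    Simp::Urls accepts http://, so a plaintext key URL passes type checking
    while letting an on-path attacker substitute the signing key."""
    if not multiline:
        return []
    return [u for u in multiline.split() if urlsplit(u).scheme.lower() != "https"]


def render_repo(name, baseurl, gpgkey, enabled=True):
    """Render the yumrepo stanza.  gpgcheck=1 is fixed: keys are only worth
    listing if packages are actually verified against them."""
    if baseurl is None or gpgkey is None:
        raise ValueError("both baseurl and gpgkey are required")
    return (
        f"[{name}]\n"
        f"name={name}\n"
        f"enabled={int(enabled)}\n"
        f"gpgcheck=1\n"
        f"baseurl={baseurl}\n"
        f"gpgkey={gpgkey}\n"
    )


if __name__ == "__main__":
    # Constructed sample input modelled on the reference's examples.
    servers = ["yum.test.simp", "yum2.test.simp",
               "https://yum.updates.url/specific/path/to/repo/c7-64-u"]
    keys = ["RPM-GPG-KEY-SIMP", "RPM-GPG-KEY-puppet"]
    base = baseurl_string(servers, "SIMP/CentOS/7/x86_64")
    gpg = gpgkey_string(servers, keys, "SIMP/GPGKEYS",
                        ["http://keys.example.test/RPM-GPG-KEY-EXTRA"])
    print(render_repo("simp", base, gpg))
    for bad in insecure_entries(gpg):
        print(f"WARNING: not HTTPS: {bad}")
```

Running the module prints a simp.repo stanza with a three-entry baseurl and three gpgkey entries, and warns about the http:// key URL; when a class on this page is fed a real servers list, the same check applied to the resulting yumrepo resource is what a reviewer should expect to pass.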

simp::yum::repo::gpgkeys::os_updates

Type: Puppet Language

Build a list of GPG keys needed by a os_updates repo

simp::yum::repo::gpgkeys::os_updates()

Build a list of GPG keys needed by a os_updates repo

Returns: Array[String]

simp::yum::repo::gpgkeys::simp

Type: Puppet Language

Build a list of GPG keys needed by a simp repo

simp::yum::repo::gpgkeys::simp()

Build a list of GPG keys needed by a simp repo

Returns: Array[String]

simp::yum::repo::sanitize_simp_release_slug

Type: Puppet Language

DEPRECATED Sanitize the release slug in the SIMP repo URLs

The packagecloud repositories to which this release slug generated by this function corresponds are no longer maintained.

simp::yum::repo::sanitize_simp_release_slug(Optional[String] $simp_release_slug = undef)

DEPRECATED Sanitize the release slug in the SIMP repo URLs

The packagecloud repositories to which this release slug generated by this function corresponds are no longer maintained.

Returns: String

simp_release_slug

Data type: Optional[String]

The slug to sanitize

simp::yum::repo::simp_release_version

Type: Puppet Language

Returns the SIMP release version for use in SIMP internet yum repositories.

When $simp_release_version is specified, this value is simply returned. Otherwise, attempts to determine the SIMP release version automatically. When this automatic detection fails or the version is not a released version (e.g., Beta version), this function fails.

simp::yum::repo::simp_release_version(Optional[Simp::Version] $simp_release_version = undef)

Returns the SIMP release version for use in SIMP internet yum repositories.

When $simp_release_version is specified, this value is simply returned. Otherwise, attempts to determine the SIMP release version automatically. When this automatic detection fails or the version is not a released version (e.g., Beta version), this function fails.

Returns: Simp::Version

simp_release_version

Data type: Optional[Simp::Version]

Optional desired SIMP release version.

Data types

Simp::HostOrURL

Shortcut for either hosts or URLs

Alias of Variant[Simplib::Host, Simplib::Host::Port, Simplib::Hostname, Simplib::Hostname::Port, Simplib::IP::V4, Simplib::IP::V4::Port, Simplib::IP::V6, Simplib::IP::V6::Port, Stdlib::HTTPSUrl, Stdlib::HTTPUrl]

Simp::PackageEnsure

Valid package resource 'ensure' settings

Alias of Enum['latest', 'absent', 'present', 'installed']

Simp::Puppetdb::Ciphersuites

Valid TLS cipher suites for puppetdb, in the JSSE (Java) naming convention its JVM uses. Note that the list includes static RSA (TLS_RSA_*) suites, which lack forward secrecy, and CBC-mode suites; when restricting puppetdb's cipher list, prefer the ECDHE GCM entries.

Alias of Enum['TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA', 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV']

Simp::Runlevel

Valid system runlevel settings

Alias of Variant[Enum['rescue','multi-user','graphical'], Integer[1,5]]

Simp::Scenario

Valid SIMP scenarios

See the documentation for details on 'SIMP scenarios'

Alias of Enum['simp', 'simp_lite', 'poss', 'none', 'remote_access']

Simp::Urls

URL shortcut for SIMP classes

Alias of Array[Variant[Stdlib::HTTPSUrl,Stdlib::HTTPUrl]]

Simp::Version

Version of the form 'X', 'X.Y', 'X.Y.Z' or 'X.Y.Z-N'

Alias of Pattern['^[0-9]+(((\.[0-9]+){1,2})|((\.[0-9]+){2}\-[0-9]+))?$']