release/003.033 (2014-08-31)

    Add base::noipmi. This allows "odd" machines to suppress loading ipmi support and running the exec that disables cipher zero. (whm)

release/003.032 (2014-08-27)

    Remove yuelu from filter syslog exceptions. (whm)

release/003.032 (2014-08-22)

    Update the backports preferences file to pull the perl remctl support from backports. The newer module is required by the latest stanford-server package. (whm)

release/003.031 (2014-07-04)

    Change the work directory used by rsyslog for disk queues to match the package default. (whm)

    Change the queue.MaxFileSize to 100m to override the default of 1m in the default and ldap rsyslog fragments. This will prevent the creation of many small files when the syslog server is unreachable. (whm)

    Create /etc/facter/facts.d in puppetclient. This is the default /etc directory for external facts on both Debian and RHEL. (jonrober)

release/003.030 (2014-07-07)

    Fix for IPMI on kernels >= 3.13. (darrenp1)

    On each Puppet run on a system that enables Puppet, check if cipher zero is enabled and disable it if so. (rra)

    Update ssh filter-syslog rules for current staff members. (rra)

    Set the queue.TimeoutEnqueue parameter to zero for LDAP, TLS, and default rsyslog fragments. Reformat the fragments for readability. (whm)

release/003.029 (2014-06-17)

    Correct path new for RELP module fragment in base::syslog::tls_support. (whm)

release/003.028 (2014-06-17)

    Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)

    Update ssh filter-syslog rules for current staff members and add another failed login pattern. (rra)

    Add the squeeze-lts distribution to sources.list for squeeze systems. This is the long-term support archive, which provides extended security support. (rra)

    Adjust highWater marking settings for remote rsyslog queues based on suggestions from rsyslog start messages. (whm)

    Add base::syslog::tls to support TLS/RELP connections between an rsyslog client and an rsyslog server. (whm)

release/003.027 (2014-05-23)

    Update the v5 rsyslog default to remove deprecation warnings on v7 systems. (whm)

release/003.026 (2014-05-19)

    Change the default rsyslog configuration to assume v7 syntax. (whm)

    Update comments in remctl and ssh modules. (rra)

release/003.025 (2014-05-12)

    Change the default transport for rsyslog v5 remote syslog message delivery to UDP. This will result in message loss when the remote syslog server is unavailable, but it avoids the complexities of the v5 queue configuration. (whm)

release/003.024 (2014-05-08)

    Back out one of the boolean changes because the original test never was for a boolean. (whm)

release/003.023 (2014-05-07)

    Change handling of use_ parameters in rsyslog.pp to handle the cases where booleans must be tested as strings. (whm from Darren)

release/003.022 (2014-05-05)

    Removed smtp-bypass iptable fragments. Move it to s_emailrouter class. (sfeng)

    Change the handling of the use_syslog_conf variable in the rsyslog.conf.erb template to allow the variable to be either a string or a boolean. This works around a problem with puppet's handling of booleans in some situations. (whm)

    Clean up puppet client ERB file to better handle servers like frankoz2-new. (adamhl)

    Ignore another new variation on ssh logs from wheezy. (rra)

    Add dependencies in base::postfix::recipient on the postfix package so that the required directory structure will exist. (rra)

    Remove base::kerberos filter-syslog rules. These only had rules for ksu, which we no longer use, so they're now pointless. (rra)

    Coding style cleanup for base::syslog::fragment, using the newer method for handling defines that should take both source and content. (rra)

    Added web-aws rule to block non-root users from accessing the metadata URL. (sfeng)

    Default to the backports version of facter on wheezy systems to pick up the fix for detecting Xen VMs. (rra)

    Modify the default rsyslog configuration for V7 servers. The new configuration creates separate queues for writing to the local disk and sending to the remote syslog server. This prevents messages from being lost when the central server is down and allows writing to local disk to continue. (whm)

release/003.021 (2014-03-11)

    Fix cron issues on RHEL. (darrenp1)

release/003.020 (2014-03-05)

    Remove class that used lsdb-dev for dev Puppet CA (should have been removed a long time ago). (adamhl)

release/003.019 (2014-02-27)

    Fix typo in reolv.conf.erb. This change only affects some DNS servers. (myl)

release/003.018 (2014-02-24)

    Set the default behavior for rsyslog to forward /etc/messages to the central syslog service, i.e. logsink.stanford.edu. (whm)

release/003.017 (2014-02-24)

    Correct rsyslog v7 template. The template fix removes an extra space that is causing problems for filter syslog parsing. This change also reverts the default behavior of forwarding syslog to the logsink servers. (whm)

release/003.016 (2014-02-19)

    Added a new xinetd configuration file: stunnel. (adamhl)

release/003.015 (2014-02-17)

    Change the default rsyslog configuration to forward syslog messages to the central syslog server in addition to writing them locally. Change the date format for syslog to RFC 3399 format.

release/003.014 (2014-02-12)

    Correct double variable reference in base::dns::dr-cache. (whm)

release/003.013 (2014-02-12)

    Fix cut and paste error in defining base::dns::dr-cache. (whm)

release/003.012 (2014-02-12)

    Fix doubly defined class and add missing in the dns support used by Livermore servers. (whm)

release/003.011 (2014-02-12)

    Fix syntax error in specification of preferences file for rsyslog. (whm)

release/003.010 (2014-02-11)

    Add an apt preferences file to use the rsyslog version from backports. Remove preferences installation from the syslog module. (whm)

release/03.009 (2014-02-10)

    Add code to generate different resolv.conf for DNS servers. (meeilee)

release/003.008 (2014-02-05)

    Update comment documentation in base::pam::workgroup. Remove unused parameter and variables. (whm)

    Correct variable used to identify the syslog server to send output to in base::syslog::fragment. (whm)

    Re-enable usage of DNS server at Livermore. (whm)

release/003.007 (2014-02-04)

    Disable usage of DNS server at Livermore until the server is rebuilt. (whm)

release/003.006 (2014-01-21)

    Correct template for rsyslog forwarding using v7 syntax. (whm)

release/003.005 (2014-01-20)

    Lowercase the hostname when forming a Kerberos principal in the out-of-date cron job. Some Networking systems use .Stanford.EDU in the official hostname. (rra)

    Ignore more buggy power limit notifications from new Dell hardware. Several cases were missed in the previous change. (rra)

    Fix for Ubuntu portmap / rpcbind service name. (darrenp1)

    Update ntp.conf with IPv6 options. (darrenp1)

    Update syslog support to allow transition to new configuration policy of putting all templates and output specifications in the rsyslog.d fragments directory. (whm)

    Globally disable monlist in all the ntp.conf variations to protect against use of monlist to launch UDP-based DoS attacks. This was probably already prevented by firewall rules, but may as well make sure. (rra)

release/003.004 (2013-12-03)

    Recognize Amazon EC2 instances as virtual for the purposes of not installing the IPMI kernel module. (sfeng)

release/003.003 (2013-12-02)

    Remove the temp work file in the dell-warranty-facts cronjob. (mgoll)

    Ignore buggy CPU core power limit notifications from new Dell hardware in default Debian filter-syslog rules. (rra)

release/003.002 (2013-11-24)

    Make it simpler to override the default rsyslog behaviour. Change the name of the default rsyslog fragment. Add a default fragment for remote logging. Correct path references to common syslog fragment templates. (whm)

release/003.001 (2013-11-20)

    Correct syntax error in rsyslog.pp. (whm)

release/003.000 (2013-11-19)

    Updates to base::syslog. Retire /etc/syslog.conf. Modify /etc/rsyslog.conf so that it contains no input/output specifications. Create a fragments define to manage files in /etc/rsyslog.d. Define one default fragment that replicates current behavior if no additional fragments are added. (whm)

release/002.003 (2013-11-19)

    Fixes for Ubuntu: precise/raring vmguest open-vm-dkms, and os::ubuntu doesn't ensure logrotate cron removed (that is done in newsyslog).

    Just disable logrotate for all hosts including base::newsyslog instead of trying to remove it on Debian, Ubuntu, and Red Hat 4. We keep running into other packages that depend on it, which makes removing it unnecessarily complex. This means the base::logrotate::disabled class is now obsolete and has been removed. Users of that class can just remove the include of that class.

    Map Ubuntu raring to wheezy instead of squeeze for the Stanford-local Debian repositories.

    In postfix-policyd, disable WHITELISTING for zimbra so ratelimit can be applied to zimbra servers. This is required after we enforce ratelimit for smtp servers.

    Install a separate newsyslog configuration file for btmp so that its permissions can be set to 0660 while setting wtmp's to 0664.

    Remove obsolete blacklist-acct-accounts iptables template.

    Add validation check in newsyslog config.

release/002.002 (2013-09-10)

    Add support for a listen_addresses parameter to ssh::config::sshd that restricts sshd to listen to particular hosts.

    Add fix for Ubuntu (and others) in base::vmguest to install the right open-vm-tools package.

release/002.001 (2013-08-08)

    Add additional ignore patterns for failed ssh logins from IT Services staff, and ignore new ssh failure patterns seen in Debian wheezy.

    Use OpenAFS 1.6.5 in RHEL5 and RHEL6 yum repository configuration.

release/002.000 (2013-07-15)

    The deprecated classes base::newsyslog::messages::sa and base::newsyslog::messages::sa::override have been deleted. Global overrides for the default base::newsyslog behavior should be put into the local defaults module instead.

    base::cron::filter-user-noise has been deleted. This was specific to Research Computing systems and should be handled in that local repository.

    base::ssh::rc has been deleted. This isn't part of any base::ssh inheritance tree and can live only in the Research Computing Puppet Git repository.

    The acceptable runtime for tmpreaper (used by base::tmpclean on Debian and Ubuntu) has been extended to 20 minutes globally, and the base::tmpclean::longer class, which existed only to do that, has been removed as unnecessary. The longer runtime limit should not pose a problem on any system.

    The static crontab files installed by base::cron have been replaced with a template to handle differences between Red Hat and Debian. The periodic cron jobs no longer even attempt to use anacron, avoiding any problems with unpredictable cron run times if anacron is installed on the system.

    Move campus anycast DNS servers to the bottom of the DNS server list for now. These are not yet considered production DNS servers.

    Remove Kerberos filter-syslog rules for eklogind and kshd.

    base::daemontools::supervise now uses current coding standards and no longer special-cases various default options to some of its parameters.

    base::remctl no longer installs remctl-client. This is going to be handled by the stanford-server-packages metapackage, and is independent of what's set up by this module.

release/001.002 (2013-07-10)

    newsyslog::config now supports a new analyze_logs parameter, which specifies the list of logs to run through the analyze action (when different than the list in logs). analyze_logs defaults to logs if not given.

    Restructure the newsyslog::config template so that both the template and its output are somewhat more readable.

    newsyslog no longer sets up a weekly command to tar up /root/.history-save and removes /etc/newsyslog.weekly/audit if it exists. We're no longer using per-user history files and we're letting bash handle managing the length of the history file.

    newsyslog now creates btmp and wtmp writable by group utmp, matching the operating system defaults.

    newsyslog no longer attempts to clean up sysklogd cron jobs or remove the old /etc/newsyslog.daily/syslog file installed by ancient versions of stanford-server.

    Append to the temporary file used for Dell warranty facts instead of deleting it and recreating it (which defeats some of the point of using mktemp).

    The default out-of-date cron job always uses the host/* principal of the local host for authentication instead of the first principal in /etc/krb5.keytab, which may be for some other principal or a host/* principal for an old hostname.

    Remove out-of-date::server. This is only used on a single host, so all of the files and Puppet manifest have been moved to the Puppet model for that server.

    Change Puppet master server for frankoz servers to jimhenson1 since jimhenson4 is down with hardware trouble.

    Change the base::dns* classes to use a template to generate the resolv.conf file for a system and add the DNS anycast servers into the configuration.

release/001.001 (2013-06-25)

    Drop installation of stanford-klogin from base::os::debian. We've switched completely to Kerberized ssh and no longer install Kerberos rlogin or rsh, so no need for the clients.

release/001.000 (2013-06-22)

    Enable the security and updates repositories for wheezy now that wheezy has been released.

    For Red Hat systems, switch to using the VMware tools packages and install the necessary yum configuration.

    Add filter-syslog rules for new remctl error messages and another sshd error message from terminated network connections.

    Add base::portmap.