Merge pull request #116 from DevoKun/master

Changes required for PCI-DSSv3 compliance.

Author: stephenrjohnson

manifests/master.pp

@@ -58,48 +58,50 @@
 #  }
 #
 class puppet::master (
-  $user_id                      = undef,
-  $group_id                     = undef,
-  $modulepath                   = $::puppet::params::modulepath,
-  $manifest                     = $::puppet::params::manifest,
-  $external_nodes               = undef,
-  $node_terminus                = undef,
-  $hiera_config                 = $::puppet::params::hiera_config,
-  $environmentpath              = $::puppet::params::environmentpath,
-  $environments                 = $::puppet::params::environments,
-  $reports                      = store,
-  $storeconfigs                 = false,
-  $storeconfigs_dbserver        = $::puppet::params::storeconfigs_dbserver,
-  $storeconfigs_dbport          = $::puppet::params::storeconfigs_dbport,
-  $certname                     = $::fqdn,
-  $autosign                     = false,
-  $reporturl                    = undef,
-  $puppet_ssldir                = $::puppet::params::puppet_ssldir,
-  $puppet_docroot               = $::puppet::params::puppet_docroot,
-  $puppet_vardir                = $::puppet::params::puppet_vardir,
-  $puppet_passenger_port        = $::puppet::params::puppet_passenger_port,
-  $puppet_passenger_tempdir     = false,
-  $puppet_passenger_cfg_addon   = '',
-  $puppet_master_package        = $::puppet::params::puppet_master_package,
-  $puppet_master_service        = $::puppet::params::puppet_master_service,
-  $version                      = 'present',
-  $apache_serveradmin           = $::puppet::params::apache_serveradmin,
-  $pluginsync                   = true,
-  $parser                       = $::puppet::params::parser,
-  $puppetdb_startup_timeout     = '60',
-  $puppetdb_strict_validation   = $::puppet::params::puppetdb_strict_validation,
-  $dns_alt_names                = ['puppet'],
-  $digest_algorithm             = $::puppet::params::digest_algorithm,
-  $generate_ssl_certs           = true,
-  $strict_variables             = undef,
-  $puppetdb_version             = 'present',
-  $always_cache_features        = false,
-  $passenger_max_pool_size      = $::processorcount,
-  $passenger_high_performance   = on,
-  $passenger_max_requests       = 10000,
-  $passenger_stat_throttle_rate = 30,
-  $serialization_format         = undef,
-  $serialization_package        = undef,
+  $user_id                       = undef,
+  $group_id                      = undef,
+  $modulepath                    = $::puppet::params::modulepath,
+  $manifest                      = $::puppet::params::manifest,
+  $external_nodes                = undef,
+  $node_terminus                 = undef,
+  $hiera_config                  = $::puppet::params::hiera_config,
+  $environmentpath               = $::puppet::params::environmentpath,
+  $environments                  = $::puppet::params::environments,
+  $reports                       = store,
+  $storeconfigs                  = false,
+  $storeconfigs_dbserver         = $::puppet::params::storeconfigs_dbserver,
+  $storeconfigs_dbport           = $::puppet::params::storeconfigs_dbport,
+  $certname                      = $::fqdn,
+  $autosign                      = false,
+  $reporturl                     = undef,
+  $puppet_ssldir                 = $::puppet::params::puppet_ssldir,
+  $puppet_docroot                = $::puppet::params::puppet_docroot,
+  $puppet_vardir                 = $::puppet::params::puppet_vardir,
+  $puppet_passenger_port         = $::puppet::params::puppet_passenger_port,
+  $puppet_passenger_ssl_protocol = $::puppet::params::puppet_passenger_ssl_protocol,
+  $puppet_passenger_ssl_cipher   = $::puppet::params::puppet_passenger_ssl_cipher,
+  $puppet_passenger_tempdir      = false,
+  $puppet_passenger_cfg_addon    = '',
+  $puppet_master_package         = $::puppet::params::puppet_master_package,
+  $puppet_master_service         = $::puppet::params::puppet_master_service,
+  $version                       = 'present',
+  $apache_serveradmin            = $::puppet::params::apache_serveradmin,
+  $pluginsync                    = true,
+  $parser                        = $::puppet::params::parser,
+  $puppetdb_startup_timeout      = '60',
+  $puppetdb_strict_validation    = $::puppet::params::puppetdb_strict_validation,
+  $dns_alt_names                 = ['puppet'],
+  $digest_algorithm              = $::puppet::params::digest_algorithm,
+  $generate_ssl_certs            = true,
+  $strict_variables              = undef,
+  $puppetdb_version              = 'present',
+  $always_cache_features         = false,
+  $passenger_max_pool_size       = $::processorcount,
+  $passenger_high_performance    = on,
+  $passenger_max_requests        = 10000,
+  $passenger_stat_throttle_rate  = 30,
+  $serialization_format          = undef,
+  $serialization_package         = undef,
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -138,21 +140,23 @@
 
   Anchor['puppet::master::begin'] ->
   class {'puppet::passenger':
-    puppet_passenger_port        => $puppet_passenger_port,
-    puppet_docroot               => $puppet_docroot,
-    apache_serveradmin           => $apache_serveradmin,
-    puppet_conf                  => $::puppet::params::puppet_conf,
-    puppet_ssldir                => $puppet_ssldir,
-    certname                     => $certname,
-    conf_dir                     => $::puppet::params::confdir,
-    dns_alt_names                => join($dns_alt_names,','),
-    generate_ssl_certs           => $generate_ssl_certs,
-    puppet_passenger_tempdir     => $puppet_passenger_tempdir,
-    config_addon                 => $puppet_passenger_cfg_addon,
-    passenger_max_pool_size      => $passenger_max_pool_size,
-    passenger_high_performance   => $passenger_high_performance,
-    passenger_max_requests       => $passenger_max_requests,
-    passenger_stat_throttle_rate => $passenger_stat_throttle_rate,
+    puppet_passenger_port         => $puppet_passenger_port,
+    puppet_passenger_ssl_protocol => $puppet_passenger_ssl_protocol,
+    puppet_passenger_ssl_cipher   => $puppet_passenger_ssl_cipher,
+    puppet_docroot                => $puppet_docroot,
+    apache_serveradmin            => $apache_serveradmin,
+    puppet_conf                   => $::puppet::params::puppet_conf,
+    puppet_ssldir                 => $puppet_ssldir,
+    certname                      => $certname,
+    conf_dir                      => $::puppet::params::confdir,
+    dns_alt_names                 => join($dns_alt_names,','),
+    generate_ssl_certs            => $generate_ssl_certs,
+    puppet_passenger_tempdir      => $puppet_passenger_tempdir,
+    config_addon                  => $puppet_passenger_cfg_addon,
+    passenger_max_pool_size       => $passenger_max_pool_size,
+    passenger_high_performance    => $passenger_high_performance,
+    passenger_max_requests        => $passenger_max_requests,
+    passenger_stat_throttle_rate  => $passenger_stat_throttle_rate,
 
   } ->
   Anchor['puppet::master::end']

manifests/params.pp

@@ -35,6 +35,9 @@
   $classfile                        = '$statedir/classes.txt'
   $package_provider                 = undef # falls back to system default
 
+  $puppet_passenger_ssl_protocol    = 'TLSv1.2'
+  $puppet_passenger_ssl_cipher      = 'AES256+EECDH:AES256+EDH'
+
   # Only used when environments == directory
   $environmentpath                  = "${confdir}/environments"
 

manifests/passenger.pp

@@ -34,6 +34,8 @@
 class puppet::passenger(
   $generate_ssl_certs = true,
   $puppet_passenger_port,
+  $puppet_passenger_ssl_protocol,
+  $puppet_passenger_ssl_cipher,
   $puppet_passenger_tempdir = false,
   $puppet_docroot,
   $apache_serveradmin,
@@ -48,15 +50,31 @@
   $passenger_max_requests = 0,
   $passenger_stat_throttle_rate = 10,
 ){
-  include apache
+
+  class { 'apache':
+    default_mods        => false,
+    default_confd_files => false,
+    default_vhost       => false,
+    server_tokens       => 'Prod',
+    server_signature    => 'Off',
+    trace_enable        => 'Off',
+  }
+
+  apache::mod { 'access_compat': }
+  apache::mod { 'status': package_ensure => 'absent' }
+
   include puppet::params
   class { 'apache::mod::passenger':
     passenger_max_pool_size      => $passenger_max_pool_size,
     passenger_high_performance   => $passenger_high_performance,
     passenger_max_requests       => $passenger_max_requests,
     passenger_stat_throttle_rate => $passenger_stat_throttle_rate,
   }
-  include apache::mod::ssl
+
+  class { 'apache::mod::ssl':
+    ssl_protocol => [$puppet_passenger_ssl_protocol],
+    ssl_cipher   => $puppet_passenger_ssl_cipher,
+  }
 
   if $::osfamily == 'redhat' {
     file { '/var/lib/puppet/reports':
@@ -121,8 +139,8 @@
     ssl_chain            => "${puppet_ssldir}/ca/ca_crt.pem",
     ssl_ca               => "${puppet_ssldir}/ca/ca_crt.pem",
     ssl_crl              => "${puppet_ssldir}/ca/ca_crl.pem",
-    ssl_protocol         => 'ALL -SSLv2 -SSLv3',
-    ssl_cipher           => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK',
+    ssl_protocol         => $::puppet::params::ssl_protocol,
+    ssl_cipher           => $::puppet::params::ssl_cipher,
     ssl_honorcipherorder => 'On',
     ssl_verify_client    => 'optional',
     ssl_verify_depth     => '1',

manifests/repo/puppetlabs.pp

@@ -7,7 +7,7 @@
   if($::osfamily == 'Debian') {
     Apt::Source {
       location    => 'http://apt.puppetlabs.com',
-      key         => '4BD6EC30',
+      key         => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
       key_content => template('puppet/pgp.key'),
     }
     apt::source { 'puppetlabs':      repos => 'main' }

spec/classes/puppet_passenger_spec.rb

@@ -3,18 +3,20 @@
 describe 'puppet::passenger', :type => :class do
       let (:params) do
             {
-                :puppet_passenger_port        => '8140',
-                :puppet_docroot               => '/etc/puppet/rack/public/',
-                :apache_serveradmin           => 'root',
-                :puppet_conf                  => '/etc/puppet/puppet.conf',
-                :puppet_ssldir                => '/var/lib/puppet/ssl',
-                :certname                     => 'test.test.com',
-                :conf_dir                     => '/etc/puppet',
-                :dns_alt_names                => 'puppet',
-                :passenger_max_pool_size      => '4',
-                :passenger_high_performance   => true,
-                :passenger_max_requests       => '1000',
-                :passenger_stat_throttle_rate => '30',
+                :puppet_passenger_port         => '8140',
+                :puppet_passenger_ssl_protocol => 'TLSv1.2',
+                :puppet_passenger_ssl_cipher   => 'AES256+EECDH:AES256+EDH',
+                :puppet_docroot                => '/etc/puppet/rack/public/',
+                :apache_serveradmin            => 'root',
+                :puppet_conf                   => '/etc/puppet/puppet.conf',
+                :puppet_ssldir                 => '/var/lib/puppet/ssl',
+                :certname                      => 'test.test.com',
+                :conf_dir                      => '/etc/puppet',
+                :dns_alt_names                 => 'puppet',
+                :passenger_max_pool_size       => '4',
+                :passenger_high_performance    => true,
+                :passenger_max_requests        => '1000',
+                :passenger_stat_throttle_rate  => '30',
         }
         end
     context 'on Debian' do
@@ -107,19 +109,21 @@
       end
       let (:params) do
         {
-          :puppet_passenger_port        => '8140',
-          :puppet_docroot               => '/etc/puppet/rack/public/',
-          :apache_serveradmin           => 'root',
-          :puppet_conf                  => '/etc/puppet/puppet.conf',
-          :puppet_ssldir                => '/var/lib/puppet/ssl',
-          :certname                     => 'test.test.com',
-          :conf_dir                     => '/etc/puppet',
-          :dns_alt_names                => ['puppet'],
-          :puppet_passenger_tempdir     => '/tmp/passenger',
-          :passenger_max_pool_size      => '4',
-          :passenger_high_performance   => true,
-          :passenger_max_requests       => '1000',
-          :passenger_stat_throttle_rate => '30',
+          :puppet_passenger_port         => '8140',
+          :puppet_passenger_ssl_protocol => 'TLSv1.2',
+          :puppet_passenger_ssl_cipher   => 'AES256+EECDH:AES256+EDH',
+          :puppet_docroot                => '/etc/puppet/rack/public/',
+          :apache_serveradmin            => 'root',
+          :puppet_conf                   => '/etc/puppet/puppet.conf',
+          :puppet_ssldir                 => '/var/lib/puppet/ssl',
+          :certname                      => 'test.test.com',
+          :conf_dir                      => '/etc/puppet',
+          :dns_alt_names                 => ['puppet'],
+          :puppet_passenger_tempdir      => '/tmp/passenger',
+          :passenger_max_pool_size       => '4',
+          :passenger_high_performance    => true,
+          :passenger_max_requests        => '1000',
+          :passenger_stat_throttle_rate  => '30',
         }
       end
       it {

spec/classes/puppet_repo_puppetlabs_spec.rb

@@ -14,12 +14,12 @@
       should contain_apt__source('puppetlabs').with(
         :repos      => 'main',
         :location   => 'http://apt.puppetlabs.com',
-        :key        => '4BD6EC30'
+        :key        => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30'
       )
       should contain_apt__source('puppetlabs-deps').with(
         :repos      => 'dependencies',
         :location   => 'http://apt.puppetlabs.com',
-        :key        => '4BD6EC30'
+        :key        => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30'
       )
     end
   end

templates/config.erb

@@ -1,3 +1,12 @@
+####################################################################
+####################################################################
+##
+## File controlled by Puppet Module puppet::master
+## Any changes you make will be overwritten.
+##
+####################################################################
+####################################################################
+
 # a config.ru, for use with every rack-compatible webserver.
 # SSL needs to be handled outside this, though.
 

templates/etc/default/puppet.erb

@@ -1,4 +1,13 @@
-# Only used on debian. Defaults for puppet - sourced by /etc/init.d/puppet
+####################################################################
+####################################################################
+##
+## File controlled by Puppet Module puppet::master
+## Any changes you make will be overwritten.
+##
+####################################################################
+####################################################################
+
+# Only used on Debian. Defaults for puppet - sourced by /etc/init.d/puppet
 
 # Start puppet on boot?
 START=<%= @startonboot %>

templates/etc/sysconfig/puppet.erb

@@ -1,3 +1,12 @@
+####################################################################
+####################################################################
+##
+## File controlled by Puppet Module puppet::master
+## Any changes you make will be overwritten.
+##
+####################################################################
+####################################################################
+
 # The puppetmaster server
 PUPPET_SERVER=<%= @puppet_server %>
 

templates/puppet_passenger.conf.erb

@@ -1,3 +1,12 @@
+####################################################################
+####################################################################
+##
+## File controlled by Puppet Module puppet::master
+## Any changes you make will be overwritten.
+##
+####################################################################
+####################################################################
+
 PassengerHighPerformance on
 PassengerPoolIdleTime 1500
 # PassengerMaxRequests 1000