Verify if the server is joined to the correct domain instead of relying on a "oncefile"

If the file puppet_joined exists the module seems to skip any other sanity checks when installing.
This could cause the issue that the /etc/pam files are configured for vas, when vas is actually not really installed on the server.
This can be verified by doing the following steps:

• Install vas using puppet
• Remove the binaries and make sure puppet restores the pam files
• Install vas using puppet again

Worst case you have a server where you can not even logon as root from console.

I would suggest that for the next release that it checks both for puppet_joined and do verify that the packages are installed before.

I'd like to propose to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to adopt best practices to further mature the project.

The proposed steps include:

• running Scorecards against the ecchronos repo,
• evaluation of the scan results of Scorecards in terms of applicability,
• adoption and/or implementation of the recommendation considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

thanks!

Collection of planned changes for next major version

Add mscldap-timeout and lazy-cache-update-interval from redmine ticket #312

got this bug report:

symptom: on RHEL 5 servers in the Hub after system boot the automounter does not use NIS maps - until it is restarted.
root cause: an unlucky dependency chain in the services netfs, ypbind, vasypd, rsyslog, that cannot be resolved.

As a result, when VAS is installed or upgraded, it creates /etc/rc3.d/S28vasypd despite there is /etc/rc3.d/S27ypbind.
Then, during a system boot, ypbind times out because it cannot bind to vasypd.
And automounter, /etc/rc3.d/S28autofs, starts without NIS maps. Then puppet seems to see the missing ypbind and starts it - but too late for automounter.

Fix: run the following shell script:

cd /etc/rc3.d && test -f S27ypbind && test -f S28vasypd && mv S28vasypd S27vasypd

NB "test -f file" tests for a file, following a symbolic link. I.e. a stat() is performed.

That changes makes S27vasypd that comes before S27ypbind in the alphabet. (And then S28autofs > follows.) Because of the tiny change there cannot be an impact on other services.

Can we get this in Puppet?
Scope is RHEL 5, but if the above checks are done then it will not change anything in other OS.
Mininum would be "VAS install/upgrade", but at least for a short time should be rolled out everywhere.
Logically it belongs to the VAS module.

coded this workaround and use it successfully since four weeks:

class workarounds::automounter (
) {
  if "${::operatingsystem}-${::operatingsystemmajrelease}" == 'RedHat-5' {
    exec { "fix_rh5_automounter":
      command => 'mv /etc/rc3.d/S28vasypd /etc/rc3.d/S27vasypd',
      onlyif  => 'test -f /etc/rc3.d/S27ypbind && test -f /etc/rc3.d/S28vasypd',
      path    => '/bin:/usr/bin',
    }
  }
}

Should I create a PR to integrate it into the vas module ?

There is no good way to control enctypes with this modules and the defaults in the templates/vas.conf.erb is quite old. "default_etypes_des = des-cbc-crc" should probably be removed and left to be default value since none is using DES anymore. Instead of arcfour-hmac-md5 the default should probably be something sane like aes256-cts-hmac-sha1-96 so it matches with more modern Active Directory.

The keys that should be changed or deleted are:
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_etypes = arcfour-hmac-md5