Comments (2)
As part of this issue, we should also clean up the comments we're currently leaving behind in all of the configuration files.
The consensus from the demo today was that a single comment mentioning the migration has completed will be sufficient.
My notes are:
Clean up the comments in the configuration file (recommendation, only one comment with the step we've completed through…)
# CVE-2011-3872 Fix (Was: /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem)
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
# CVE-2011-3872 Fix (Was: /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.pem)
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.pem
# CVE-2011-3872 Fix (Was: /etc/puppetlabs/puppet/ssl/certs/ca.pem)
SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
# CVE-2011-3872 Fix (Was: /etc/puppetlabs/puppet/ssl/certs/ca.pem)
SSLCACertificateFile /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
# CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
from puppetlabs-cve20113872.
We're no longer modifying Apache's configuration and site.pp is being restored to the original state in step 5. Agents are also switching back to their original DNS name in step 4.
from puppetlabs-cve20113872.
Related Issues (20)
- Step 2 script should include CVE class at top scope, not in default node.
- All comments/changes remaining in conf files should reference the CVE#
- Refactor step1 and step2 to be only the minimum steps to secure the fleet
- (possibly spurious) Unrecognized escape sequences.
- PATH not set to include /opt/puppet/bin in step 3
- Need a script to see the fleet progress through the steps
- Dashboard puppet certificate is not re-keyed
- Step 4 (?) should restore agents' server settings to the previous master name
- Step 5 should (?) remove remediation includes from site.pp
- We shouldn't be enforcing that the agent is running as puppet/pe-puppet
- PE specific functionality in the remediation module.
- check for puppetmaster is too loose.
- Provide a way to scan a certificate store for Subject Alt Names
- Show an example of adding noop for puppet.conf
- Support dns_alt_names in migration process
- (low) backup section fails if puppet.conf or site.pp are missing.
- $PATH trickery isn't right.
- pe_step1 remediation fails when incrementing "idx"
- Support dns_alt_names in migration process (FOSS)
- webrick scan_certs errors out on RHEL5