Skip to main content

Applied Configuration Management

Project description

License Travis CI Build Status AppVeyor Build Status Latest Version

Watchmaker

Applied Configuration Management

Overview

Watchmaker is a Python package that helps bootstrap a vanilla OS image and apply an OS configuration. Watchmaker itself reads a simple YAML configuration file, which can be hosted on the local filesystem or on a web server.

Complex configuration management (CM) environments may be layered in as part of the provisioning framework. Watchmaker includes a default configuration that will install Salt and a handful Salt Formulas that can be used to harden a system to DISA STIG standards, as well as integrate with common enterprise services.

Documentation

For more information on installing and using Watchmaker, go to https://watchmaker.readthedocs.io.

Changelog

0.6.6 (2017.10.18) - Change from 0.6.5 release

  • ash-linux-formula

    • (el7) Fixes typos in the firewalld “safety” scripts that resulted in a failure when firewalld was reloaded

  • mcafee-agent-formula

    • (el7) Adds required inbound ports to all firewalld zones, to support the event where the default zone is modified from “public”

  • splunkforwarder-formula

    • (el7) Adds required outbound ports to the OUTPUT chain; previously, they were mistakenly being added as inbound rules

0.6.5 (2017.09.29) - Change from 0.6.4 release

  • [PR #391] Updates CloudFormation templates with a parameter that exposes the option to use the S3 API and the instance role to retrieve the Watchmaker content archive

  • ash-linux-formula

    • (el7) Updates firewalld “safety” state so that firewalld remains in the active state; the prior approach left firewalld dead/inactive, until the service was restarted or the system was rebooted

0.6.4 (2017.09.22) - Change from 0.6.3 release

  • [PR #381] Restricts wheel version on Python 2.6 to be less than or equal to 0.29.0, as wheel 0.30.0 removed support for py26.

0.6.3 (2017.08.11) - Change from 0.6.2 release

  • ash-linux-formula

    • (el7) Includes a “safety” state for firewalld that ensures SSH inbound access will remain available, in the event the default zone is set to “drop”

0.6.2 (2017.08.07) - Change from 0.6.1 release

  • ash-linux-formula

    • (el6) Improve the method of disabling the sysctl option ip_forward, to account for the behavior of the aws-vpc-nat rpm

  • scap-formula

    • (elX) Updates openscap security guide content to version 0.1.34-1

0.6.1 (2017.08.01) - Change from 0.6.0 release

  • ash-linux-formula

    • Modified the FIPS custom execution module to discover the boot partition and add the boot= line to the grub configuration

0.6.0 (2017.07.25) - Change from 0.5.1 release

  • ash-linux-formula

    • Updates the EL7 stig baseline to manage the FIPS state. The state defaults to enabled but can be overridden via a pillar or grain, ash-linux:lookup:fips-state. The grain takes precedence over the pillar. Valid values are enabled or disabled

  • ash-windows-formula

    • Updates the STIG baselines for Windows Server 2016 member servers and domain controllers with SCAP content from the DISA v1r1 SCAP benchmark release

  • join-domain-formula

    • Fixes an issue when joining Windows 2016 servers to a domain, where the Set-DnsSearchSuffix.ps1 helper would fail because the builtin PowerShell version does not work when $null is used in a ValidateSet. The equivalent value must now be passed as the string, "null"

  • scap-formula

    • Adds SCAP content for the Window Server 2016 SCAP v1r1 Benchmark

0.5.1 (2017.07.08) - Change from 0.5.0 release

  • [Issue #341][PR #342] Manages selinux around salt state execution. In some non-interactive execution scenarios, if selinux is enforcing it can interfere with the execution of privileged commands (that otherwise work fine when executed interactively). Watchmaker now detects if selinux is enforcing and temporarily sets it to permissive for the duration of the salt state execution

0.5.0 (2017.06.27) - Change from 0.4.4 release

  • [Issue #331][PR #332] Writes the role grain to the key expected by the ash-windows formula. Fixes usage of the --ash-role option in the salt worker

  • [Issue #329][PR #330] Outputs watchmaker version at the debug log level

  • [Issue #322][PR #323][PR #324] Fixes py2/py3 compatibility bug in how the yum worker handles file opening to check the Linux distro

  • [Issue #316][PR #320] Improves logging when salt state execution fails due to failed a state. The salt output is now returned to the salt worker, which processes the output, identifies the failed state, and raises an exception with the state failure

  • join-domain-formula

    • (Linux) Reworks the pbis config states to make the logged output more readable

0.4.4 (2017.05.30) - Change from 0.4.3 release

  • join-domain-formula

    • (Linux) Ignores a bad exit code from pbis config utility. The utility will return exit code 5 when modifying the NssEnumerationEnabled setting, but still sets the requested value. This exit code is now ignored

0.4.3 (2017.05.25) - Change from 0.4.2 release

  • name-computer-formula

    • (Linux) Uses an alternate method of working around a bad code-path in salt that does not handle quoted values in /etc/sysconfig/network.

0.4.2 (2017.05.19) - Change from 0.4.1 release

  • [PR #301] Sets the grains for admin_groups and admin_users so the keys are named as expected by the join-domain formula

  • ash-linux-formula

    • Adds a custom module that lists users from the shadow file

    • Gets local users from the shadow file rather than user.list_users. Prevents a domain-joined system from attempting to iterate over all domain users (and potentially deadlocking on especially large domains)

  • join-domain-formula

    • Modifies PBIS install method to use RPMs directly, rather than the SHAR installer

    • Updates approaches to checking for collisions and current join status to better handle various scenarios: not joined, no collision; not joined, collision; joined, computer object present; joined, computer object missing

    • Disables NSS enumeration to prevent PBIS from querying user info from the domain for every call to getent (or equivalents); domain-based user authentication still works fine

  • name-computer-formula

    • (Linux) Does not attempt to retain network settings, to avoid a bug in salt; will be revisited when a patched salt version has been released

0.4.1 (2017.05.09) - Change from 0.4.0 release

  • (EL7) Running watchmaker against EL7 systems will now pin the resulting configuration to the watchmaker version. See the updates to the two formulas in this version. Previously, ash-linux always used the content from the scap-security-guide rpm, which was updated out-of-sync with watchmaker, and so the resulting configuration could not be pinned by pinning the watchmaker version. With this version, ash-linux uses content distributed by watchmaker, via scap-formula, and so the resulting configuration will always be same on EL7 for a given version of watchmaker (as has always been the case for the other supported operating systems).

  • ash-linux-formula

    • Supports getting scap content locations from pillar

  • scap-formula

    • Updates stig content with latest benchmark versions

    • Adds openscap ds.xml content, used to support remediate actions

0.4.0 (2017.05.06) - Change from 0.3.1 release

  • [PR #286] Sets the computername grain with the correct key expected by the formula

  • [PR #284] Converts cli argument parsing from argparse to click. This modifies the watchmaker depedencies, which warranted a 0.x.0 version bump. Cli and API arguments remain the same, so the change should be backwards-compatible.

  • name-computer-formula

    • Adds support for getting the computername from pillar

    • Adds support for validating the specified computername against a pattern

  • pshelp-formula

    • Attempts to address occasional stack overflow exception when updating powershell help

0.3.1 (2017.05.01) - Change from 0.3.0 release

  • [PR #280] Modifies the dynamic import of boto3 to use only absolute imports, as the previous approach (attempt absolute and relative import) was deprecated in Python 3.3

  • ntp-client-windows-formula:

    • Stops using deprecated arguments on reg.present states, which cleans up extraneous log messages in watchmaker runs under some configurations

  • join-domain-formula:

    • (Windows) Sets the DNS search suffix when joining the domain, including a new pillar config option, ec2config to enable/disable the EC2Config option that also modifies the DNS suffix list.

0.3.0 (2017.04.24) - Change from 0.2.4 release

  • [Issue #270] Defaults to a platform-specific log directory when call from the CLI:

    • Windows: ${Env:SystemDrive}\Watchmaker\Logs

    • Linux: /var/log/watchmaker

  • [PR #271] Modifies CLI arguments to use explicit log-levels rather than a verbosity count. Arguments have been adjusted to better accommodate the semantics of this approach:

    • Uses -l|--log-level instead of -v|--verbose

    • -v and -V are now both used for --version

    • -d is now used for --log-dir

0.2.4 (2017.04.20) - Change from 0.2.3 release

  • Fixes a bad version string

0.2.3 (2017.04.20) - Change from 0.2.2 release

  • [Issue #262] Merges lists in pillar files, rather than overwriting them

  • [Issue #261] Manages the enabled/disabled state of the salt-minion service, before and after the install

  • splunkforwarder-formula

    • (Windows) Ignores false bad exits from Splunk clone-prep-clear-config

0.2.2 (2017.04.15) - Change from 0.2.1 release

  • [PR #251] Adds CloudFormation templates that integrate Watchmaker with an EC2 instance or Autoscale Group

  • join-domain-formula

    • (Linux) Corrects tests that determine whether the instance is already joined to the domain

0.2.1 (2017.04.10) - Change from 0.2.0 release

  • ash-linux-formula

    • Reduces spurious stderr output

    • Removes notify script flagged by McAfee scans

  • splunkforwarder-formula

    • (Windows) Clears system name entries from local Splunk config files

0.2.0 (2017.04.06) - Change from 0.1.7 release

  • [Issue #238] Captures all unhandled exceptions and logs them

  • [Issue #234] Stops the salt service prior to managing salt formulas, to ensure that the filesystem does not throw any errors about the files being locked

  • [Issue #72] Manages salt service so the service state after watchmaker completes is the same as it was prior to running watchmaker. If the service was running beforehand, it remains running afterwards. If the service was stopped (or non-existent) beforehad, the service remains stopped afterwards

  • [Issue #163] Modifies the user_formulas config option to support a map of <formula_name>:<formula_url>

  • [PR #235] Extracts salt content to the same target srv location for both Window and Linux. Previously, the salt content was extracted to different points in the filesystem hierarchy, which required different content for Windows and Linux. Now the same salt content archive can be used for both

  • [PR #242] Renames salt worker param content_source to salt_content

  • systemprep-formula

    • Deprecated and removed. Replaced by new salt content structure that uses native salt capabilities to map states to a system

  • scc-formula

    • Deprecated and removed. Replaced by scap-formula

  • scap-formula

    • New bundled salt formula. Provides SCAP scans using either openscap or scc

  • pshelp-formula

    • New bundled salt formula. Installs updated PowerShell help content to Windows systems

0.1.7 (2017.03.23) - Change from 0.1.6 release

  • Uses threads to stream stdout and stderr to the watchmaker log when executing a command via subproces

  • [Issue #226] Minimizes salt output of successful states, to make it easier to identify failed states

  • join-domain-formula

    • (Linux) Exits with stateful failure on a bad decryption error

  • mcafee-agent-formula

    • (Linux) Avoids attempting to diff a binary file

    • (Linux) Installs ed as a dependency of the McAfee VSEL agent

  • scc-formula

    • Retries scan up to 5 times if scc exits with an error

0.1.6 (2017.03.16) - Change from 0.1.5 release

  • ash-linux-formula

    • Provides same baseline states for both EL6 and EL7

0.1.5 (2017.03.15) - Change from 0.1.4 release

  • ash-linux-formula

    • Adds policies to disable insecure Ciphers and MACs in sshd_config

  • ash-windows-formula

    • Adds scm and stig baselines for Windows 10

    • Adds scm baseline for Windows Server 2016 (Alpha)

    • Updates all scm and stig baselines with latest content

  • mcafee-agent-formula

    • Uses firewalld on EL7 rather than iptables

  • scc-formula

    • Skips verification of GPG key when install SCC RPM

  • splunkforwarder-formula

    • Uses firewalld on EL7 rather than iptables

0.1.4 (2017.03.09) - Change from 0.1.3 release

  • [Issue #180] Fixes bug where file_roots did not contain formula paths

0.1.3 (2017.03.08) - Change from 0.1.2 release

  • [Issue #164] Aligns cli syntax for extra_arguments with other cli opts

  • [Issue #165] Removes ash_role from default config file

  • [Issue #173] Fixes exception when re-running watchmaker

0.1.2 (2017.03.07) - Change from 0.1.1 release

  • Adds a FAQ page to the docs

  • Moves salt formulas to the correct location on the local filesystem

  • join-domain-formula:

    • (Linux) Modifies decryption routine for FIPS compliance

  • ash-linux-formula:

    • Removes several error exits in favor of warnings

    • (EL7-alpha) Various patches to improve support for EL7

  • dotnet4-formula:

    • Adds support for .NET 4.6.2

    • Adds support for Windows Server 2016

  • emet-formula:

    • Adds support for EMET 5.52

0.1.1 (2017.02.28) - Change from 0.1.0 release

  • Adds more logging messages when downloading files

0.1.0 (2017.02.22)

  • Initial release!

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

watchmaker-0.6.6.tar.gz (37.4 MB view details)

Uploaded Source

Built Distribution

watchmaker-0.6.6-py2.py3-none-any.whl (38.5 MB view details)

Uploaded Python 2 Python 3

File details

Details for the file watchmaker-0.6.6.tar.gz.

File metadata

  • Download URL: watchmaker-0.6.6.tar.gz
  • Upload date:
  • Size: 37.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for watchmaker-0.6.6.tar.gz
Algorithm Hash digest
SHA256 0f8fed14caa1b5f7f608a0a178c72d1c6eee0231505fbaf2de3eb512f61cfea4
MD5 5505f47395ea7bc755942e34fa36fea4
BLAKE2b-256 6dc5537ffd278796eb00494d3b5a7671d87a9e6d0544320d52eb51b31e1e55ba

See more details on using hashes here.

File details

Details for the file watchmaker-0.6.6-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for watchmaker-0.6.6-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 d74f9b261b77c893ffae6732344d5bab27dfa252f0e576648559f0d533c0ff50
MD5 18fc1179f544f5b41e47ebddf738c711
BLAKE2b-256 8bdeb8301167f8e95ea2732b1990cb206edc1619ef408f274d5ed34da70649e5

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page