(SIMP-10203) Fix SSL recovery documentation (#435)

- Correct SSL recovery documentation
- Convert all instances of 'puppet master' to 'puppet server'
- Convert all instances of 'SIMP master' to 'SIMP server'
- Correct a few links

SIMP-10203 #close

CHANGELOG

@@ -1,3 +1,8 @@
+* Wed Jul 14 2021 Trevor Vaughan <[email protected]>
+- Correct SSL recovery documentation
+- Convert all instances of 'puppet master' to 'puppet server'
+- Correct a few links
+
 * Wed Jun 30 2021 Trevor Vaughan <[email protected]>
 - Add 389-DS documentation
 

README.md

@@ -48,6 +48,10 @@ You may need some additional OS packages for building PDFs with sphinx
 Install python dependencies:
 
 ```sh
+virtualenv venv
+source venv/bin/activate
+
+pip install --upgrade pip setuptools
 pip install -r requirements.txt
 ```
 

docs/FAQ/Puppet.rst

@@ -27,7 +27,7 @@ troubleshoot the issue.
    .. code-block:: bash
 
       openssl s_client -host $(puppet config print server) \
-      -port $(puppet config print masterport) \
+      -port $(puppet config print serverport) \
       -cert $(puppet config print hostcert) \
       -key $(puppet config print hostprivkey) \
       -CAfile $(puppet config print localcacert)

docs/HOWTO/20_Puppet/Changing_Puppet_Masters.rst

@@ -3,7 +3,7 @@
 HOWTO Move a Client to a new Puppet Server
 ==========================================
 
-The following provides details on how to move an client to a new Puppet server.
+The following provides details on how to move an client to a new :term:`Puppet Server`.
 
 .. NOTE::
 
@@ -13,7 +13,7 @@ On the Old Puppet Server
 ------------------------
 
 The following procedures will archive the agent's artifacts from all environments, copy them to the new
-Puppet server, and clean out the agent's Hiera data.
+Puppet Server, and clean out the agent's :term:`Hiera` data.
 
 Archive the agent's artifacts from all environments
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -28,7 +28,7 @@ Archive the agent's artifacts from all environments
 
   .. code-block:: shell
 
-     find `puppet config --section master print vardir`/simp -name "*<agent-fqdn>*" -exec tar --selinux --xattrs -rpvf <agent-fqdn>_transfer.tar {} \;
+     find `puppet config --section server print vardir`/simp -name "*<agent-fqdn>*" -exec tar --selinux --xattrs -rpvf <agent-fqdn>_transfer.tar {} \;
 
 
 3. Archive the agent's Hiera data from all :term:`Puppet Environments`:
@@ -73,7 +73,7 @@ Remove agent-specific Hiera data from all environments
 
      puppetserver reload
 
-On the New Puppet Master
+On the New Puppet Server
 ------------------------
 
 .. WARNING::

docs/HOWTO/20_Puppet/Disconnect_PuppetDB_from_Puppet_Server.rst

@@ -18,7 +18,7 @@ restart the :program:`puppetserver` process without the connection.
    # /etc/puppetlabs/puppet (the default).
    mv /etc/puppetlabs/puppet/routes.yaml /etc/puppetlabs/puppet/routes.yaml.backup
 
-   puppet config set --section master storeconfigs false
+   puppet config set --section server storeconfigs false
    puppet config set --section main storeconfigs false
 
    puppet resource service puppetserver ensure=stopped

docs/HOWTO/20_Puppet/ENC_setup.rst

@@ -21,7 +21,7 @@ To use this script for your ENC, do the following as ``root``:
 
 #. Configure Puppet to use this script as an ENC
 
-   Set the following in the :code:`[master]` section of :file:`/etc/puppetlabs/puppet/puppet.conf`:
+   Set the following in the :code:`[server]` section of :file:`/etc/puppetlabs/puppet/puppet.conf`:
 
    a. Add or change the line :code:`node_terminus` to :code:`exec`.
    b. Set the :code:`external_nodes` entry to :file:`/usr/local/bin/set_environment`.
@@ -31,7 +31,7 @@ To use this script for your ENC, do the following as ``root``:
    .. code-block:: ini
 
       ...
-      [master]
+      [server]
       ...
       node_terminus = exec
       external_nodes = /usr/local/bin/set_environment
@@ -51,7 +51,7 @@ To use this script for your ENC, do the following as ``root``:
 
    .. code-block:: yaml
 
-      # The puppetmaster will use the production environment
+      # The puppet server will use the production environment
       'puppet.my.domain':            'production'
 
       # Any node in my.domain whose FQDN begins with test will use the test environment

docs/HOWTO/20_Puppet/Puppetmaster_Backup.rst

@@ -3,26 +3,26 @@
 HOWTO Back up the Puppet Server
 ===============================
 
-This section details the steps required to back up the Puppet master.
+This section details the steps required to back up the :term:`Puppet Server`.
 
 .. NOTE::
 
-   A default SIMP installation can use Git as a rudimentary method to back up
-   the Puppet server. If a different method is preferred, the user must install
-   and configure it first.
+   A default SIMP installation can use :term:`Git` as a rudimentary method to
+   back up the Puppet Server. If a different method is preferred, the user must
+   install and configure it first.
 
 #. Backup :file:`/etc/puppetlabs/puppet/ssl`
 #. Backup :file:`/etc/puppetlabs/puppet`
 #. Backup :file:`/var/simp`
-#. Backup :file:`\`puppet config --section master print vardir\`/simp`
+#. Backup :file:`\`puppet config --section server print vardir\`/simp`
 #. *Optional:* Backup :file:`/var/www`
 
 
 **Simple Full Backup Command**
 
 .. code-block:: bash
 
-   # tar --selinux --xattrs -czpvf simp_backup-$(date +%Y-%m-%d).tar.gz /etc/puppetlabs /var/simp `puppet config --section master print vardir`/simp /var/www /var/simp
+   # tar --selinux --xattrs -czpvf simp_backup-$(date +%Y-%m-%d).tar.gz /etc/puppetlabs /var/simp `puppet config --section server print vardir`/simp /var/www /var/simp
 
 **Simple Full Restore Command**
 
@@ -34,4 +34,4 @@ This section details the steps required to back up the Puppet master.
 .. NOTE::
 
    This only backs up data that is managed/owned by Puppet. It will not backup any
-   application-centric data (such as the contents of LDAP).
+   application-centric data (such as the contents of :term:`LDAP`).

docs/HOWTO/90_Misc/Kerberos.rst

@@ -107,7 +107,7 @@ Propagate the Keytabs
 
 Move all of the resulting keytab files SECURELY to
 ``/var/simp/environments/<client_environment>/site_files/krb5_files/keytabs/<fqdn>``
-on the Puppet master as appropriate for each file.
+on the :term:`Puppet Server` as appropriate for each file.
 
 .. NOTE::
 

docs/HOWTO/90_Misc/SNMPD.rst

@@ -2,7 +2,7 @@ HOWTO Configure SNMPD
 =====================
 
 This document details how to use the ``simp-simp_snmpd`` Puppet profile module
-to configure the SNMP daemon.
+to configure the :term:`SNMP` daemon.
 
 Simple instructions to configure the snmpd daemon using the
 ``simp-simp_snmpd`` profile module are described in its README file.
@@ -87,16 +87,16 @@ The profile module, by default, installs two users:
 * ``snmp_rw`` is configured for read/write access to everything
 
 User passwords are auto-generated using ``simplib::passgen()`` and stored on
-the Puppet master in a sub-directory in the :term:`SIMP Writable Environment`:
+the :term:`SIMP Server` in a sub-directory in the :term:`SIMP Writable Environment`:
 
 ``/opt/puppetlabs/server/data/puppetserver/simp/environments/production/simp_autofile/gen_passwd``.
 
 Access is configured by ``/etc/snmp/simp_snmpd.d/access.conf``
 
 * To create the ``access.conf`` file, the profile modules uses a set of hashes.
 * The default hashes are in the ``data/common.yaml`` file.
-* These hashes are merged with any hash you defined in the Hiera files on the
-  Puppet master.  Merging is described in
+* These hashes are merged with any hash you defined in the :term:`Hiera` files on the
+  :term:`Puppet Server`. Merging is described in
   `Puppet docs <https://puppet.com/docs/puppet/5.5/hiera_merging.html>`_
 * To remove something from the default hash add the name of object with no keys
 

docs/changelogs/6.5.0_Changelog.rst

@@ -2308,6 +2308,5 @@ the following:
 
 
 .. _submit an issue: https://simp-project.atlassian.net
-.. _simp-project.com: https://simp-project.com
+.. _simp-project.com: https://www.simp-project.com
 .. _packagecloud: https://packagecloud.io/simp-project
-

docs/contributors_guide/Testing_on_FIPS_Systems.rst

@@ -56,7 +56,7 @@ section:
    end
 
 .. _Bundler: https://bundler.io/
-.. _fix: https://github.com/rubygems/bundler/issues/5440
-.. _new bug: https://github.com/rubygems/bundler/issues/5584
+.. _fix: https://github.com/rubygems/bundler/pull/5440
+.. _new bug: https://github.com/rubygems/bundler/pull/5584
 .. _original bug: https://github.com/rubygems/bundler/issues/4989
 .. _some issues: https://github.com/rubygems/bundler/issues/4989#issuecomment-280503064

docs/contributors_guide/documentation_custom_roles.csv

@@ -10,4 +10,4 @@ Jira issues|:jira:`SIMP-8464`|``:jira:`SIMP-8464```| Auto-links to (SIMP project
 Literal text|``keyword``|````keyword````|ReST's basic markup for fixed-width text.  Only use this if there isn't an appropriate role.|inline
 Internal hyperlinks| :ref:`changelogs` | ``:ref:`changelogs```| ``:ref:`` crosslinks are actually built-in roles, but we'll group them here |inline
 Glossary terms|:term:`SIMP`|``:term:`SIMP```|Automatically creates internal hyperlink to term in Glossary|built-in
-External hyperlinks| `SIMP website <https://simp-project.com>`_ |```SIMP website <https://simp-project.com>`_``| External hyperlinks are decorated with a special icon|inline
+External hyperlinks| `SIMP website <https://www.simp-project.com>`_ |```SIMP website <https://www.simp-project.com>`_``| External hyperlinks are decorated with a special icon|inline

docs/contributors_guide/maintenance/other_iso_related_project_release_procedures/Pre_Release_Checklist.rst

@@ -174,7 +174,7 @@ do the following:
       If the component requires updated dependencies, those RPMs will
       have to be built and installed at the same time.
 
-#. Verify the ``puppet agent`` runs succeed on the Puppet master
+#. Verify the ``puppet agent`` runs succeed on the :term:`Puppet Server`
 
    * login as root
    * execute ``puppet agent -t``

docs/glossary.rst

@@ -87,6 +87,12 @@ Glossary of Terms
    Certificate Authority
       An entity that issues :term:`X.509` digital certificates.
 
+   CRL
+   Certificate Revocation List
+      A list of digitical certificates that have been revoked by the :term:`CA`.
+
+      Source: `Wikipedia: Certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`__
+
    Class
    Classes
    Puppet Class
@@ -144,7 +150,7 @@ Glossary of Terms
    Code Manager
       [Puppet] Code Manager automates the management and deployment of
       your :term:`Puppet` code. Push code updates to your source control repo,
-      and then Puppet syncs the code to your masters, so that all your servers
+      and then Puppet syncs the code to your servers, so that all your servers
       start running the new code at the same time, without interrupting agent
       runs.
 
@@ -729,18 +735,13 @@ Glossary of Terms
    Puppetfile
       A Ruby file that contains references to :term:`Puppet modules`.
 
-      See the Puppetfile spec: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd
+      See the Puppetfile spec: https://github.com/puppetlabs/r10k/blob/main/doc/puppetfile.mkd
 
    PuppetForge
       An official repository for Puppet modules
 
       See: https://forge.puppet.com/
 
-   Puppet Master
-      For the purposes of this document, this is the Server upon which the
-      :term:`puppetserver` process is running and to which your clients
-      connect.
-
    Puppet Module
    Puppet Modules
       A self-contained bundle of code and data able to be processed by the
@@ -761,11 +762,9 @@ Glossary of Terms
 
    Puppetserver
    Puppet Server
-      An application that runs on the Java Virtual Machine (JVM) and provides
-      the same services as the classic Puppet master application. It mostly
-      does this by running the existing Puppet master code in several JRuby
-      interpreters, but it replaces some parts of the classic application with
-      new services written in Clojure.
+      An application that runs on the Java Virtual Machine (JVM) and provides a
+      puppet compiler service by running several JRuby interpreters running the
+      Puppet compiler through a Clojure-based service.
 
       Source: `Puppet's Services: Puppet Server <https://puppet.com/docs/puppetserver/latest/services_master_puppetserver.html>`__
 
@@ -953,7 +952,7 @@ Glossary of Terms
       The first server that is built in a SIMP environment and the server that
       is expected to be the nexus of control for the managed infrastructure.
 
-      See: :term:`Puppet Master`
+      See: :term:`Puppet Server`
 
    SIMP Writable Environment
    Writable Environment
@@ -998,6 +997,13 @@ Glossary of Terms
 
          echo "${env_path}/${env}/modules/site"
 
+   SNMP
+   Simple Network Management Protocol
+      A protocl for collecting and organizing information about managed devices
+      on IP networks.
+
+      Source: `Wikipedia: Simple Network Management Protocol <https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol>`__
+
    Spectre
       A vulnerability that affects modern microprocessors that perform branch
       prediction.

docs/security_conop/Operational_Security.rst

@@ -15,9 +15,9 @@ Baseline Configurations
 SIMP baselines include configuration settings and Puppet modules.  Currently,
 baselines are maintained for both Red Hat/CentOS 6.x, and Red Hat/CentOS 7.x.
 Each configuration item that is managed by a Puppet module has an RPM installed
-on the Puppet Master in the form of ``pupmod-name-x.x.x-x``. This process
+on the :term:`Puppet Server` in the form of ``pupmod-name-x.x.x-x``. This process
 allows for one main SIMP baseline to be maintained and modules to be upgraded
-easily. An overall SIMP RPM is also installed on the Puppet Master, which
+easily. An overall SIMP RPM is also installed on the Puppet Server, which
 denotes the version number of SIMP that is installed.
 [:ref:`CM-2`, :ref:`CM-2 (2)`, :ref:`CM-2 (3)`, :ref:`CM-6`]
 
@@ -103,8 +103,8 @@ any file managed by Puppet). In the event that a managed file is changed
 locally, Puppet will revert the file back to its original state.  It is
 important to note that this is a function of Puppet and is intended to be more
 of a configuration management feature rather than a security feature. If a
-Puppet client has been compromised, the Puppet Master may not have the ability
-to retake control over that client.  However, the Puppet Master can configure
+Puppet client has been compromised, the Puppet Server may not have the ability
+to retake control over that client.  However, the Puppet Server can configure
 all other nodes to deny traffic from the compromised node if they are
 configured by the administrator to do so. There are additional configuration
 files that are checked by AIDE, which is triggered by a cron job. AIDE logs any

docs/security_conop/System_Management.rst

@@ -24,12 +24,12 @@ describes the known areas in SIMP.
   - * Risk
     * Possible Mitigations
   - * **Disabling Puppet**: This can cause the clients to be out of sync with
-      the Puppet Master.
+      the :term:`Puppet Server`.
     * SIMP attempts to force a break on any locks and restart Puppet on all
       clients after a time of 4*runinterval (30 minutes by default).
       Implementations should ensure that further steps have not been taken to
       disable Puppet and should monitor their logs. Administrators can use the
-      puppetlast command on the Puppet Master to detect servers that have not
+      puppetlast command on the Puppet Server to detect servers that have not
       checked in within a reasonable time period.
   - * **Out of Date Patches**: SIMP can be built with the RPMs from CentOS or
       Red Hat. Those RPMs should be assumed out of date at the time a system is

docs/security_conop/Technical_Security.rst

@@ -186,7 +186,7 @@ Default Server Ports
 =========== ========= ========== ========= ======= =======================================================================
 Application Direction Protocol   Transport Ports   Comment
 =========== ========= ========== ========= ======= =======================================================================
-Puppet      Localhost HTTP       TCP       8140    The port upon which the Puppet master listens for client connections via Apache
+Puppet      Localhost HTTP       TCP       8140    The port upon which the :term:`Puppet Server` listens for client connections via Apache
 Puppet CA   In        HTTPS      TCP       8141    This is used to ensure that Apache can verify all certificates from external systems properly prior to allowing access to Puppet.
 Apache/YUM  In        HTTP       TCP       443     This is used for YUM and is encrypted using https.
 DHCPD       In        DHCP/BOOTP TCP/UDP   546,547 DHCP pooling is disabled by default and should only be used if the implementation requires the use of this protocol.
@@ -509,9 +509,9 @@ the log server over a TLS protected link.
 Time Synchronization
 --------------------
 
-Each SIMP client (including the Puppet Master) has ``ntpd`` enabled by default.
+Each SIMP client (including the Puppet Server) has ``ntpd`` enabled by default.
 Part of the installation directs the clients to a time server.  If no servers
-are available, the SIMP clients can use the Puppet Master as the central time
+are available, the SIMP clients can use the Puppet Server as the central time
 source. Audit logs receive their time stamp from the local server's system
 clock; therefore, the SIMP client must be connected to a central time source
 for timestamps in audit logs to be accurate.

docs/security_mapping/components/apache/automated_central_management_application_verification/control.rst

@@ -1,8 +1,8 @@
 Automated Central Management / Application / Verification
 ---------------------------------------------------------
 
-SIMP uses rsync (over stunnel) to keep files in ``/var/www`` synchronized between
+SIMP uses `rsync` (over `stunnel`) to keep files in ``/var/www`` synchronized between
 all web servers.  Any files that need to be the same on all web servers are
-then managed from the puppet master.
+then managed from the :term:`Puppet Server`.
 
 References: :ref:`CM-7 (1)`

docs/security_mapping/components/apache/transmission_confidentiality_and_integrity/control.rst

@@ -1,9 +1,9 @@
 Transmission Confidentiality and Integrity
 ------------------------------------------
 
-The SIMP server/puppet master has an SSL enabled Apache web server running on
-port 443.  The protocols are limited to TLSv1, TLSv1.1, and TLSv1.2.  If the
-web client does not support those protocols, the connection will be rejected.
-The certificates are in the ``/etc/pki/simp_apps/simp_apache/x509`` directory.
+The :term:`SIMP Server` has a :term:`TLS` enabled Apache web server running on
+port 443.  The protocols are limited to TLSv1.2.  If the web client does not
+support those protocols, the connection will be rejected.  The certificates are
+in the ``/etc/pki/simp_apps/simp_apache/x509`` directory.
 
 References: :ref:`SC-8`

docs/security_mapping/components/named/automated_central_management_application_verification/control.rst

@@ -1,7 +1,7 @@
 Automated Central Management / Application / Verification
 ---------------------------------------------------------
 
-Named configuration files are synchronized between the puppet master and the
-named servers using rsync.
+`Named` configuration files are synchronized between the :term:`Puppet Server`
+and the :term:`DNS` servers using `rsync`.
 
 References: :ref:`CM-7 (1)`

docs/security_mapping/components/pam/least_privilege/control.rst

@@ -5,7 +5,7 @@ SIMP uses the access conf file to identify which accounts can login to a system.
 After all other identification and authentication checks have passed, the pam
 access.conf file is checked to ensure the user is allowed to login.  SIMP
 allows ``root`` and the ``administrators`` group to login to all systems and the
-``simp`` user to login to the puppet master.  All other users must be explicitly
-added to the access.conf file using the SIMP pam module.
+``simp`` user to login to the :term:`Puppet Server`. All other users must be
+explicitly added to the ``access.conf`` file using the SIMP `pam` module.
 
 References: :ref:`AC-6`