- Security Compliance Management 3.1.0Default Desired OS Compliance, Disaster Recovery Instructions, New Tutorials, Updated Assessor & Benchmark Support
- Puppet Enterprise 2023.7New CI/CD and Compliance Consoles & More
- Security Compliance Management 3.0.0New Name, New Installer, Updated OS Benchmark Support & More
- Security Compliance Enforcement for Windows and Linux 2.0.0New Name, More OS Support, Updated Benchmarks & More
- Comply 2.19.0New API Endpoints, Updated Benchmarks + More
- Continuous Delivery for Puppet Enterprise 5.3 and 4.29Activity Report + APIs for Automation
- PE 2023.6 (STS) & 2021.7.7 (LTS)New Status Page, 100+ Concurrent Plans + More
- CEM for Linux 1.9.0CIS Benchmark Support for RHEL 9 + Oracle Linux 9
- Comply 2.18.0New API, Assessor + Benchmarks
- CD4PE 4.28.0Continuous Delivery for Puppet Enterprise
- Puppet Comply 2.17.0100k Node Count, Scanner Updates + More
- CEM for Linux 1.8.0CIS Benchmark Support for Rocky Linux 8
- CD4PE 4.27.1 + 5.1.2Job Run Error Corrections
- CD4PE 4.27.0Login Error Correction
- PE 2023.4 (STS) & 2021.7.5 (LTS)Puppet 8, Cert Management + More Great Features
- CEM for Linux 1.7.0STIG Benchmark Support for RHEL 7 + 8
- Puppet Comply 2.16.0Node Count + Updated Assessor
- CD4PE 5.0.0New Bolt-Based Installer
- CEM for Windows 1.5.0Compliance Enforcement Modules
- CD4PE 4.26.0Continuous Delivery for Puppet Enterprise
- Puppet Comply 2.15.0Scalability + Benchmark Updates
- CD4PE 4.25.0Continuous Delivery for Puppet Enterprise
- Puppet Comply 2.14.0RBAC, Node Count + More
- CEM for Windows 1.4.0Compliance Enforcement Modules
- Puppet Enterprise 2023.1 & 2021.7.3
- Puppet Comply 2.13.0
- Puppet 8Helpful Updates to Puppet's Source Code
- Puppet Enterprise 2023.0
- Puppet Enterprise 2021.7.2 (LTS)
- Puppet 7.0.0
- CD4PE 4.11.0Continuous Delivery for Puppet Enterprise
- Puppet Report Viewer 3.1
- Puppet Enterprise 2021.6
- Puppet Enterprise 2021.5
- Puppet Enterprise 2021.4
- Puppet Enterprise 2021.3
- Puppet Enterprise 2021.2
- Puppet Enterprise 2021.1
- Puppet Enterprise 2019.8.11 (LTS)
- Puppet Enterprise 2019.8.10 (LTS)
- Puppet Enterprise 2019.8.9 (LTS)
- Puppet Enterprise 2019.8.8 (LTS)
- Puppet Enterprise 2019.8.7 (LTS)
- Puppet Enterprise 2019.8.6 (LTS)
- Puppet Enterprise 2019.8.5 (LTS)
- Puppet Enterprise 2019.8.4 (LTS)
- Puppet Enterprise 2019.8.3 (LTS)
- Puppet Enterprise 2019.8.2 (LTS)
- Puppet Enterprise 2019.8.1 (LTS)
- Puppet Enterprise 2019.8 (LTS)
- Puppet Enterprise 2019.7
- Puppet Enterprise 2019.6
- Puppet Enterprise 2019.5
- Puppet Enterprise 2019.4
- Puppet Enterprise 2019.3
- Puppet Enterprise 2019.2
- Puppet Enterprise 2019.1 (STS)
- Puppet Enterprise 2019.0 (STS)
- Puppet Enterprise 2018.1.8 (LTS)
- Puppet Enterprise 2018.1.5 (LTS)
- Puppet Enterprise 2018.1.0 (LTS)
- Puppet Enterprise 2017.3 (STS)
- Puppet Enterprise 2017.2 (STS)
- Puppet Enterprise 2017.1 (STS)
RELEASE NOTES DEMO PUPPET ENTERPRISE
June 27, 2024
With this release of Security Compliance Management (formerly Puppet Comply), Puppet Enterprise users can now set their desired compliance defaults for each operating system (OS), saving valuable time when adding new nodes to a common OS.
We’ve added instructions for performing data backups and a guided tutorial for conducting ad hoc scans using the REST API available with Security Compliance Management. This release also includes CIS Benchmark updates, fixes for several known issues, and security updates.
New in this release:
- Desired compliance can be set for operating systems. Any node added to that OS will automatically be assigned the default benchmark and profile you set for that OS.
- Added instructions on data backup: Security Compliance Management now includes instructions for backing up your data to make it easier to restore systems in a disaster recovery scenario.
- REST API tutorial: A new tutorial guides users through running an ad hoc scan in Security Compliance Management using the REST API added in 2.18.0.
- journald logging instructions: Added instructions on how to access relevant log files with the journald logging driver.
- Inclusion of CIS-CAT® Pro Assessor v4.42.0 (released May 30, 2024).
- Security Compliance Management is regularly updated with the latest version of the CIS-CAT Pro Assessor, which assesses system compliance with CIS Benchmarks to generate actionable insights.
- Added support for the latest CIS Benchmarks for the following operating systems:
- Debian Linux 12 Benchmark v1.0.1
- Microsoft Windows 11 Stand-alone Benchmark v3.0.0
- Microsoft Windows Server 2019 Benchmark v3.0.1
Issues resolved in this release:
- Fixed an issue that could prevent existing scheduled scans from running after migrating from Security Compliance Management version 2.x to 3.x.
- Fixed an issue where the search box on the exceptions page wouldn’t accept input.
- Fixed an issue that was causing macOS nodes to be listed as Darwin on the Inventory page, which prevented the desired compliance from being set for those nodes.
Security fixes in this release:
- Resolved the following CVEs:
- Updated braces to address CVE-2024-4068
- Updated KeyCloak to address CVE-2024-2961, CVE-2024-33599, CVE-2024-2700, CVE-2024-1132, CVE-2024-1249, CVE-2024-2419, CVE-2024-3656, GHSA-69fp-7c8p-crjr
- Updated oauth2-proxy to address CVE-2023-5363
May 21, 2024
In today’s operating reality, organizations need more value from the tools they’re already using. This release adds more features and functionality to Puppet Enterprise to help users do more with their infrastructure, faster and more securely.
With the release of Puppet Enterprise 2023.7, the inclusion of Continuous Delivery lets customers build, test, and deploy Puppet code. Security Compliance Management provides compliance scanning, assessment, and monitoring capabilities within Puppet, using Puppet infrastructure as code to measure security and compliance posture against custom policies and the integrated CIS-CAT® Pro Assessor for maximum compliance visibility.
Additionally, Puppet Enterprise 2023.7 adds previews of premium features to the Puppet Enterprise Console. Get a sneak peek at Impact Analysis (which lets you preview the impact of your next code change on existing configurations before you merge) and Security Compliance Enforcement (policy as code for correcting drift and enforcing desired state configurations hardened against CIS Benchmarks and DISA STIGs) and learn more with new links in the Puppet Enterprise Console.
Puppet Enterprise 2023.7 also includes additional agent support, bug fixes, and security updates to ensure smoother operations, consistent infrastructure uptime, and maximum usability of Puppet Enterprise.
New in this release:
- Security Compliance Management is now included with Puppet Enterprise, adding compliance monitoring and assessment insights as part of the same Puppet Enterprise license.
- Continuous Delivery is now included with Puppet Enterprise, adding CI/CD capabilities that let you build, test, promote, and deploy Puppet code and integrate with your current pipelines as part of the same Puppet Enterprise license.
- Security Compliance Management and Continuous Delivery can be accessed from Puppet Enterprise. Users can launch the new consoles by clicking quick links in the Puppet Enterprise console.
- Added agent support for the following operating systems:
- Amazon Linux 2023 amd64
- Amazon Linux 2023 aarch64
- Debian 11 aarch64
- Debian 12 amd64
- Debian 12 aarch64
- macOS 14 ARM
- macOS 14 x86_64
- FIPS 140-2 compliant Red Hat Enterprise Linux (RHEL) 9 x86_64
Issues resolved in this release:
- Fixed an issue where promoting a replica using the disaster recovery workflow could lead to file sync corruption and code deployment failures.
- Fixed an issue where the
recover_configuration
cron job could sometimes cause a Puppet server restart. - Included REXML Ruby gem, correcting issues for modules reliant on XML interactions with the REXML library.
- Fixed an issue where pinning a node resulted in the pinned node being incorrectly displayed in the main rules section when a node group was set to match any rule.
- Added use of the full Puppet binary path for backup and restore commands, eliminating certain failures during backup commands (e.g., running the backup command from a cron job).
Security fixes in this release:
- Addressed the following CVEs:
- CVE-2024-22871
- CVE-2024-1597
- CVE-2024-25710
- CVE-2024-26308
- CVE-2023-42503
- CVE-2024-46218
RELEASE NOTES DEMO PUPPET ENTERPRISE
May 7, 2024
Starting with 3.0.0, Puppet Comply is now Security Compliance Management, and it’s included with Puppet Enterprise! Access it through the Security Compliance Management Console, exclusively in Puppet Enterprise to instantly gain valuable insight into the state of security of your Puppet estate.
Security Compliance Management retains all key features of Puppet Comply, including compliance assessment, monitoring, and reporting for configurations in your Puppet-managed infrastructure. Maintained and supported by Puppet, Security Compliance Management receives regular updates, just like Comply.
Automatic enforcement and remediation of hardened security baseline configurations is available in Security Compliance Enforcement (formerly Compliance Enforcement Modules), available as a premium feature for Open Source Puppet and Puppet Enterprise.
This release includes the latest CIS-CAT® Pro Assessor, support for the latest CIS Benchmarks for key operating systems, fixes for various issues, and resolutions for security vulnerabilities in third-party dependencies.
New in this release:
- Puppet Comply is now Security Compliance Management
- Security Compliance Management is now included in the full Puppet Enterprise suite
- New installer wizard: The new Puppet Bolt-based installer for Security Compliance Management provides an easy wizard for installing, upgrading, and configuring Security Compliance Management in an agentless fashion via SSH.
- Inclusion of CIS-CAT® Pro Assessor v4.41.0 (released Apr. 25, 2024).
- Security Compliance Management is regularly updated with the latest version of the CIS-CAT Pro Assessor, which assesses system compliance with CIS Benchmarks to generate actionable insights.
- Added support for the latest CIS Benchmarks for the following operating systems:
- Debian Linux 11 Benchmark v2.0.0
- Microsoft Windows 10 Stand-alone Benchmark v3.0.0
- Microsoft Windows Server 2016 Benchmark v3.0.0
- Microsoft Windows Server 2019 Benchmark v3.0.0
- Microsoft Windows Server 2022 Benchmark v3.0.0
- Ubuntu Linux 18.04 LTS Benchmark v2.2.0
- Ubuntu Linux 22.04 LTS Benchmark v2.0.0
Issues resolved in this release:
- Fixed an issue where users could not change the desired compliance after changing the OS on a node.
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.41.0:
- PostgreSQL updated to v42.7.2.
- xmlsec updated to v4.0.1.
- cxf-core-updated to v3.5.8.
- bouncycastle updated to v1.78.
WINDOWS RELEASE NOTES LINUX RELEASE NOTES
May 7, 2024
New name, same great enforcement! Starting with 2.0.0, Compliance Enforcement Modules (CEM) is now Security Compliance Enforcement. It’s still a premium feature for Open Source Puppet and Puppet Enterprise that enforces secure configurations aligned to CIS Benchmarks and DISA STIGs — and it’s still created and supported by Puppet.
But the name’s not the only thing that’s changed. Security Compliance Enforcement 2.0.0 for Windows and Linux includes important updates to supported operating systems (including support for Ubuntu 20.04) and bug fixes to keep your infrastructure configurations aligned to security recommendations.
As part of the name change, the modules are now available on the Puppet Forge as sce_linux
and sce_windows
. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the Security Compliance Enforcement modules.
New in these releases:
Security Compliance Enforcement for Linux 2.0.0
- Compliance Enforcement/Compliance Enforcement Modules/CEM for Linux is now Security Compliance Enforcement for Linux
- Added support for the latest CIS Benchmarks for the following operating systems:
- Red Hat Enterprise Linux 8 (CIS Benchmark v3.0.0 Levels 1 and 2)
- Oracle Enterprise Linux 8 (CIS Benchmark v3.0.0 Levels 1 and 2)
- Alma Linux 8 (CIS Benchmark v3.0.0 Levels 1 and 2)
- Rocky Linux 8 (CIS Benchmark v2.0.0 Levels 1 and 2)
- Ubuntu 20.04 (CIS Benchmark v2.0.1 Level 1)
Security Compliance Enforcement for Windows 2.0.0
- Compliance Enforcement/Compliance Enforcement Modules/CEM for Windows is now Security Compliance Enforcement for Windows
Security fixes in these releases:
- Security Compliance Enforcement for Linux and Security Compliance Enforcement for Windows now support the latest versions of their respective Puppet module dependencies.
- Several bug fixes in both Security Compliance Enforcement for Linux and Security Compliance Enforcement for Windows.
March 14, 2024
Secure enterprise IT relies on simple, sensible access to valuable data on your security and compliance posture. In the previous release, we introduced a new REST API to help users retrieve and use data from Puppet Comply. With 2.19.0, we're making those powerful insights even more accessible and actionable with two new API endpoints for Export and Inventory functions.
This release also includes an update to the CIS-CAT Pro® Assessor embedded in Puppet Comply, updated benchmark support for enterprise Windows, and regular fixes for known security vulnerabilities.
New in this release:
- Additions to the Comply API. Improved accessibility and efficiency of Comply functions by adding two new endpoints to the Comply API.
- Exports API: Create, retrieve, download, and delete exports of data from Puppet Comply.
- Inventory API: Initiate a Puppet Enterprise inventory sync.
- Inclusion of CIS-CAT Pro Assessor v4.39.0 (released Feb. 28, 2024).
- Comply is regularly updated with the latest version of the CIS-CAT Pro Assessor, which assesses system compliance with CIS Benchmarks to generate actionable insights.
- Updated support for CIS Benchmarks:
- Microsoft Windows 10 Enterprise v3.0.0
- Microsoft Windows 11 Enterprise v3.0.0
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.39.0.
commons-compress
updated to v1.26.0
- Resolved CVE-2023-26159.
- Upgraded
follow-redirects-1.15.2
dependency tofollow-redirects-1.15.4
- Upgraded
DEMO PUPPET RELEASE NOTES 5.3 RELEASE NOTES 4.29
Feb. 8, 2024
We’re thrilled to share a new release for Continuous Delivery for Puppet Enterprise that will help you gain greater control of pipeline creation, as well as a new reporting function that will show the impact of Puppet across your organization. We’ve listened to your feedback to improve functionality and visibility in this latest release.
Watch: Introducing Activity Report in Continuous Delivery for Puppet Enterprise
New for this release:
- APIs for Automation: You wanted to automate end-to-end workflows, and now public APIs will allow you to automate connecting your Continuous Delivery for Puppet Enterprise installation to change management tools (e.g. Remedy). Create new pipelines and edit existing ones in your workspace — easily enabling you to add modules and repositories.
- Activity Report: We’ve added a new activity report that shows the value Puppet Enterprise is providing to your organization across all instances. You can now specify the time saved per task and per plan, which will help visualize the value Puppet is providing for key workflows.
- Personal access token management. You can now create authentication tokens to allow a user to enter their credentials once, then receive an alphanumeric token to access different services or parts of the system infrastructure. To manage personal access tokens, see Manage personal access tokens.
- OpenAPI support. You can now fetch data and automate your workflows with the Continuous Delivery for Puppet Enterprise REST API. To get started using Continuous Delivery for Puppet Enterprise public APIs, see REST API.
- Value reporting. You can now view activity values across all the Puppet Enterprise (PE) instances integrated within a workspace in the Activity report. To view your activity in Continuous Delivery for Puppet Enterprise, see Activity reporting.
- Refreshed Continuous Delivery for Puppet Enterprise pipelines UI. The Continuous Delivery for Puppet Enterprise pipelines pages have a refreshed appearance.
- Generate new SSL certificates. Added a cd4peadm::regen_certificates plan to generate new SSL certificates for the app, using the current configuration. After running this plan, usecd4peadm::apply_configuration to upload the new certificates to Continuous Delivery for Puppet Enterprise.
Security fixes in this release:
- CVE-2023-39325. Updated several direct and indirect dependencies to address this vulnerability.
STS RELEASE NOTES LTS RELEASE NOTES DEMO PUPPET
Feb. 6, 2024
You rely on your infrastructure to drive performance, security, and time to value. Puppet Enterprise 2023.6 (STS) and 2021.7.7 (LTS) focus on performance to deliver faster, more efficient automation workflows with a host of updates and enhancements.
Puppet users can expect enhanced increased responsiveness that enables them to meet the demands of modern IT operations faster than before. These releases also improve scalability to ensure that automation remains robust and reliable, even in large IT environments increasing the number of concurrent plans that can run.
Updates in these releases:
PE 2023.6 (STS)
- Identify operational issues affecting infrastructure nodes: The PE console now includes an Operational status page showing the result of the latest checks performed by the
pe_status_check
module. Issues requiring your attention are listed under the affected infrastructure nodes. - Run 100+ plans concurrently: PE 2023.6 introduces the
pe-plan-runner
service, which runs on the primary server by default, allowing concurrent execution of up to 100 plans.pe-plan-runner
also has the potential for further scaling based on available memory on the primary server. - Include or exclude catalog resource edges in catalogs sent to PuppetDB.
- A new guided workflow for configuring and running task jobs.
- Specify ciphers to use when establishing connections to configured LDAP servers.
- Added agent support for AIX 7.3.
PE 2021.7.7 (LTS)
- Added agent support for AIX 7.3.
Issues resolved in these releases:
PE 2023.6 (STS)
- Fixed issues where restoring PE from a backup could fail when
puppet
agent was running, if lockless code deployments were enabled, or when setting theclassifier_host
parameter. - Fixed an issue where upgrading the agent to Puppet 8 on FIPS-compliant RHEL 7 or 8 could cause the puppet service to stop unexpectedly.
PE 2021.7.7 (LTS)
- Fixed issues where restoring PE from a backup could fail when puppet agent was running, if lockless code deployments were enabled, or when setting the
classifier_host
parameter.
Security fixes in these releases:
PE 2023.6 (STS) & PE 2021.7.7 (LTS)
- Critical updates to Java, Postgres, and logback.
- Addressing CVE-2023-6378, CVE-2023-6378, CVE-2023-40167, CVE-2023-36479, CVE-2023-41900, CVE-2023-5869, CVE-2024-20952, CVE-2024-20918, CVE-2023-44487, CVE-2023-5072, CVE-2024-20932
RELEASE NOTES DEMO COMPLY + CEM
Puppet is excited to announce the immediate availability of Puppet CEM for Linux v1.9.0, featuring valuable added capabilities for enterprise customers.
Configuration drift is often cited by experts as a leading cause of security incidents and failed audits. Puppet’s Compliance Enforcement Modules (CEM) identify and quickly resolve configuration drift within infrastructure using policy-as-code (PaC) and are available for numerous editions of Windows and Linux.
CEM for Linux v1.9.0 incorporates support for the Center for Internet Security (CIS) benchmarks for two additional operating systems: Red Hat Enterprise Linux (RHEL) 9 and Oracle Linux 9, to ensure that these popular operating systems remain configured according to security policy. Both Level 1 and Level 2 benchmarks are supported.
CIS Level 1 benchmark profiles cover base-level configurations that are easier to implement and have minimal impact on business functionality. Level 2 benchmark profiles are intended for high-security environments and require more coordination and planning to implement with minimal business disruption.
Organizational efficiency gets a boost thanks to an improved auditing process which permits running a single Puppet Bolt® plan that includes up to 40 audit tasks to verify the configuration on one or more specified nodes.
Added
- Introduced support for the RHEL 9 operating system. You can now enforce the Center for Internet Security (CIS) RHEL 9 Benchmarks, Levels 1 and 2.
- Introduced support for the Oracle Linux 9 operating system. You can now enforce the Center for Internet Security (CIS) Oracle Linux 9 Benchmarks, Levels 1 and 2.
- The Bolt plan, run_audit, can be run with up to 40 audit tasks on one or more specified nodes to verify their configuration. The Bolt log file provides a list of audited controls and detailed results.
Changed
To help ensure compatibility between CEM for Linux and Puppet 8, the range of supported versions for the Puppet Labs® firewall module was changed. The firewall module must be at version 5.0 or later, but earlier than 6.0.
RELEASE NOTES DEMO COMPLY + CEM
Dec. 13, 2023
With the debut of Puppet Comply 2.18.0, Puppet is thrilled to announce the immediate availability of a powerful REST API for Puppet Comply. This valuable new interface allows users to quickly retrieve data at scale from Comply to share among groups and enrich other tools in the stack.
The new API leverages Comply’s native scalability to support data extraction for up to 100,000 nodes, enabling simpler enterprise compliance reporting at the summary and detail levels. Puppet’s open, integrated approach ensures data consistency across teams and tech to unlock productivity through smoother collaboration. No matter how you manage compliance, Comply’s new API enables the transparency, accountability, and responsiveness auditors require – and creates a single window of deep compliance visibility.
Additionally, an updated CIS-CAT Pro Assessor and no fewer than 10 updated Center for Internet Security (CIS) Benchmarks help Comply users stay abreast of the latest security standards across operating systems. Updates for AlmaLinux, macOS 11 and 12, Oracle Linux, and RHEL 8, along with a brand-new benchmark for macOS 13, round out the growing list of supported CIS Benchmarks in Comply.
New in this release:
- Added a RESTful API for Puppet Comply.
- Included the CIS-CAT Pro Assessor v4.36.0 (released Nov. 2023).
Benchmarks updated in this release:
- CIS AlmaLinux OS 8 Benchmark v3.0.0
- CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
- CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
- CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
- CIS Microsoft Windows Server 2012 (non-R2) Benchmark v3.0.0
- CIS Microsoft Windows Server 2012 R2 Benchmark v3.0.0
- CIS Microsoft Windows Server 2016 STIG Benchmark v2.0.
- CIS Oracle Linux 8 Benchmark v3.0.0
- CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0
- CIS Rocky Linux 8 Benchmark v2.0.0
Benchmarks added in this release:
- CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
Benchmarks removed in this release:
- CIS Apple macOS 10.15 Catalina Benchmark v3.0.0
Issues resolved in this release:
- Node results page shows compliance score without exceptions.
- Security fixes.
Nov. 30, 2023
This release of Continuous Delivery for Puppet Enterprise (CD4PE) touts performance improvements and enhancements to Impact Analysis, a key feature that enables a powerful added layer of visibility to help you preview the potential impact of changes to your code before deploying.
New in this release:
- Impact Analysis enhancements: It is now possible to filter the number of nodes running impact analysis by a percentage of the total nodes affected to reduce bottlenecks for customers with large installs.
Issues resolved in this release:
- Fixed an issue in the node table so that fact charts show the correct number of nodes with filters applied.
Security fixes in this release:
- CVE-2023-36478: CD4PE is not vulnerable to this CVE, but it now runs the updated version of Jetty that addresses this vulnerability.
RELEASE NOTES DEMO COMPLY + CEM
Nov. 2, 2023
Comply receives another boost in supported node count with support for a maximum of 100,000 nodes. The latest CIS-CAT Pro® Assessor from The Center for Internet Security (CIS) has been integrated, with updates to Ubuntu Linux benchmarks and removal of several older benchmarks. The CIS-CAT Pro Assessor for MacOS now contains embedded Java.
New in this release:
- Scalability improvements for enterprise-grade compliance management.
- Node count increased to 100,000.
- Embedded JRE for MacOS eliminates the need for a separate Java install.
- Included the CIS-CAT Pro Assessor v4.34.0.
- Updated support for CIS Benchmarks for Ubuntu Linux 20.04 LTS Benchmark v2.0.1.
- Removed support for older CIS Benchmarks.
Issues resolved in this release:
- Resolved several reported issues.
RELEASE NOTES DEMO COMPLY + CEM
Oct. 24, 2023
The latest release of CEM for Linux features brand-new support for enforcing Level 1 and Level 2 CIS Benchmarks for Rocky Linux 8.
Additionally, support for RHEL 8, AlmaLinux 8, and Oracle Linux 8 systems is now enhanced with the addition of several additional important security controls, including ensuring that the Linux talk and remote shell (rsh) clients are not installed, and automatically locking inactive user accounts within 30 days of password expiration. Not to be left out, Oracle Linux 7 now benefits from the added security of no fewer than 5 additional controls!
New in this release:
- CIS Benchmarks (L1 & L2) are now enforceable on Rocky Linux 8.
- The following Red Hat Enterprise Linux (RHEL) 8, AlmaLinux 8, and Oracle Linux 8 systems controls can now be enforced(see release notes for additional control details):
- Control 2.3.2
- Control 2.3.3
- Control 5.6.1.4
- The following Oracle Linux 7 systems controls can now be enforced (see release notes for additional control details):
- Control 1.4.1
- Control 1.4.2
- Control 1.6.1.2
- Control 4.1.1.3
- Control 4.1.2.4
Issues resolved in this release:
- Fixed an issue related to data protection in log files. The CIS Oracle Linux 8 Benchmark v2.0.0 now ensures access permissions are also enforced for log files that are hidden.
4.27.1 RELEASE NOTES 5.1.2 RELEASE NOTES DEMO CD4PE
Oct. 11, 2023
This dual release of CD4PE removes barriers to efficiency by correcting an issue that could cause jobs to fail in the first stage of the pipeline.
Issues resolved in these releases:
- Corrected an issue in which CD4PE jobs had a chance of failing if run in the first stage of the pipeline (following a series of changes in a previous version that added additional context to the job environment).
Oct. 4, 2023
This release corrects an issue that could cause login errors, improving the user experience for CD4PE users.
Issues resolved in this release:
- Fixed an issue that could create login errors for LDAP users when deleting a workspace.
STS RELEASE NOTES LTS RELEASE NOTES DEMO PE 2023.4
STS: Oct. 3, 2023
LTS: Sept. 2023
Your increasingly complex IT environment needs to move faster than ever, so we’ve updated Puppet to ensure your IT operations teams can keep pace to drive better performance and scale your enterprise infrastructure. The 2023.4 release of our leading-edge PE release stream (also referred to as STS) includes powerful new improvements that will help you increase operational efficiency by maximizing resources and streamlining processes.
New in these releases:
PE 2023.4 (STS)
- Puppet 8: PE 2023.4 includes Puppet 8, the eighth full release of Puppet’s open source code. Puppet 8 includes updates to configuration reporting, protections for user inputs, and more. Additionally, access to the latest OS versions like OpenSSL 3 and Ruby 3.2 will improve performance and add additional security.
- Effortless certificates management: Auto-renewal alleviates the challenge of manually reinstating expired certificates across your IT.
Watch Certificate Management in Action in PE 2023.4
- Orchestrator enhancements: Improvements to the Orchestrator constrain task concurrency to individual jobs rather than sharing across jobs, allowing independent jobs to start execution without latency.
- PuppetDB efficiency improvements: PuppetDB will make sure reports run smarter with optimized indexes, increasing speed and efficiency.
- New OS support for primary and secondary: MacOS 13 (ARM and x86_64) Agents, Ubuntu 22.04 & RHEL 9 Primary
- Enhanced UI: Edit scheduled plans effortlessly with a simplified interface.
- More enhancements: This release includes several changes designed to increase efficiency and usability.
PE 2021.7.5 (LTS)
- Classifier service flags unmappable legacy facts in node group rules: PE 2021.7.5 generates warning messages to flag uses of certain legacy facts that don’t map to equivalent structured facts in Puppet 8.
- New OS support for primary and secondary: MacOS 13 (ARM and x86_64) Agents, Ubuntu 22.04 and RHEL 9 Primary
- Customizable HTTP-client limits in Orchestrator: Specify connection limit parameters to match infrastructure requirements.
- Configurable socket timeout in Orchestrator: Specify the maximum time before socket timeout by changing the default value.
- Improved error logging for the puppet backup command: In PE 2021.7.5, descriptive error messages will display in the terminal and log file, instead of generic messages displayed in previous releases.
- Added primary server platforms: RHEL 9 x86_64, Ubuntu 22.04 amd64
- Added agent platforms: macOS 13 ARM and x86_64
- Added client tools platforms: macOS 13 ARM and x86_64
- Added patch management platforms: RHEL 9 x86_64
- Removed agent platforms: CentOS 7 aarch64, macOS 10.15, Oracle Linux 7 aarch64, Red Hat 7 aarch64, Scientific Linux 7 aarch64
- Removed client tool platform: macOS 10.15
Issues resolved in these releases:
PE 2023.4 (STS)
- Fixed an issue in which installing a Windows agent through the console could fail when the Test Connections checkbox was selected.
PE 2021.7.5 (LTS)
- Fixed an issue in which installing a Windows agent through the console could fail when the Test Connections checkbox was selected.
Security fixes in these releases:
PE 2023.4
- Addressed CVE-2023-5255.
RELEASE NOTES DEMO COMPLY + CEM
Sept. 28, 2023
Keep your configurations consistent and compliant at scale with regular updates to Compliance Enforcement Modules (CEM), available in Puppet Comply. This release features updated support for STIG benchmarks for Red Hat Enterprise Linux (RHEL) 7 and 8 along with a slew of updates to improve the user experience.
New in this release:
- Updated support for STIG benchmark to Version 3 Release 12 (V3R12) for RHEL 7.
- Updated support for STIG benchmark to Version 1 Release 11 (V1R11) for RHEL 8.
Issues resolved in this release:
- Regular bug fixes (see full release notes above).
RELEASE NOTES DEMO COMPLY + CEM
Sept. 21, 2023
Large enterprises continue to receive attention from the Comply engineering team. To give IT teams an even broader degree of decision-making power over their infrastructure compliance, Comply 2.16.0 features dramatic increases to supported node count, continuing a trend from recent Comply releases.
Comply 2.16.0 also integrates the latest CIS-CAT Pro® Assessor from The Center for Internet Security (CIS), with updates to Ubuntu Linux and Debian Linux benchmarks.
New in this release:
- Scalability improvements for enterprise-grade compliance management.
- Node count increased to 75,000.
- Updated support for CIS Benchmarks.
- Included the CIS-CAT Pro Assessor v4.33.0.
- Resolved several reported issues.
Sept. 8, 2023
Streamline Puppet code testing even further with a new installation method based on Bolt, fully supported by Puppet. New to CD4PE 5.0.0, the lightweight installer helps users reduce TTV with a familiar workflow, improved supportability and a seamless install process that doesn’t involve Kubernetes administration. With the new CD4PE installer, your team can start using CD4PE faster than ever, keep driving value with a streamlined upgrade path, and save time with easier license management and troubleshooting.
CD4PE 5.x series replaces Puppet Application Manager with Puppet Bolt for installation and management. Users must migrate 4.x series data (including the database, object store, and configuration settings) to the new installation. For migration instructions, visit Docs.
New in this release:
- New Bolt-based installer and administration platform. In the CD4PE 5.x platform, Puppet Bolt, an open-source agentless automation tool fully supported by Puppet, is now used to manage an automated plan for installing CD4PE. The replacement enables a significantly streamlined experience for installation, upgrades, license management, troubleshooting, and more.
Removed in this release:
- Deprecated support for Puppet Application Manager. In CD4PE 5.0.0, Puppet Application Manager has been replaced by Puppet Bolt for installation and management.
RELEASE NOTES DEMO COMPLY + CEM
Aug. 22, 2023
Staying aligned with the most up-to-date benchmarks from the Center for Internet Security (CIS) is the best way to ensure that you’re benefitting from the latest security recommendations.
Puppet’s Compliance Enforcement Modules (CEM) simplify the task of keeping your Puppet Enterprise-managed nodes in continuous compliance with recent benchmark releases for popular versions of Microsoft Windows and Linux.
New in this release:
- Added enforcement for the Center for Internet Security (CIS) Benchmark v2.0.0 for the following Windows operating systems:
- Microsoft Windows 10 Enterprise
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Enhanced upgrade documentation to ensure a smooth transition to version 1.5.0.
Aug. 2023
A series of UI updates in Continuous Delivery for Puppet Enterprise 4.26.0 make it easier to find what you need to test and deliver your Puppet code faster and with greater accuracy. In addition, a security fix addresses a CVE related to the Okio client when handling a GZIP archive to improve the usability and reliability of CD4PE.
New in this release:
- Refreshed the “Control Repos” and “Modules” pages.
- Modernized the UI for easier, more intuitive navigation.
- Large object data store is now using PostgreSQL.
Security fixes:
- Upgraded okio-jvn to version 3.4.0 to address CVE-2023-3635.
Aug. 10, 2023
Compliance scalability continues to be a challenge for enterprise organizations, which means it's a major focus for the Comply engineering team. Following the notable increases to supported node count in 2.14.0, Comply 2.15.0 has also now dramatically improved export functionality to allow users to export raw data results for up to 50,000 nodes.
Leaning into our valued partnership with the Center for Internet Security (CIS), Comply 2.15.0 also integrates the CIS-CAT Pro® Assessor v4.32.0 with updates to MacOS benchmarks.
New in this release:
- Scalability improvements for enterprise-grade compliance management.
- Raw data export support increased to 50,000 nodes.
- Updated support for CIS Benchmarks.
- Included the CIS-CAT Pro Assessor v4.32.0 (July 2023) with benchmark coverage for Apple macOS 11 v3.1.0 and 12 v2.1.0.
- Resolved several reported issues.
Issues resolved in this release:
- Fixed an issue where inventory sync made paging requests without ordering, leading to ingest retrieving fewer hosts than expected. Also improved database efficiency and accuracy.
- Fixed an issue where filters in the 'Compliance over time' chart could display missing days.
- Fixed an issue where discrepancies appeared between active exceptions counts on the Comply dashboard and the exceptions page.
When it comes to code delivery, usability is key to saving time and reducing headaches. A new series of UX updates – including message updates and a refresh of some of the most user-facing pages in CD4PE – make it easier than ever for teams to work together to integrate and deliver great Puppet code. Additionally, a slew of issue fixes and security updates make sure you can keep working in CD4PE with confidence.
New in this release:
- Refreshed the “Create Account” and “Forgot Password” pages in CD4PE.
- Modernized the UI for easier, more intuitive navigation.
Issues resolved in this release:
- CD4PE default pipeline impact analysis fails with a non-actionable error message: Updated the error message to make it more descriptive and useful when a pipeline with no deployment stage fails the impact analysis stage.
- GetJobInstanceV1 returns control repo display name for GitLab: Fixed an issue where links to a GitLab source control repository from the Job details screen wouldn't work if the control repo/module name did not match the GitLab repo name.
Security fixes:
- Upgraded gin-gonic to version 1.9.1 to address CVE-2023-29401.
- Upgraded guava to version 32.0.0-android to address CVE-2023-2976.
The refreshed "Create user account" page in CD4PE 4.25.0.
RELEASE NOTES DEMO PUPPET COMPLY
One of the most frequently requested features for Puppet Comply has been to support different user roles. Comply 2.14.0 adds role-based access control, enabling you to designate three roles based on access need. We also increased node support in this release so you can confidently stretch your compliant infrastructure even further.
We also updated integration with the latest CIS-CAT Pro Assessor and numerous benchmarks, and resolved a few vulnerabilities in this release.
- Identity and access management
- RBAC integration with three default roles: Admin, operator, and viewer
- Support for importing from LDAP
- Scalability improvements for enterprise-grade compliance management
- Node count increased to 50,000
- Updated support for numerous CIS Benchmarks
- Included the CIS-CAT Pro Assessor v4.30.0
- Addressed multiple CVEs
- Resolved an issue when scanning a node in the Darwin family (Mac OS X/macOS)
RELEASE NOTES DEMO COMPLY + CEM
With CEM for Windows, you can bring your Puppet Enterprise-managed nodes into compliance with the CIS Benchmark for Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows 10. The expanded support in CEM for Windows 1.4, coupled with the existing broad coverage in CEM for Linux, allows you to enforce CIS Benchmark compliance across your Windows and Linux infrastructure.
- Added enforcement for the Center for Internet Security (CIS) Microsoft Windows Server 2022 Benchmark v2.0.0
- cem_windows no longer supports the use of legacy configuration as of this update. cem_windows is no longer compatible with configurations that were used before v1.1.0. Please update any legacy configuration to the current standard of configuring cem_windows
These patch releases include fixes and performance upgrades for existing features.
These releases represent the latest updates in the Puppet Enterprise (PE) 2023 and 2021 streams, following the releases of PE 2023.0 and PE 2021.7.2 LTS in January 2023. These new, backward-compatible releases contain fixes and performance upgrades for existing features and functionality.
For a detailed list of enhancements and fixes in PE 2023.1, see the PE 2023.1 release notes.
For a detailed list of enhancements and fixes in PE 2021.7.3, see the PE 2021.7.3 release notes.
For security and vulnerability announcements, see CVE Content.
Performance enhancements in these releases:
- Improved performance when querying PuppetDB
- Improved performance for several functions in the Puppet language
- More reliable warnings when updating Puppet Server
Deprecation of Pure JavaScript Open Notation (PSON) for serializing data in Puppet 7
Resolved issues in these releases:
- Tasks page is available following a software update
- Enabling the lockless code deploy feature no longer causes performance issues in PuppetDB catalog compilation
- Performance issue with Puppet agent runtimes is resolved
- Certificates and keys can be backed up and restored by specifying the certs scope
- Updates implemented to help users enter valid URLs
- Timeouts can be specified for SAML authentication
- User-defined temporary directory is honored during PE restore operations
- Issue that caused an unexpected increase in CPU usage is resolved
Additional issues resolved in PE 2023.1, related to new features in 2023.0:
- Scheduled task jobs run successfully without a defined timeout
- Timeout and concurrency values for scheduled tasks can be viewed and edited in the console
- When tasks are rerun in the console, timeout and concurrency attributes are preserved
- Access rights for remote users can be revoked and reinstated from the console
Security fixes in both releases:
- CVE-2023-1894
- CVE-2023-26048
Effective compliance requires good visibility. Comply’s dashboard has received significant enhancements in 2.13.0, bringing new clarity to your compliance standing. Compliance statistics are reported on servers that live on-prem or in the cloud. Search and subset node views based on server attributes, such as name or operating system, and drill down to key focus areas to quickly identify areas where action is needed.
As always, we called upon our unique partnership with the Center for Internet Security (CIS) to power Comply with the latest CIS-CAT Pro Assessor (v4.28.0), and we’ve incorporated the latest benchmarks and standards so your compliance has the most up-to-date expert standards built in.
We even had time to fix a couple of nagging little bugs from prior releases, address a few CVEs, and boost performance.
- Redesigned dashboard with new graphs, node count and exceptions, and accessible action steps
- Improved performance and scalability
- Included the CIS-CAT Pro Assessor v4.28.0
- Updated benchmark support
- Resolved multiple vulnerabilities
RELEASE NOTES UPGRADE START PE TRIAL
April 2023
Puppet powers better infrastructure in thousands of organizations worldwide – and changes to Puppet source code always target better efficiency, scalability, and usability. Puppet 8 is the biggest update to Puppet since Puppet 7’s first release in November 2020. Along with a host of behind-the-scenes updates, Puppet 8 adds brand-new features that ensure better security, reliability, and performance, like automatic certificate renewal and an error-proof Strict Mode.
Puppet 8 is included in all Puppet Enterprise releases since PE 2023.4 (STS) and PE 2021.7.5 (LTS).
New in this release:
- Updates to certificate management: Automatic certificate renewal addresses a huge IT ops pain point. With customizable automatic certificate management, Puppet 8 reduces the toil of managing certificates across large fleets, enabling faster security fixes and continuous compliance across your infrastructure.
- Ruby 3.2 and OpenSSL 3: With Puppet 8, Puppet is now on the latest branch of Ruby 3.2 and OpenSSL 3, reducing vulnerability scanning concerns.
- Strict Mode: Puppet 8 introduces Strict Mode, which throws an error rather than allowing incorrectly passed changes (like typos). Strict Mode helps avoid both costly mistakes and unauthorized attempts to reassign variables.
- Default exclusion of unchanged resources from reporting: Unchanged resources will no longer appear in reporting by default, reducing the amount of digging needed to get to actionable insights from each Puppet run.
- Dropping Hiera 3: Removing Hiera 3 trims down the Puppet 8 install for better efficiency and performance.
- If you rely on a Hiera 3 backend, you must convert your backend to Hiera 5.
- Default lazy evaluation of deferred functions: Operate with greater mobility and security when accessing something you don’t want passed through the Puppet infrastructure nodes (e.g., vault secrets).
Watch Certificate Management in Action
Puppet 2023.0 is the latest release following 2021.7, now using updated versioning. It’s a backward-compatible release that contains enhancements and resolved issues from our previous major release.
Here are the highlights of Puppet Enterprise 2023.0:
- NIST compliance: Puppet 2023.0 ensures that sensitive information is cleared when a session times out. You can customize the timeout to specify a default value and issue a confirmation message. In this way, you reduce compliance risk for InfoSecOps and administrators. This feature is designed for compliance with National Institute of Standards and Technology (NIST) guidelines.
- Authenticate users in multiple Lightweight Directory Access Protocol (LDAP) domains: Use a prioritized list of LDAP servers to get credentials. In this way, you reduce compliance risk and increase operational efficiency for administrators.
- Streamlined user interface for tasks and plans: Increase observability, throughput, fault tolerance, and operational efficiency with new job and task queue status, task concurrency fine-tuning, default job timeouts, and the capability to stop stalled jobs. View and edit task parameters, targets, and other details. The new functionality is designed to benefit users, operators, and managers.
- Scalability performance improvements to deploy and manage more nodes: Increase operational efficiency and accelerate time to value with new orchestrator task concurrency defaults and improvements. Reporting, database performance, and agent certificate regeneration improvements are provided as well to benefit all users.
Component Updates
- Java 17
Deprecations
Removed primary server platforms:
- CentOS 8
Removed agent platforms:
- CentOS 8
- Debian 9
- Fedora 32
- Fedora 34
- Ubuntu 16.04
Removed patch management platforms:
- Debian 9
- Fedora 34
- Inclusion of Facter 4
- Inclusion of Ruby 2.7
- Definition of locations for storing sensitive data
- Removal of harmful terminology from the Puppet platform
- Removal of several Win32 gems to consolidate Windows functionalities
- Environment and Fact caching
- Iterable data type supplants Enumerable data type
- Removal of legacy code
- Added Postgres 11+ requirement
- PuppetDB migration to new HTTP client
- New and revamped filters support more advanced queries
- Target specific sets of infrastructure data with compound filters
- New tracked metrics for Puppet Server, PuppetDB, and Orchestrator
- Performance and workload metrics allow for better troubleshooting of performance issues
- Replaced default dashboards to visualize new metrics
- Lockless code deploy, stable since version 2021.2, is now no longer an experimental feature, preventing code deploys from blocking catalog compilation
- PE orchestrator plans and code deployments can now be run concurrently without interruption
- Primary server support: FIPS-compliant RHEL 8, SLES 15, Ubuntu 20.04; Client support: macOS 12 (x86); TLS 1.3 support added
- Optimized disk utilization for HA deployments
- Amazon Linux 2 support for primary server deployment
- Patch management available for Amazon Linux 2 managed nodes
- Modify Role-Based Access Control (RBAC) parameters via API
- Sequential patching option allows for systems in a patch group to reboot one at a time rather than simultaneously
- PuppetDB best-practices-based maintenance tasks are enabled by default
- Code manager now supports authentication to custom servers
- Puppet metrics collector module is now included in PE, which collects Puppet metrics by default and gives insight into infrastructure performance
- PE_databases module is now included in PE and provides tuning, maintenance, and backups for PE PostgresSQL
- Export data in shareable format from task runs to CSV
- Platform support for Puppet agent additions: macOS, Red Hat Enterprise Linux 8 ppc64le, Ubuntu 20.04. aarch64, Fedora 34
- Resolved critical CVE-2021-27021
- Setup single sign-on (SSO) and multi-factor authentication (MFA) with SAML 2.0 support
- Added password complexity requirements for additional application security
- Orchestrate pre and post patching steps including: health checks, pre and post command hooks and server reboots, all with a patching Plan,
- Save custom defaults for the Value Report to tailor reporting needs
- Query performance updates to PuppetDB
- Puppet 2021.1 ships with Puppet 7
- Lockless code deploy, stable since version 2019.8.6, is now no longer an experimental feature, preventing code deploys from blocking catalog compilation
- PE orchestrator plans and code deployments can now be run concurrently without interruption
- Primary server support: FIPS-compliant RHEL 8, SLES 15, Ubuntu 20.04; Client support: macOS 12 (x86); TLS 1.3 support added
- Patch management available for Amazon Linux 2 managed nodes
- Optimized disk utilization for HA deployments
- Sequential patching option allows for systems in a patch group to reboot one at a time rather than simultaneously
- PE support script enhancements
- PuppetDB maintenance module installed by default
- Code Manager deployment performance improvements
- Update Certificate Revocation List (CRL) via API
- Export results of task jobs to CSV
- Customize values used to derive value report results
- Configurable Certificate Revocation List (CRL) auto-refresh interval
- New patching plan that includes pre- and post-patching health checks to reduce manual steps during the patching process.
- Performance improvements to PuppetDB.
- Updates the PostgreSQL version to address security vulnerabilities
- Harmful terminology deprecations and removals
- Plans in PE improvements including scheduling plans and sensitive parameter support
- Patching improvements including the ability to re-run tasks or jobs on failed nodes and know the patch status per node after patching task
- Activity Service improvements that report on all activities done in the console
- Installer upgrade improvements
- Notification of CA certificates when they are close to expiring from the PE Console
- PE Value Report builds on the value API in PE 2019.8.1 and gathers real-time data and calculates time reclaimed per automation type.
- This version was never released.
- Value reporting API reports details about automated changes that PE makes to nodes, and provides an estimate of time freed by each type of change based on intelligent defaults or values you provide.
- Console navigation and workflow improvements including new sections and renamed pages
- Select plan parameters that are boolean or enum types from a drop down menu in the Value field.
- Updates to metrics endpoints are now controlled by trapperkeeper-authorization and configured in the Puppet Serverauth.conf file.
- Integrate existing Puppet code into plans
- Patch systems with Puppet, allowing organizations to consolidate tooling
- Use less hardware with PE performance improvements
- Seamlessly scale up and bring more nodes under management
- Onboard new team members to a streamlined, modern product UI
- Improvements to plan functionality in Puppet Enterprise (parameters exposed in PE console)
- Improved PE architecture with horizontally scaled PuppetDB on compilers
- Improved speed and reliability for provisioning a PE replica
- Upgrade all compilers with a single command
- This version was never released
- Resolved a high-severity vulnerability CVE-2020-7943
- Puppet Enterprise console enhancements
- Inventory page revamp (each installation type has a button that links to its own page, more help icons and definitions)
- Plans event view in the Job details page now displays an output message for each plan run
- Two new API endpoints for Code Manager provide greater flexibility in deploying modules
- Custom PQL queries in the console for running Puppet and tasks
- New Run drop down menu so you can run Puppet or a task for the nodes listed on the current page
- Ability to select code environment for tasks and plans (other than “production”)
- Support for managing network devices with Puppet Enterprise
- Support for running plans from console and CLI
- Agent installation from the console (via Inventory option)
- Schedule recurring tasks via Puppet Enterprise console
- Add nodes without agents to Puppet Enterprise (new Inventory option on the console)
- Agentless tasks via SSH (Linux) (2019.0.0)
- Agentless tasks via WinRM (Windows) (2019.0.1)
- Express installation (2019.0.2)
- Continuous Delivery for Puppet Enterprise console installation (module via console)
- Schedule tasks in Puppet Enterprise console
- Role-based access to tasks
- Puppet Discovery (retired)
- Hiera overrides in the console (set parameters on node groups without declaring the class)
- Ad-hoc tasks (run tasks from the console, on the command line, or by the orchestrator API)
- AWS OpsWorks for Puppet Enterprise (offers cloud-focused workflows and managed service capabilities for running Puppet Enterprise on AWS)
- Orchestrator in the console (create node lists, either static or using Puppet Query Language, on which to run Puppet)
- Packages inventory in the console
- Hiera 5
- Improved performance
- True environment- and module-level data