@ryanycoleman
Last active August 29, 2015 14:07
POODLE remediation for Puppet Enterprise 3.3.x based on instructions found on the Puppet Labs blog: http://puppetlabs.com/blog/impact-assessment-sslv3-vulnerability-poodle-attack
# a_puppet.sh
# The apache_directive type used by the two httpd manifests comes from this module.
/opt/puppet/bin/puppet module install herculesteam-augeasproviders_apache
/opt/puppet/bin/puppet apply puppetmaster.pp
/opt/puppet/bin/puppet apply puppetdashboard.pp
/opt/puppet/bin/puppet apply jetty.pp
# jetty.pp
# PuppetDB's Jetty listener: pin the enabled protocols to TLS only and
# restart pe-puppetdb so the new list takes effect.
ini_setting { 'jetty ssl-protocols':
  ensure  => present,
  path    => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini',
  section => 'jetty',
  setting => 'ssl-protocols',
  value   => 'TLSv1, TLSv1.1, TLSv1.2',
  notify  => Service['pe-puppetdb'],
}
service { 'pe-puppetdb':
  ensure => running,
}
# mco.sh
# MCO remediation requires modifying the pe_mcollective module that ships with PE.
# See http://puppetlabs.com/blog/impact-assessment-sslv3-vulnerability-poodle-attack for details.
#
# ActiveMQ/MCollective
# Note: this adds an explicit set of enabled protocols to the OpenWire and STOMP
# transport connector URIs in the activemq.xml template. After this is applied
# (and the agent run has re-rendered activemq.xml), each connector URI should end in:
#   ?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
# Safe to re-run: once the query string is present the sed patterns no longer match.
#
if [ -f /opt/puppet/share/puppet/modules/pe_mcollective/templates/activemq.xml.erb ] ; then
  sed -i \
    -e 's|uri="<%= @openwire_activemq_protocol %>://0.0.0.0:61616"/|uri="<%= @openwire_activemq_protocol %>://0.0.0.0:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/|g' \
    -e 's|uri="<%= @stomp_activemq_protocol %>://0.0.0.0:<%= @stomp_port %>"/|uri="<%= @stomp_activemq_protocol %>://0.0.0.0:<%= @stomp_port %>?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/|g' \
    /opt/puppet/share/puppet/modules/pe_mcollective/templates/activemq.xml.erb
fi
# puppetdashboard.pp
# Console vhost: keep every protocol except SSLv2 and SSLv3, then restart pe-httpd.
apache_directive { 'puppetdashboard.conf':
  ensure  => present,
  name    => 'SSLProtocol',
  args    => ['ALL', '-SSLv2', '-SSLv3'],
  target  => '/etc/puppetlabs/httpd/conf.d/puppetdashboard.conf',
  context => 'VirtualHost',
  notify  => Service['pe-httpd'],
}
service { 'pe-httpd':
  ensure => running,
}
# puppetmaster.pp
# Puppet master vhost (port 8140): same SSLProtocol setting as the console.
apache_directive { 'puppetmaster.conf':
  ensure  => present,
  name    => 'SSLProtocol',
  args    => ['ALL', '-SSLv2', '-SSLv3'],
  target  => '/etc/puppetlabs/httpd/conf.d/puppetmaster.conf',
  context => 'VirtualHost',
  notify  => Service['pe-httpd'],
}
service { 'pe-httpd':
  ensure => running,
}
# Read each .pp file first, then run the following as root on your Puppet Enterprise master(s).
# The final agent run re-renders activemq.xml from the template that mco.sh edited.
git clone https://gist.github.com/ryanycoleman/89ae103d82c9f767a4a1
cd 89ae103d82c9f767a4a1
sudo sh a_puppet.sh
sudo sh mco.sh
sudo /opt/puppet/bin/puppet agent -t
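After the manifests and mco.sh have run, a practitioner wants to confirm that SSLv3 is actually gone from all three places the gist touches. The script below is an added example and not part of the gist: it audits the text of the httpd vhost files, jetty.ini and the activemq.xml template (or the rendered activemq.xml) and reports anything still allowing SSLv3. The file fragments inside are constructed for the example; the SSLProtocol evaluation follows mod_ssl's left-to-right add/remove semantics, and treating a missing ssl-protocols or transport.enabledProtocols setting as SSLv3-capable mirrors the assumption behind the gist's remediation rather than anything stated on the page.

```python
"""Offline audit of the three settings the gist changes to disable SSLv3.

Added example, not part of the gist. Every sample file fragment below is
constructed for this example, not copied from a Puppet Enterprise install.
"""
import configparser
import re
from urllib.parse import parse_qs

# SSLProtocol keywords, keyed by lower-case spelling (mod_ssl matches case-insensitively).
APACHE_PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}
SSLPROTOCOL_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
URI_RE = re.compile(r'\buri="([^"]+)"')


def apache_enabled_protocols(args):
    """Evaluate an SSLProtocol argument list left to right as mod_ssl does:
    'all' adds every known protocol, '+X' or bare 'X' adds X, '-X' removes X."""
    enabled = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        key = name.lower()
        if key == "all":
            names = set(APACHE_PROTOCOLS.values())
        elif key in APACHE_PROTOCOLS:
            names = {APACHE_PROTOCOLS[key]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % token)
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def apache_sslv3_enabled(conf_text):
    """True if an httpd config still allows SSLv3. No SSLProtocol line means the
    mod_ssl default of 'all'; with several lines, any one allowing SSLv3 counts."""
    lines = SSLPROTOCOL_RE.findall(conf_text)
    if not lines:
        return True
    return any("SSLv3" in apache_enabled_protocols(line.split()) for line in lines)


def jetty_sslv3_enabled(ini_text):
    """True unless jetty.ini pins ssl-protocols to a list without SSLv3. A missing
    key leaves the JVM default in charge, which is what jetty.pp replaces."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("jetty", "ssl-protocols", fallback=None)
    if raw is None:
        return True
    return "SSLv3" in {p.strip() for p in raw.split(",")}


def activemq_sslv3_connectors(xml_text):
    """Return the uri of every TLS transportConnector still allowing SSLv3.
    Works on activemq.xml or on the .erb template mco.sh edits (one connector
    per line; the scheme may be an ERB expression). Plaintext schemes (tcp, nio,
    stomp ...) have no TLS handshake and are skipped; a TLS connector without
    transport.enabledProtocols is reported, as the JVM default then applies."""
    weak = []
    for line in xml_text.splitlines():
        m = URI_RE.search(line) if "<transportConnector" in line else None
        if not m:
            continue
        uri = m.group(1).replace("&amp;", "&")
        scheme, _, rest = uri.partition("://")
        if "ssl" not in scheme.lower() and "<%" not in scheme:
            continue
        enabled = parse_qs(rest.partition("?")[2]).get("transport.enabledProtocols", [""])[0]
        protocols = {p.strip() for p in enabled.split(",") if p.strip()}
        if not protocols or "SSLv3" in protocols:
            weak.append(uri)
    return weak


def audit(httpd_confs, jetty_ini, activemq_xml):
    """Run all three checks; returns {where: why} for everything still allowing SSLv3."""
    findings = {}
    for name, text in httpd_confs.items():
        if apache_sslv3_enabled(text):
            findings[name] = "SSLProtocol still allows SSLv3"
    if jetty_sslv3_enabled(jetty_ini):
        findings["jetty.ini"] = "ssl-protocols missing or includes SSLv3"
    for uri in activemq_sslv3_connectors(activemq_xml):
        findings["activemq " + uri] = "no TLS-only transport.enabledProtocols"
    return findings


# Constructed fragments of each file before and after the gist has been applied.
HTTPD_BEFORE = "<VirtualHost *:8140>\n  SSLEngine on\n  SSLProtocol ALL -SSLv2\n</VirtualHost>\n"
HTTPD_AFTER = HTTPD_BEFORE.replace("ALL -SSLv2", "ALL -SSLv2 -SSLv3")
JETTY_BEFORE = "[jetty]\nhost = 0.0.0.0\nssl-port = 8081\n"
JETTY_AFTER = JETTY_BEFORE + "ssl-protocols = TLSv1, TLSv1.1, TLSv1.2\n"
TLS_ONLY = "?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
ACTIVEMQ_BEFORE = (
    '<transportConnector name="openwire" uri="<%= @openwire_activemq_protocol %>://0.0.0.0:61616"/>\n'
    '<transportConnector name="stomp" uri="<%= @stomp_activemq_protocol %>://0.0.0.0:<%= @stomp_port %>"/>\n'
)
ACTIVEMQ_AFTER = ACTIVEMQ_BEFORE.replace('61616"', '61616' + TLS_ONLY + '"').replace(
    '<%= @stomp_port %>"', '<%= @stomp_port %>' + TLS_ONLY + '"')

if __name__ == "__main__":
    print("before:", audit({"puppetmaster.conf": HTTPD_BEFORE}, JETTY_BEFORE, ACTIVEMQ_BEFORE))
    print("after: ", audit({"puppetmaster.conf": HTTPD_AFTER}, JETTY_AFTER, ACTIVEMQ_AFTER) or "no SSLv3 findings")
```

To use it on a master, feed `audit()` the contents of the two httpd vhost files under /etc/puppetlabs/httpd/conf.d, jetty.ini, and the rendered activemq.xml. A config audit only confirms the settings on disk; the complementary check is a handshake attempt against each restarted listener (for example `openssl s_client -ssl3` from a client whose OpenSSL still speaks SSLv3), which should be refused.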
@ryanycoleman (Author):
This code is offered without warranty or support and is not provided by Puppet Labs.