Watchmaker

**Summary**:

* ash-linux-formula
* Updates the EL7 stig baseline to manage the FIPS state. The state
defaults to `enabled` but can be overridden via a pillar or grain,
`ash-linux:lookup:fips-state`. The grain takes precedence over the
pillar. Valid values are `enabled` or `disabled`
* ash-windows-formula
* Updates the STIG baselines for Windows Server 2016 member servers and
domain controllers with SCAP content from the DISA v1r1 SCAP benchmark
release
* join-domain-formula
* Fixes an issue when joining Windows 2016 servers to a domain, where the
Set-DnsSearchSuffix.ps1 helper would fail because the builtin
PowerShell version does not work when `$null` is used in a ValidateSet.
The equivalent value must now be passed as the string, `"null"`
* scap-formula
* Adds SCAP content for the Window Server 2016 SCAP v1r1 Benchmark

**Summary**:

* [[Issue 341][341]][[PR 342][342]] Manages selinux around salt state
execution. In some non-interactive execution scenarios, if selinux is
enforcing it can interfere with the execution of privileged commands (that
otherwise work fine when executed interactively). Watchmaker now detects if
selinux is enforcing and temporarily sets it to permissive for the duration
of the salt state execution

[342]: https://github.com/plus3it/watchmaker/pull/342
[341]: https://github.com/plus3it/watchmaker/issues/341

**Summary**:

* [[Issue 331][331]][[PR 332][332]] Writes the `role` grain to the key
expected by the ash-windows formula. Fixes usage of the `--ash-role` option
in the salt worker
* [[Issue 329][329]][[PR 330][330]] Outputs watchmaker version at the debug
log level
* [[Issue 322][322]][[PR 323][323]][[PR 324][324]] Fixes py2/py3
compatibility bug in how the yum worker handles file opening to check the
Linux distro
* [[Issue 316][316]][[PR 320][320]] Improves logging when salt state
execution fails due to failed a state. The salt output is now returned to
the salt worker, which processes the output, identifies the failed state,
and raises an exception with the state failure
* join-domain-formula
* (Linux) Reworks the pbis config states to make the logged output more
readable

[332]: https://github.com/plus3it/watchmaker/pull/332
[331]: https://github.com/plus3it/watchmaker/issues/331
[330]: https://github.com/plus3it/watchmaker/pull/330
[329]: https://github.com/plus3it/watchmaker/issues/329
[324]: https://github.com/plus3it/watchmaker/pull/324
[323]: https://github.com/plus3it/watchmaker/pull/323
[322]: https://github.com/plus3it/watchmaker/issues/322
[320]: https://github.com/plus3it/watchmaker/pull/320
[316]: https://github.com/plus3it/watchmaker/issues/316

**Summary**:

* join-domain-formula
* (Linux) Ignores a bad exit code from pbis config utility. The utility
will return exit code 5 when modifying the NssEnumerationEnabled
setting, but still sets the requested value. This exit code is now
ignored

**Summary**:

* name-computer-formula
* (Linux) Uses an alternate method of working around a bad code-path in
salt that does not handle quoted values in /etc/sysconfig/network.

**Summary**:

* [[PR 301][301]] Sets the grains for admin_groups and admin_users so the
keys are named as expected by the join-domain formula
* ash-linux-formula
* Adds a custom module that lists users from the shadow file
* Gets local users from the shadow file rather than `user.list_users`.
Prevents a domain-joined system from attempting to iterate over all
domain users (and potentially deadlocking on especially large domains)
* join-domain-formula
* Modifies PBIS install method to use RPMs directly, rather than the
SHAR installer
* Updates approaches to checking for collisions and current join status
to better handle various scenarios: not joined, no collision; not
joined, collision; joined, computer object present; joined, computer
object missing
* Disables NSS enumeration to prevent PBIS from querying user info from
the domain for every call to getent (or equivalents); domain-based
user authentication still works fine
* name-computer-formula
* (Linux) Does not attempt to retain network settings, to avoid a bug in
salt; will be revisited when a patched salt version has been released

[301]: https://github.com/plus3it/watchmaker/pull/301