Issue on CIS 1.2.1
Closed this issue · 8 comments
Describe the Issue
Running on the minimal version, so I ran the following to fix it.
yum install gnupg2 --allowerasing -y
Script is failing on CIS 1.2.1
- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
  ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
  changed_when: false
  failed_when: false
  register: os_gpg_key_check
  when: os_installed_pub_keys.rc == 0
Expected Behavior
This should be marked as correct since the newest version is installed.
Actual Behavior
It is marked as failed. This was working before; I suspect Amazon changed the key signature.
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63977702
package gpg-pubkey-d832c631-63977702 is not installed
I ran with another key.
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63920d79
Amazon Linux <amazon-linux@amazon.com> d832c631
Environment (please complete the following information):
- branch being used: master
- Ansible Version: ansible [core 2.15.5]
- Host Python Version: 3.9.16
- Ansible Server Python Version: 3.9.16
- Additional Details: Ec2 instance
Possible Solution
Change the query to do gpg-pubkey instead of a specific number
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey
Amazon Linux <amazon-linux@amazon.com> d832c631
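The check the task above performs, written out as a stand-alone script. This is an added example, not code from the AMAZON2023-CIS role. rpm names an imported key `gpg-pubkey-<keyid>-<suffix>`: the first part is the low 32 bits of the key ID, the second is a hex timestamp rpm derives from the key's self-signature, which is why the same key ID d832c631 appears in this thread under two different suffixes (63977702 and 63920d79) and why querying the full package name returns "is not installed" on one host and succeeds on another. The script matches on key ID and PACKAGER instead of the full name, and treats rpm's "package gpg-pubkey is not installed" result as an empty key set rather than an error. The sample output and the second "Example Vendor" key are constructed for the example; `EXPECTED_KEYS` holds the Amazon key ID and packager string shown in the thread.

```python
"""Check installed RPM GPG public keys by key ID and packager, not by the
full gpg-pubkey-<keyid>-<suffix> package name (added example, not the role's code)."""
import re
import subprocess
import sys

# Query format: full package name, then the PACKAGER tag (the key's user ID).
QUERYFORMAT = "%{NAME}-%{VERSION}-%{RELEASE} %{PACKAGER}\n"

# Constructed sample of `rpm -q --queryformat QUERYFORMAT gpg-pubkey` on an
# AL2023 host. The second line is a hypothetical extra key, included to show
# that keys not on the expected list are reported rather than ignored.
SAMPLE_OUTPUT = (
    "gpg-pubkey-d832c631-63920d79 Amazon Linux <amazon-linux@amazon.com>\n"
    "gpg-pubkey-0123abcd-60000000 Example Vendor <security@example.com>\n"
)

# Expected keys: key ID -> PACKAGER string (values from the thread above).
EXPECTED_KEYS = {
    "d832c631": "Amazon Linux <amazon-linux@amazon.com>",
}

# gpg-pubkey-<8 hex keyid>-<8 hex timestamp> <packager>
LINE_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\s+(.*\S)\s*$")


def parse_gpg_pubkeys(text):
    """Parse rpm output into {keyid: (suffix, packager)}.

    Lines that are not gpg-pubkey entries (e.g. "package gpg-pubkey is not
    installed", which rpm prints with exit status 1) are skipped, so a host
    with no imported keys yields an empty dict.
    """
    keys = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            keyid, suffix, packager = m.groups()
            keys[keyid] = (suffix, packager)
    return keys


def check_keys(installed, expected):
    """Return (missing, mismatched, unexpected) as sorted lists of key IDs.

    missing:    expected key ID not imported at all
    mismatched: key ID imported but PACKAGER differs from the expected value
    unexpected: imported key not on the expected list (review, not a failure)
    """
    missing = sorted(k for k in expected if k not in installed)
    mismatched = sorted(
        k for k in expected if k in installed and installed[k][1] != expected[k]
    )
    unexpected = sorted(k for k in installed if k not in expected)
    return missing, mismatched, unexpected


def query_installed_keys():
    """Run rpm on the local host and parse its output (live check)."""
    proc = subprocess.run(
        ["rpm", "-q", "--queryformat", QUERYFORMAT, "gpg-pubkey"],
        capture_output=True, text=True, check=False,
    )
    # Exit status 1 is rpm's "not installed" answer; anything else is a real error.
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or "rpm query failed")
    return parse_gpg_pubkeys(proc.stdout)


def main():
    installed = query_installed_keys()
    missing, mismatched, unexpected = check_keys(installed, EXPECTED_KEYS)
    for keyid, (suffix, packager) in sorted(installed.items()):
        print(f"installed  gpg-pubkey-{keyid}-{suffix}  {packager}")
    for keyid in missing:
        print(f"MISSING    {keyid}  expected packager: {EXPECTED_KEYS[keyid]}")
    for keyid in mismatched:
        print(f"MISMATCH   {keyid}  got packager: {installed[keyid][1]}")
    for keyid in unexpected:
        print(f"UNEXPECTED {keyid}  {installed[keyid][1]}")
    return 1 if (missing or mismatched) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the host as `python3 check_gpg_keys.py`; exit status 1 means an expected key is absent or carries a different packager string. Matching on the key ID still only proves that a key with that 32-bit ID is imported; for a stronger check, compare the full fingerprint from `rpm -qi gpg-pubkey-<keyid>-<suffix>` against the vendor's published one.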
Maybe this is more of a clarity-of-text issue than an issue with item 1.2.1?
To quote the CIS Amazon Linux 2023 Benchmark v1.0:
Take care to set this value to false (default) for particular repositories that do not support it.
Currently, that includes the AL2023 repositories that do not support it. Since the CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it, it doesn't conflict with 1.2.1 to not have repository metadata signed.
Hi @ssarkar9
Thank you for taking the time to raise this issue, and apologies for the time taken to respond; subscribers and other projects take priority, I'm afraid.
Reading through the thread, it appears:
1/ the gpg key details as found in vars/main.yml are no longer correct - these will need to be updated
The second thread appears to be more around 1.2.4 and gpg check for a repo.
2/ the repo_gpgcheck is indeed listed as a known error; many repositories do not allow repo_gpg but only the package gpg themselves. This is a case of understanding your systems and capabilities, as some do, some did and some just don't support this (this is across all the repos we maintain).
Will look to raise item one as the actual issue. Please let me know if my understanding of your issue is correct.
many thanks
uk-bolly
When I run the Galaxy roles of the amazon-cis benchmark for Amazon Linux 2023, I get this error.
Do we have a solution or workaround for this?
Using packer to build and ansible to configure
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] ***
amazon-ebs.amazon_ami: ok: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys] ***
amazon-ebs.amazon_ami: skipping: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] ***
amazon-ebs.amazon_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: PLAY RECAP *********************************************************************
amazon-ebs.amazon_ami: default : ok=96 changed=34 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0
amazon-ebs.amazon_ami:
I'm struggling to reproduce the error with 1.2.1 from the devel branch.
I have just updated the image to the latest and run again and still no issues seen.
here is the manual output.
I confirmed the gpg key in the first command matches the variable defined in vars/main.yml
[ec2-user@az2023_host rpm-gpg]$ rpm -q gpg-pubkey
gpg-pubkey-d832c631-63977702
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702
Amazon Linux <amazon-linux@amazon.com> d832c631
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702 | grep "Amazon Linux <amazon-linux@amazon.com> d832c631"
Amazon Linux <amazon-linux@amazon.com> d832c631
[ec2-user@az2023_host rpm-gpg]$ echo $?
0
Many thanks
uk-bolly
P.S. To highlight, I am testing the devel branch; I will be pushing out a new release soon.
@uk-bolly Thanks, I was able to figure out the issue now. I just tried checking on AL2023 manually with each command as per the playbook and found the gpg-check value was different; changing it fixed it in my case.
Hey, I am working on an AMI that is AL2023 and CIS hardening it, with the repo
https://github.com/ansible-lockdown/AMAZON2023-CIS
where it is continuously showing this error to me; this issue persists.
'''
09:48:58 amazon-ebs.amazon-linux-2023: TASK [AMAZON2023-CIS : 1.6.1.1 | PATCH | Ensure SELinux is installed] **********
09:48:59 amazon-ebs.amazon-linux-2023: fatal: [default]: FAILED! => {"changed": false, "msg": "The Python 2 yum module is needed for this module. If you require Python 3 support use the dnf
Ansible module instead."}
09:48:59 amazon-ebs.amazon-linux-2023:
09:48:59 amazon-ebs.amazon-linux-2023: RUNNING HANDLER [AMAZON2023-CIS : Systemd restart tmp.mount] *******************
09:48:59 amazon-ebs.amazon-linux-2023:
09:48:59 amazon-ebs.amazon-linux-2023: RUNNING HANDLER [AMAZON2023-CIS : Systemd daemon reload] ***********************
09:48:59 amazon-ebs.amazon-linux-2023:
09:48:59 amazon-ebs.amazon-linux-2023: RUNNING HANDLER [AMAZON2023-CIS : Change_requires_reboot] **********************
'''
So in the repository they have mentioned: python2_bin: /bin/python2.7
and the error says it requires the Python 2 yum module, or for Python 3 to use dnf as the package manager. So is there any way we can use the Python 3 Ansible module or something like that?
Hi @Riyan-plivo
The issue you have attached this information to was closed; I only managed to spot this through email alerts.
The error you have mentioned is different from those in this issue. Could you please open a new issue and let us know the branch etc. that you are using when you fill out the details?
In this case, if you could also add the AMI you are using, that would help.
Many thanks
uk-bolly