ansible-lockdown / amazon2-cis
Ansible role for Amazon Linux 2 CIS Baseline
Home Page: https://ansible-lockdown.readthedocs.io
License: MIT License
There seem to be several syntax errors in the latest release, causing the ansible script to abort
ERROR! couldn't resolve module/action 'sysctl'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '/srv/ansible/handlers/main.yml': line 35, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: sysctl flush ipv6 route table
^ here
And if I remove those sections I get:
ERROR! couldn't resolve module/action 'modprobe'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '/srv/ansible/tasks/section_1/cis_1.1.1.x.yml': line 13, column 9, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Remove cramfs module"
^ here
Control(s) Affected
All - the script will not complete
Environment (please complete the following information):
Question
The following section does not seem to work as intended, presuming my understanding is correct.
https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/section_1/cis_1.1.x.yml#L3
This section is supposed to mount /tmp to tmpfs; however, the behaviour is incorrect: it mounts /tmp to the device name.
Following a build, fstab is configured like this, and mounting /tmp to the root volume device, not tmpfs:
sh-4.2$ cat /etc/fstab
#
UUID=9697d457-123c-483b-a84c-efd437479b18 / xfs defaults,noatime 1 1
/dev/nvme0n1p1 /tmp xfs defaults,nodev,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0
and the tmp.mount service is configured like:
sh-4.2$ systemctl status tmp.mount
● tmp.mount - /tmp
Loaded: loaded (/etc/fstab; enabled; vendor preset: disabled)
Active: active (mounted) since Fri 2023-07-28 12:25:22 UTC; 4min 59s ago
Where: /tmp
What: /dev/nvme0n1p1
Docs: man:fstab(5)
man:systemd-fstab-generator(8)
We are using the latest available base version of Amazon Linux 2
To work around this we have had to strip out this section and replace it with one which simply mounts /tmp to tmpfs.
This actually causes issues with running instances, as we see them periodically fail health checks and become unresponsive.
I would like to know if this issue is specific to our configuration, or whether it is a known issue in the role.
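An added example (not the role's task linked above) of mounting /tmp as tmpfs and then reading back what is actually mounted, which catches the /dev/nvme0n1p1 result shown in the fstab and tmp.mount output above. The task names and the option set are assumptions based on the options already present in the quoted fstab line, and it assumes a build where /tmp is not yet mounted from a block device:

```yaml
- name: "1.1.2 | PATCH | Ensure /tmp is configured as a tmpfs mount"
  ansible.posix.mount:
      path: /tmp
      src: tmpfs                 # the source is the literal pseudo-device, never a /dev path
      fstype: tmpfs
      opts: defaults,rw,nosuid,nodev,noexec,relatime
      state: mounted             # writes the fstab entry and mounts it now

- name: "1.1.2 | PATCH | Regenerate tmp.mount from the new fstab entry"
  ansible.builtin.systemd:
      daemon_reload: true        # systemd-fstab-generator rebuilds tmp.mount from fstab

- name: "1.1.2 | AUDIT | Read back the mount that actually backs /tmp"
  ansible.builtin.command: findmnt --noheadings --output SOURCE,FSTYPE,OPTIONS --target /tmp
  register: amazon2_tmp_mount
  changed_when: false

# --target returns the mount containing /tmp, so if nothing is mounted there
# the root filesystem (a /dev path) comes back and the assert below fails.
- name: "1.1.2 | AUDIT | Split findmnt output into source, type and option list"
  ansible.builtin.set_fact:
      amazon2_tmp_source: "{{ amazon2_tmp_mount.stdout.split()[0] }}"
      amazon2_tmp_fstype: "{{ amazon2_tmp_mount.stdout.split()[1] }}"
      amazon2_tmp_opts: "{{ amazon2_tmp_mount.stdout.split()[2].split(',') }}"

- name: "1.1.2 | AUDIT | Fail the play if /tmp is a block device or lacks the hardening options"
  ansible.builtin.assert:
      that:
          - amazon2_tmp_source == 'tmpfs'
          - amazon2_tmp_fstype == 'tmpfs'
          - not amazon2_tmp_source.startswith('/dev/')
          - "'nodev' in amazon2_tmp_opts"
          - "'nosuid' in amazon2_tmp_opts"
          - "'noexec' in amazon2_tmp_opts"
      fail_msg: "/tmp is backed by {{ amazon2_tmp_source }} ({{ amazon2_tmp_fstype }}), expected tmpfs with nodev,nosuid,noexec"
```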
Describe the Issue
This role is supposed to be run on Amazon Linux 2 machines only. The prelim.yml task which sets up the bootloader path is configured according to CentOS, so on UEFI-based EC2 this role failed to set the bootloader path correctly, and so the handler to generate the grub config is failing.
Expected Behavior
Bootloader path must be configured as per ansible_distribution == 'Amazon' and not CentOS
Actual Behavior
Bootloader path set_fact is checking for ansible_distribution == 'CentOS'; this must be checking against ansible_distribution == 'Amazon'
Control(s) Affected
HANDLER [AMAZON2-CIS : grub2cfg]
Environment (please complete the following information):
ansible [core 2.14.2]
config file = None
configured module search path = ['/Users/navneet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/7.2.0/libexec/lib/python3.11/site-packages/ansible
ansible collection location = /Users/navneet/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.11.1 (main, Dec 23 2022, 09:25:23) [Clang 14.0.0 (clang-1400.0.29.202)] (/opt/homebrew/Cellar/ansible/7.2.0/libexec/bin/python3.11)
jinja version = 3.1.2
libyaml = True
Additional Notes
Possible Solution
Fix bootloader path on EFI images #11
Describe the Issue
I'm running ansible in an environment without internet access, so I need to copy the goss binary onto the server being hardened rather than download it from GitHub.
Relevant config:
setup_audit: true
run_audit: true
get_goss_file: copy
copy_goss_from_path: ./goss
Expected Behavior
The local goss binary should be copied to the server being audited
Actual Behavior
TASK [AMAZON2-CIS : copy audit binary] *****************************************
fatal: [default]: FAILED! => {"changed": false, "msg": "src (or content) is required"}
Environment (please complete the following information):
Additional Notes
Possible Solution
src value is not defined here, https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/LE_audit_setup.yml#L16. I believe it should be set to "{{ copy_goss_from_path }}"
In contrast, the src value is set for Ubuntu albeit with a different variable name, https://github.com/ansible-lockdown/UBUNTU20-CIS/blob/devel/tasks/LE_audit_setup.yml#L16
Describe the Issue
Using ansible 2.16.3, there is an error while executing this role
command/shell - remove deprecated warn module param - Ansible 2.14.0 Release Notes
Deprecation announcement - Ansible 2.11 Release Notes
Expected Behavior
No errors
Actual Behavior
TASK [AMAZON2-CIS : 1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repo list] ***
fatal: [10.0.0.2]: FAILED! => changed=false
msg: 'Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, expand_argument_vars, removes, stdin, stdin_add_newline, strip_empty_ends.'
Control(s) Affected
Environment (please complete the following information):
warn: false was deprecated
Additional Notes
Module FQCNs are not used in the role
Possible Solution
Removing warn: false from commands/shell ansible tasks.
Describe the Issue
If using ansible-core, not all the modules are included
Expected Behavior
collections/requirements.yml should specify what is needed, along with the meta file stating the other collections that are needed.
Actual Behavior
fails due to missing modules when using ansible core
Control(s) Affected
1.6.1,3,4,5
Environment (please complete the following information):
All
Possible Solution
Add collections correctly
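One way to address the three reports above together (the unresolved sysctl and modprobe modules, the removed warn parameter, and the missing collection declarations) in the role's own layout. This is an added example, not the role's current code: the task names mirror the ones quoted in the error output, while the file locations, the sysctl key and the yum repolist command are assumptions.

```yaml
# collections/requirements.yml (assumed location); install with
#   ansible-galaxy collection install -r collections/requirements.yml
---
collections:
  - name: ansible.posix        # provides ansible.posix.sysctl and ansible.posix.mount
  - name: community.general    # provides community.general.modprobe

# meta/main.yml fragment: lets ansible-core resolve short module names in this
# role; the tasks below use FQCNs anyway so they resolve even without it.
---
collections:
  - ansible.posix
  - community.general

# handlers/main.yml fragment (the handler named in the first error)
---
- name: sysctl flush ipv6 route table
  ansible.posix.sysctl:
      name: net.ipv6.route.flush   # write-only key: setting it flushes the table
      value: '1'
      sysctl_set: true
      reload: false
  when: ansible_virtualization_type != "docker"

# tasks/section_1/cis_1.1.1.x.yml fragment (the task named in the second error)
---
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Remove cramfs module"
  community.general.modprobe:
      name: cramfs
      state: absent

# tasks/section_1/cis_1.2.x.yml fragment: ansible-core 2.14+ rejects `warn`,
# so the audit task carries no `args: warn: false` block at all
---
- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repo list"
  ansible.builtin.command: yum repolist
  register: amazon2_1_2_2_repolist
  changed_when: false
  failed_when: false
```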
Describe the Issue
As per #18, I'm running in an environment without internet access so I need to copy the audit file to the server.
Relevant config:
setup_audit: true
run_audit: true
skip_reboot: true
get_goss_file: copy
audit_content: copy
copy_goss_from_path: ../goss
audit_local_copy: ../AMAZON2-CIS-Audit/
Expected Behavior
Ansible is able to execute the run_audit.sh script
Actual Behavior
run_audit.sh fails to run as it's missing the execute bit
fatal: [default]: FAILED! => {"changed": true, "cmd": "/opt/AMAZON2-CIS-Audit/run_audit.sh -v /opt/AMAZON2-CIS-Audit/vars/ip-10-0-0-8.yml -o /opt/ip-10-0-0-8-AMAZON2-CIS_pre_scan_1682517307.json -g ['ungrouped']", "delta": "0:00:00.003543", "end": "2023-04-26 14:06:20.355328", "msg": "non-zero return code", "rc": 126, "start": "2023-04-26 14:06:20.351785", "stderr": "/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied", "stderr_lines": ["/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied"], "stdout": "", "stdout_lines": []}
Environment (please complete the following information):
As per #18
Additional Notes
When the Audit files are copied to the remote host, the file permissions are set to 0644, thereby removing the execute bit(s) on all files, including run_audit.sh
https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/pre_remediation_audit.yml#L33-L39
Possible Solution
Either preserve or re-add the execute bit on run_audit.sh
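An added example, not the role's own tasks, that addresses both offline-copy reports (#18's missing src value and the lost execute bit): it copies the goss binary from copy_goss_from_path, copies the audit content from audit_local_copy keeping the source modes, sets the execute bit on run_audit.sh explicitly, and checks both before the scan runs. The /usr/local/bin/goss destination is an assumption; /opt/AMAZON2-CIS-Audit is the path from the failing command above.

```yaml
- name: copy audit binary
  ansible.builtin.copy:
      src: "{{ copy_goss_from_path }}"     # the src value missing from LE_audit_setup.yml
      dest: /usr/local/bin/goss            # assumed destination
      owner: root
      group: root
      mode: '0755'                         # goss must be executable on the target
  when:
      - setup_audit | bool
      - get_goss_file == 'copy'

- name: copy audit content from local path
  ansible.builtin.copy:
      src: "{{ audit_local_copy }}"        # trailing slash: copy the directory contents
      dest: /opt/AMAZON2-CIS-Audit/
      owner: root
      group: root
      mode: preserve                       # keep source modes instead of forcing 0644
  when:
      - setup_audit | bool
      - audit_content == 'copy'

- name: ensure run_audit.sh is executable even if the source tree lost its modes
  ansible.builtin.file:
      path: /opt/AMAZON2-CIS-Audit/run_audit.sh
      owner: root
      group: root
      mode: '0755'
  when: setup_audit | bool

- name: verify goss and run_audit.sh are executable before the pre-remediation scan
  ansible.builtin.stat:
      path: "{{ item }}"
  register: amazon2_audit_bin
  loop:
      - /usr/local/bin/goss
      - /opt/AMAZON2-CIS-Audit/run_audit.sh
  failed_when: not amazon2_audit_bin.stat.exists or not amazon2_audit_bin.stat.executable
  when: setup_audit | bool
```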