amazon2-cis's People

Contributors

georgenalen avatar tonystaark avatar uk-bolly avatar wp-davisona avatar

amazon2-cis's Issues

Syntax errors in the current release

There seem to be several syntax errors in the latest release causing the ansible script to abort

ERROR! couldn't resolve module/action 'sysctl'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/srv/ansible/handlers/main.yml': line 35, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: sysctl flush ipv6 route table
  ^ here

And if I remove those sections I get:

ERROR! couldn't resolve module/action 'modprobe'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/srv/ansible/tasks/section_1/cis_1.1.1.x.yml': line 13, column 9, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


      - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Remove cramfs module"
        ^ here

Control(s) Affected
All - the script will not complete

Environment (please complete the following information):

  • Ansible Version: [e.g. 2.10]
  • Host Python Version: [e.g. Python 3.7.6]
  • Ansible Server Python Version: [e.g. Python 3.7.6]
  • branch: [e.g. devel]
  • Additional Details:

/tmp does not get mounted to tmpfs correctly when using latest AL2 base

Question
The following section does not seem to work as intended, presuming my understanding is correct

https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/section_1/cis_1.1.x.yml#L3

This section is supposed to mount /tmp to tmpfs, however the behaviour is incorrect, it mounts /tmp to the device name

Following a build, fstab is configured like this, mounting /tmp to the root volume device, not tmpfs:

sh-4.2$ cat /etc/fstab
#
UUID=9697d457-123c-483b-a84c-efd437479b18     /           xfs    defaults,noatime  1   1
/dev/nvme0n1p1 /tmp xfs defaults,nodev,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0

and the tmp.mount service is configured like:

sh-4.2$ systemctl status tmp.mount
● tmp.mount - /tmp
   Loaded: loaded (/etc/fstab; enabled; vendor preset: disabled)
   Active: active (mounted) since Fri 2023-07-28 12:25:22 UTC; 4min 59s ago
    Where: /tmp
     What: /dev/nvme0n1p1
     Docs: man:fstab(5)
           man:systemd-fstab-generator(8)

We are using the latest available base version of Amazon Linux 2

To work around this we have had to strip out this section and replace it with one which simply mounts /tmp to tmpfs.

This actually causes issues with running instances, as we see them periodically fail health checks and become unresponsive.

I would like to know if this issue is specific to our configuration, or if this is a known issue in the role.
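A check for the symptom described in this report, as an added example (not part of the report or of the role): it parses an fstab and reports where /tmp and /dev/shm are not backed by tmpfs with nodev,noexec,nosuid, using the reporter's fstab from above as constructed input. The expectation that both mountpoints are tmpfs with those options is an assumption taken from CIS 1.1.x and the issue text.

```python
import re
from typing import Dict, List

# Constructed input: the fstab posted in the issue, reproduced as test data.
FSTAB_FROM_ISSUE = """\
#
UUID=9697d457-123c-483b-a84c-efd437479b18     /           xfs    defaults,noatime  1   1
/dev/nvme0n1p1 /tmp xfs defaults,nodev,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0
"""

# Assumption (from CIS 1.1.x and the issue text): /tmp and /dev/shm should be tmpfs
# and carry all three hardening options.
REQUIRED_OPTS = {"nodev", "noexec", "nosuid"}
EXPECTED = {"/tmp": "tmpfs", "/dev/shm": "tmpfs"}

def parse_fstab(text: str) -> Dict[str, dict]:
    """Return {mountpoint: {"device", "fstype", "options"}} from fstab text."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        device, mountpoint, fstype, opts = fields[:4]
        entries[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "options": set(opts.split(",")),
        }
    return entries

def check_tmp_mounts(text: str) -> List[str]:
    """List findings for mountpoints that deviate from EXPECTED / REQUIRED_OPTS."""
    entries = parse_fstab(text)
    findings: List[str] = []
    for mountpoint, want_fs in EXPECTED.items():
        entry = entries.get(mountpoint)
        if entry is None:
            findings.append(f"{mountpoint}: no fstab entry")
            continue
        if entry["fstype"] != want_fs:
            findings.append(f"{mountpoint}: fstype {entry['fstype']} on {entry['device']}, expected {want_fs}")
        missing = REQUIRED_OPTS - entry["options"]
        if missing:
            findings.append(f"{mountpoint}: missing options {','.join(sorted(missing))}")
    return findings
```

On the reporter's fstab the only finding is the /tmp entry backed by /dev/nvme0n1p1 instead of tmpfs; the same check can be run against a host's live /etc/fstab.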

Wrong condition set for EFI bootloader path

Describe the Issue
This role is supposed to be run on Amazon Linux 2 machines only. The prelim.yml task which sets up the bootloader path is configured according to CentOS, so on UEFI-based EC2 this role failed to set the bootloader path correctly, and so the handler that generates the grub config is failing

Expected Behavior
Bootloader path must be configured as per ansible_distribution == 'Amazon' and not CentOS

Actual Behavior
Bootloader path set_fact is checking for ansible_distribution == 'CentOS'; this must be checking against ansible_distribution == 'Amazon'

Control(s) Affected
HANDLER [AMAZON2-CIS : grub2cfg]

Environment (please complete the following information):
ansible [core 2.14.2]
config file = None
configured module search path = ['/Users/navneet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/7.2.0/libexec/lib/python3.11/site-packages/ansible
ansible collection location = /Users/navneet/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.11.1 (main, Dec 23 2022, 09:25:23) [Clang 14.0.0 (clang-1400.0.29.202)] (/opt/homebrew/Cellar/ansible/7.2.0/libexec/bin/python3.11)
jinja version = 3.1.2
libyaml = True

Additional Notes
Anything additional goes here

Possible Solution
Fix bootloader path on EFI images #11

Copy audit binary failed: src is required

Describe the Issue

I'm running ansible in an environment without internet access so need to copy the goss binary onto the server being hardened rather than download from Github.

Relevant config:

  setup_audit: true
  run_audit: true
  get_goss_file: copy
  copy_goss_from_path: ./goss

Expected Behavior
The local goss binary should be copied to the server being audited

Actual Behavior

TASK [AMAZON2-CIS : copy audit binary] *****************************************
fatal: [default]: FAILED! => {"changed": false, "msg": "src (or content) is required"}

Environment (please complete the following information):

  • Ansible Version: 2.13.7
  • Host Python Version: 3.10.11
  • Ansible Server Python Version: 3.7
  • branch: devel
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution

src value is not defined here, https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/LE_audit_setup.yml#L16. I believe it should be set to "{{ copy_goss_from_path }}"

In contrast, the src value is set for Ubuntu albeit with a different variable name, https://github.com/ansible-lockdown/UBUNTU20-CIS/blob/devel/tasks/LE_audit_setup.yml#L16

Unable to use with version of Ansible above 2.13

Describe the Issue
Using ansible 2.16.3 there is an error while executing this role

command/shell - remove deprecated warn module param - Ansible 2.14.0 Release Notes
Deprecation announcement - Ansible 2.11 Release Notes

Expected Behavior
No errors

Actual Behavior

TASK [AMAZON2-CIS : 1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repo list] ***
fatal: [10.0.0.2]: FAILED! => changed=false
  msg: 'Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, expand_argument_vars, removes, stdin, stdin_add_newline, strip_empty_ends.'

Control(s) Affected

  • 1.1.22
  • 1.2.2
  • 3.1.2
  • 6.2.1
  • handlers
  • pre/post remediation audit

Environment (please complete the following information):

  • Ansible Version: 2.16.3
  • Host Python Version: Python 3.7.6
  • Ansible Server Python Version: Python 3.11.7
  • branch: devel
  • Additional Details: warn: false was deprecated

Additional Notes
Module FQCN are not used in the role

Possible Solution
Removing warn: false from commands/shell ansible tasks.

Collections requirements file missing

Describe the Issue

If using ansible-core not all the modules are included

Expected Behavior
collections/requirements.yml should specify what is needed along with the meta file stating the other collections that are needed.

Actual Behavior
fails due to missing modules when using ansible core

Control(s) Affected
1.6.1,3,4,5

Environment (please complete the following information):

All

Anything additional goes here

Possible Solution
Add collections correctly
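The unresolved sysctl/modprobe modules in the first report, the removed warn parameter, and this missing collections/requirements.yml all surface when a role calls modules by their short names against ansible-core. As an added example, not from the role, this Python lint splits a task file into tasks and flags both problems; SAMPLE_TASKS is constructed in the role's task style, and the short-name-to-collection mapping is an assumption taken from the Ansible collection docs.

```python
import re
from typing import Dict, List

# Assumed mapping (from collection docs): sysctl/mount in ansible.posix, modprobe in community.general.
COLLECTION_OF = {"command": "ansible.builtin", "shell": "ansible.builtin", "copy": "ansible.builtin",
                 "sysctl": "ansible.posix", "mount": "ansible.posix", "modprobe": "community.general"}
TASK_KEYWORDS = {"name", "args", "when", "register", "changed_when", "failed_when",
                 "notify", "tags", "become", "loop", "vars", "ignore_errors"}

# Constructed sample in the role's task style; not the role's own file.
SAMPLE_TASKS = """\
- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repo list"
  shell: yum repolist
  args:
    warn: false
  changed_when: false
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Remove cramfs module"
  modprobe:
    name: cramfs
    state: absent
- name: "3.1.2 | PATCH | Ensure packet redirect sending is disabled"
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: '0'
"""

def split_tasks(text: str) -> List[List[str]]:
    """Group lines into tasks; each task starts at a top-level '- ' list item."""
    tasks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("- ") or not tasks:
            tasks.append([])
        tasks[-1].append(line)
    return tasks

def lint_tasks(text: str) -> List[Dict[str, str]]:
    """Flag tasks that still pass 'warn' or call a module by its short (non-FQCN) name."""
    findings: List[Dict[str, str]] = []
    for task in split_tasks(text):
        name = task[0].partition(":")[2].strip().strip('"')
        # The module is the first two-space-indented key that is not a task keyword.
        keys = [m.group(1) for m in (re.match(r"^  ([\w.]+):", ln) for ln in task) if m]
        module = next((k for k in keys if k not in TASK_KEYWORDS), "?")
        if any(re.match(r"^\s+warn:", ln) for ln in task):
            findings.append({"task": name, "problem": "warn: removed from command/shell in ansible-core 2.14"})
        if "." not in module:
            coll = COLLECTION_OF.get(module, "<unknown collection>")
            findings.append({"task": name, "problem": f"short module name {module}; use {coll}.{module} and add that collection to collections/requirements.yml"})
    return findings
```

Run over a role's tasks/ directory, the output doubles as the list of collections the requirements file needs to declare.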

/opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied

Describe the Issue
As per #18, I'm running in an environment without internet access so I need to copy the audit file to the server.

Relevant config:

    setup_audit: true
    run_audit: true
    skip_reboot: true
    get_goss_file: copy
    audit_content: copy
    copy_goss_from_path: ../goss
    audit_local_copy: ../AMAZON2-CIS-Audit/

Expected Behavior
Ansible is able to execute the run_audit.sh script

Actual Behavior
run_audit.sh fails to run as it's missing the execute bit

fatal: [default]: FAILED! => {"changed": true, "cmd": "/opt/AMAZON2-CIS-Audit/run_audit.sh -v /opt/AMAZON2-CIS-Audit/vars/ip-10-0-0-8.yml -o /opt/ip-10-0-0-8-AMAZON2-CIS_pre_scan_1682517307.json -g ['ungrouped']", "delta": "0:00:00.003543", "end": "2023-04-26 14:06:20.355328", "msg": "non-zero return code", "rc": 126, "start": "2023-04-26 14:06:20.351785", "stderr": "/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied", "stderr_lines": ["/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied"], "stdout": "", "stdout_lines": []}

Environment (please complete the following information):
As per #18

Additional Notes
When the Audit files are copied to the remote host, the file permissions are set to 0644, thereby removing the execute bit(s) on all files, including run_audit.sh

https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/pre_remediation_audit.yml#L33-L39

Possible Solution
Either preserve or re-add the execute bit on run_audit.sh
