Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Amazon Linux gpg check fails #734

Closed
Paddy-CH opened this issue Dec 6, 2023 · 1 comment
Closed

Amazon Linux gpg check fails #734

Paddy-CH opened this issue Dec 6, 2023 · 1 comment
Labels
bug

Comments

@Paddy-CH
Copy link

Paddy-CH commented Dec 6, 2023
edited by rndmh3ro
Loading

Description

I am using dev-sec-os-hardening from within packer building a amazon2 ami. It is failing the gpg check.

`

Reproduction steps

This is the packer code

{
    "builders": [{
        "type":"amazon-ebs",
        "profile": "{{user `aws_profile`}}",
        "region": "{{user `aws_region`}}",
        "vpc_id": "{{user `aws_vpc`}}",
        "subnet_id": "{{user `aws_subnet`}}",
        "source_ami_filter": {
            "filters": {
                "virtualization-type": "hvm",
                "root-device-type": "ebs",
                "name": "amzn2-ami-kernel-*-x86_64-gp2"
            },
            "owners" : ["137112412989"],
            "most_recent": true
        },
        "instance_type": "t2.micro",
        "ssh_username": "ec2-user",
        "ami_name": "packer {{timestamp}}"
    }],
    "provisioners": [{
        "type": "ansible",
        "playbook_file": "hardening.yml",
        "extra_arguments": ["--extra-vars", "ansible_python_interpreter=/usr/bin/python3"]
    }]
}

The Playbook is

- name: Harden the image
  hosts: all
  become: true
  roles:
    - dev-sec.os-hardening
  #  - dev-sec.ssh-hardening
  vars:
    ssh_use_pam: true # to allow access with our key on ec2

Current Behavior

TASK [dev-sec.os-hardening : activate gpg-check for config files path={{ item }}, regexp=^\s*gpgcheck\W.*, replace=gpgcheck=1] ***
    amazon-ebs: failed: [default] (item=/etc/yum.conf) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": true, "item": "/etc/yum.conf", "msg": "", "rc": 0}

Expected Behavior

It should pass

OS / Environment

Latest amazon2 os

Ansible Version

ansible [core 2.14.4]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible
  python version = 3.9.16 (main, Apr 20 2023, 12:16:10) [GCC 7.3.1 20180712 (Red Hat 7.3.1-15)] (/usr/local/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

Collection Version

Downloaded today 06/12/2023 using
ansible-galaxy install dev-sec.os-hardening

Additional information

...
@Paddy-CH Paddy-CH added the bug label Dec 6, 2023
@Paddy-CH
Copy link
Author

Paddy-CH commented Dec 7, 2023

Trying the collection

@Paddy-CH Paddy-CH closed this as completed Dec 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Paddy-CH