Issue on CIS 1.2.1

[ssarkar9]

Describe the Issue
Running on minimal version so I ran the following to fix.

yum install gnupg2 --allowerasing -y

Script is failing on CIS 1.2.1
- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: os_gpg_key_check
when: os_installed_pub_keys.rc == 0

Expected Behavior
This should be mark as correct since the newest version is installed.

Actual Behavior
It is marked as failed. This was working before, I suspect Amazon changed the key signature.

rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63977702
package gpg-pubkey-d832c631-63977702 is not installed

I ran with another key.

rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63920d79
Amazon Linux amazon-linux@amazon.com d832c631

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

• branch being used: master
• Ansible Version: ansible [core 2.15.5]
• Host Python Version: 3.9.16
• Ansible Server Python Version: 3.9.16
• Additional Details: Ec2 instance

Additional Notes
Anything additional goes here

Possible Solution
Change the query to do gpg-pubkey instead of a specific number
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey
Amazon Linux amazon-linux@amazon.com d832c631

[tburow]

amazonlinux/amazon-linux-2023#336

[stewartsmith]

Maybe this is more of a clarity of text issue than an issue with item 1.2.1 ?

To quote the CIS Amazon Linux 2023 Benchmark v1.0:

Take care to set this value to false (default) for particular repositories that do not support it.

Currently, that includes the AL2023 repositories that do not support it. Since the CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it, it doesn't conflict with 1.2.1 to not have repository metadata signed.

[uk-bolly]

HI @ssarkar9

Thank you for taking the time to raise this issue, apologies for the time taking to respond, subscribers and other projects take priority im afraid.
Reading through the thread it appears;

1/ the gpg key details as found in vars/main.yml are no longer correct - these will need to be updated

The second thread appears to be more around 1.2.4 and gpg check for a repo.
2/ the repo_gpgcheck is indeed listed as known error, many repositories do not allow repo_gpg but only the package gpg themselves.. This is a case of understanding your systems and capabilities as some, do, some did and some just dont support this ( This is across all the repos we maintain).

Will look to raise item one as the actual issue. Please let me know if my understanding of your issue is correct.

many thanks

uk-bolly

[ntndash]

When I am running galaxy roles of amazon-cis benchmark for amazon linux 2023 ,I had this error
Do we have a solution or workaround for this ?

Using packer to build and ansible to configure

amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] ***
amazon-ebs.amazon_ami: ok: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys] ***
amazon-ebs.amazon_ami: skipping: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] ***
amazon-ebs.amazon_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: PLAY RECAP *********************************************************************
amazon-ebs.amazon_ami: default : ok=96 changed=34 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0
amazon-ebs.amazon_ami:

[uk-bolly]

When I am running galaxy roles of amazon-cis benchmark for amazon linux 2023 ,I had this error Do we have a solution or workaround for this ?

Using packer to build and ansible to configure

amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] *** amazon-ebs.amazon_ami: ok: [default] amazon-ebs.amazon_ami: amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys] *** amazon-ebs.amazon_ami: skipping: [default] amazon-ebs.amazon_ami: amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] *** amazon-ebs.amazon_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"} amazon-ebs.amazon_ami: amazon-ebs.amazon_ami: PLAY RECAP ********************************************************************* amazon-ebs.amazon_ami: default : ok=96 changed=34 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0 amazon-ebs.amazon_ami:

Hi @ntndash @ssarkar9

I'm struggling to reproduce the error with 1.2.1 from the devel branch.
I have just updated the image to the latest and run again and still no issues seen.

here is the manual output.
I confirmed the gpg key in the first command matches the variable defined in vars/main.yml

ec2-user@az2023_host rpm-gpg]$ rpm -q gpg-pubkey
gpg-pubkey-d832c631-63977702
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702
Amazon Linux <amazon-linux@amazon.com> d832c631
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702 | grep "Amazon Linux <amazon-linux@amazon.com> d832c631"
Amazon Linux <amazon-linux@amazon.com> d832c631
[ec2-user@az2023_host rpm-gpg]$ echo $?
0

Many thanks

uk-bolly

p.s. To highlight i am putting testing the devel branch, i will be pushing out a new release soon.

[ntndash]

@uk-bolly Thanks , I was able to figure issue now. Just tried out checking on AL2023 manaully with each command as per playbook and found gpg-check value was different, Changing so fix it in my case.