-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue on CIS 1.2.1 #14
Comments
Maybe this is more of a clarity of text issue than an issue with item 1.2.1 ? To quote the CIS Amazon Linux 2023 Benchmark v1.0:
Currently, that includes the AL2023 repositories that do not support it. Since the CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it, it doesn't conflict with 1.2.1 to not have repository metadata signed. |
HI @ssarkar9 Thank you for taking the time to raise this issue, apologies for the time taking to respond, subscribers and other projects take priority im afraid. 1/ the gpg key details as found in vars/main.yml are no longer correct - these will need to be updated The second thread appears to be more around 1.2.4 and gpg check for a repo. Will look to raise item one as the actual issue. Please let me know if my understanding of your issue is correct. many thanks uk-bolly |
When I am running galaxy roles of amazon-cis benchmark for amazon linux 2023 ,I had this error Using packer to build and ansible to configure amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] *** |
I'm struggling to reproduce the error with 1.2.1 from the devel branch. here is the manual output.
Many thanks uk-bolly p.s. To highlight i am putting testing the devel branch, i will be pushing out a new release soon. |
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly Thanks , I was able to figure issue now. Just tried out checking on AL2023 manaully with each command as per playbook and found gpg-check value was different, Changing so fix it in my case. |
* updated to use ansible_facts variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Squashed commit of the following: commit 0cad737fe35db33ff0b867ac4439688cd2bcb009 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:39 2024 +0000 updated and tidied up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> commit 1fa72013209866be66f7f2a353b9cf6264a3681d Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:10 2024 +0000 audit_only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Always tag for 1.2.1 gpg_key package update #14 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up prelim removal step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed inject facts as vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 4.6.5 related to #27 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 6.1.10 thanks to @DianaMariaDDM #37 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tage change to alwasy thanks to @DianaMariaDDM #41 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/3 by editing the destination path! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/4 by masking both the socket and the service! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/6 by editing the value of `clientalivecountmax` to 3! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/2 by using `import_tasks` module so as the rules will get added and executed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces and fixing an end-of-file Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Refactoring docs Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Small fixings for https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespace Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing fail message so that is states the correct number of the rule that requires the root password to be set Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing inconsistencies for issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing minor syntax issues by adding missing "PATCH" keywords or missing "|". Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing PRELIM task "PRELIM | 4.3.3 | Find all sudoers files" mentioned in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing 1.1.2.1 from multiline task 1.1.2.2 ,1.1.2.3, 1.1.2.4 because it was not supposed to be there! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing prelim for installing authconfig, as it is not used. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](gitleaks/gitleaks@v8.17.0...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](ansible/ansible-lint@v6.18.0...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1) * Removing the 6.1.12 duplicate task and adding it to the 6.1.10 task as it was implementing something needed by 6.1.10. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * De-commenting allow and deny variables for sshd. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing double import of cis_5.3.yml. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * As authconfig is not needed anymore, the variable related to its installation is removed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Feb 24 updates to devel (#58) * updated to use ansible_facts variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Squashed commit of the following: commit 0cad737fe35db33ff0b867ac4439688cd2bcb009 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:39 2024 +0000 updated and tidied up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> commit 1fa72013209866be66f7f2a353b9cf6264a3681d Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:10 2024 +0000 audit_only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Always tag for 1.2.1 gpg_key package update #14 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up prelim removal step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed inject facts as vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 4.6.5 related to #27 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 6.1.10 thanks to @DianaMariaDDM #37 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tage change to alwasy thanks to @DianaMariaDDM #41 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible fact naming and checkout action (#64) * updated ansible fact naming for ansible_facts.virtualization_type Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated checkout version Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ansible fact update Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible facts and timeout now inherited Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#65) updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * 4.2.16: Add variable for SSH MaxAuthTries (#66) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * 4.2.16: Correct variable name and required max value (#67) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * March 24 updates (#68) * addressed #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #62 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated variable name in conditional Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated authselect PR Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix var typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#69) updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --------- Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Signed-off-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> Co-authored-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Co-authored-by: Tom Henderson <tomhenderson@mac.com> Co-authored-by: Tom Henderson <tom.henderson@pushpay.com>
Describe the Issue
Running on minimal version so I ran the following to fix.
yum install gnupg2 --allowerasing -y
Script is failing on CIS 1.2.1
- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: os_gpg_key_check
when: os_installed_pub_keys.rc == 0
Expected Behavior
This should be mark as correct since the newest version is installed.
Actual Behavior
It is marked as failed. This was working before, I suspect Amazon changed the key signature.
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63977702
package gpg-pubkey-d832c631-63977702 is not installed
I ran with another key.
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey-d832c631-63920d79
Amazon Linux amazon-linux@amazon.com d832c631
Control(s) Affected
What controls are being affected by the issue
Environment (please complete the following information):
Additional Notes
Anything additional goes here
Possible Solution
Change the query to do gpg-pubkey instead of a specific number
rpm -q --queryformat "%{PACKAGER} %{VERSION}\n" gpg-pubkey
Amazon Linux amazon-linux@amazon.com d832c631
The text was updated successfully, but these errors were encountered: