New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

playbook makes OS undetectable #124

Closed
kidbrax opened this Issue May 2, 2017 · 7 comments

Comments

Projects
None yet
3 participants
@kidbrax

kidbrax commented May 2, 2017

I launched an AWS Linux AMI, ami-275ffe31, which is their ECS-optimized image. Inspec detects it as a AWS box. But then when I run this playbook, Inspec can no longer detect the OS. When I run Inspec detect after running this playbook, I get:

== Operating System Details

Name:      
Family:    unknown
Release:   
Arch:      This account is currently not available.

Is this expected behavior? Or has anyone else seen similar behavior? I basically can't use Inspec anymore after running this playbook.

@rndmh3ro rndmh3ro self-assigned this May 2, 2017

@rndmh3ro

This comment has been minimized.

Show comment
Hide comment
@rndmh3ro

rndmh3ro May 2, 2017

Member

With what account do you run inspec? The message This account is currently not available looks like there's a problem logging in.

Member

rndmh3ro commented May 2, 2017

With what account do you run inspec? The message This account is currently not available looks like there's a problem logging in.

@kidbrax

This comment has been minimized.

Show comment
Hide comment
@kidbrax

kidbrax May 2, 2017

The account is ec2-user. It works before I run the playbook, but then fails after the playbook has been run with the above output.

To clarify, that is the user I'm connecting with, the ssh user. Not the user on my local machine.

kidbrax commented May 2, 2017

The account is ec2-user. It works before I run the playbook, but then fails after the playbook has been run with the above output.

To clarify, that is the user I'm connecting with, the ssh user. Not the user on my local machine.

@kidbrax

This comment has been minimized.

Show comment
Hide comment
@kidbrax

kidbrax May 3, 2017

FYI, this passes before the playbook is run but not after.
test -f /etc/system-release && cat /etc/system-release
That seems to be what keeps inspec from getting the right OS.

kidbrax commented May 3, 2017

FYI, this passes before the playbook is run but not after.
test -f /etc/system-release && cat /etc/system-release
That seems to be what keeps inspec from getting the right OS.

@rndmh3ro rndmh3ro added the bug label May 7, 2017

@rndmh3ro

This comment has been minimized.

Show comment
Hide comment
@rndmh3ro

rndmh3ro May 7, 2017

Member

I'll spin up a instance on AWS and check it.

Member

rndmh3ro commented May 7, 2017

I'll spin up a instance on AWS and check it.

@HenryTheHamster

This comment has been minimized.

Show comment
Hide comment
@HenryTheHamster

HenryTheHamster Aug 2, 2017

We're also seeing this with the official Centos 6 image. Inspec runs fine on a bare box, but after applying this playbook, the test fails with:
Failed to complete #verify action: [This OS/platform () is not supported by this profile.] on dev-sec-centos6

HenryTheHamster commented Aug 2, 2017

We're also seeing this with the official Centos 6 image. Inspec runs fine on a bare box, but after applying this playbook, the test fails with:
Failed to complete #verify action: [This OS/platform () is not supported by this profile.] on dev-sec-centos6

@HenryTheHamster

This comment has been minimized.

Show comment
Hide comment
@HenryTheHamster

HenryTheHamster Aug 2, 2017

Adding the default user of your AMI to the ignore_users seems to do the trick. So for us:
os_ignore_users: ['centos']

Would be good if this could be included in this list from the auto-detected user, or even just added to the readme.

HenryTheHamster commented Aug 2, 2017

Adding the default user of your AMI to the ignore_users seems to do the trick. So for us:
os_ignore_users: ['centos']

Would be good if this could be included in this list from the auto-detected user, or even just added to the readme.

@rndmh3ro

This comment has been minimized.

Show comment
Hide comment
@rndmh3ro

rndmh3ro Aug 2, 2017

Member

Thanks for the clarification, @HenryTheHamster.

Would be good if this could be included in this list from the auto-detected user

For centos-machines it seems to be the user centos, for ubuntu the user ubuntu. However I could not find the user for other operating systems.

I also do not want to exclude a list of users as this would weaken the hardening. So I guess your proposal to add this to the readme is the best option. Would you mind opening a PR for this?

Member

rndmh3ro commented Aug 2, 2017

Thanks for the clarification, @HenryTheHamster.

Would be good if this could be included in this list from the auto-detected user

For centos-machines it seems to be the user centos, for ubuntu the user ubuntu. However I could not find the user for other operating systems.

I also do not want to exclude a list of users as this would weaken the hardening. So I guess your proposal to add this to the readme is the best option. Would you mind opening a PR for this?

@rndmh3ro rndmh3ro referenced this issue Aug 6, 2017

Merged

update readme #139

@rndmh3ro rndmh3ro closed this in 846e0c2 Aug 7, 2017

rndmh3ro pushed a commit that referenced this issue Aug 7, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment