GovReady / govready

Toolkit for getting open source apps ready for secure, approved government use
GNU General Public License v3.0

Install OpenSCAP, SSG, (and GovReady) on AWS Default Linux #45

Closed gregelin closed 10 years ago

gregelin commented 10 years ago

OpenSCAP and SSG do not seem to install on AWS Linux because AWS pins their Linux to their own set of repos. The choices for a fix are to build from source, understand how to adjust which repos are used, or write to AWS to have them include it.

This issue traces details of getting OpenSCAP and SSG to work on AWS.

See https://github.com/GovReady/govready/blob/master/Quickstart-Amazon-Linux.md for directions on installing on Amazon Linux.

gregelin commented 10 years ago

Useful URLs

gregelin commented 10 years ago

Inspection

Get repo list

[ec2-user@ip-172-30-0-57 ~]$ sudo yum repolist
Loaded plugins: priorities, update-motd, upgrade-helper
repo id                                       repo name                           status
!amzn-main/latest                      amzn-main-Base                 4,801
!amzn-updates/latest                 amzn-updates-Base            1,470
repolist: 6,271

Cat /etc/yum.conf

[ec2-user@ip-172-30-0-57 ~]$ sudo cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=system-release
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
deltarpm=0

# by default the yum configuration will point to the latest release
# of Amazon Linux AMI. If you prefer not to automatically move to
# new releases, comment out this line.
releasever=latest

#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d

ls /etc/yum.repos.d/

[ec2-user@ip-172-30-0-57 ~]$ sudo ls /etc/yum.repos.d/
amzn-main.repo  amzn-nosrc.repo  amzn-preview.repo  amzn-updates.repo  epel.repo  epel-testing.repo

cat /etc/yum.repos.d/epel.repo

[ec2-user@ip-172-30-0-57 ~]$ sudo cat /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

gregelin commented 10 years ago

What goes wrong...

[ec2-user@ip-172-30-0-57 ~]$ sudo yum install openscap
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest                                                                                               | 2.1 kB     00:00
amzn-updates/latest                                                                                            | 2.3 kB     00:00
No package openscap available.
Error: Nothing to do

[ec2-user@ip-172-30-0-57 ~]$ sudo yum-config-manager --enable epel
Loaded plugins: priorities, update-motd, upgrade-helper

# (epel gets enabled...)

sudo yum-config-manager --enable epel

[ec2-user@ip-172-30-0-57 ~]$ sudo yum install openscap
Loaded plugins: priorities, update-motd, upgrade-helper
epel/x86_64/metalink                                                                                           |  13 kB     00:00
epel/x86_64                                                                                                    | 4.4 kB     00:00
epel/x86_64/group_gz                                                                                           | 237 kB     00:00
epel/x86_64/updateinfo                                                                                         | 850 kB     00:00
epel/x86_64/primary_db                                                                                         | 6.3 MB     00:01
epel/x86_64/pkgtags                                                                                            | 929 kB     00:00
970 packages excluded due to repository priority protections
No package openscap available.
Error: Nothing to do

gregelin commented 10 years ago

Give list of excluded updates

yum update -d3

How Do I Disable Excludes?

yum --disableexcludes=all update
yum --disableexcludes=main install php
yum --disableexcludes=repoid install php httpd

Where,

all : Disable all excludes
main : Disable excludes defined in [main] in yum.conf
repoid : Disable excludes defined for given repo id

(via: http://www.cyberciti.biz/faq/redhat-centos-linux-yum-update-exclude-packages/)

Tried: sudo yum --disableexcludes=all install openscap but:

[ec2-user@ip-172-30-0-57 ~]$ sudo yum --disableexcludes=all install openscap
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest                                                                                               | 2.1 kB     00:00
amzn-updates/latest                                                                                            | 2.3 kB     00:00
970 packages excluded due to repository priority protections
No package openscap available.
Error: Nothing to do

Dependency list for openscap

Maybe openscap is not excluded but a dependency is?

yum deplist openscap | grep dependency

# partial list
  dependency: libpthread.so.0(GLIBC_2.3.2)(64bit)
  dependency: libz.so.1()(64bit)
  dependency: librt.so.1()(64bit)
  dependency: libxml2.so.2(LIBXML2_2.4.30)(64bit)
  dependency: libpthread.so.0(GLIBC_2.3.3)(64bit)
  dependency: libacl.so.1()(64bit)
  dependency: libxml2.so.2(LIBXML2_2.6.0)(64bit)
  dependency: libxml2.so.2(LIBXML2_2.6.5)(64bit)
...

gregelin commented 10 years ago

# remove amzn epel
sudo yum remove epel-release-6-8.9.amzn1.noarch

# Install epel
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

But still did not find openscap. So I launched my centos64 machine and went looking for details.

Which repository provides a particular package?

[root@vagrant vagrant]# yum list openscap
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * elrepo: reflector.westga.edu
 * epel: reflector.westga.edu
 * extras: mirror.us.leaseweb.net
 * updates: mirrors.usinternet.com
Available Packages
openscap.i686                                            1.0.8-1.0.1.el6.centos.1                                           updates
openscap.x86_64                                          1.0.8-1.0.1.el6.centos.1                                           updates

# Which repository provides a particular package?

[root@vagrant vagrant]# repoquery -i openscap

Name        : openscap
Version     : 1.0.8
Release     : 1.0.1.el6.centos.1
Architecture: i686
Size        : 44101130
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Group       : System Environment/Libraries
URL         : http://www.open-scap.org/
Repository  : updates
Summary     : Set of open source libraries enabling integration of the SCAP line of standards
Source      : openscap-1.0.8-1.0.1.el6.centos.1.src.rpm
Description :
OpenSCAP is a set of open source libraries providing an easier path
for integration of the SCAP line of standards. SCAP is a line of standards
managed by NIST with the goal of providing a standard language
for the expression of Computer Network Defense related information.

Name        : openscap
Version     : 1.0.8
Release     : 1.0.1.el6.centos.1
Architecture: x86_64
Size        : 44259038
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Group       : System Environment/Libraries
URL         : http://www.open-scap.org/
Repository  : updates
Summary     : Set of open source libraries enabling integration of the SCAP line of standards
Source      : openscap-1.0.8-1.0.1.el6.centos.1.src.rpm
Description :
OpenSCAP is a set of open source libraries providing an easier path
for integration of the SCAP line of standards. SCAP is a line of standards
managed by NIST with the goal of providing a standard language
for the expression of Computer Network Defense related information.

Which repo is which?

[root@vagrant vagrant]# yum repolist
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * elrepo: reflector.westga.edu
 * epel: reflector.westga.edu
 * extras: mirror.us.leaseweb.net
 * updates: mirrors.usinternet.com
repo id                                repo name                                                                             status
base                                   CentOS-6 - Base                                                                        6,367
elrepo                                 ELRepo.org Community Enterprise Linux Repository - el6                                   320
epel                                   Extra Packages for Enterprise Linux 6 - x86_64                                        11,099
extras                                 CentOS-6 - Extras                                                                         15
scl                                    CentOS-6 - SCL                                                                         1,043
updates                                CentOS-6 - Updates                                                                     1,466

Openscap is coming from CentOS-6 Updates repository, not epel

via: http://rpmfind.net/linux/rpm2html/search.php?query=openscap&submit=Search+...

openscap-1.0.8-1.0.1.el6.centos.1.x86_64.html
Set of open source libraries enabling integration of the SCAP line of standards Updates for CentOS 6.5 for x86_64
openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm

gregelin commented 10 years ago

I located openscap RPM:

[ec2-user@ip-172-30-0-57 ~]$ wget http://rpmfind.net/linux/centos/6.5/updates/x86_64/Packages/openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
--2014-09-04 13:26:51--  http://rpmfind.net/linux/centos/6.5/updates/x86_64/Packages/openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
Resolving rpmfind.net (rpmfind.net)... 195.220.108.108
Connecting to rpmfind.net (rpmfind.net)|195.220.108.108|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3017688 (2.9M) [application/x-rpm]
Saving to: ‘openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm’

100%[=========================================================================================>] 3,017,688   2.24MB/s   in 1.3s

2014-09-04 13:26:52 (2.24 MB/s) - ‘openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm’ saved [3017688/3017688]

[ec2-user@ip-172-30-0-57 ~]$ sudo rpm -Uvh openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
warning: openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
error: Failed dependencies:
    librpm.so.1()(64bit) is needed by openscap-1.0.8-1.0.1.el6.centos.1.x86_64
    librpmio.so.1()(64bit) is needed by openscap-1.0.8-1.0.1.el6.centos.1.x86_64

Also

Resolving Dependencies
--> Running transaction check
---> Package openscap.x86_64 0:1.0.8-1.0.1.el6.centos.1 will be installed
--> Processing Dependency: librpmio.so.1()(64bit) for package: openscap-1.0.8-1.0.1.el6.centos.1.x86_64
--> Processing Dependency: librpm.so.1()(64bit) for package: openscap-1.0.8-1.0.1.el6.centos.1.x86_64
--> Finished Dependency Resolution
Error: Package: openscap-1.0.8-1.0.1.el6.centos.1.x86_64 (updates)
           Requires: librpm.so.1()(64bit)
           Available: rpm-libs-4.8.0-37.el6.x86_64 (base)
               librpm.so.1()(64bit)
           Installed: rpm-libs-4.11.2-2.54.amzn1.x86_64 (installed)
              ~librpm.so.3()(64bit)
Error: Package: openscap-1.0.8-1.0.1.el6.centos.1.x86_64 (updates)
           Requires: librpmio.so.1()(64bit)
           Available: rpm-libs-4.8.0-37.el6.x86_64 (base)
               librpmio.so.1()(64bit)
           Installed: rpm-libs-4.11.2-2.54.amzn1.x86_64 (installed)
              ~librpmio.so.3()(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

gregelin commented 10 years ago

Hey, a working result!

  1. Use vim or other text editor to create /etc/yum.repos.d/CentOS-Base.repo that has repo defined for CentOS-Updates.
  2. Globally change $releasever to 6 in /etc/yum.repos.d/CentOS-Base.repo (Amzn Linux is using $releasever = latest. You can see this by running python -c 'import yum, pprint; yb = yum.YumBase(); pprint.pprint(yb.conf.yumvar, width=1)')
  3. Run sudo yum install openscap to get an attempted install of openscap package that finds openscap correctly but errors with meaningful error regarding dependency package conflict.

Seeing yum variables and viable CentOS repository for openscap

[ec2-user@ip-172-30-0-57 ~]$ python -c 'import yum, pprint; yb = yum.YumBase(); pprint.pprint(yb.conf.yumvar, width=1)'
Loaded plugins: update-motd, upgrade-helper
{'arch': 'ia32e',
 'basearch': 'x86_64',
 'releasever': 'latest',
 'uuid': '6343c0d8-c5fe-43de-b235-85a09ff436d7'}

[ec2-user@ip-172-30-0-57 ~]$ sudo cat /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-6 - Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/6/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-6 - Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/6/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-6 - Extras
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/6/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-6 - Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/6/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-6 - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/6/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

gregelin commented 10 years ago

Various snippets

[ec2-user@ip-172-30-0-154 ~]$ rpm -q rpm-libs
rpm-libs-4.11.2-2.54.amzn1.x86_64

The rpm-lib file can be found in: http://vault.centos.org/6.5/os/Source/SPackages/rpm-4.8.0-37.el6.src.rpm

Try downloading and installing

sudo yumdownloader yum openscap
# Download successful

[ec2-user@ip-172-30-0-154 ~]$ sudo rpm -Uvh openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
warning: openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
error: Failed dependencies:
    librpm.so.1()(64bit) is needed by openscap-1.0.8-1.0.1.el6.centos.1.x86_64
    librpmio.so.1()(64bit) is needed by openscap-1.0.8-1.0.1.el6.centos.1.x86_64

Try nodep install

sudo rpm -Uvh --nodeps openscap-1.0.8-1.0.1.el6.centos.1.x86_64.rpm
## Success -- Almost -- files get installed but not `oscap`. 

gregelin commented 10 years ago

Even if OpenSCAP installed, it seems pretty obvious that SCAP content would have to be converted to support Amazon Linux.

Smartest next step would be to talk to Amazon engineers and get OpenSCAP added to their repos.

So closing this comment at this time.

gregelin commented 10 years ago

SSG OVAL CPE definitions figure out the platform by querying a specific RPM package that refers to the release of the system. This is found by telling OVAL which RPM package to inspect and then which key/values in the RPM response to check.

Have OVAL look at an RPM package by name of package.

This means the package name will equal the value indicated in the XML:

<linux:rpminfo_object id="oval:ssg:obj:108" version="1">
      <linux:name>centos-release</linux:name>
</linux:rpminfo_object>

Have OVAL check some aspect (e.g., "state" of the RPM query results):

<linux:rpminfo_state id="oval:ssg:ste:109" version="1">
      <linux:version operation="pattern match">^6Server</linux:version>
</linux:rpminfo_state>

Looking at the same information from the command line:

What information is OVAL seeing via the linux:rpminfo object? Let's look via the command line.

[vagrant@vagrant ~]$ rpm -qa | grep redhat-release
redhat-release-server-6Server-6.4.0.4.el6.x86_64
[vagrant@vagrant ~]$ rpm -qi redhat-release-server-6Server-6.4.0.4.el6.x86_64
Name        : redhat-release-server        Relocations: (not relocatable)
Version     : 6Server                           Vendor: Red Hat, Inc.
Release     : 6.4.0.4.el6                   Build Date: Tue 29 Jan 2013 03:47:10 PM UTC
Install Date: Sun 31 Aug 2014 07:38:10 PM UTC      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: redhat-release-server-6Server-6.4.0.4.el6.src.rpm
Size        : 121619                           License: GPLv2
Signature   : RSA/8, Tue 29 Jan 2013 07:32:38 PM UTC, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : Red Hat Enterprise Linux Server release file
Description :
Red Hat Enterprise Linux Server release files

Example looking for information for CentOS:

[vagrant@vagrant ~]$ rpm -qa | grep centos-release
centos-release-6-5.el6.centos.11.2.x86_64
centos-release-SCL-6-5.el6.centos.x86_64
[vagrant@vagrant ~]$ rpm -qi centos-release-6-5.el6.centos.11.2.x86_64
Name        : centos-release               Relocations: (not relocatable)
Version     : 6                                 Vendor: CentOS
Release     : 5.el6.centos.11.2             Build Date: Sun 01 Dec 2013 12:07:02 AM UTC
Install Date: Sat 09 Aug 2014 10:21:46 AM UTC      Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Base       Source RPM: centos-release-6-5.el6.centos.11.2.src.rpm
Size        : 33534                            License: GPLv2
Signature   : RSA/SHA1, Sun 01 Dec 2013 06:33:24 PM UTC, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Summary     : CentOS release file
Description :
CentOS release files

Example looking for information for Amazon Release:

[ec2-user@ip-172-30-0-135 ~]$ rpm -qa | grep release
system-release-2014.03-2.0.noarch
epel-release-6-8.9.amzn1.noarch
[ec2-user@ip-172-30-0-135 ~]$ rpm -qi system-release-2014.03-2.0.noarch
Name        : system-release
Version     : 2014.03
Release     : 2.0
Architecture: noarch
Install Date: Wed 11 Jun 2014 04:51:35 PM UTC
Group       : System Environment/Base
Size        : 25972
License     : GPLv2
Signature   : RSA/SHA256, Wed 12 Mar 2014 03:47:24 AM UTC, Key ID bcb4a85b21c0f39f
Source RPM  : system-release-2014.03-2.0.src.rpm
Build Date  : Wed 12 Mar 2014 03:30:46 AM UTC
Build Host  : build-31003.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
Summary     : Amazon Linux AMI release file
Description :
Amazon Linux AMI release files
[ec2-user@ip-172-30-0-135 ~]$
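
Added example (not from the thread or from SSG): the rpminfo check described in the comment above, evaluated in Python against the release-package versions shown in the three `rpm -qi` outputs. Evaluating the quoted object together with the quoted state, and the `system-release` / `^2014\.03` pair with its placeholder ids, are assumptions made for illustration; the latter is not the oval.xml mentioned later in the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# Object/state pair as quoted in the comment, wrapped in a root element that
# declares the OVAL linux namespace so the fragment parses on its own.
QUOTED = r"""<root xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<linux:rpminfo_object id="oval:ssg:obj:108" version="1">
      <linux:name>centos-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_state id="oval:ssg:ste:109" version="1">
      <linux:version operation="pattern match">^6Server</linux:version>
</linux:rpminfo_state>
</root>"""

# Hypothetical pair for Amazon Linux: placeholder ids, assumed name and pattern.
AMAZON = r"""<root xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<linux:rpminfo_object id="oval:example:obj:1" version="1">
      <linux:name>system-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_state id="oval:example:ste:1" version="1">
      <linux:version operation="pattern match">^2014\.03</linux:version>
</linux:rpminfo_state>
</root>"""

# Name -> Version of the release package on each host, taken from the
# `rpm -qi` output in the thread.
HOSTS = {
    "rhel6": {"redhat-release-server": "6Server"},
    "centos6": {"centos-release": "6"},
    "amazon": {"system-release": "2014.03"},
}


def load_check(fragment):
    """Return (package name, operation, value) from an rpminfo object/state pair."""
    root = ET.fromstring(fragment)
    name = root.find("linux:rpminfo_object/linux:name", NS).text.strip()
    version = root.find("linux:rpminfo_state/linux:version", NS)
    return name, version.get("operation", "equals"), version.text.strip()


def evaluate(check, installed):
    """True/False if the named package is installed; None if the object
    collects nothing (package absent), so there is no item to compare."""
    name, operation, value = check
    if name not in installed:
        return None
    actual = installed[name]
    if operation == "pattern match":
        return re.search(value, actual) is not None
    if operation == "equals":
        return actual == value
    raise ValueError("operation not handled in this example: " + operation)


def platform_matrix(check):
    """Evaluate one check against every host in HOSTS."""
    return {host: evaluate(check, pkgs) for host, pkgs in HOSTS.items()}


if __name__ == "__main__":
    for label, fragment in (("quoted", QUOTED), ("amazon (hypothetical)", AMAZON)):
        check = load_check(fragment)
        print(label, check, platform_matrix(check))
```

On the Amazon host neither `centos-release` nor `redhat-release-server` is installed, so a platform check keyed on those names has nothing to match, which is consistent with the thread's point that the content needs an Amazon-specific CPE/OVAL definition.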

gregelin commented 10 years ago

OK. Thanks to Owen's help creating RPMs, we can install OpenSCAP on Amazon Linux. I've created a cpe-dictionary and oval.xml for Amazon. But getting a segmentation fault when running a scan.

[root@ip-172-30-0-135 fisma]# govready scan
[GovReady] Using profile test.

[GovReady] Scanning system for compliance to profile test
[GovReady] Running command: oscap xccdf eval --oval-results --profile test --results scans/test-results-0905-1840.xml --report scans/test-results-0905-1840.html --cpe scap/content/ssg-amzn2014.03.2hvm-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Title   Set Daemon Umask
Rule    umask_for_daemons
Ident   CCE-27031-4
Result  /usr/local/bin/govready: line 523: 18446 Segmentation fault      oscap xccdf eval --oval-results --profile test --results scans/test-results-0905-1840.xml --report scans/test-results-0905-1840.html --cpe scap/content/ssg-amzn2014.03.2hvm-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Look at /var/log/messages for more information
[root@ip-172-30-0-135 fisma]# tail /var/log/messages
Sep  5 18:34:25 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: test.
Sep  5 18:34:25 ip-172-30-0-135 kernel: [ 8987.822488] oscap[18337]: segfault at 0 ip 00007fc907fefc2a sp 00007fff935dc660 error 4 in libopenscap.so.8.0.4[7fc907f93000+dd000]
Sep  5 18:34:55 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: test.
Sep  5 18:34:55 ip-172-30-0-135 kernel: [ 9017.709581] oscap[18361]: segfault at 0 ip 00007f960fcb7c2a sp 00007fff026a5370 error 4 in libopenscap.so.8.0.4[7f960fc5b000+dd000]
Sep  5 18:35:30 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: usgcb-rhel6-server.
Sep  5 18:35:30 ip-172-30-0-135 kernel: [ 9052.940394] oscap[18390]: segfault at 0 ip 00007fe9aff9bc2a sp 00007fffbdffefd0 error 4 in libopenscap.so.8.0.4[7fe9aff3f000+dd000]
Sep  5 18:40:13 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: usgcb-rhel6-server.
Sep  5 18:40:13 ip-172-30-0-135 kernel: [ 9335.538180] oscap[18419]: segfault at 0 ip 00007f8887d96c2a sp 00007fff01d15160 error 4 in libopenscap.so.8.0.4[7f8887d3a000+dd000]
Sep  5 18:40:27 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: test.
Sep  5 18:40:28 ip-172-30-0-135 kernel: [ 9350.071024] oscap[18446]: segfault at 0 ip 00007f142670ac2a sp 00007fff8b678040 error 4 in libopenscap.so.8.0.4[7f14266ae000+dd000]
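
Added example (not part of the thread): a Python triage of the kernel segfault lines in the /var/log/messages excerpt above. It subtracts the mapping base from the instruction pointer to get the faulting offset inside libopenscap and decodes the x86 page-fault error code; the log lines are copied from the comment, and the function names are this example's own.

```python
import re
from collections import Counter

# Copied from the /var/log/messages excerpt in the comment above.
LOG = """\
Sep  5 18:34:25 ip-172-30-0-135 oscap: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, Profile: test.
Sep  5 18:34:25 ip-172-30-0-135 kernel: [ 8987.822488] oscap[18337]: segfault at 0 ip 00007fc907fefc2a sp 00007fff935dc660 error 4 in libopenscap.so.8.0.4[7fc907f93000+dd000]
Sep  5 18:34:55 ip-172-30-0-135 kernel: [ 9017.709581] oscap[18361]: segfault at 0 ip 00007f960fcb7c2a sp 00007fff026a5370 error 4 in libopenscap.so.8.0.4[7f960fc5b000+dd000]
Sep  5 18:35:30 ip-172-30-0-135 kernel: [ 9052.940394] oscap[18390]: segfault at 0 ip 00007fe9aff9bc2a sp 00007fffbdffefd0 error 4 in libopenscap.so.8.0.4[7fe9aff3f000+dd000]
Sep  5 18:40:13 ip-172-30-0-135 kernel: [ 9335.538180] oscap[18419]: segfault at 0 ip 00007f8887d96c2a sp 00007fff01d15160 error 4 in libopenscap.so.8.0.4[7f8887d3a000+dd000]
Sep  5 18:40:28 ip-172-30-0-135 kernel: [ 9350.071024] oscap[18446]: segfault at 0 ip 00007f142670ac2a sp 00007fff8b678040 error 4 in libopenscap.so.8.0.4[7f14266ae000+dd000]
"""

SEGFAULT = re.compile(
    r"kernel: \[\s*[\d.]+\] (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def parse_segfaults(text):
    """Return one dict per kernel segfault line; other lines are ignored."""
    events = []
    for m in SEGFAULT.finditer(text):
        err = int(m["err"], 16)  # x86 page-fault error code, printed in hex
        event = {
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16),
            # bit 4: instruction fetch, bit 1: write, otherwise a read
            "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
            "user_mode": bool(err & 0x4),     # bit 2: fault raised in user mode
            "page_present": bool(err & 0x1),  # bit 0: 0 means page not mapped
            "object": m["obj"],
            "offset": None,
        }
        if m["obj"]:
            # ASLR moves the mapping base per process; the offset does not move.
            offset = int(m["ip"], 16) - int(m["base"], 16)
            if 0 <= offset < int(m["size"], 16):
                event["offset"] = offset
        events.append(event)
    return events


def likely_null_deref(event):
    """Fault address inside the first page and the page was not mapped."""
    return event["fault_addr"] < 0x1000 and not event["page_present"]


def crash_sites(events):
    """Count crashes per (object, offset) so repeated faults group together."""
    return dict(Counter((e["object"], hex(e["offset"]))
                        for e in events if e["offset"] is not None))


if __name__ == "__main__":
    found = parse_segfaults(LOG)
    print(crash_sites(found))
    print(all(likely_null_deref(e) for e in found))
```

All five crashes land on the same offset inside libopenscap.so.8.0.4 and are user-mode reads of address 0, so they are one reproducible NULL-pointer read rather than five unrelated faults; with matching debuginfo, that offset is the value to hand to a symbolizer such as addr2line.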

gregelin commented 10 years ago

See https://github.com/GovReady/govready/blob/master/Quickstart-Amazon-Linux.md for directions on installing on Amazon Linux.

gregelin commented 10 years ago

After merging code, the following changes were also made:

gregelin commented 9 years ago

Switched Amazon quick start guide to use CentOS 6 RPM to install SCAP-Security-Guide. commit 81bfbd0d6fed748f4043a155e513e474e017ef26

bkruger99 commented 7 years ago

Not sure if this is still being worked on, but here's a spec file that'll compile open-scap on aws linux. It doesn't include any policies to apply, however; that'll still need to be worked out.

openscap.spec.txt