ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] #75

Open siuolkl opened 3 months ago

siuolkl commented 3 months ago

Hey everyone,

I'm running into an issue while using Ansible Lockdown to harden my AWS AL2023 instance according to the CIS benchmark. During the playbook execution, I encountered the following error.

The playbook stops at this section. Any idea how to resolve it? I am trying to harden 100 instances.

TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] **** fatal: [...]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}

eflowkram commented 3 months ago

If you spin up an Amazon AL2023 image and look at the public key, it comes back as gpg-pubkey-d832c631-6515c85e. On line 20 in vars/main.yml the key is defined as: gpg-pubkey-d832c631-63977702

The definition's last segment is different from what AWS AL2023 presents. We are starting with the minimal image and running hardening against it.

uk-bolly commented 3 months ago

Hi @eflowkram and @siuolkl,

Can you just let me know which image you are using? This may be because we are using an older image and the keys got updated. I will try and get this tested as soon as possible.

Many thanks

uk-bolly

siuolkl commented 3 months ago

OK, noted @eflowkram @uk-bolly

image: ami-0ac9397cab55f5044

eflowkram commented 3 months ago

@siuolkl: an AMI ID is a regional resource only.

@uk-bolly

We always pull the latest, which would be release 2023.4.20240528 as of today. We also always start with the minimal image. It's weird because the first part of the key hash matches what is in your code, but the second part doesn't. Copy-paste error? Here's the info: we start with the public image from Amazon, apply CIS and our needed tweaks for our org, and then snapshot it as our own "golden AMI" for the org to base stuff off of.

Ok, fired up an image. Parent image is

al2023-ami-minimal-2023.4.20240528-kernel-6.1-x86_64

Owner is account 137112412989 (amazon).

The package that the key belongs to is:

system-release-2023.4.20240528-0.amzn2023.noarch

eflowkram commented 3 months ago

I did not check the "non minimal" image. But they should be the same as it is their package signing key.
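The mismatch discussed in the two comments above (same key ID, different last segment) can be reproduced offline. This is an added example, not code from the AMAZON2023-CIS role: it parses the rpm `gpg-pubkey-<keyid>-<hextime>` naming and audits an installed key list against an expected list, first the way the role does (full-name match, which fails here) and then on key ID only. The sample input is constructed from the two names quoted in this thread; the reading of the last segment as a hex epoch timestamp of the key's self-signature is an assumption.

```python
import re
from datetime import datetime, timezone

# rpm names imported GPG keys as gpg-pubkey-<keyid>-<hextime>: the middle
# segment is the low 32 bits of the key fingerprint; the last segment is a
# hex epoch timestamp (assumption: the self-signature time rpm recorded).
_NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")


def parse_gpg_pubkey(name):
    """Split an rpm gpg-pubkey package name into (keyid, signed_at)."""
    m = _NAME_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not an rpm gpg-pubkey name: {name!r}")
    keyid, hextime = m.groups()
    return keyid, datetime.fromtimestamp(int(hextime, 16), tz=timezone.utc)


def audit_keys(installed, expected, strict=True):
    """Return the expected keys that are not present on the host.

    strict=True compares the full package name (the behaviour reported in
    this issue); strict=False matches on key ID only, so a re-signed key
    whose timestamp segment changed is still accepted.
    """
    if strict:
        present = {n.strip().lower() for n in installed}
        return [e for e in expected if e.strip().lower() not in present]
    present = {parse_gpg_pubkey(n)[0] for n in installed}
    return [e for e in expected if parse_gpg_pubkey(e)[0] not in present]


# Constructed sample input: what `rpm -q gpg-pubkey` returned on the AMI in
# this thread, and the expectation quoted from vars/main.yml line 20.
INSTALLED = ["gpg-pubkey-d832c631-6515c85e"]
EXPECTED = ["gpg-pubkey-d832c631-63977702"]

if __name__ == "__main__":
    for name in INSTALLED + EXPECTED:
        keyid, signed_at = parse_gpg_pubkey(name)
        print(f"{name}: key ID {keyid}, self-signed {signed_at:%Y-%m-%d}")
    print("missing (strict):", audit_keys(INSTALLED, EXPECTED))
    print("missing (key ID):", audit_keys(INSTALLED, EXPECTED, strict=False))
```

A 32-bit key ID is not a fingerprint, so key-ID matching is only a diagnostic; the stronger control is to compare the full fingerprint reported by `rpm -qi gpg-pubkey-<keyid>-<hextime>` against the one published for the distribution's signing key.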

uk-bolly commented 3 months ago

Hi @eflowkram @siuolkl,

Thank you for the feedback; we are indeed using a much older version of the AMI. I have updated the one we test with, and it works as expected with updates. I have added this to a new branch june24_updates; I will look to PR and merge to devel next week.

Thanks

uk-bolly

honeysood commented 1 month ago

@uk-bolly I tried with multiple images (both older and new) of Amazon Linux 2023, but I am still getting the same error. Please confirm which image we should use so we will not get the GPG keys issue.