ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

yum repo keys break during execution #79

Open four43 opened 2 months ago

four43 commented 2 months ago

Describe the Issue

Some of the self remediation of the playbook (installing missing packages) breaks. yum isn't able to interact with amazon repos after running the playbook

Expected Behavior

yum should continue to be able to interact with amazon repos without an interactive session

Actual Behavior

As the playbook runs it fails to install any other needed dependencies (like aide) because the keys need to be manually accepted.

$ yum search systemd
Amazon Linux 2023 repository                                                                             1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <amazon-linux@amazon.com>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Is this ok [y/N]: y
Amazon Linux 2023 repository                                                                             1.1 kB/s | 243  B     00:00
Amazon Linux 2023 repository                                                                             1.7 MB/s | 1.8 kB     00:00
Amazon Linux 2023 repository                                                                             1.7 kB/s | 243  B     00:00
Errors during downloading metadata for repository 'amazonlinux':
  - Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/core/guids/3bcf27ddb101a0d9a00e48592ff86fe0e8191daaab7cde84698fcc78eb841037/x86_64/repodata/repomd.xml.asc (IP: 52.217.118.42)
  - Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/core/guids/3bcf27ddb101a0d9a00e48592ff86fe0e8191daaab7cde84698fcc78eb841037/x86_64/repodata/repomd.xml.asc (IP: 52.216.37.202)
Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/core/guids/3bcf27ddb101a0d9a00e48592ff86fe0e8191daaab7cde84698fcc78eb841037/x86_64/repodata/repomd.xml.asc (IP: 52.216.37.202)
Amazon Linux 2023 Kernel Livepatch repository                                                            1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <amazon-linux@amazon.com>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Is this ok [y/N]: y
Amazon Linux 2023 Kernel Livepatch repository                                                            1.2 kB/s | 243  B     00:00
Amazon Linux 2023 Kernel Livepatch repository                                                            1.7 MB/s | 1.8 kB     00:00
Amazon Linux 2023 Kernel Livepatch repository                                                            1.8 kB/s | 243  B     00:00
Errors during downloading metadata for repository 'kernel-livepatch':
  - Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/kernel-livepatch/guids/90fec3f16411a822bdfa74e307fdd3bc342130b3ca37b10aa2dc8e198caeeaa7/x86_64/repodata/repomd.xml.asc (IP: 54.231.199.2)
  - Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/kernel-livepatch/guids/90fec3f16411a822bdfa74e307fdd3bc342130b3ca37b10aa2dc8e198caeeaa7/x86_64/repodata/repomd.xml.asc (IP: 52.217.126.194)
Error: Failed to download metadata for repo 'kernel-livepatch': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com/kernel-livepatch/guids/90fec3f16411a822bdfa74e307fdd3bc342130b3ca37b10aa2dc8e198caeeaa7/x86_64/repodata/repomd.xml.asc (IP: 52.217.126.194)
Ignoring repositories: amazonlinux, kernel-livepatch
===================================================== Name Exactly Matched: systemd =====================================================
systemd.x86_64 : System and Service Manager
==================================================== Name & Summary Matched: systemd ====================================================
python3-systemd.x86_64 : Python module wrapping libsystemd functionality
rpm-plugin-systemd-inhibit.x86_64 : Rpm plugin for systemd inhibit functionality
systemd-libs.x86_64 : systemd libraries
systemd-pam.x86_64 : systemd PAM module
========================================================= Name Matched: systemd =========================================================
systemd-networkd.x86_64 : System daemon that manages network configurations
systemd-resolved.x86_64 : Network Name Resolution manager
systemd-udev.x86_64 : Rule-based device node and kernel event manager
======================================================= Summary Matched: systemd ========================================================
zram-generator.x86_64 : Systemd unit generator for zram swap devices

Control(s) Affected

What controls are being affected by the issue

1.2.4 broke the behavior

Environment (please complete the following information):

Additional Notes

Thanks for the great project!

Possible Solution

Run with --skip-tags rule_1.2.4

uk-bolly commented 1 month ago

hi @four43

Thank you for taking the time to raise this issue. This particular issue is known and can be seen as listed in the known issues on the readme. While CIS (or any benchmarking tool) suggests good practices, they don't always work; in this case Amazon has chosen not to have the repo GPG signed, but the packages are. So your solution is correct.

Kindest regards

uk-bolly
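The reply above explains the failure: the packages are signed, but the repository metadata is not, so a global repo_gpgcheck=1 makes dnf demand a repomd.xml.asc that the repo never publishes. The script below is an added example (not part of the ansible-lockdown role, the CIS benchmark, or anything posted in this issue) that audits a host's dnf configuration before and after such a change: it parses /etc/dnf/dnf.conf and the *.repo files, resolves the effective gpgcheck and repo_gpgcheck for every repo (a per-repo setting overrides the [main] default, and an unset option counts as 0), and lists the repos that will require a signed repomd.xml. The sample dnf.conf and .repo contents are constructed for the example; only the repo ids amazonlinux and kernel-livepatch and the key path come from the output posted above, and the example-signed repo is hypothetical.

```python
"""Audit effective gpgcheck / repo_gpgcheck settings across dnf repositories.

Added example for this issue thread; not code from the ansible-lockdown role.
Assumed dnf semantics: options in a repo section override the same option in
[main] of dnf.conf, and a missing boolean option behaves as 0 (except
`enabled`, which defaults to 1).
"""
import configparser
from pathlib import Path

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample: a stock dnf.conf and one with the CIS-style global
# repo_gpgcheck=1 added (the change this issue reports as breaking yum).
DNF_CONF_BEFORE = """[main]
gpgcheck=1
installonly_limit=2
"""
DNF_CONF_HARDENED = """[main]
gpgcheck=1
repo_gpgcheck=1
installonly_limit=2
"""

# Constructed sample repo files. amazonlinux and kernel-livepatch set no
# repo_gpgcheck of their own, so the [main] value decides for them.
# example-signed is a hypothetical repo that explicitly wants signed metadata.
SAMPLE_REPO_FILES = {
    "amazonlinux.repo": """[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://example.invalid/al2023/core/mirrors/$releasever/$basearch/mirror.list
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
""",
    "kernel-livepatch.repo": """[kernel-livepatch]
name=Amazon Linux 2023 Kernel Livepatch repository
mirrorlist=https://example.invalid/al2023/kernel-livepatch/mirrors/$releasever/$basearch/mirror.list
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
""",
    "example-signed.repo": """[example-signed]
name=Hypothetical repo whose metadata is signed
baseurl=https://example.invalid/signed/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.invalid/signed/RPM-GPG-KEY-example
""",
}


def _as_bool(value, default=False):
    """Interpret a dnf boolean option; None (option absent) yields `default`."""
    if value is None:
        return default
    return str(value).strip().lower() in TRUE_VALUES


def _parse(text):
    # interpolation=None so $basearch / $releasever are left untouched.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective_repo_settings(dnf_conf, repo_files):
    """Return {repo_id: {...}} with the settings dnf would actually apply."""
    main = _parse(dnf_conf)
    defaults = main["main"] if main.has_section("main") else {}
    global_gpgcheck = _as_bool(defaults.get("gpgcheck"))
    global_repo_gpgcheck = _as_bool(defaults.get("repo_gpgcheck"))
    result = {}
    for fname, text in sorted(repo_files.items()):
        cp = _parse(text)
        for repo_id in cp.sections():
            sec = cp[repo_id]
            result[repo_id] = {
                "file": fname,
                "enabled": _as_bool(sec.get("enabled"), default=True),
                "gpgcheck": _as_bool(sec.get("gpgcheck"), default=global_gpgcheck),
                "repo_gpgcheck": _as_bool(sec.get("repo_gpgcheck"), default=global_repo_gpgcheck),
                "gpgkey": sec.get("gpgkey"),
            }
    return result


def repos_needing_metadata_signature(settings):
    """Enabled repos for which dnf will refuse metadata lacking repomd.xml.asc."""
    return sorted(r for r, s in settings.items() if s["enabled"] and s["repo_gpgcheck"])


def audit_host(dnf_conf_path="/etc/dnf/dnf.conf", repo_dir="/etc/yum.repos.d"):
    """Run the same audit against a real host's files."""
    dnf_conf = Path(dnf_conf_path).read_text()
    repo_files = {p.name: p.read_text() for p in Path(repo_dir).glob("*.repo")}
    return effective_repo_settings(dnf_conf, repo_files)


if __name__ == "__main__":
    for label, conf in (("before", DNF_CONF_BEFORE), ("hardened", DNF_CONF_HARDENED)):
        settings = effective_repo_settings(conf, SAMPLE_REPO_FILES)
        print(f"{label}: repos requiring signed metadata ->",
              repos_needing_metadata_signature(settings))
```

Run it as-is to see the constructed before/after comparison, or call audit_host() on an AL2023 instance after the role has run: any repo it lists that does not publish repomd.xml.asc will produce exactly the "GPG signature is not available" failure shown in the issue, which is how to confirm that skipping rule_1.2.4 (or setting repo_gpgcheck=0 for those specific repos while keeping gpgcheck=1 for packages) is the right exception rather than a broader relaxation.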