ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

How to set root password using the correct encryption version #86

Open Ranjith219 opened 1 month ago

Ranjith219 commented 1 month ago

Question: I'm pretty new to Ansible and I have been trying this Ansible role. However, it's failing at the "Ensure root password is set" step and I'm unclear on how to set the password. I just cloned this repo, configured the tag in the playbook, and ran it. Please help me out. The error message is below.

amazon-ebs.amz3-build: TASK [ace-os-hardening-ansible-cis-amnz-linux3 : Ensure root password is set] ***
amazon-ebs.amz3-build: fatal: [default]: FAILED! => {"changed": false, "cmd": "passwd -S root | grep \"Password set, SHA512 crypt\"", "delta": "0:00:00.021461", "end": "2024-08-14 03:18:43.994469", "msg": "non-zero return code", "rc": 1, "start": "2024-08-14 03:18:43.973008", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}


uk-bolly commented 4 weeks ago

hi @Ranjith219

This is a test to ensure you have a root password set when you have a specific control enabled. In this case you have rule 4.6.6 enabled, which requires that you have a root password set (this is also in the error output).

This will halt the playbook due to the fact it could break your system with that enabled and you have not yet set a root password. For Amazon they generally don't set them, but CIS recommends that you do. You can either skip this particular control by changing the value to false for amzn2023cis_rule_4_6_6, or you could set a root password manually to enable this control to take place.

Hope that helps.

uk-bolly
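The check uk-bolly describes is a substring match on `passwd -S root` output. As an added example that is not part of this thread or of the role's own code, the following classifies constructed `/etc/shadow` lines by password state and hash algorithm (from the `crypt(5)` prefix), and mirrors the role's grep so you can see which states would halt the playbook:

```python
from __future__ import annotations

# Hash-prefix -> algorithm, per crypt(5). Table constructed for this example.
CRYPT_ALGORITHMS = {
    "$1$": "MD5",
    "$2b$": "bcrypt",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}


def _algorithm(hash_field: str) -> str | None:
    """Map the leading crypt(5) id of a hash to a name; None for an empty field."""
    for prefix, name in CRYPT_ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown" if hash_field else None


def shadow_status(shadow_line: str) -> tuple[str, str, str | None]:
    """Classify one /etc/shadow line as (user, state, algorithm).

    state is 'empty' (no hash at all, as on a default AL2023 root account),
    'locked' ('!' or '*' marker) or 'set'. A locked account may still carry a
    hash behind the marker, so the algorithm is reported in that case too.
    """
    fields = shadow_line.rstrip("\n").split(":")
    user, hash_field = fields[0], fields[1]
    if hash_field == "":
        return user, "empty", None
    if hash_field.startswith(("!", "*")):
        return user, "locked", _algorithm(hash_field.lstrip("!*"))
    return user, "set", _algorithm(hash_field)


def role_check_passes(passwd_s_output: str) -> bool:
    """Mirror the role's test: passwd -S root | grep 'Password set, SHA512 crypt'."""
    return "Password set, SHA512 crypt" in passwd_s_output


# Constructed sample lines (not taken from a real system).
SAMPLE_SHADOW = [
    "root::19949:0:99999:7:::",                               # no root password
    "root:!!:19949:0:99999:7:::",                             # locked, no hash
    "root:$6$saltsalt$abcdef0123456789:19949:0:99999:7:::",   # SHA-512, set
    "root:$y$j9T$saltsalt$hash:19949:0:99999:7:::",           # yescrypt, set
]


def audit(lines: list[str]) -> list[tuple[str, str, str | None]]:
    return [shadow_status(line) for line in lines]
```

Only the third sample would satisfy the role's grep; a yescrypt hash is a set password but does not contain "SHA512 crypt" in `passwd -S` output.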

Ranjith219 commented 4 weeks ago

Ah, that makes sense, thank you so much for clarification and quick response, appreciate it.

Ranjith219 commented 4 weeks ago

Hi @uk-bolly, could you please shed some light on this? I'm getting "No such file or directory: '/usr/bin/python'\nShared connection to 127.0.0.1 closed" while installing crypto-policies.

amazon-ebs.amz3-build: TASK [ace-os-hardening-ansible-cis-amnz-linux3 : PRELIM | Install crypto-policies | pkgs present] ***
amazon-ebs.amz3-build: An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Shared connection to 127.0.0.1 closed.
amazon-ebs.amz3-build: fatal: [default]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/ec2-user/~gha/.ansible/tmp/ansible-tmp-1723643095.1981156-1950-145898115397304/AnsiballZ_yum.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/ec2-user/~gha/.ansible/tmp/ansible-tmp-1723643095.1981156-1950-145898115397304/AnsiballZ_yum.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/ec2-user/~gha/.ansible/tmp/ansible-tmp-1723643095.1981156-1950-145898115397304/AnsiballZ_yum.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.yum', init_globals=dict(_module_fqn='ansible.modules.yum', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.9/runpy.py\", line 225, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ansible.legacy.yum_payload_t_o4_i4i/ansible_ansible.legacy.yum_payload.zip/ansible/modules/yum.py\", line 1803, in <module>\n  File \"/tmp/ansible_ansible.legacy.yum_payload_t_o4_i4i/ansible_ansible.legacy.yum_payload.zip/ansible/modules/yum.py\", line 1799, in main\n  File \"/tmp/ansible_ansible.legacy.yum_payload_t_o4_i4i/ansible_ansible.legacy.yum_payload.zip/ansible/modules/yum.py\", line 1679, in run\n  File \"/tmp/ansible_ansible.legacy.yum_payload_t_o4_i4i/ansible_ansible.legacy.yum_payload.zip/ansible/module_utils/common/respawn.py\", line 43, in respawn_module\n  File \"/usr/lib64/python3.9/subprocess.py\", line 349, in call\n    with Popen(*popenargs, **kwargs) as p:\n  File \"/usr/lib64/python3.9/subprocess.py\", line 951, in __init__\n    self._execute_child(args, executable, preexec_fn, close_fds,\n  File 
\"/usr/lib64/python3.9/subprocess.py\", line 1821, in _execute_child\n    raise child_exception_type(errno_num, err_msg, err_filename)\n**FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/python'\nShared connection to 127.0.0.1 closed.**\r\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}