anthcourtney / ansible-role-cis-amazon-linux

Ansible role to apply CIS Amazon Linux Benchmark v2.0.0
MIT License

ansible-role-cis-amazon-linux playbook error #33

Closed smuthali closed 6 years ago

smuthali commented 6 years ago

Hello! First off, thank you for the ansible-role-cis-amazon-linux playbook. I've hooked this into AWS CodeBuild, and the AMI creation fails when Ansible task executions either take a very long time or hang. Ansible version: 2.4.3

Specifically here:

AWS AMI Builder - CIS: TASK [anthcourtney.cis-amazon-linux : 3.6.2 - Ensure default deny firewall policy(DROP INPUT)] ***

Failed messages from build.log:

AWS AMI Builder - CIS: TASK [anthcourtney.cis-amazon-linux : 3.5.4 - Ensure TIPC is disabled] *********
AWS AMI Builder - CIS: changed: [127.0.0.1]
AWS AMI Builder - CIS:
AWS AMI Builder - CIS: TASK [anthcourtney.cis-amazon-linux : 3.6.1 - Ensure iptables is installed] ****
AWS AMI Builder - CIS: ok: [127.0.0.1]
AWS AMI Builder - CIS:
AWS AMI Builder - CIS: TASK [anthcourtney.cis-amazon-linux : 3.6.2 - Ensure default deny firewall policy(DROP INPUT)] ***
AWS AMI Builder - CIS: changed: [127.0.0.1] => (item=INPUT)
AWS AMI Builder - CIS: changed: [127.0.0.1] => (item=FORWARD)
==> AWS AMI Builder - CIS: Terminating the source AWS instance...
==> AWS AMI Builder - CIS: Cleaning up any extra volumes...
==> AWS AMI Builder - CIS: No volumes to clean up, skipping
==> AWS AMI Builder - CIS: Deleting temporary security group...
==> AWS AMI Builder - CIS: Deleting temporary keypair...
Build 'AWS AMI Builder - CIS' errored: Error executing Ansible: Non-zero exit status: 2300218

==> Some builds didn't complete successfully and had errors:
--> AWS AMI Builder - CIS: Error executing Ansible: Non-zero exit status: 2300218

With verbose enabled:

AWS AMI Builder - CIS: TASK [anthcourtney.cis-amazon-linux : 3.6.2 - Ensure default deny firewall policy(DROP INPUT)] ***
AWS AMI Builder - CIS: task path: /tmp/packer-provisioner-ansible-local/5a918be7-cf73-af80-79ad-2c4d415a3b6a/roles/anthcourtney.cis-amazon-linux/tasks/level-1/3.6.2.yml:6
AWS AMI Builder - CIS: Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ec2-user
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673 `" && echo ansible-tmp-1519488317.45-210223813466673="` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673 `" ) && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> PUT /tmp/tmpWst8Um TO /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673/ /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673/iptables.py && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-mjyykfcuhnygkfssisoxutueavlofpmo; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673/iptables.py; rm -rf "/home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.45-210223813466673/" > /dev/null 2>&1'"'"' && sleep 0'
AWS AMI Builder - CIS: changed: [127.0.0.1] => (item=INPUT) => {
AWS AMI Builder - CIS: "chain": "INPUT",
AWS AMI Builder - CIS: "changed": true,
AWS AMI Builder - CIS: "flush": false,
AWS AMI Builder - CIS: "invocation": {
AWS AMI Builder - CIS: "module_args": {
AWS AMI Builder - CIS: "action": "append",
AWS AMI Builder - CIS: "chain": "INPUT",
AWS AMI Builder - CIS: "comment": null,
AWS AMI Builder - CIS: "ctstate": [],
AWS AMI Builder - CIS: "destination": null,
AWS AMI Builder - CIS: "destination_port": null,
AWS AMI Builder - CIS: "flush": false,
AWS AMI Builder - CIS: "fragment": null,
AWS AMI Builder - CIS: "goto": null,
AWS AMI Builder - CIS: "icmp_type": null,
AWS AMI Builder - CIS: "in_interface": null,
AWS AMI Builder - CIS: "ip_version": "ipv4",
AWS AMI Builder - CIS: "jump": "DROP",
AWS AMI Builder - CIS: "limit": null,
AWS AMI Builder - CIS: "limit_burst": null,
AWS AMI Builder - CIS: "match": [],
AWS AMI Builder - CIS: "out_interface": null,
AWS AMI Builder - CIS: "policy": null,
AWS AMI Builder - CIS: "protocol": null,
AWS AMI Builder - CIS: "reject_with": null,
AWS AMI Builder - CIS: "set_counters": null,
AWS AMI Builder - CIS: "set_dscp_mark": null,
AWS AMI Builder - CIS: "set_dscp_mark_class": null,
AWS AMI Builder - CIS: "source": null,
AWS AMI Builder - CIS: "source_port": null,
AWS AMI Builder - CIS: "state": "present",
AWS AMI Builder - CIS: "table": "filter",
AWS AMI Builder - CIS: "tcp_flags": {},
AWS AMI Builder - CIS: "to_destination": null,
AWS AMI Builder - CIS: "to_ports": null,
AWS AMI Builder - CIS: "to_source": null,
AWS AMI Builder - CIS: "uid_owner": null
AWS AMI Builder - CIS: }
AWS AMI Builder - CIS: },
AWS AMI Builder - CIS: "ip_version": "ipv4",
AWS AMI Builder - CIS: "item": "INPUT",
AWS AMI Builder - CIS: "rule": "-j DROP",
AWS AMI Builder - CIS: "state": "present",
AWS AMI Builder - CIS: "table": "filter"
AWS AMI Builder - CIS: }
AWS AMI Builder - CIS: Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970 `" && echo ansible-tmp-1519488317.62-94776954667970="` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970 `" ) && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> PUT /tmp/tmp_yVIIW TO /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970/ /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970/iptables.py && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-uurjubgfoaekyikzlvzbqwxrrjtxkjoe; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970/iptables.py; rm -rf "/home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.62-94776954667970/" > /dev/null 2>&1'"'"' && sleep 0'
AWS AMI Builder - CIS: changed: [127.0.0.1] => (item=FORWARD) => {
AWS AMI Builder - CIS: "chain": "FORWARD",
AWS AMI Builder - CIS: "changed": true,
AWS AMI Builder - CIS: "flush": false,
AWS AMI Builder - CIS: "invocation": {
AWS AMI Builder - CIS: "module_args": {
AWS AMI Builder - CIS: "action": "append",
AWS AMI Builder - CIS: "chain": "FORWARD",
AWS AMI Builder - CIS: "comment": null,
AWS AMI Builder - CIS: "ctstate": [],
AWS AMI Builder - CIS: "destination": null,
AWS AMI Builder - CIS: "destination_port": null,
AWS AMI Builder - CIS: "flush": false,
AWS AMI Builder - CIS: "fragment": null,
AWS AMI Builder - CIS: "goto": null,
AWS AMI Builder - CIS: "icmp_type": null,
AWS AMI Builder - CIS: "in_interface": null,
AWS AMI Builder - CIS: "ip_version": "ipv4",
AWS AMI Builder - CIS: "jump": "DROP",
AWS AMI Builder - CIS: "limit": null,
AWS AMI Builder - CIS: "limit_burst": null,
AWS AMI Builder - CIS: "match": [],
AWS AMI Builder - CIS: "out_interface": null,
AWS AMI Builder - CIS: "policy": null,
AWS AMI Builder - CIS: "protocol": null,
AWS AMI Builder - CIS: "reject_with": null,
AWS AMI Builder - CIS: "set_counters": null,
AWS AMI Builder - CIS: "set_dscp_mark": null,
AWS AMI Builder - CIS: "set_dscp_mark_class": null,
AWS AMI Builder - CIS: "source": null,
AWS AMI Builder - CIS: "source_port": null,
AWS AMI Builder - CIS: "state": "present",
AWS AMI Builder - CIS: "table": "filter",
AWS AMI Builder - CIS: "tcp_flags": {},
AWS AMI Builder - CIS: "to_destination": null,
AWS AMI Builder - CIS: "to_ports": null,
AWS AMI Builder - CIS: "to_source": null,
AWS AMI Builder - CIS: "uid_owner": null
AWS AMI Builder - CIS: }
AWS AMI Builder - CIS: },
AWS AMI Builder - CIS: "ip_version": "ipv4",
AWS AMI Builder - CIS: "item": "FORWARD",
AWS AMI Builder - CIS: "rule": "-j DROP",
AWS AMI Builder - CIS: "state": "present",
AWS AMI Builder - CIS: "table": "filter"
AWS AMI Builder - CIS: }
AWS AMI Builder - CIS: Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646 `" && echo ansible-tmp-1519488317.78-154260623678646="` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646 `" ) && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> PUT /tmp/tmp8vSpSS TO /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646/iptables.py
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646/ /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646/iptables.py && sleep 0'
AWS AMI Builder - CIS: <127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-mjqvzztsrygiuyivyrvzqjvacorlxplm; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646/iptables.py; rm -rf "/home/ec2-user/.ansible/tmp/ansible-tmp-1519488317.78-154260623678646/" > /dev/null 2>&1'"'"' && sleep 0'

So, I also tried to modify the SSH config to something like this:

    #!/bin/bash -x

    # These SSH configuration values are set when the server comes up so that Packer can
    # maintain a hanging, trafficless SSH connection.

    # Let the provisioner run sudo without a tty.
    sudo sed -i -e '/Defaults    requiretty/{ s/.*/# Defaults    requiretty/ }'  /etc/sudoers
    # Keep idle sessions alive: probe every 1000s, allow up to 10 unanswered probes.
    sudo sed -i -e '/ClientAliveInterval 300/{ s/.*/ClientAliveInterval 1000/ }' /etc/ssh/sshd_config
    sudo sed -i -e '/ClientAliveCountMax 0/{ s/.*/ClientAliveCountMax 10/ }'      /etc/ssh/sshd_config
    sudo sed -i -e '/#TCPKeepAlive yes/{ s/.*/TCPKeepAlive yes/ }'               /etc/ssh/sshd_config

    # Apply the new sshd settings and return its exit status.
    sudo service sshd restart
    exit $?

Please let me know if you need any additional information.

smuthali commented 6 years ago

After debugging a bit, the following exclusions had to be placed to ensure the AMI build was successful:

    cis_level_1_exclusions:
      - 3.6.2
      - 5.3.3

I am pretty sure that this is an Ansible 2.4.x issue. I will debug further. Meanwhile, if you have any suggestions, that'd be great.

chandanchowdhury commented 6 years ago

Hi @smuthali, the issue is due to firewall task 3.6.2, which by default will block all ports, including SSH, which is used by Ansible. So once task 3.6.2 has run, there is no way to SSH into the host and all subsequent tasks fail.

To fix the issue, allow port 22 in 3.6.5.yml and update level-1.yml to rearrange the firewall tasks so that 3.6.2 is executed after all the firewall tasks have finished.

Testing has finished, and I am working on the PR to fix this issue.
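The ordering problem described in this thread, as an added example that is not the role's own code and not from any participant: the loopback, established-session and SSH accept rules are applied before the default-deny step, and a final check reads the chain back so a build fails loudly instead of hanging. The CIS item numbers in the task names follow the ones used in the thread; the `mgmt_ssh_port` variable, the task names and the `assert` check are assumptions of this example, and it uses the `iptables` module's `policy` parameter rather than the appended `-j DROP` rule visible in the verbose log above. `with_items` is used so the play also runs on the Ansible 2.4.x reported in the issue.

```yaml
# Added example (not part of anthcourtney.cis-amazon-linux): apply CIS 3.6.x
# firewall steps in an order that keeps the management SSH session reachable.
- hosts: all
  become: true
  vars:
    mgmt_ssh_port: 22   # assumption: sshd listens on the default port

  tasks:
    - name: Allow loopback traffic (3.6.3)
      iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        action: insert   # put it at the top so it precedes any pre-existing DROP rule

    - name: Allow replies to established and related sessions (3.6.4)
      iptables:
        chain: INPUT
        ctstate: [ESTABLISHED, RELATED]
        jump: ACCEPT

    - name: Allow new inbound SSH connections (3.6.5)
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ mgmt_ssh_port }}"
        ctstate: [NEW]
        jump: ACCEPT

    # Only now, with the allow rules in place, set the default-deny policy (3.6.2).
    - name: Default deny on INPUT and FORWARD (3.6.2)
      iptables:
        chain: "{{ item }}"
        policy: DROP
      with_items:
        - INPUT
        - FORWARD

    - name: Read back the INPUT chain
      command: iptables -S INPUT
      register: input_chain
      changed_when: false

    # Fail the play (and the AMI build) if the chain would cut off SSH.
    - name: Verify SSH is still permitted under the default-deny policy
      assert:
        that:
          - "'-P INPUT DROP' in input_chain.stdout_lines"
          - input_chain.stdout_lines | select('search', '--dport ' ~ mgmt_ssh_port ~ ' -j ACCEPT') | list | length > 0
        fail_msg: "INPUT chain has a DROP policy but no ACCEPT rule for TCP port {{ mgmt_ssh_port }}"
```

Run it with `ansible-playbook -i <inventory> firewall-order.yml`. The same principle applies when the role is driven by the Packer `ansible-local` provisioner, as in the log above: the session that must survive is Packer's SSH connection to the instance, so the accept rules for established traffic and for the SSH port have to exist before the policy flips to DROP.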