[Image Builder Component] [bug]: linux stig and scap image builder components fail on RHEL 9.3

[davidgaster]

The AWS image builder components stig-build-linux-high, scap-compliance-checker-linux components fail on the official RedHat 9.3 OS images and causes command executions to exit. I see a ton of failures in the execution, with the most recent CloudWatch logs showing:

+ local 'Failure=Failed to set the system to not perform package IPv4 forwarding, not in compliance with V-258080.'
+ echo
+ '[' '!' -d ' /var/log/faillock' ']'
+ mkdir -p /var/log/faillock
+ ls -Zd /var/log/faillock
+ grep -E -q '^(\s*)unconfined_u:object_r:faillog_t:s0 \/var\/log\/faillock?\s*$'
+ dnf -q list installed policycoreutils-python-utils
+ semanage fcontext -a -t faillog_t '/var/log/faillock(/.*)?'
+ restorecon -R -v /var/log/faillock
+ ls -Zd /var/log/faillock
+ grep -E -q '^(\s*)unconfined_u:object_r:faillog_t:s0 \/var\/log\/faillock?\s*$'
+ echo 'Failed to set the system to not perform package IPv4 forwarding, not in compliance with V-258080.'
+ exit 1

The base AMI details are from the official RedHat AMIs:

RHEL_HA-9.3.0_HVM-20240229-x86_64-27-Hourly2-GP3	ami-03b04c2b901272c06	219670896067/RHEL_HA-9.3.0_HVM-20240229-x86_64-27-Hourly2-GP3	219670896067

image builder component ARNs

• arn:aws-us-gov:imagebuilder:us-gov-west-1:aws:component/stig-build-linux-high/2024.2.0/1
• arn:aws-us-gov:imagebuilder:us-gov-west-1:aws:component/scap-compliance-checker-linux/2023.04.0/1

The scap component says it's only compatible with RHEL 7 and 8. Is it possible to add RHEL 9 compatibility? The stig build linux high says it is compatible with RHEL 9.

For context, this same setup works perfectly fine on RHEL 8.8 and 8.9. The only change was bumping the base AMIs to RHEL 9.3.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request Would appreciate some help looking into this bug.

[davidgaster]

please let me know if there is a better place for bug reports!

[austoonz]

Hi @davidgaster, I've passed this onto the team that own those components. Will update when I have something to share.

[austoonz]

The fixes for this have deployed to all regions. Feel free to reopen if you find things still not working.