search

plus3it / amigen9

Set of Tools to Provide Automation of Tasks for Creating STIG-Partitioned EL9 AMIs and Other VM-Template Types
Apache License 2.0
0 stars 5 forks source link

[Feature Request] Ensure use of NetworkManager Key-files instead of ifcfg files #22

Open ferricoxide opened 2 months ago

ferricoxide commented 2 months ago

Is your feature request related to a problem? Please describe.

While writing security-automation for the watchmaker project (see: ash-linux-formula PR #506), a security-finding came up for the network configuration files. This led me to find a vendor-article on the deprecation of ifcfg files in RHEL 9 and later (see the "NetworkManager connection profiles in ifcfg format are deprecated" section of the linked-document for specific verbiage). The AMIgen automation needs to be updated to account for this change

Describe the solution you'd like

AMIgen bakes in the cloud-init service. Instances launched from AMIgen-created images already leverage cloud-init for boot-time automation-tasks. The ifcfg to NM-keyfile operation could be included by way of a per once stage script.

Describe alternatives you've considered

Additional context

ferricoxide commented 2 months ago

While the legacy files are being created in PostBuild.sh, it's not 100% clear that a similar mechanism can be used for creating the NM-keyfiles from the get-go.

That said, the EL9 EC2s are launching with ensN interfaces instead of ethN interfaces and associated …/network-scripts/* files are getting created at launch, so, it may be mostly – or even wholly – unnecessary to even have the prepositioned …/network-scripts/* or NM-keyfiles in the AMIs.

ferricoxide commented 3 weeks ago

Looking at a newly launched system, the files that AMIgen9 creates in /etc/sysconfig/network-scripts/ are, effectively ignored:

/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-ens5

AMIgen9, carrying over logic from previous AMIgenN projects, currently creates /etc/sysconfig/network-scripts/ifcfg-eth0. That file gets ignored and an /etc/sysconfig/network-scripts/ifcfg-ens5 gets created at boot-time.

Further, if one wholly nukes those files, the system still boots up with functional networking, even though there's no files in either the legacy/deprecated /etc/sysconfig/network-scripts/ or the currently-supported /etc/NetworkManager/system-connections/ directory-locations.

# find /etc/sysconfig/network-scripts/ /etc/NetworkManager/system-connections/
/etc/sysconfig/network-scripts/
/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/NetworkManager/system-connections/
ferricoxide commented 3 weeks ago

Interestingly, the RHEL 9 AMI published by Red Hat is still using legacy behavior:

# find /etc/sysconfig/network-scripts/ /etc/NetworkManager/system-connections/
/etc/sysconfig/network-scripts/
/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/NetworkManager/system-connections/
[root@ip-zabvtctuwer ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:4a:74:ec:da:91 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 140.48.100.244/26 brd 140.48.100.255 scope global dynamic noprefixroute eth0
       valid_lft 3419sec preferred_lft 3419sec
    inet6 fe80::4a:74ff:feec:da91/64 scope link
       valid_lft forever preferred_lft forever

Need to dig in and see if can replicate.

ferricoxide commented 3 weeks ago

Nuking out the legacy ifcfg-scripts content and generating a new images doesn't resolve the issue in instances made from the new image. Going to do a comparison between the new image and the vendor image (since the vendor image is creating instances that still create ethN devices)

ferricoxide commented 3 weeks ago

Right now, it looks like the /etc/default/grub file's contents are getting ignored when grub2-mkconfig is run. Looks like, with 9.3+, need to modify the grub2-mkconfig line in PostBuild.sh:

/sbin/grub2-mkconfig > /boot/grub2/grub.cfg

to

grub2-mkconfig -o /boot/grub2/grub.cfg --update-bls-cmdline
ferricoxide commented 1 week ago

Implemented in PR #28

Right now, it looks like the /etc/default/grub file's contents are getting ignored when grub2-mkconfig is run. Looks like, with 9.3+, need to modify the grub2-mkconfig line in PostBuild.sh:

/sbin/grub2-mkconfig > /boot/grub2/grub.cfg

to

grub2-mkconfig -o /boot/grub2/grub.cfg --update-bls-cmdline