sonofagl1tch / AWSDetonationLab

This script is used to generate some basic detections of the aws security services
Apache License 2.0

Template deployment ends up with ROLLBACK status #51

Closed mgmacias95 closed 5 years ago

mgmacias95 commented 5 years ago

Describe the bug

When I try to deploy the template it fails in the middle of the deployment process and rolls back all the deployed resources.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new stack with the template.
  2. Wait.

Expected behavior

I expect the stack deployment to get CREATE_COMPLETE status instead of ROLLBACK_IN_PROGRESS.


Additional context

It seems Amazon Marketplace has updated their images so the ID is no longer the one specified in the template.

mgmacias95 commented 5 years ago

Hello @sonofagl1tch,

After updating the AMIs used in the CF template in https://github.com/sonofagl1tch/AWSDetonationLab/commit/3f4cbfd148e6e454ac072962f6e1a7ef66c78454, the template was still failing: [image]

I disabled rolling back when the template failed so I was able to do some checks in the environment and get further information about the error. I accessed the bastion machine and found out that the bastion_bootstrap.sh script is failing:

```
# /tmp/bastion_bootstrap.sh --banner https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/master/artifacts/banner_message.txt --enable true --tcp-forwarding true --x11-forwarding false
checkos Ended
BANNER_PATH = https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/master/artifacts/banner_message.txt
Creating Banner in /etc/ssh_banner
curl  -s https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/master/artifacts/banner_message.txt > /etc/ssh_banner
[INFO] Installing banner ...
Setting up bastion session log in /var/log/bastion/bastion.log
ln: failed to create hard link ‘/var/log/bastion/.bastion.log’: File exists
Value of TCP_FORWARDING - true
Value of X11_FORWARDING - false
[ERROR] Unsupported Linux Bastion OS
```

Searching in the script's code, I found out where the error was being raised: https://github.com/sonofagl1tch/AWSDetonationLab/blob/e3a7078e93a6409ea66625a0c813d4770eeb8cbe/additionalInstallationScripts/bastion_bootstrap.sh#L582-L598

It seems the result from the osrelease function isn't correct. Reviewing that function: https://github.com/sonofagl1tch/AWSDetonationLab/blob/e3a7078e93a6409ea66625a0c813d4770eeb8cbe/additionalInstallationScripts/bastion_bootstrap.sh#L57-L69

It seems the following command is returning a wrong value:

```
# cat /etc/os-release | grep '^NAME=' |  tr -d \" | sed 's/\n//g' | sed 's/NAME=//g'
Amazon Linux AMI
```

But I don't know if replacing the content in line 61 would be a good fix, since it was changed here: https://github.com/awslabs/amazon-guardduty-tester/commit/9fb76df51b797c163d570e5eed087f87d7983170#diff-18583a0977c9ce589518e28d2ef9a78c

Am I using an old instance by mistake when I changed AMIs?

Best regards, Marta

sonofagl1tch commented 5 years ago

looking at this bash i was using a full string match as my conditional which worked before the aws template updates. looks like now we need more of an "if a string contains substring" type of conditional. similar to the code snippet below.

```bash
string='My long string'
if [[ $string == *"My long"* ]]; then
  echo "It's there!"
fi
```

https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash
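
The difference between the two conditionals discussed in this thread, applied to the `NAME=` value from `/etc/os-release`, as an added example that is not the project's `bastion_bootstrap.sh` or code from either commenter. The function names, the family labels, the exact string compared in `os_family_exact` and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Labels (AMZN, Ubuntu, CentOS) and matched strings are assumptions.

# Print the NAME value from an os-release style file, with quotes removed.
# $1: path to the file (defaults to /etc/os-release).
os_name() {
    sed -n 's/^NAME=//p' "${1:-/etc/os-release}" | tr -d '"' | head -n 1
}

# Full-string comparison: stops matching as soon as an image reports a
# slightly different NAME, and the bootstrap then aborts as "unsupported".
os_family_exact() {
    name=$(os_name "$1")
    if [ "$name" = "Amazon Linux" ]; then echo "AMZN"; else echo "UNSUPPORTED"; fi
}

# Substring comparison with case patterns, the POSIX equivalent of
# [[ $name == *"Amazon Linux"* ]] in bash. Unknown systems still fail closed.
os_family() {
    name=$(os_name "$1")
    case "$name" in
        *"Amazon Linux"*) echo "AMZN" ;;
        *Ubuntu*)         echo "Ubuntu" ;;
        *CentOS*)         echo "CentOS" ;;
        *)                echo "UNSUPPORTED"; return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/os-release on two images.
demo() {
    dir=$(mktemp -d)
    printf 'NAME="Amazon Linux AMI"\nVERSION="2018.03"\n' > "$dir/al1"
    printf 'NAME="Amazon Linux"\nVERSION="2"\n' > "$dir/al2"
    for f in al1 al2; do
        echo "$f exact=$(os_family_exact "$dir/$f") substring=$(os_family "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```
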