Building with hardening=stig fails during cleanup.sh #51

Closed
stanhu opened this issue Apr 15, 2022 · 7 comments · Fixed by #53
Comments

@stanhu

stanhu commented Apr 15, 2022

What happened:

I applied this diff:

diff --git a/Makefile b/Makefile
index 9b8133b..84b5d12 100644
--- a/Makefile
+++ b/Makefile
@@ -11,12 +11,10 @@ EKS_116_VERSION := 1.16.15
 EKS_117_VERSION := 1.17.12
 EKS_118_VERSION := 1.18.9
 EKS_119_VERSION := 1.19.6
+EKS_121_VERSION := 1.21.5
 
 build:
 	packer build \
-		--var 'aws_region=$(AWS_REGION)' \
-		--var 'vpc_id=$(VPC_ID)' \
-		--var 'subnet_id=$(SUBNET_ID)' \
 		$(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) \
 		$(PACKER_FILE)
 
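Review bot: dropping the explicit `--var 'aws_region=...'`, `--var 'vpc_id=...'` and `--var 'subnet_id=...'` lines means those three values now reach packer only if each is listed in PACKER_VARIABLES and set in the environment; if either condition is not met, the `$(if ...)` silently emits nothing and the build falls through to the template defaults instead of failing at make time. Confirm PACKER_VARIABLES contains all three, or keep an explicit `--var` for any value that must always be passed.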
@@ -105,6 +103,12 @@ build-rhel8-1.18:
 build-rhel8-1.19:
 	$(MAKE) build PACKER_FILE=amazon-eks-node-rhel8.json eks_version=$(EKS_119_VERSION) eks_build_date=2021-01-05
 
+build-rhel7-1.21-fips:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-rhel7.json eks_version=$(EKS_121_VERSION) eks_build_date=2021-11-10 hardening_flag=stig
+
+build-rhel8-1.21-fips:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-rhel8.json eks_version=$(EKS_121_VERSION) eks_build_date=2021-11-10 hardening_flag=stig
+
 # CentOS 7
 #-----------------------------------------------------
 build-centos7-1.15:
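Review bot: the two new targets are named `-fips` but the only thing they add over the existing targets is `hardening_flag=stig`, while the issue text refers to the flag as `hardening=stig`; confirm which variable name the packer template actually reads, and consider naming the targets after what they set (e.g. `-stig`) so a failing build is easy to attribute. `build-rhel7-1.21-fips` is also placed in the RHEL 8 block, directly above `# CentOS 7`; it belongs beside the other rhel7 targets, and the duplicated `eks_build_date=2021-11-10` would be better held in a variable next to `EKS_121_VERSION`.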

I attempted to build this via make build-rhel8-1.21-fips and make build-rhel7-1.21-fips and got:

<snip>
    amazon-ebs:   usbguard-1.0.0-2.el8.x86_64        usbguard-selinux-1.0.0-2.el8.noarch
    amazon-ebs:
    amazon-ebs: Complete!
    amazon-ebs: Remediating rule 359/362: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'
    amazon-ebs: Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
    amazon-ebs: Remediating rule 360/362: 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'
    amazon-ebs: Remediating rule 361/362: 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'
    amazon-ebs: Remediating rule 362/362: 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'
==> amazon-ebs: Provisioning with shell script: ./scripts/rhel8/cleanup.sh
    amazon-ebs:
    amazon-ebs: We trust you have received the usual lecture from the local System
    amazon-ebs: Administrator. It usually boils down to these three things:
    amazon-ebs:
    amazon-ebs:     #1) Respect the privacy of others.
    amazon-ebs:     #2) Think before you type.
    amazon-ebs:     #3) With great power comes great responsibility.
    amazon-ebs:
    amazon-ebs: [sudo] password for ec2-user: Sorry, try again.
    amazon-ebs: [sudo] password for ec2-user:
    amazon-ebs: sudo: no password was provided
    amazon-ebs: sudo: 1 incorrect password attempt
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored after 13 minutes 29 seconds: Script exited with non-

I noticed README.md mentions:

  • Packer does not support RHEL 8 in FIPS mode. SSH authentication breaks once FIPS is enabled. This repository enables FIPS as the last step as a workaround.

Is this relevant here (hashicorp/packer#8609)? I don't see any SSH handshake failures, only a sudo failure.

When I dropped the hardening=stig flag, the build worked.

What you expected to happen:

Build successful

How to reproduce it (as minimally and precisely as possible):

See diff above.

Environment:

  • OS: macOS
  • OS Version: 12.1
  • EKS Version: 1.21.5
  • Packer Version: 1.8.0
@spunkedy

spunkedy commented May 3, 2022

@stanhu I have seen you comment on a few issues across EKS + FIPS hardening across a few different projects.

Are you able to share what version / configuration you got going with EKS + FIPS?

@stanhu

stanhu commented May 3, 2022

@spunkedy

spunkedy commented May 5, 2022

Thanks!

@nywilken

nywilken commented May 5, 2022

Hi there - the latest release of the Amazon plugin has been patched to resolve the issues around legacy key algorithms, which may be at play here given that FIPS is enabled. Alternatively, there is the temporary_key_pair_type configuration argument that you can try to change the type of SSH key to "ed25519" which might work.

I would suggest giving one of the options suggested a try and seeing if it resolves your issue.

@stanhu

stanhu commented May 5, 2022

Thanks, it looks like with the test above I got a slightly different issue:

amazon-ebs: sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Details:

    amazon-ebs: Running transaction
    amazon-ebs:   Preparing        :                                                        1/1
    amazon-ebs:   Installing       : libqb-1.0.3-12.el8.x86_64                              1/4
    amazon-ebs:   Running scriptlet: libqb-1.0.3-12.el8.x86_64                              1/4
    amazon-ebs:   Installing       : protobuf-3.5.0-13.el8.x86_64                           2/4
    amazon-ebs:   Running scriptlet: usbguard-selinux-1.0.0-2.el8.noarch                    3/4
    amazon-ebs:   Installing       : usbguard-selinux-1.0.0-2.el8.noarch                    3/4
    amazon-ebs:   Running scriptlet: usbguard-selinux-1.0.0-2.el8.noarch                    3/4
    amazon-ebs:   Installing       : usbguard-1.0.0-2.el8.x86_64                            4/4
    amazon-ebs:   Running scriptlet: usbguard-1.0.0-2.el8.x86_64                            4/4
    amazon-ebs:   Running scriptlet: usbguard-selinux-1.0.0-2.el8.noarch                    4/4
    amazon-ebs:   Running scriptlet: usbguard-1.0.0-2.el8.x86_64                            4/4
    amazon-ebs:   Verifying        : protobuf-3.5.0-13.el8.x86_64                           1/4
    amazon-ebs:   Verifying        : usbguard-selinux-1.0.0-2.el8.noarch                    2/4
    amazon-ebs:   Verifying        : usbguard-1.0.0-2.el8.x86_64                            3/4
    amazon-ebs:   Verifying        : libqb-1.0.3-12.el8.x86_64                              4/4
    amazon-ebs: Installed products updated.
    amazon-ebs:
    amazon-ebs: Installed:
    amazon-ebs:   libqb-1.0.3-12.el8.x86_64          protobuf-3.5.0-13.el8.x86_64
    amazon-ebs:   usbguard-1.0.0-2.el8.x86_64        usbguard-selinux-1.0.0-2.el8.noarch
    amazon-ebs:
    amazon-ebs: Complete!
    amazon-ebs: Remediating rule 366/370: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'
    amazon-ebs: Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
    amazon-ebs: Remediating rule 367/370: 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'
    amazon-ebs: Remediating rule 368/370: 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'
    amazon-ebs: Remediating rule 369/370: 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'
    amazon-ebs: Remediating rule 370/370: 'xccdf_org.ssgproject.content_rule_xwindows_runlevel_target'
==> amazon-ebs: Provisioning with shell script: ./scripts/rhel8/cleanup.sh
    amazon-ebs: sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored after 20 minutes 41 seconds: Script exited with non-zero exit status: 1.Allowed exit codes are: [0]
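Added pre-flight check, not from this repository or any of the commenters, covering the two sudo failures reported in this thread: the password prompt in the first build and the "must be owned by uid 0 and have the setuid bit set" error in the second. It assumes GNU stat and a Packer shell provisioner run as the SSH user (ec2-user here) just before cleanup.sh; the script name preflight-sudo.sh is hypothetical.

```sh
#!/bin/sh
# Hypothetical pre-flight script (preflight-sudo.sh): run as the provisioning
# user after the hardening step and before cleanup.sh, so a remediation that
# broke sudo fails fast with a clear reason instead of a prompt mid-build.

# sudo_binary_ok PATH: return 0 when PATH is owned by uid 0 and carries the
# setuid bit (exactly what sudo checks on itself), 1 otherwise with a reason.
sudo_binary_ok() {
  path="${1:-/usr/bin/sudo}"
  if [ ! -f "$path" ]; then
    echo "preflight: $path is missing (removed by a hardening step?)" >&2
    return 1
  fi
  owner=$(stat -c '%u' "$path")   # numeric owner uid (GNU stat)
  mode=$(stat -c '%a' "$path")    # octal mode, e.g. 4111 or 755
  if [ "$owner" != "0" ]; then
    echo "preflight: $path is owned by uid $owner, expected 0" >&2
    return 1
  fi
  # A four-digit mode carries the special bits in the first digit; setuid is
  # bit 4, so 4xxx, 5xxx, 6xxx and 7xxx all have it set.
  case "$mode" in
    4???|5???|6???|7???) return 0 ;;
    *) echo "preflight: $path mode $mode lacks the setuid bit" >&2; return 1 ;;
  esac
}

# sudo_nopasswd_ok: return 0 when the current user can sudo without a password,
# 1 when sudo would prompt (the first failure above). -n never prompts.
sudo_nopasswd_ok() {
  if sudo -n true 2>/dev/null; then
    return 0
  fi
  echo "preflight: $(id -un) cannot run sudo non-interactively; check the" \
       "NOPASSWD rule for this user in /etc/sudoers.d after hardening" >&2
  return 1
}

# Run both checks when executed directly; skipped when the file is sourced.
if [ "${0##*/}" = "preflight-sudo.sh" ]; then
  sudo_binary_ok /usr/bin/sudo && sudo_nopasswd_ok
fi
```

Wire it in as a shell provisioner immediately after the hardening provisioner; a non-zero exit stops the build at the step that broke sudo rather than in cleanup.sh.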

@hectoralicea

We are running into the same issue and have opened a support ticket with AWS. If anyone has any solutions for how to create an EKS RedHat 8 STIG based image, your info would be very much appreciated.

@hectoralicea

@spunkedy I ended up using awslabs/amazon-eks-ami#898. I used EKS w/ Kubernetes 1.21: https://docs.gitlab.com/ee/development/fips_compliance.html#build-a-custom-eks-ami

Did this version of this repo work for you, for RHEL 8 - STIG - EKS image? Which Kubernetes did you use?
