ansible-role-aws-inspector's People

Contributors

geerlingguy, tohch4, xescab


ansible-role-aws-inspector's Issues

Update Default URL for Inspector Agent Installer Script

Thanks for your efforts; this is an excellent little role. I discovered this during my analysis of #5: the official upstream URL for the installer is not a CloudFront URL but a designated DNS name in the official docs. The official URL to download the agent is now below.

https://inspector-agent.amazonaws.com/linux/latest/install

Note: testing the current Ansible module and this new URL returns the exact same output as of the date of filing this ticket.

$ curl --silent -L -o install_cloudfront https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
$ curl --silent -L -o install_newurl https://inspector-agent.amazonaws.com/linux/latest/install
$ sha256sum install_cloudfront install_newurl 
19ab6161d71ed32da53d6664bdbf7ee177ef85dd09eeee1fb731772922c2869a  install_cloudfront
19ab6161d71ed32da53d6664bdbf7ee177ef85dd09eeee1fb731772922c2869a  install_newurl
$ diff install_cloudfront install_newurl
$ echo $?
0
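The check the reporter ran by hand above (fetch from both URLs, compare digests, diff the files) can be turned into a fail-closed helper so the installer is never executed unless it matches a digest pinned in the playbook. This is an added example, not code from ansible-role-aws-inspector or from AWS; the function names are this example's own, and the pinned digest is simply the one quoted in the issue, which must be re-pinned whenever AWS publishes a new installer.

```shell
#!/bin/sh
# Added example (not part of ansible-role-aws-inspector or AWS's installer):
# pin the installer to a known SHA-256 before it is ever executed, instead of
# trusting whatever "latest" returns. The digest below is the one reported in
# the issue and serves only as a placeholder; re-pin when the script changes.

PINNED_INSTALLER_SHA256="19ab6161d71ed32da53d6664bdbf7ee177ef85dd09eeee1fb731772922c2869a"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# sha256_matches FILE EXPECTED -> exit 0 only if FILE's digest equals EXPECTED.
sha256_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# mirrors_agree FILE1 FILE2 -> exit 0 only if both downloaded copies are
# byte-identical (the `diff` step from the issue, done with cmp so it also
# behaves sensibly for binary content).
mirrors_agree() {
    cmp -s "$1" "$2"
}

# fetch_and_verify URL DEST EXPECTED -> download URL to DEST, then remove DEST
# again unless its digest matches EXPECTED. Needs network access when called.
fetch_and_verify() {
    url="$1"; dest="$2"; expected="$3"
    if ! curl --silent --fail -L -o "$dest" "$url"; then
        echo "download failed: $url" >&2
        return 1
    fi
    if ! sha256_matches "$dest" "$expected"; then
        echo "checksum mismatch for $dest: expected $expected, got $(sha256_of "$dest")" >&2
        rm -f "$dest"
        return 1
    fi
    echo "verified $dest"
}

# Usage: only run the installer once fetch_and_verify has succeeded, e.g.
#   fetch_and_verify https://inspector-agent.amazonaws.com/linux/latest/install \
#       ./install "$PINNED_INSTALLER_SHA256" && sh ./install
```

The same three functions map onto an Ansible task list: get_url with a checksum, or a command task wrapping fetch_and_verify, followed by a separate task that executes the verified file. The point is that the digest comparison happens before execution, not after.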

Installer Script Fails When Signing Required

Hello @geerlingguy, first-time caller, long-time listener. Excited to have a chance to talk to you directly. I am evaluating this role with master (044ec6d) via ansible-galaxy in a playbook's requirements.yml as a dependency. I am working in a highly regulated environment, and our RedHat/CentOS gold images require gpgcheck=yes globally in our yum config to comply with well-known US governmental and military standards for OS hardening. Why does this matter here? This role will break because, as it stands now, AWS is not yet shipping their RPM with signatures, and the current version of the script shows they do GPG checks out of band. I cannot find clear docs on yum and rpm, but it seems that with yum I cannot add a signature for a package, only for a repo, and this script drops a local copy and installs from /tmp. Probably not a surprise to you.

Below is a snippet from driving Ansible via Packer in debug mode:

PUBKEY_FILE: /tmp/awsagent.lqUQhDTD/inspector.gpg
+ [[ -z /tmp/awsagent.lqUQhDTD/inspector.gpg ]]
+ [[ ! -s /tmp/awsagent.lqUQhDTD/inspector.gpg ]]
+ curl -s --fail --retry 5 --max-time 30 -o /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST https://s3.us-east-1.amazonaws.com/aws-agent.us-east-1/linux/releases/1.1.1649.0/AGENT_MANIFEST
+ res=0
+ [[ 0 -ne 0 ]]
+ curl -s --fail --retry 5 --max-time 30 -o /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST.sig https://s3.us-east-1.amazonaws.com/aws-agent.us-east-1/linux/releases/1.1.1649.0/AGENT_MANIFEST.sig
+ res=0
+ [[ 0 -ne 0 ]]
++ gpg -q --no-default-keyring --keyring /tmp/awsagent.lqUQhDTD/inspector.gpg --verify /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST.sig /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST
+ gpg_results='gpg: Signature made Tue 21 Jul 2020 04:38:20 PM EDT using RSA key ID 58360418
gpg: Good signature from "Amazon Inspector <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418'
+ [[ 0 -eq 0 ]]
++ echo 'gpg: Signature made Tue 21 Jul 2020 04:38:20 PM EDT using RSA key ID 58360418
gpg: Good signature from "Amazon Inspector <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418'
[... SNIP ...]
+ yum install -y /tmp/awsagent.lqUQhDTD/AWSAgent.rpm
Loaded plugins: amazon-id, s3iam, search-disabled-repos
Examining /tmp/awsagent.lqUQhDTD/AWSAgent.rpm: AwsAgent-1.1.1649.0-102649.x86_64
Marking /tmp/awsagent.lqUQhDTD/AWSAgent.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package AwsAgent.x86_64 0:1.1.1649.0-102649 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Found and removing 0 unneeded dependencies

Dependencies Resolved

==============================================================================================================================================================================================================================================
 Package                                                Arch                                                 Version                                                            Repository                                               Size
==============================================================================================================================================================================================================================================
Installing:
 AwsAgent                                               x86_64                                               1.1.1649.0-102649                                                  /AWSAgent                                                35 M

Transaction Summary
==============================================================================================================================================================================================================================================
Install  1 Package

Total size: 35 M
Installed size: 35 M
Downloading packages:


Package AWSAgent.rpm is not signed
+ rv=1
+ [[ 1 -ne 0 ]]
+ [[ agent == \a\g\e\n\t ]]
+ handle_status PACKAGE_INSTALLATION_ERROR Agent__rv_1__AWSAgent.rpm__1.1.1649.0__0.0.0.0__/tmp/awsagent.lqUQhDTD/AWSAgent.rpm
+ report_status_and_exit_if_requested report_and_exit PACKAGE_INSTALLATION_ERROR Agent__rv_1__AWSAgent.rpm__1.1.1649.0__0.0.0.0__/tmp/awsagent.lqUQhDTD/AWSAgent.rpm
+ local action=nil

A current pull of the upstream script from AWS is below. I see this role calls the script. I will work on it and try using replace as a tweak to change the script inline to yum install --nogpgcheck, toggled only if a variable is set to true, and defaulting to not making this change, if our security officials permit this.

Will you want to receive this change upstream, or should I keep it in a fork? I know this is kind of kludgy, but I do not want to maintain something separate from the official AWS upstream instructions, much like you, I would guess, lol.

$ date
Mon Sep 14 13:39:57 EDT 2020
$ curl --silent -L https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install | grep -A 50 'function download_and_verify_sig()'

function download_and_verify_sig() {

    local download_url=$1
    local download_file_name=$2
    local is_it_km=$3

    if [[ -z "${PUBKEY_FILE}" || -z "${SECURE_TMP_DIR}" || ! -d "${SECURE_TMP_DIR}" ]]; then
        handle_status "SANITY_CHECK_FAILURE" "SECURE_TMP_DIR"
    fi

    echo "PUBKEY_FILE: ${SECURE_TMP_DIR}/${PUBKEY_FILE}"
    if [[ -z "${SECURE_TMP_DIR}/${PUBKEY_FILE}" || ! -s "${SECURE_TMP_DIR}/${PUBKEY_FILE}" ]]; then
        handle_status "SANITY_CHECK_FAILURE" "PUBKEY_FILE"
    fi

    #get the awsagent inventory file
    ${DOWNLOAD_CMD} ${O_ARG} "${SECURE_TMP_DIR}/${download_file_name}" "${download_url}"
    res=$?
    if [[ $res -ne 0 ]]; then
        echo "Download command failed with exist status code: ${res}"
        if [[ "${is_it_km}" == "true" ]]; then
            return
        fi 
        echo "Failed to download the ${download_file_name} from ${download_url}"
        if [[ "${is_it_km}" == "true" ]]; then
           report_status "FILE_DOWNLOAD_ERROR" "${download_file_name}"
           return
        else
           handle_status "FILE_DOWNLOAD_ERROR" "${download_file_name}" 
        fi
    fi

    #get the awsagent inventory signature
    ${DOWNLOAD_CMD} ${O_ARG} "${SECURE_TMP_DIR}/${download_file_name}.sig" "${download_url}.sig"
    res=$?
    if [[ $res -ne 0 ]]; then
        echo "Download command failed with exist status code: ${res}"
        echo "Failed to download the ${download_file_name} signature from ${download_url}.sig"
        handle_status "FILE_DOWNLOAD_ERROR" "${download_file_name}.sig"
    fi

    gpg_results=$( gpg -q --no-default-keyring --keyring "${SECURE_TMP_DIR}/${PUBKEY_FILE}" --verify "${SECURE_TMP_DIR}/${download_file_name}.sig" "${SECURE_TMP_DIR}/${download_file_name}" 2>&1 )
    if [[ $? -eq 0 ]]; then
        echo "Validated ${download_file_name} signature with: $(echo "${gpg_results}" | grep -i fingerprint)"
    else
        echo "Error validating signature of ${download_file_name}, terminating.  Please contact AWS Support."
        echo ${gpg_results}
        handle_status "SIGNATURE_MISMATCH" "${download_file_name}"
    fi
}
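One thing worth noticing in the upstream function above: it treats any exit status 0 from gpg --verify as success and only greps the fingerprint line for display. Because the public key is loaded into a throwaway keyring with no ownertrust (which is exactly why the debug log shows the "not certified with a trusted signature" WARNING), a good signature from any key that happened to be in that keyring would pass. Pinning the expected primary key fingerprint closes that gap and is the check a hardened image would want in front of the out-of-band RPM install. The following is an added example, not code from the role or from AWS; the fingerprint and the sample gpg output are the ones quoted in the debug log above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of ansible-role-aws-inspector or the AWS installer):
# verify a detached signature the same way the installer does, then refuse to
# proceed unless the signing key's primary fingerprint equals a pinned value.

# Fingerprint quoted in the issue's debug log, spaces removed.
PINNED_INSPECTOR_FPR="DDA0D4C510AE3C206F466DC02474096058360418"

# Constructed sample: the gpg output quoted in the issue (e-mail redacted as on the page).
SAMPLE_GPG_OUTPUT='gpg: Signature made Tue 21 Jul 2020 04:38:20 PM EDT using RSA key ID 58360418
gpg: Good signature from "Amazon Inspector <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418'

# primary_fingerprint GPG_OUTPUT -> prints the value of the
# "Primary key fingerprint:" line with spaces removed (empty if absent).
# gpg prints that line for keys without ownertrust, which is always the case
# for the installer's temporary keyring.
primary_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^Primary key fingerprint: *//p' | tr -d ' '
}

# signature_pinned_ok GPG_OUTPUT EXPECTED_FPR -> exit 0 only if gpg reported a
# good signature and the primary key fingerprint equals EXPECTED_FPR.
signature_pinned_ok() {
    out="$1"; expected="$2"
    if ! printf '%s\n' "$out" | grep -q '^gpg: Good signature from '; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^gpg: BAD signature'; then
        return 1
    fi
    [ "$(primary_fingerprint "$out")" = "$expected" ]
}

# verify_detached_pinned KEYRING SIG FILE EXPECTED_FPR -> run the same
# `gpg --verify` invocation as the installer, then apply the fingerprint pin.
verify_detached_pinned() {
    keyring="$1"; sig="$2"; file="$3"; expected="$4"
    out=$(gpg -q --no-default-keyring --keyring "$keyring" --verify "$sig" "$file" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "gpg --verify failed (exit status $rc): $out" >&2
        return 1
    fi
    if signature_pinned_ok "$out" "$expected"; then
        echo "signature good and pinned to $expected"
    else
        echo "good signature, but from an unexpected key: $(primary_fingerprint "$out")" >&2
        return 1
    fi
}

# Usage, mirroring the installer's file layout:
#   verify_detached_pinned "$SECURE_TMP_DIR/$PUBKEY_FILE" \
#       "$SECURE_TMP_DIR/AGENT_MANIFEST.sig" "$SECURE_TMP_DIR/AGENT_MANIFEST" \
#       "$PINNED_INSPECTOR_FPR" || exit 1
```

This only strengthens the manifest check; it does not make the RPM itself signed, so a yum configured with gpgcheck=yes will still reject the package exactly as the log shows. Before deciding on any --nogpgcheck toggle, rpm -K on the downloaded AWSAgent.rpm shows whether a given release has started shipping with a signature, at which point the toggle can stay off.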
