geerlingguy / ansible-role-aws-inspector
Ansible Role - AWS Inspector
Home Page: https://galaxy.ansible.com/geerlingguy/aws-inspector/
License: MIT License
Hey Jeff -- this isn't idempotent, is it?
The default URL to install AWS Inspector is no longer valid. This line needs to change:
to:
aws_inspector_url: https://inspector-agent.amazonaws.com/linux/latest/install
Per documentation:
Thanks for your efforts, this is an excellent little role. I discovered this during my analysis of #5: the official upstream URL for the installer is not a CloudFront URL but a designated DNS name in the official docs. The official URL to download the agent is now below.
https://inspector-agent.amazonaws.com/linux/latest/install
Note, testing the current Ansible module and this new URL returns the exact same output as of the date of filing this ticket.
$ curl --silent -L -o install_cloudfront https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
$ curl --silent -L -o install_newurl https://inspector-agent.amazonaws.com/linux/latest/install
$ sha256sum install_cloudfront install_newurl
19ab6161d71ed32da53d6664bdbf7ee177ef85dd09eeee1fb731772922c2869a install_cloudfront
19ab6161d71ed32da53d6664bdbf7ee177ef85dd09eeee1fb731772922c2869a install_newurl
$ diff install_cloudfront install_newurl
$ echo $?
0
Hello @geerlingguy, first-time caller, long-time listener. Excited to have a chance to talk to you directly. I am evaluating this role with master (044ec6d) via ansible-galaxy in our playbook's requirements.yml as a dependency. I am working in a highly regulated environment, and our Red Hat/CentOS gold images require gpgcheck=yes globally in our yum config to comply with well-known US governmental and military standards for OS hardening. Why does this matter here? This role will break because, as it stands now, AWS is not yet shipping their RPM with signatures, and the current version of the script shows they do GPG checks out of band. I cannot find clear docs on yum and rpm, but it seems with yum I cannot add a signature for a package, only a repo, and this script drops a local copy and installs from /tmp. Probably not a surprise to you.
Below is a snippet from driving ansible via packer in debug mode:
PUBKEY_FILE: /tmp/awsagent.lqUQhDTD/inspector.gpg
+ [[ -z /tmp/awsagent.lqUQhDTD/inspector.gpg ]]
+ [[ ! -s /tmp/awsagent.lqUQhDTD/inspector.gpg ]]
+ curl -s --fail --retry 5 --max-time 30 -o /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST https://s3.us-east-1.amazonaws.com/aws-agent.us-east-1/linux/releases/1.1.1649.0/AGENT_MANIFEST
+ res=0
+ [[ 0 -ne 0 ]]
+ curl -s --fail --retry 5 --max-time 30 -o /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST.sig https://s3.us-east-1.amazonaws.com/aws-agent.us-east-1/linux/releases/1.1.1649.0/AGENT_MANIFEST.sig
+ res=0
+ [[ 0 -ne 0 ]]
++ gpg -q --no-default-keyring --keyring /tmp/awsagent.lqUQhDTD/inspector.gpg --verify /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST.sig /tmp/awsagent.lqUQhDTD/AGENT_MANIFEST
+ gpg_results='gpg: Signature made Tue 21 Jul 2020 04:38:20 PM EDT using RSA key ID 58360418
gpg: Good signature from "Amazon Inspector <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46 6DC0 2474 0960 5836 0418'
+ [[ 0 -eq 0 ]]
++ echo 'gpg: Signature made Tue 21 Jul 2020 04:38:20 PM EDT using RSA key ID 58360418
gpg: Good signature from "Amazon Inspector <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46 6DC0 2474 0960 5836 0418'
[... SNIP ...]
+ yum install -y /tmp/awsagent.lqUQhDTD/AWSAgent.rpm
Loaded plugins: amazon-id, s3iam, search-disabled-repos
Examining /tmp/awsagent.lqUQhDTD/AWSAgent.rpm: AwsAgent-1.1.1649.0-102649.x86_64
Marking /tmp/awsagent.lqUQhDTD/AWSAgent.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package AwsAgent.x86_64 0:1.1.1649.0-102649 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Found and removing 0 unneeded dependencies
Dependencies Resolved
==============================================================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================================================
Installing:
AwsAgent x86_64 1.1.1649.0-102649 /AWSAgent 35 M
Transaction Summary
==============================================================================================================================================================================================================================================
Install 1 Package
Total size: 35 M
Installed size: 35 M
Downloading packages:
Package AWSAgent.rpm is not signed
+ rv=1
+ [[ 1 -ne 0 ]]
+ [[ agent == \a\g\e\n\t ]]
+ handle_status PACKAGE_INSTALLATION_ERROR Agent__rv_1__AWSAgent.rpm__1.1.1649.0__0.0.0.0__/tmp/awsagent.lqUQhDTD/AWSAgent.rpm
+ report_status_and_exit_if_requested report_and_exit PACKAGE_INSTALLATION_ERROR Agent__rv_1__AWSAgent.rpm__1.1.1649.0__0.0.0.0__/tmp/awsagent.lqUQhDTD/AWSAgent.rpm
+ local action=nil
A current pull of the upstream script from AWS is below. I see this role calls the script. I will work on this, and try using replace as a tweak to change the script inline to yum install --nogpgcheck and toggle it if a variable is set to true, but will default to not making this change, if our security officials permit this. Will you want to receive this change upstream, or should I keep it in a fork? I know this is kind of kludgey, but I do not want to maintain something separate from official AWS upstream instructions, much like you I would guess, lol.
$ date
Mon Sep 14 13:39:57 EDT 2020
$ curl --silent -L https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install | grep -A 50 'function download_and_verify_sig()'
function download_and_verify_sig() {
    local download_url=$1
    local download_file_name=$2
    local is_it_km=$3
    if [[ -z "${PUBKEY_FILE}" || -z "${SECURE_TMP_DIR}" || ! -d "${SECURE_TMP_DIR}" ]]; then
        handle_status "SANITY_CHECK_FAILURE" "SECURE_TMP_DIR"
    fi
    echo "PUBKEY_FILE: ${SECURE_TMP_DIR}/${PUBKEY_FILE}"
    if [[ -z "${SECURE_TMP_DIR}/${PUBKEY_FILE}" || ! -s "${SECURE_TMP_DIR}/${PUBKEY_FILE}" ]]; then
        handle_status "SANITY_CHECK_FAILURE" "PUBKEY_FILE"
    fi
    #get the awsagent inventory file
    ${DOWNLOAD_CMD} ${O_ARG} "${SECURE_TMP_DIR}/${download_file_name}" "${download_url}"
    res=$?
    if [[ $res -ne 0 ]]; then
        echo "Download command failed with exist status code: ${res}"
        if [[ "${is_it_km}" == "true" ]]; then
            return
        fi
        echo "Failed to download the ${download_file_name} from ${download_url}"
        if [[ "${is_it_km}" == "true" ]]; then
            report_status "FILE_DOWNLOAD_ERROR" "${download_file_name}"
            return
        else
            handle_status "FILE_DOWNLOAD_ERROR" "${download_file_name}"
        fi
    fi
    #get the awsagent inventory signature
    ${DOWNLOAD_CMD} ${O_ARG} "${SECURE_TMP_DIR}/${download_file_name}.sig" "${download_url}.sig"
    res=$?
    if [[ $res -ne 0 ]]; then
        echo "Download command failed with exist status code: ${res}"
        echo "Failed to download the ${download_file_name} signature from ${download_url}.sig"
        handle_status "FILE_DOWNLOAD_ERROR" "${download_file_name}.sig"
    fi
    gpg_results=$( gpg -q --no-default-keyring --keyring "${SECURE_TMP_DIR}/${PUBKEY_FILE}" --verify "${SECURE_TMP_DIR}/${download_file_name}.sig" "${SECURE_TMP_DIR}/${download_file_name}" 2>&1 )
    if [[ $? -eq 0 ]]; then
        echo "Validated ${download_file_name} signature with: $(echo "${gpg_results}" | grep -i fingerprint)"
    else
        echo "Error validating signature of ${download_file_name}, terminating. Please contact AWS Support."
        echo ${gpg_results}
        handle_status "SIGNATURE_MISMATCH" "${download_file_name}"
    fi
}
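The tweak proposed in the comment above, written out as Ansible tasks; this is an added example and not code from the role or from AWS. It assumes a variable named aws_inspector_nogpgcheck (defaulting to false), that the installer's package line has the shape `yum install -y .../AWSAgent.rpm` seen in the debug output, and a hypothetical agent binary path for the idempotency guard.

```yaml
# Added example, not part of the role. Gate the weakening of gpgcheck behind
# an explicit variable so the default run keeps the host's yum policy intact.
# defaults/main.yml (assumed variable name):
#   aws_inspector_nogpgcheck: false

- name: Download the Inspector agent installer script
  get_url:
    url: "{{ aws_inspector_url }}"
    dest: /tmp/aws-inspector-install
    mode: '0700'

# Only rewrites the one yum line that installs the local, unsigned RPM.
# The GPG verification of AGENT_MANIFEST inside the script is left untouched,
# so the out-of-band signature check still runs either way.
- name: Allow the unsigned local RPM only when explicitly enabled
  replace:
    path: /tmp/aws-inspector-install
    regexp: '^(\s*yum install -y)\s+(.*AWSAgent\.rpm)'
    replace: '\1 --nogpgcheck \2'
  when: aws_inspector_nogpgcheck | bool

- name: Run the installer
  command: bash /tmp/aws-inspector-install
  args:
    # Assumed install location used purely as an idempotency guard;
    # replace with the path the agent actually creates on your images.
    creates: /opt/aws/awsagent/bin/awsagent
```

With the variable left at its default, a host with gpgcheck=yes fails at the same "Package AWSAgent.rpm is not signed" step shown above, which is the visible signal that the policy is still being enforced.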