Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

playbook makes OS undetectable #124

Closed
kidbrax opened this issue May 2, 2017 · 7 comments
Closed

playbook makes OS undetectable #124

kidbrax opened this issue May 2, 2017 · 7 comments
Assignees
@rndmh3ro
Labels
bug

Comments

@kidbrax
Copy link

kidbrax commented May 2, 2017
edited by rndmh3ro
Loading

I launched an AWS Linux AMI, ami-275ffe31, which is their ECS-optimized image. Inspec detects it as a AWS box. But then when I run this playbook, Inspec can no longer detect the OS. When I run Inspec detect after running this playbook, I get:

== Operating System Details

Name:      
Family:    unknown
Release:   
Arch:      This account is currently not available.

Is this expected behavior? Or has anyone else seen similar behavior? I basically can't use Inspec anymore after running this playbook.
@rndmh3ro rndmh3ro self-assigned this May 2, 2017
@rndmh3ro
Copy link
Member

rndmh3ro commented May 2, 2017

With what account do you run inspec? The message This account is currently not available looks like there's a problem logging in.

@kidbrax
Copy link
Author

kidbrax commented May 2, 2017
edited
Loading

The account is ec2-user. It works before I run the playbook, but then fails after the playbook has been run with the above output.

To clarify, that is the user I'm connecting with, the ssh user. Not the user on my local machine.

@kidbrax
Copy link
Author

kidbrax commented May 3, 2017

FYI, this passes before the playbook is run but not after.
test -f /etc/system-release && cat /etc/system-release
That seems to be what keeps inspec from getting the right OS.

@rndmh3ro rndmh3ro added the bug label May 7, 2017
@rndmh3ro
Copy link
Member

rndmh3ro commented May 7, 2017

I'll spin up a instance on AWS and check it.

@HenryTheHamster
Copy link

We're also seeing this with the official Centos 6 image. Inspec runs fine on a bare box, but after applying this playbook, the test fails with:
Failed to complete #verify action: [This OS/platform () is not supported by this profile.] on dev-sec-centos6

@HenryTheHamster
Copy link

HenryTheHamster commented Aug 2, 2017
edited
Loading

Adding the default user of your AMI to the ignore_users seems to do the trick. So for us:
os_ignore_users: ['centos']

Would be good if this could be included in this list from the auto-detected user, or even just added to the readme.

@rndmh3ro
Copy link
Member

rndmh3ro commented Aug 2, 2017

Thanks for the clarification, @HenryTheHamster.

Would be good if this could be included in this list from the auto-detected user

For centos-machines it seems to be the user centos, for ubuntu the user ubuntu. However I could not find the user for other operating systems.

I also do not want to exclude a list of users as this would weaken the hardening. So I guess your proposal to add this to the readme is the best option. Would you mind opening a PR for this?

@rndmh3ro rndmh3ro mentioned this issue Aug 6, 2017
Merged
rndmh3ro pushed a commit that referenced this issue Aug 7, 2017
add kitchen to os_ignore_user to fix #124
41feffd
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
add kitchen to os_ignore_user to fix dev-sec#124
81029f0
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
add kitchen to os_ignore_user to fix dev-sec#124
22d1566
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rndmh3ro rndmh3ro

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kidbrax @HenryTheHamster @rndmh3ro