
[Image Builder Component] [bug]: linux stig and scap image builder components fail on RHEL 9.3

Open davidgaster opened this issue 1 year ago • 2 comments

The AWS Image Builder components stig-build-linux-high and scap-compliance-checker-linux fail on the official Red Hat 9.3 OS images and cause command executions to exit. I see a ton of failures in the execution, with the most recent CloudWatch logs showing:

+ local 'Failure=Failed to set the system to not perform package IPv4 forwarding, not in compliance with V-258080.'
+ echo
+ '[' '!' -d ' /var/log/faillock' ']'
+ mkdir -p /var/log/faillock
+ ls -Zd /var/log/faillock
+ grep -E -q '^(\s*)unconfined_u:object_r:faillog_t:s0 \/var\/log\/faillock?\s*$'
+ dnf -q list installed policycoreutils-python-utils
+ semanage fcontext -a -t faillog_t '/var/log/faillock(/.*)?'
+ restorecon -R -v /var/log/faillock
+ ls -Zd /var/log/faillock
+ grep -E -q '^(\s*)unconfined_u:object_r:faillog_t:s0 \/var\/log\/faillock?\s*$'
+ echo 'Failed to set the system to not perform package IPv4 forwarding, not in compliance with V-258080.'
+ exit 1

The base AMI details are from the official RedHat AMIs:

RHEL_HA-9.3.0_HVM-20240229-x86_64-27-Hourly2-GP3 ami-03b04c2b901272c06 219670896067/RHEL_HA-9.3.0_HVM-20240229-x86_64-27-Hourly2-GP3 219670896067

Image Builder component ARNs:

  • arn:aws-us-gov:imagebuilder:us-gov-west-1:aws:component/stig-build-linux-high/2024.2.0/1
  • arn:aws-us-gov:imagebuilder:us-gov-west-1:aws:component/scap-compliance-checker-linux/2023.04.0/1

The scap component says it's only compatible with RHEL 7 and 8. Is it possible to add RHEL 9 compatibility? The stig build linux high says it is compatible with RHEL 9.

For context, this same setup works perfectly fine on RHEL 8.8 and 8.9. The only change was bumping the base AMIs to RHEL 9.3.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

Would appreciate some help looking into this bug.

davidgaster avatar Jul 25 '24 00:07 davidgaster
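The logged check greps the `ls -Zd /var/log/faillock` output for the complete context string, SELinux user included, so a label such as `system_u:object_r:faillog_t:s0` fails even though its type is the one the control asks for. The following is an added example, not code from the Image Builder component, showing a check that tests only the type field next to a portable rewrite of the logged pattern; the sample lines are constructed, not taken from a real host.

```shell
# Added example (not part of the stig-build-linux-high component).
# Assumed input format: the single line printed by `ls -Zd <dir>`, e.g.
#   unconfined_u:object_r:faillog_t:s0 /var/log/faillock

# selinux_type LINE -> prints the type field (third colon-separated part
# of the first whitespace-separated token, i.e. user:role:TYPE:level).
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'
}

# label_type_ok LINE [TYPE] -> exit 0 when the label's type matches TYPE
# (default faillog_t). Any SELinux user is accepted, since restorecon and
# package installation can legitimately leave system_u or unconfined_u.
label_type_ok() {
    [ "$(selinux_type "$1")" = "${2:-faillog_t}" ]
}

# strict_label_ok LINE -> the check as logged in the issue, rewritten with
# POSIX character classes: it requires the full context string, including
# the unconfined_u user, so other users are rejected despite a correct type.
strict_label_ok() {
    printf '%s\n' "$1" |
        grep -E -q '^[[:space:]]*unconfined_u:object_r:faillog_t:s0 /var/log/faillock[[:space:]]*$'
}

# Constructed sample lines covering the cases a check must distinguish.
SAMPLE_UNCONFINED='unconfined_u:object_r:faillog_t:s0 /var/log/faillock'
SAMPLE_SYSTEM='system_u:object_r:faillog_t:s0 /var/log/faillock'
SAMPLE_WRONG_TYPE='system_u:object_r:var_log_t:s0 /var/log/faillock'

# Report each sample under both checks (PASS/FAIL per line).
for line in "$SAMPLE_UNCONFINED" "$SAMPLE_SYSTEM" "$SAMPLE_WRONG_TYPE"; do
    if label_type_ok "$line"; then t=PASS; else t=FAIL; fi
    if strict_label_ok "$line"; then s=PASS; else s=FAIL; fi
    printf 'type-check=%s strict=%s  %s\n' "$t" "$s" "$line"
done
```

The type-only check accepts both labelled samples and rejects the var_log_t one, while the strict pattern accepts only the unconfined_u line.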

please let me know if there is a better place for bug reports!

davidgaster avatar Jul 25 '24 16:07 davidgaster

Hi @davidgaster, I've passed this on to the team that owns those components. Will update when I have something to share.

austoonz avatar Jul 30 '24 16:07 austoonz

The fixes for this have deployed to all regions. Feel free to reopen if you find things still not working.

austoonz avatar Aug 19 '24 17:08 austoonz