Jeremy

Reputation: 1972

How to customize the install location of amazon-ssm-agent for EC2 Image Builder (RHEL8)?

I am dealing with a STIG image and part of the STIG is that /var has a noexec flag on it.

I am trying to use EC2 Image Builder to build out the STIG AMIs to be used for our deployments. Currently I am doing this manually.

When I use EC2 Image Builder I get errors:

2024-09-24 19:25:24.3374 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Sending reply {
  "additionalInfo": {
    "agent": {
      "lang": "en-US",
      "name": "amazon-ssm-agent",
      "os": "",
      "osver": "1",
      "ver": "3.3.859.0"
    },
    "dateTime": "2024-09-24T19:25:24.337Z",
    "runId": "",
    "runtimeStatusCounts": {
      "Failed": 1
    }
  },
  "documentStatus": "Failed",
  "documentTraceOutput": "",
  "runtimeStatus": {
    "aws:runShellScript": {
      "status": "Failed",
      "code": 126,
      "name": "aws:runShellScript",
      "output": "\n----------ERROR-------\nsh: /var/lib/amazon/ssm/i-0adb629670a162125/document/opt/ec2-image-builder-ssm-working-dir/f56cb6c1-6608-41c7-bc00-02783ba30c4e/awsrunShellScript/0.awsrunShellScript/_script.sh: Permission denied\nfailed to run commands: exit status 126",
      "startDateTime": "2024-09-24T19:25:24.332Z",
      "endDateTime": "2024-09-24T19:25:24.336Z",
      "outputS3BucketName": "",
      "outputS3KeyPrefix": "",
      "stepName": "",
      "standardOutput": "",
      "standardError": "sh: /var/lib/amazon/ssm/i-0adb629670a162125/document/opt/ec2-image-builder-ssm-working-dir/f56cb6c1-6608-41c7-bc00-02783ba30c4e/awsrunShellScript/0.awsrunShellScript/_script.sh: Permission denied\nfailed to run commands: exit status 126"
    }
  }
}

This is expected as /var has no executable permissions, per the STIG.

I wanted to try to install this agent into a custom location but I cannot figure out how to do this at all.

I even tried configuring the json file to point to a new directory but this seems to just be ignored completely.

sudo cp /etc/amazon/ssm/amazon-ssm-agent.json.template /etc/amazon/ssm/amazon-ssm-agent.json
sudo sed -i 's|"OrchestrationRootDir": ""|"OrchestrationRootDir": "/opt/ec2-image-builder-ssm-working-dir"|' /etc/amazon/ssm/amazon-ssm-agent.json
sudo sed -i 's|"Region": ""|"Region": "${AWS::Region}"|' /etc/amazon/ssm/amazon-ssm-agent.json

I even tried this (found this online):

sudo dnf install --installroot=/opt/ec2-image-builder-ssm-working-dir --nogpgcheck amazon-ssm-agent.rpm

But that just failed to install at all.

No matter what I try, it is always installed in the /var directory so EC2 Image Builder always fails.

This has been a bit frustrating so I am reaching out here to see if anyone can give me any insight or other solutions.

This is the part of the CloudFormation template that I am working with:

TenableSecurityCenterImageRecipe:
    Type: "AWS::ImageBuilder::ImageRecipe"
    Properties:
      Name: !Sub "${AWS::StackName}-TenableSecurityCenterRecipe"
      Version: !Ref RecipeVersion
      Components:
        - ComponentArn:
            Fn::ImportValue: !Sub "${Ec2BuilderComponentsStackName}-FixStorageConfigurationComponent-Arn"
        - ComponentArn:
            Fn::ImportValue: !Sub "${Ec2BuilderComponentsStackName}-UpdateStigYumComponent-Arn"
        - ComponentArn:
            Fn::ImportValue: !Sub "${Ec2BuilderComponentsStackName}-CloudWatchAgentComponent-Arn"
        - ComponentArn:
            Fn::ImportValue: !Sub "${Ec2BuilderComponentsStackName}-AWSCLIInstallationComponent-Arn"
        - ComponentArn:
            Fn::ImportValue: !Sub "${Ec2BuilderComponentsStackName}-SuricataInstallationComponent-Arn"
        - ComponentArn: !Ref TenableSecurityCenterComponent
      ParentImage: !Ref AmiId
      AdditionalInstanceConfiguration:
        UserDataOverride:
          Fn::Base64:
            Fn::Sub: |
              #!/bin/bash

              # Fix STIG issue with noexec in /var directory
              sudo mkdir -p /opt/ec2-image-builder-ssm-working-dir

              sudo chown -R root:root /opt/ec2-image-builder-ssm-working-dir
              sudo chmod 750 /opt/ec2-image-builder-ssm-working-dir

              sudo dnf install --nogpgcheck -y 

              # fapolicyd rules for SSM agent
              sudo fapolicyd-cli --file add /usr/bin/amazon-ssm-agent --trust-file ssm
              sudo fapolicyd-cli --file add /usr/bin/ssm-session-worker --trust-file ssm
              sudo fapolicyd-cli --file add /usr/bin/ssm-cli --trust-file ssm
              sudo fapolicyd-cli --file add /var/lib/amazon/ssm --trust-file ssm
              sudo fapolicyd-cli --file add /opt/ec2-image-builder-ssm-working-dir --trust-file ssm

              sudo fagenrules --load
              sudo systemctl restart fapolicyd

              sudo systemctl enable amazon-ssm-agent
              sudo systemctl restart amazon-ssm-agent

              # Build our config once the files are in place
              sudo cp /etc/amazon/ssm/amazon-ssm-agent.json.template /etc/amazon/ssm/amazon-ssm-agent.json
              sudo sed -i 's|"OrchestrationRootDir": ""|"OrchestrationRootDir": "/opt/ec2-image-builder-ssm-working-dir"|' /etc/amazon/ssm/amazon-ssm-agent.json
              sudo sed -i 's|"Region": ""|"Region": "${AWS::Region}"|' /etc/amazon/ssm/amazon-ssm-agent.json

              sudo systemctl restart amazon-ssm-agent

      WorkingDirectory: "/opt/ec2-image-builder-ssm-working-dir" # Set to a STIG-compliant directory
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: gp3
            VolumeSize: 150
            DeleteOnTermination: true
        - DeviceName: "/dev/xvdh"
          Ebs:
            VolumeType: gp3
            VolumeSize: 30
            DeleteOnTermination: true
        - DeviceName: "/dev/xvdl"
          Ebs:
            VolumeType: gp3
            VolumeSize: 2
            DeleteOnTermination: true
        - DeviceName: "/dev/xvdx"
          Ebs:
            VolumeType: gp3
            VolumeSize: 1
            DeleteOnTermination: true
        - DeviceName: "/dev/xvdz"
          Ebs:
            VolumeType: gp3
            VolumeSize: 1
            DeleteOnTermination: true

Thanks

Upvotes: 0

Views: 35
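The exit status 126 in the log above is what `sh` returns when the script file exists but sits on a filesystem mounted `noexec`; note that the failing `_script.sh` path is still under `/var/lib/amazon/ssm`, not under `/opt`. The following is an added diagnostic, not code from the question or from the SSM agent project: given a mounts table in `/proc/mounts` format, it resolves which mount governs a path (longest mount-point prefix wins) and reports whether that mount carries `noexec`. The mounts table below is a constructed sample modelled on a STIG-style layout.

```shell
#!/bin/sh
# Added example: find the mount entry that governs a path and report whether
# it is mounted noexec. Works on a mounts table passed as text, so it can be
# run against a constructed sample or against a live /proc/self/mounts.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/nvme0n1p2 / xfs rw,relatime 0 0
/dev/mapper/vg-var /var xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-varlog /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-opt /opt xfs rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_options_for_path PATH TABLE
# Prints "<mountpoint> <options>" for the longest mount point that is a
# path-component prefix of PATH ("/var" governs "/var/lib/x" but not "/variant").
mount_options_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mnt = $2
            if (mnt == "/" || p == mnt || index(p, mnt "/") == 1) {
                if (length(mnt) > length(best)) { best = mnt; opts = $4 }
            }
        }
        END { if (best != "") print best " " opts }'
}

# exec_status PATH TABLE
# Prints "noexec <mountpoint>" or "exec <mountpoint>"; "unknown" if no mount matched.
exec_status() {
    result=$(mount_options_for_path "$1" "$2")
    [ -n "$result" ] || { printf 'unknown\n'; return 1; }
    mnt=${result%% *}
    opts=${result#* }
    case ",$opts," in
        *,noexec,*) printf 'noexec %s\n' "$mnt" ;;
        *)          printf 'exec %s\n' "$mnt" ;;
    esac
}

# Demonstration against the constructed table (i-EXAMPLE is a placeholder instance id).
for p in /var/lib/amazon/ssm/i-EXAMPLE/document/_script.sh \
         /opt/ec2-image-builder-ssm-working-dir/run.sh \
         /variant/tool.sh; do
    printf '%-60s -> %s\n' "$p" "$(exec_status "$p" "$SAMPLE_MOUNTS")"
done
```

On a live host, pass the real table with `exec_status "$path" "$(cat /proc/self/mounts)"` to confirm where the agent's working directory actually lands before a build is started.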

Answers (0)
