
Support for Amazon Linux 2 #624

Merged

Conversation

mmitnyan
Contributor

Since the RedHat config was modified 3 months ago for RedHat-specific needs, Amazon Linux 2 cannot use it anymore in compatibility mode. This addition will allow the ssh_hardening role to work as expected under Amazon Linux 2.

Signed-off-by: Manuel Mitnyan <[email protected]>
@mmitnyan mmitnyan force-pushed the AddSupportAmazonLinux2ToSsh_hardening branch from 905fcf4 to 333fcdd on January 24, 2023 19:17

@schurzi
Contributor

schurzi commented Jan 24, 2023

I am curious. Since the config does not differ from RedHat and we also have Amazon Linux in our CI tests, what is the problem you encounter?

@mmitnyan
Contributor Author

mmitnyan commented Jan 24, 2023

Hi, thanks for following up on my PR.
Part of this PR: dac66f4

A change for the role ssh_hardening in ssh_hardening/vars/RedHat.yml was made. That is 100% perfect for RedHat:
ssh_selinux_packages:
remove policycoreutils-python
add policycoreutils-python-utils

When Amazon Linux 2 (which we have used with dev-sec for a year+) now tries to harden, it complains that this module (policycoreutils-python-utils) is not available. That is the case for Amazon Linux 2.

That behavior comes from the OS selection that doesn't match the OS as it is now, so it falls back to the compatibility family as per the code:
https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/ssh_hardening/tasks/hardening.yml#L11
The Ansible inventory returns RedHat for Amazon Linux 2.

So the code that was working in compatibility mode (family) cannot work anymore.

The error:

19:00:44 2023-01-24T00:00:44Z:     amazon-ebs.builder: TASK [devsec.hardening.ssh_hardening : Install selinux dependencies when selinux is installed] ***

19:00:48 2023-01-24T00:00:47Z:     amazon-ebs.builder: fatal: [default]: FAILED! => {"changed": false, "msg": "No package matching 'policycoreutils-python-utils' found available, installed or updated", "rc": 126, "results": ["No package matching 'policycoreutils-python-utils' found available, installed or updated"]}

Package validation:

[root@mq-dev-c-1 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)
[root@mq-dev-c-1 ~]# yum --showduplicates list available policycoreutils-python
Loaded plugins: priorities, update-motd
216 packages excluded due to repository priority protections
Available Packages
policycoreutils-python.x86_64    2.5-17.1.amzn2    amzn2-core
policycoreutils-python.x86_64    2.5-22.amzn2      amzn2-core

[root@mq-dev-c-1 ~]# yum --showduplicates list available policycoreutils-python-utils
Loaded plugins: priorities, update-motd
216 packages excluded due to repository priority protections
Error: No matching Packages to list
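The fallback described above, as an added illustration that is not code from the dev-sec collection: a small model of how a role resolves its per-OS vars file from Ansible-style facts, showing that without an Amazon.yml the Amazon Linux 2 host lands on RedHat.yml and its unavailable package. The lookup order, the file names and the package lists are assumptions for this example, and the os-release text is constructed from the output in the thread.

```python
# Added example, not part of the dev-sec role. Models the vars-file selection
# that the thread describes; lookup order and file contents are assumptions.

# Constructed /etc/os-release content for Amazon Linux 2 (subset of the PR output).
AMAZON_LINUX_2_OS_RELEASE = """\
NAME="Amazon Linux"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
"""

# Assumed vars directory before and after the PR (only the packages the thread mentions).
VARS_BEFORE = {"RedHat.yml": {"ssh_selinux_packages": ["policycoreutils-python-utils"]}}
VARS_AFTER = dict(VARS_BEFORE, **{"Amazon.yml": {"ssh_selinux_packages": ["policycoreutils-python"]}})


def parse_os_release(text):
    """Parse KEY="value" lines of /etc/os-release into a dict."""
    facts = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            facts[key.strip()] = value.strip().strip('"')
    return facts


def ansible_facts(os_release):
    """Derive distribution / os_family the way Ansible reports them here
    (assumed mapping: ID 'amzn' -> 'Amazon'; ID_LIKE containing rhel -> family 'RedHat')."""
    distribution = {"amzn": "Amazon", "rhel": "RedHat", "centos": "CentOS"}.get(os_release["ID"], os_release["ID"])
    family = "RedHat" if distribution == "RedHat" or "rhel" in os_release.get("ID_LIKE", "").split() else distribution
    return {"distribution": distribution, "major": os_release["VERSION_ID"].split(".")[0], "os_family": family}


def select_vars_file(facts, available):
    """Assumed first_found order: distribution-major, distribution, then os_family (the fallback)."""
    candidates = [f"{facts['distribution']}-{facts['major']}.yml",
                  f"{facts['distribution']}.yml",
                  f"{facts['os_family']}.yml"]
    for name in candidates:
        if name in available:
            return name
    raise LookupError("no vars file among " + ", ".join(candidates))


def selinux_packages(os_release_text, available):
    """Return (chosen vars file, selinux packages the role would try to install)."""
    facts = ansible_facts(parse_os_release(os_release_text))
    chosen = select_vars_file(facts, available)
    return chosen, available[chosen]["ssh_selinux_packages"]
```

With VARS_BEFORE the host resolves to RedHat.yml and policycoreutils-python-utils (the package yum cannot find above); with VARS_AFTER the Amazon.yml entry is found first.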

@rndmh3ro
Member

Thanks for catching that. Amazon Linux, based on RedHat but major version 2 - I love it.

In PR #612 we'll implement tests for selinux so this will be noticed in the future.

@rndmh3ro rndmh3ro merged commit 83a0a92 into dev-sec:master Jan 25, 2023