@SwampDragons
Created November 29, 2017 17:22
<powershell>
# Set administrator password
net user Administrator SuperS3cr3t!
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# First, make sure WinRM can't be connected to
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
# Configure UAC to allow privilege elevation in remote shells
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>

{
  "variables": {
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "region": "{{env `AWS_DEFAULT_REGION`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "ap-southeast-2",
      "source_ami": "ami-2013f142",
      "instance_type": "t2.small",
      "ami_name": "default-packer{{ timestamp }}",
      "user_data_file": "./boot_config/packer_bootstrap_win.txt",
      "communicator": "winrm",
      "winrm_username": "Administrator",
      "winrm_password": "SuperS3cr3t!"
    }
  ],
  "provisioners": [
    {
      "type": "powershell",
      "inline": "Write-Output(\"HELLO SWAMPY I AM POWERSHELL WOOOOOO\")"
    },
    {
      "script": "./scripts/test_env_vars.ps1",
      "type": "powershell",
      "environment_vars": [
        "VAR1=A`$Dollar",
        "VAR2=A``Backtick",
        "VAR4=A`'SingleQuote"
      ]
    }
  ]
}
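The bootstrap above enables `AllowUnencrypted` and Basic authentication on an HTTP listener and opens it to `remoteip=any`, so the Administrator password and every provisioning command cross the network in cleartext for the lifetime of the build. The following user data is an added example, not the gist author's file: it keeps the same shape (password, listener reset, UAC token filter, firewall, service restart) but exposes WinRM only over HTTPS with a self-signed certificate and refuses unencrypted transport. It assumes the Packer template is changed to `"winrm_use_ssl": true`, `"winrm_insecure": true` (the client skips validation of the self-signed chain but the session is still TLS) and `"winrm_port": 5986`; the password is a placeholder, not a value from the page.

```powershell
<powershell>
# Added example, not the gist's bootstrap: WinRM over HTTPS only, plaintext
# transport disabled. Assumes the Packer template sets
#   "winrm_use_ssl": true, "winrm_insecure": true, "winrm_port": 5986
# (winrm_insecure skips validation of the self-signed certificate created below).

# Placeholder credential; it must match winrm_password in the template.
net user Administrator 'REPLACE-WITH-BUILD-TIME-PASSWORD'
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE

# Keep the HTTP rule blocked for the whole build; nothing listens on 5985 afterwards.
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block

# The WSMan: drive and the winrm tool both need the service up.
Start-Service -Name WinRM

# Drop any listener that exists, then create a single HTTPS listener.
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null

# Self-signed certificate scoped to this build; traffic is TLS-protected even
# though the Packer client does not validate the chain.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Basic auth is acceptable only because the listener is TLS; refuse plaintext outright.
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
# Same operational limits the gist raises for long provisioning runs.
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'

# Let the local Administrator run elevated through WinRM (same key the gist sets).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -Force

# Open 5986 only, then restart the service so it picks up the new listener.
netsh advfirewall firewall add rule name="WinRM HTTPS (Packer build)" dir=in action=allow protocol=TCP localport=5986
Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM
</powershell>
```

The firewall rule still allows any source, so the security group attached to the build instance should restrict 5986 to the address Packer connects from; the bootstrap cannot know that address, but the builder's `security_group_id` can.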
HCLCDR commented Feb 13, 2020

### Packer with ansible provisioners (Windows 2016 AMI creation on AWS) Authentication or permission failure #8726

### Error

```
amazon-ebs: ansible-playbook 2.9.3
amazon-ebs: config file = /etc/ansible/ansible.cfg
amazon-ebs: configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
amazon-ebs: ansible python module location = /usr/lib/python2.7/site-packages/ansible
amazon-ebs: executable location = /bin/ansible-playbook
amazon-ebs: python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
amazon-ebs: Using /etc/ansible/ansible.cfg as config file
amazon-ebs: host_list declined parsing /tmp/packer-provisioner-ansible413060560 as it did not pass its verify_file() method
amazon-ebs: script declined parsing /tmp/packer-provisioner-ansible413060560 as it did not pass its verify_file() method
amazon-ebs: auto declined parsing /tmp/packer-provisioner-ansible413060560 as it did not pass its verify_file() method
amazon-ebs: Parsed /tmp/packer-provisioner-ansible413060560 inventory source with ini plugin
amazon-ebs:
amazon-ebs: PLAYBOOK: win-playbook1.yml ****************************************************
amazon-ebs: 1 plays in /root/win-playbook1.yml
amazon-ebs:
amazon-ebs: PLAY [localhost] ***************************************************************
amazon-ebs: META: ran handlers
amazon-ebs:
amazon-ebs: TASK [18.9.26.1.1,CCE-37775-4 | Ensure 'Application - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] ***
amazon-ebs: task path: /root/win-playbook1.yml:7
amazon-ebs: <127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
amazon-ebs: <127.0.0.1> EXEC None -c 'PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdAEAIAB9ACAAfQA= ; sleep 0'
amazon-ebs: fatal: [localhost]: UNREACHABLE! => {
amazon-ebs: "changed": false,
amazon-ebs: "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp". Failed command was: PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdAEAIAB9ACAAfQA=, exited with result 127",
amazon-ebs: "unreachable": true
amazon-ebs: }
amazon-ebs:
amazon-ebs: PLAY RECAP *********************************************************************
amazon-ebs: localhost : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
amazon-ebs:
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Pausing before cleanup of step 'StepConnect'. Press enter to continue.
==> amazon-ebs: Pausing before cleanup of step 'StepGetPassword'. Press enter to continue.
==> amazon-ebs: Pausing before cleanup of step 'StepRunSourceInstance'. Press enter to continue.
==> amazon-ebs: Terminating the source AWS instance...
```

### Overview of the Issue

I am using Packer 1.5.1 and ansible 2.9.3 to build a Windows 2016 AMI in an AWS environment (Public AMI ID ami-08c7081300f7d9abb).
Connected to WinRM and able to run the powershell provisioner; however, I am not able to run the ansible provisioner for hardening Windows 2016 based on the CIS benchmark.

### Reproduction Steps

Refer to the following configuration.

### Packer version
1.5.1

### Simplified Packer Buildfile

```json
{
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "{{user `aws_region`}}",
    "instance_type": "t2.medium",
    "iam_instance_profile": "Admin",
    "associate_public_ip_address": false,

    "availability_zone": "us-east-1b",
    "vpc_id": "{{user `aws_vpc_id`}}",
    "subnet_id": "{{user `aws_subnet_id`}}",
    "security_group_id": "{{user `aws_security_group_id`}}",
    "ami_name": "packer-example-{{timestamp}}",
    "user_data_file": "windows-aws1.txt",
    "communicator": "winrm",
    "winrm_username": "Administrator",
    "winrm_password": "S3cr3t!P@cker",

    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "Windows_Server-2016-English-Full-Base-2019.11.13",
        "root-device-type": "ebs"
      },
      "owners": ["amazon"],
      "most_recent": true
    },
    "launch_block_device_mappings": [
      {
        "device_name": "/dev/xvda",
        "volume_size": 80,
        "volume_type": "gp2",
        "delete_on_termination": true
      }
    ]
  }],

  "provisioners": [{
    "type": "powershell",
    "inline": [
      "dir c:"
    ]
  },
  {
    "type": "ansible",
    "playbook_file": "./win-playbook1.yml",
    "extra_arguments": [
      "--connection", "packer", "-vvv",
      "--extra-vars", "ansible_shell_type=powershell ansible_shell_executable=None"
    ]
  }]
}
```

### User_data_file

```powershell
<powershell>
net user Administrator S3cr3t!P@cker
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block

winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null

winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force

Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>
```

### Sample YML file "win-playbook1.yml" - for reference

```yaml
- hosts: localhost
  gather_facts: no

  tasks:
    - name: "18.9.26.1.1,CCE-37775-4 | Ensure 'Application - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
      win_regedit:
        path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
        name: "Retention"
        data: "0"
        type: string

    - name: "18.9.8.2,CCE-38217-6 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled - Do not execute any autorun commands'"
      win_regedit:
        path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
        name: "NoAutorun"
        data: "1"
        type: dword
```

### Operating system and Environment details

Windows_Server-2016-English-Full-Base-2019.11.13

### Log Fragments and crash.log files

```
amazon-ebs: "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp". Failed command was: PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdAEAIAB9ACAAfQA=, exited with result 127",
amazon-ebs: "unreachable": true
```

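Two lines in the reported log explain the failure independently of WinRM: `ESTABLISH LOCAL CONNECTION FOR USER: root` and `EXEC None -c 'PowerShell ...'` with exit status 127 (command not found). The play targets `localhost`, which Ansible treats as its implicit local host with `ansible_connection=local`; an inventory or implicit host variable outranks the `--connection packer` default from `extra_arguments`, so Ansible tried to run `None -c PowerShell ...` on the Linux build host, where neither exists, instead of on the Windows instance. The playbook below is an added example, not a file from the issue thread: it keeps the two CIS tasks exactly as given and only changes the target to `all`, the host Packer writes to its generated inventory, so the `packer` connection and `ansible_shell_type=powershell` from the template's `extra_arguments` apply.

```yaml
# Added example, not from the issue thread: same two CIS tasks, but the play
# targets the host in Packer's generated inventory instead of the implicit
# localhost, so "--connection packer" and ansible_shell_type=powershell from
# extra_arguments are used and the registry edits run on the Windows instance.
- hosts: all
  gather_facts: no
  tasks:
    - name: "18.9.26.1.1,CCE-37775-4 | Ensure 'Application - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
      win_regedit:
        path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
        name: Retention
        data: "0"
        type: string

    - name: "18.9.8.2,CCE-38217-6 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled - Do not execute any autorun commands'"
      win_regedit:
        path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
        name: NoAutorun
        data: "1"
        type: dword
```

With `-vvv` still set, a correct run shows the task connecting to the Packer-supplied host rather than `<127.0.0.1> ESTABLISH LOCAL CONNECTION`; if the log still reports a local connection, the inventory target is the first thing to check before touching the WinRM bootstrap.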