[GH-ISSUE #83] [BUG] Konstruktoid hardening on Ubuntu in AWS seems to cause ssm-agent to cease functioning #37

Closed
opened 2026-03-03 13:58:36 +03:00 by kerem · 8 comments

Originally created by @fentonfentonfenton on GitHub (Jul 30, 2020).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/83

Originally assigned to: @konstruktoid on GitHub.

**Describe the bug**
Apologies for this if you are not an AWS user or anti-Amazon, but I thought I would raise it in case the issue has been raised before somewhere else.

**To Reproduce**
Run hardening on an AWS Ubuntu-based AMI either directly on host or via Ansible role.

**Expected behavior**
AWS system manager / AWS Session Manager features work (FYI this can be a way to obtain a shell on the box using AWS's SSM protocol(?) rather than using plain old SSH).

**Actual behavior**
AWS reports that

```
1 SSM Agent isn't installed on the instance. You can install the agent on both Windows instances and Linux instances.
2 Session Manager setup is incomplete. For more information, see https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html
```

**System (lsb_release -a):**
Ubuntu 18.04 etc

**Additional context**
AWS and Ubuntu Server ship with ssm-agent installed, and a user called `ssm-user` - I am trying to debug this to find out which script causes the lack of functionality, but it may take me a while to pin that down.

kerem 2026-03-03 13:58:36 +03:00: closed this issue and added the Stale label

@fentonfentonfenton commented on GitHub (Jul 30, 2020):

https://github.com/konstruktoid/hardening/pull/84 WIP PR


@konstruktoid commented on GitHub (Jul 31, 2020):

Thanks for reporting this @fentonfentonfenton, even though I'm not a customer of AWS I'll try to find a solution.

(PS I got absolutely nothing against AWS or similar services.)


@konstruktoid commented on GitHub (Jul 31, 2020):

Ah, can you verify that `snap` is installed?

```
~$ lsb_release -d && uname -r
Description:    Ubuntu 20.04.1 LTS
5.4.0-1018-aws
~$ hostname -f
ip-172-31-XX-XXX.eu-north-1.compute.internal
~$ git clone https://github.com/konstruktoid/hardening
~$ cd hardening/
~$ vi ubuntu.cfg
~$ sudo apt-get -y install net-tools procps
~$ sudo bash ubuntu.sh
~$ sudo reboot
~$ sudo snap install amazon-ssm-agent --classic
sudo: snap: command not found
~$
```

(https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-ubuntu.html#agent-install-ubuntu-tabs)


@konstruktoid commented on GitHub (Jul 31, 2020):

And with snap installed there's an apparmor error.

```
* remove squashfs from /etc/modprobe.d/disablefs.conf *
~$ sudo apt-get -y install snap snapd --no-install-recommends
~$ sudo snap install amazon-ssm-agent --classic
- Setup snap "core" (9665) security profiles (cannot setup profiles for snap "core": cannot create host snap-confine apparmor configuration: cannot reload snap-confine apparmor profile: cannot load apparmor profiles: exec: "ap    parmor_parser": executable file not found in $PATH
apparmor_parser output:
 )
~$ sudo -i
~# snap install hello-world
error: cannot perform the following tasks:
- Setup snap "core" (9665) security profiles (cannot setup profiles for snap "core": cannot create host snap-confine apparmor configuration: cannot reload snap-confine apparmor profile: cannot load apparmor profiles: exec: "ap    parmor_parser": executable file not found in $PATH
apparmor_parser output:
)
~# which apparmor_parser
/usr/sbin/apparmor_parser
~# echo $PATH
 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```
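
The `* remove squashfs from /etc/modprobe.d/disablefs.conf *` step in the comment above exists because snap packages are squashfs images. The following check is an added example, not part of the original thread or of the hardening project: it reports whether a modprobe.d directory disables squashfs. The function names and the sample file contents are hypothetical, and it assumes the standard modprobe.d(5) `install` and `blacklist` directives.

```shell
#!/bin/sh
# Assumption: modules are disabled with standard modprobe.d(5) directives
# ("install MODULE /bin/true" or "blacklist MODULE").

# module_disabled MODULE [DIR]: print the *.conf file in DIR that disables
# MODULE and return 0; return 1 when none does.
module_disabled() {
    mod=$1 dir=${2:-/etc/modprobe.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$mod" '
            { sub(/#.*/, "") }   # ignore comments
            $1 == "blacklist" && $2 == m { hit = 1 }
            $1 == "install" && $2 == m &&
                $3 ~ /^\/(usr\/)?bin\/(true|false)$/ { hit = 1 }
            END { exit !hit }' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# fs_registered NAME [FILE]: return 0 if the kernel already lists NAME
# in FILE (default /proc/filesystems).
fs_registered() {
    awk -v n="$1" '$NF == n { ok = 1 } END { exit !ok }' \
        "${2:-/proc/filesystems}"
}

# squashfs_status [MODPROBE_DIR] [FILESYSTEMS_FILE]: one-line verdict.
squashfs_status() {
    if fs_registered squashfs "${2:-/proc/filesystems}"; then
        echo "ok: squashfs registered"
    elif blocker=$(module_disabled squashfs "${1:-/etc/modprobe.d}"); then
        echo "blocked: $blocker"
    else
        echo "unknown: squashfs not registered, no modprobe.d block found"
    fi
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf 'install cramfs /bin/true\ninstall squashfs /bin/true\n' \
    > "$demo/disablefs.conf"
printf 'nodev\tproc\n\text4\n' > "$demo/filesystems"
squashfs_status "$demo" "$demo/filesystems"
rm -rf "$demo"
```

On a real host, call `squashfs_status` with no arguments to read `/etc/modprobe.d` and `/proc/filesystems`.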

@konstruktoid commented on GitHub (Jul 31, 2020):

https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-deb.html

```
~# apt-get -y purge snap*
~$ mkdir /tmp/ssm
~$ cd /tmp/ssm
~$ wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
~$ sudo dpkg -i amazon-ssm-agent.deb
~$ sudo systemctl status amazon-ssm-agent
~$ sudo systemctl enable amazon-ssm-agent
~$ sudo cat /var/log/amazon/ssm/amazon-ssm-agent.log
[...]
2020-07-31 21:01:21 INFO [MessagingDeliveryService] [Association] Updating association status {
  "ErrorCode": "",
  "ExecutionDate": "2020-07-31T21:01:21.861Z",
  "ExecutionSummary": "1 out of 1 plugin processed, 1 success, 0 failed, 0 timedout, 0 skipped. ",
  "OutputUrl": null,
  "Status": "Success"
}
[...]
```

[Screenshot: AWS Systems Manager - Managed Instances 2020-07-31 23-06-19]

@konstruktoid commented on GitHub (Jul 31, 2020):

[Screenshot: AWS Systems Manager - Session Manager 2020-07-31 23-17-17]

@github-actions[bot] commented on GitHub (Sep 3, 2020):

This issue is stale because it has been open 30 days with no activity, without any activity this will be closed in 5 days.


@fentonfentonfenton commented on GitHub (Apr 1, 2021):

I forgot to thank you! Thank you 👍
