Product Name
Azure Hardened Images
Product Version
Red Hat Enterprise Linux CIS Images
Date
Problem
Red Hat Enterprise Linux CIS Images are not patching via MS Automation.
The following recommendation is causing this: 5.5.3 Ensure default user shell timeout is 900 seconds or less
That recommendation is remediated by running the following command: echo -e 'TMOUT=900\nreadonly TMOUT\nexport TMOUT' >> /etc/profile.d/tmout.sh
Update Manager requires a shell to apply updates, gather heartbeat/status information, and send the assessment information back to Azure, all as the omsagent user. The timeout configuration interrupts that service user and prevents it from operating correctly.
Solution:
If you wish to use Azure Update Manager with the CIS RHEL8 image, revert that recommendation, but only before the instance is added to Azure Automation Accounts and Azure Update Manager.
Once the instance is created, remove the TMOUT=900, readonly TMOUT, and export TMOUT parameters from /etc/profile.d/tmout.sh. Once that is done, you can add the instances to Azure Update Manager and so on.
Note: To confirm that the instance is successfully forwarding the logs, read the log at /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log and look for output like the following (the main focus is the "Sending available updates information data" message):
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Filtering xml size=158
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : installedPackages x 0, availableUpdates x 0
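The revert and the log check described above, as an added shell example that is not part of the original article. The function names revert_tmout and updates_reported are hypothetical, and the log path must be passed in because the workspace id is specific to each instance.

```shell
#!/bin/sh
# Added example (not vendor code): revert the CIS 5.5.3 TMOUT lines and
# confirm that omsagent is sending update data.

# Remove only the three lines written by the CIS remediation command.
# Any other content in the file is kept, and a backup is written first.
revert_tmout() {
    local file="${1:-/etc/profile.d/tmout.sh}"
    local tmp
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # The backup name must not end in .sh, otherwise login shells
    # would still source it and the timeout would stay in effect.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$(mktemp)" || return 1
    sed -E '/^[[:space:]]*(TMOUT=[0-9]+|readonly[[:space:]]+TMOUT|export[[:space:]]+TMOUT)[[:space:]]*$/d' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so owner, mode and SELinux context are unchanged.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Fail if any non-comment line still mentions TMOUT.
    ! grep -Eq '^[^#]*TMOUT' "$file"
}

# Return 0 when the given omsagent.log contains the message the article
# names as the sign that update data is reaching Azure.
updates_reported() {
    local log="$1"
    [ -r "$log" ] || { echo "cannot read log: $log" >&2; return 2; }
    grep -q 'LinuxUpdates : Sending available updates information data' "$log"
}

# Touch the real paths only when explicitly asked:
#   sh revert-tmout.sh --apply [path to omsagent.log]
if [ "${1:-}" = "--apply" ]; then
    revert_tmout && echo "TMOUT lines removed from /etc/profile.d/tmout.sh"
    if [ -n "${2:-}" ]; then
        if updates_reported "$2"; then
            echo "omsagent is sending update data"
        else
            echo "no update data message found in $2" >&2
        fi
    fi
fi
```

Shells that were already logged in keep their readonly TMOUT; only new login shells start without the timeout.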