Throws warnings on stock AL AMI #1
Description
Following the instructions in the README on a fresh AL AMI instance, the following warnings are generated:
Rule ID: xccdf_preupg_rule_python_check
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/Babel-0.9.4.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/Jinja2-2.7.2.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/awscli is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/awscli-1.16.102.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/babel is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/backports is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/backports is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/backports.ssl_match_hostname-3.4.0.2.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/boto is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/boto-2.48.0.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/botocore is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/botocore-1.12.92.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.log.INFO: Python directory in dist-packages /usr/lib/python2.7/dist-packages/cfnbootstrap is not owned by an RPM package.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/chardet is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/cloud_init-0.7.6.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/cloudinit is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/colorama is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/concurrent is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/daemon is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/dateutil is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/docutils is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/ecdsa is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/futures-3.0.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/iniparse is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/jinja2 is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/jmespath is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/jmespath-0.9.2.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/jsonpatch-1.2.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/kitchen is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/kitchen-1.1.1.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.log.INFO: Python directory in dist-packages /usr/lib/python2.7/dist-packages/oscap_docker_python is not owned by an RPM package.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/paramiko is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/paramiko-1.15.1.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pip is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pip-9.0.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pkg_resources is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/ply is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/preupg is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/preupgrade_assistant-2.6.0.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pyasn1 is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pyasn1-0.1.7.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pykickstart is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pystache is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/pystache-0.5.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/python_daemon-1.5.2.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/python_dateutil-2.1.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/requests is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/requests-1.2.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/rpmUtils is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/rsa is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/rsa-3.4.1.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/setuptools is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/setuptools-36.2.7.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/six-1.8.0.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/urlgrabber is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/urllib3 is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/urllib3-1.24.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/virtualenv-15.1.0.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/virtualenv_support is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/yum is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib/python2.7/dist-packages/yumutils is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/Crypto is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/MarkupSafe-0.11.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/PIL is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/backports is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/curl is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/gpgme is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/markupsafe is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/pyliblzma-0.5.3.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/rpm is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/simplejson is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/simplejson-3.6.5.egg-info is owned by an RPM package that was not GPG signed by AL.
preupg.risk.SLIGHT: Python directory /usr/lib64/python2.7/dist-packages/yaml is owned by an RPM package that was not GPG signed by AL.
and:
xccdf_preupg_rule_move-to-extras_check
Amazon Linux 2 provides some software in a more limited-support, but updated
more-frequently source of software, called Extras. Some of the software you
have installed here can be found in Amazon Linux Extras when you move to 2.
In particular, packages
vim-minimal-8.0.0503-1.46.amzn1.x86_64
vim-enhanced-8.0.0503-1.46.amzn1.x86_64
nano-2.5.3-1.19.amzn1.x86_64
vim-common-8.0.0503-1.46.amzn1.x86_64
vim-filesystem-8.0.0503-1.46.amzn1.x86_64