From 4a4c12bf3058079bc2336db9e7330aa869b0753f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 31 Oct 2019 16:00:52 +0100
Subject: [PATCH 1/2] Use only first occurence from /etc/mtab

The mount options of the first entry will be used. If there are multiple lines in `/etc/mtab` that match the same mount point, the variable `_previous_mount_opts` contained newline characters. These newlines were propagated to `/etc/fstab`. As a result, an invalid entry in /etc/fstab was created, `mount` command hasn't been successful and the oscap scan after remediation returned false.
---
 .../include_mount_options_functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
index 392367dc05..7e81e8c711 100644
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -27,7 +27,7 @@ function ensure_mount_option_in_fstab {
 if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
 # runtime opts without some automatic kernel/userspace-added defaults
-_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \
+_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
 [ "$_previous_mount_opts" ] && _previous_mount_opts+=","
 echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
From 0a7f149efed656fe61ab3e873055fd630054f5f5 Mon Sep 17 00:00:00 2001
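Review bot: `head -1` on the changed line keeps the oldest of the duplicate mtab entries, but when a mount point has been mounted over more than once, /proc/self/mounts (which /etc/mtab is usually a symlink to) lists entries in mount order and the last one is the mount that is actually in effect, so the options copied into /etc/fstab may come from a shadowed mount rather than the live one; `tail -n 1` would follow the effective mount if that is what the remediation intends, and the commit message suggests taking the first entry is deliberate, so at minimum the choice should be explained on the line. A comment such as `# several mtab lines can match (over-mounts); keep exactly one so the value stays single-line` would also make clear that the real invariant being protected is that `$_previous_mount_opts` must never contain a newline before it is echoed into /etc/fstab. Using `head -n 1` instead of the legacy `head -1` form is a small portability nicety. The enclosing function ensure_mount_option_in_fstab starts and ends outside this hunk.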
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 1 Nov 2019 14:50:42 +0100
Subject: [PATCH 2/2] Add test scenario for multiple entries in mtab

---
 .../tests/multiple_entries_in_mtab.fail.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
new file mode 100644
index 0000000000..dd56f9bb6c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat /etc/mtab > /etc/mtab.old
+# destroy symlink
+rm -f /etc/mtab
+cp /etc/mtab.old /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab
+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab
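Review bot: The two appended /dev/shm lines in multiple_entries_in_mtab.fail.sh carry identical options (`rw,seclabel,relatime`), every one of which the remediation's sed strips, so the scenario proves only that the newline no longer reaches /etc/fstab and cannot show which of the duplicate entries the remediation picked; giving the second line a distinguishing option that survives the sed (for example `rw,seclabel,relatime,nosuid` as a constructed sample) would make the resulting /etc/fstab line reveal the selection, which is the behaviour the companion patch actually changes. The script also replaces the /etc/mtab symlink with a static regular-file copy and never restores it, so after this test /etc/mtab no longer reflects the kernel's mount table; that is acceptable for a disposable test VM but should be stated next to the existing `# destroy symlink` comment, e.g. `# /etc/mtab becomes a stale static copy for this scenario and is not restored`. The script has no `set -e`, so a failure of the `cat` or `cp` would leave /etc/mtab missing or empty and silently turn this into a different scenario; `set -e` after the shebang would make such a setup failure visible.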