From fa3e18fa8b1939b5173a889d2d6e696c67a49b56 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:44:32 +0200
Subject: [PATCH 1/6] Do not duplicate mount point options
The Ansible remediation for mount options was always adding the option.
---
shared/templates/template_ANSIBLE_mount_option | 1 +
1 file changed, 1 insertion(+)
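diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index cfb55859ac..08fa14208f 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -27,5 +27,6 @@
 state: "mounted"
 fstype: "{{ mount_info.fstype }}"
 when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
 - device_name.stdout is defined
 - (device_name.stdout | length > 0)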
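Review bot: The added `when` clause tests `"{{{ MOUNTOPTION }}}" not in mount_info.options` with Jinja's `in`, which on a string is a substring test; if `mount_info.options` is the comma-separated option string returned by findmnt (its construction is outside this hunk), an option that is a substring of another option already present — `exec` against `noexec`, `dev` against `nodev`, `suid` against `nosuid` — is treated as already set and the remediation is silently skipped. Comparing against the split list closes that gap: `- mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`. The `mount` task this `when` belongs to begins before the hunk.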
From 67f899077d542dbeb57b1772d6f86b029e0be066 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:46:23 +0200
Subject: [PATCH 2/6] Keep any already defined mount options
When mount doesn't need to exist to remediate, check whether mtab sets
the mountpoint and extend any already configured option.
---
shared/templates/template_ANSIBLE_mount_option | 10 ++++++++++
1 file changed, 10 insertions(+)
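diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 08fa14208f..aa5b5e2f8d 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -9,6 +9,16 @@
 failed_when: device_name.rc > 1
 changed_when: False
 
+{{% if MOUNT_HAS_TO_EXIST == "no" %}}
+- name: Check mtab information associated to mountpoint
+ command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: False
+ when:
+ - device_name.stdout is defined and device_name.stdout == ""
+{{% endif %}}
+
 - name: create mount_info dictionary variable
 set_fact:
 mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"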
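Review bot: When this new task is the one that supplies the mount information, the options the later `mount` task extends (outside this hunk) come from the kernel's effective option string rather than from an administrator-written fstab line; that string carries runtime-only flags such as `seclabel` and `relatime` (the fixture added in patch 4/6 shows `rw,seclabel,nodev,nosuid`), and whether every such flag is accepted when written back through /etc/fstab should be confirmed on a target host. The same holds for the `findmnt` call without `--fstab` that patch 6/6 puts in place of this task. I would record the assumption in a comment above the task: `# options read from mtab are the kernel's effective options, not what /etc/fstab says`.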
From 035d388383195637c79a2d47f3f100753a96c43f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:50:49 +0200
Subject: [PATCH 3/6] Fix task naming in Ansible mount option template
---
shared/templates/template_ANSIBLE_mount_option | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
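diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index aa5b5e2f8d..7452dfbc05 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: get back mount information associated to mountpoint
+- name: Check fstab information associated to mountpoint
 command: findmnt --fstab '{{{ MOUNTPOINT }}}'
 register: device_name
 failed_when: device_name.rc > 1
@@ -19,7 +19,7 @@
 - device_name.stdout is defined and device_name.stdout == ""
 {{% endif %}}
 
-- name: create mount_info dictionary variable
+- name: Create mount_info dictionary variable
 set_fact:
 mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
 with_together: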
From 3c302161bc0aaa6dfb765e7e9abf40aff90c42ce Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 18:04:05 +0200
Subject: [PATCH 4/6] Add tests for mount option noexed in /dev/shm
Tests added:
- No entry in fstab
- Entry in fstab without options
- Tests profile metadata fixed, they don't need to be tested using a
specific profile.
---
.../mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh | 3 +++
.../tests/multiple_entries_in_mtab.fail.sh | 1 -
.../tests/no_entry_in_fstab.fail.sh | 4 ++++
3 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
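diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..515d690e1f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab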
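Review bot: The fixture appends a `/dev/shm` line to /etc/fstab without removing any existing one, so on a test image that already lists `/dev/shm` the remediation may see two entries and the scenario no longer tests the "entry without the option" case it is named for. Clearing prior entries first, as `no_entry_in_fstab.fail.sh` in this same commit does, keeps the fixture deterministic: `sed -i '/\/dev\/shm/d' /etc/fstab` before the `echo`. A one-line comment saying why `seclabel` is part of the written options (presumably to mirror what findmnt reports on an SELinux host) would also help the next maintainer.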
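diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
index dd56f9bb6c..d7721b791d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_ospp
 
 cat /etc/mtab > /etc/mtab.old
 # destroy symlink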
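diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..f484a3614c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# make sure there is no entry for /dev/shm
+sed -i '/\/dev\/shm/d' /etc/fstab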
From f74beb900a0cf0d40bc1b85d518f8f7bf27f8d76 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 12:06:53 +0200
Subject: [PATCH 5/6] Update mount_option template documentation
Now the 'mount_has_to_exist' parameter is used in Ansible remediations.
As 'mount_has_to_exist=no' is only used for /dev/shm rules, the Ansible
remediation will add options based on existing ones consulting
/etc/mtab.
---
docs/manual/developer_guide.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
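diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 9d73e870f9..74fc869c51 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1574,7 +1574,7 @@ mount_option::
 ** *mountoption* - mount option, eg. `nosuid`
 ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation.
 ** *type* - filesystem type. Used only in Bash remediation.
-** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
+** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
 * Languages: Anaconda, Ansible, Bash, OVAL
 
 mount_option_remote_filesystems::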
From 5abea4f5773d5099e57d1645f1565c5afeadf426 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 12:51:23 +0200
Subject: [PATCH 6/6] Check all tabfiles when entry in fstab can be created by
Ansible
Skipped tasks still register facts! Instead of executing a task based on
results of fstab mounts, let's just change the actual task to check all
tab files.
---
shared/templates/template_ANSIBLE_mount_option | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
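diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 7452dfbc05..95bede25f9 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,21 +3,18 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: Check fstab information associated to mountpoint
- command: findmnt --fstab '{{{ MOUNTPOINT }}}'
- register: device_name
- failed_when: device_name.rc > 1
- changed_when: False
 
 {{% if MOUNT_HAS_TO_EXIST == "no" %}}
-- name: Check mtab information associated to mountpoint
- command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+ {{% set TABFILE="" %}}
+{{% else %}}
+ {{% set TABFILE="--fstab" %}}
+{{% endif %}}
+
+- name: Check information associated to mountpoint
+ command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}'
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: False
- when:
- - device_name.stdout is defined and device_name.stdout == ""
-{{% endif %}}
 
 - name: Create mount_info dictionary variable
 set_fact: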
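Review bot: The empty `TABFILE` branch relies on `findmnt` with no tab-file option searching every tab file, as the commit title says, but findmnt's own documentation describes `--kernel` (/proc/self/mountinfo) as the default when none is given, so for `MOUNT_HAS_TO_EXIST == "no"` this may consult only the live mount table; confirm on a target host, and if the kernel table is the intent make it explicit with `{{% set TABFILE="--kernel" %}}`. Either way a mountpoint mounted more than once (the case `multiple_entries_in_mtab.fail.sh` exercises) yields several stdout lines, while the `mount_info` construction that starts at the last line of this hunk and continues past it appears to expect one; `--first-only` would pin that assumption down. A comment above the `{{% if %}}` stating which table each branch reads, e.g. `# "no": the mountpoint need not be in fstab, so look up the live mount instead`, would save the next reader a trip through the findmnt manual.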