From fa3e18fa8b1939b5173a889d2d6e696c67a49b56 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:44:32 +0200
Subject: [PATCH 1/6] Do not duplicate mount point options

The Ansible remediation for mount options always appended the option, duplicating it when the mount point already had it.
---
 shared/templates/template_ANSIBLE_mount_option | 1 +
 1 file changed, 1 insertion(+)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index cfb55859ac..08fa14208f 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -27,5 +27,6 @@
     state: "mounted"
     fstype: "{{ mount_info.fstype }}"
   when:
+    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
     - device_name.stdout is defined
     - (device_name.stdout | length > 0)
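Review bot: The added condition `"{{{ MOUNTOPTION }}}" not in mount_info.options` is a substring test if `options` holds the comma-separated OPTIONS string from findmnt, so an option that is a suffix of another (`dev` inside `nodev`, `exec` inside `noexec`, `suid` inside `nosuid`) is reported as already present and the remediation is silently skipped. Compare against the split list instead: `- mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`. I am assuming `options` is a plain string, since the dictionary is built from `device_name.stdout` outside this hunk; worth confirming against that task. The mount task this `when` belongs to begins before the hunk.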

From 67f899077d542dbeb57b1772d6f86b029e0be066 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:46:23 +0200
Subject: [PATCH 2/6] Keep any already defined mount options

When the mount does not need to exist in fstab to remediate, check whether
the mountpoint is present in mtab and extend any already configured options.
---
 shared/templates/template_ANSIBLE_mount_option | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 08fa14208f..aa5b5e2f8d 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -9,6 +9,16 @@
   failed_when: device_name.rc > 1
   changed_when: False
 
+{{% if MOUNT_HAS_TO_EXIST == "no" %}}
+- name: Check mtab information associated to mountpoint
+  command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+  register: device_name
+  failed_when: device_name.rc > 1
+  changed_when: False
+  when:
+    - device_name.stdout is defined and device_name.stdout == ""
+{{% endif %}}
+
 - name: create mount_info dictionary variable
   set_fact:
     mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"

From 035d388383195637c79a2d47f3f100753a96c43f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 17:50:49 +0200
Subject: [PATCH 3/6] Fix task naming in Ansible mount option template

---
 shared/templates/template_ANSIBLE_mount_option | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index aa5b5e2f8d..7452dfbc05 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: get back mount information associated to mountpoint
+- name: Check fstab information associated to mountpoint
   command: findmnt --fstab '{{{ MOUNTPOINT }}}'
   register: device_name
   failed_when: device_name.rc > 1
@@ -19,7 +19,7 @@
     - device_name.stdout is defined and device_name.stdout == ""
 {{% endif %}}
 
-- name: create mount_info dictionary variable
+- name: Create mount_info dictionary variable
   set_fact:
     mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
   with_together:

From 3c302161bc0aaa6dfb765e7e9abf40aff90c42ce Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 May 2020 18:04:05 +0200
Subject: [PATCH 4/6] Add tests for mount option noexed in /dev/shm

Tests added:
- No entry in fstab
- Entry in fstab without options
- Tests profile metadata fixed, they don't need to be tested using a
  specific profile.
---
 .../mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh  | 3 +++
 .../tests/multiple_entries_in_mtab.fail.sh                    | 1 -
 .../tests/no_entry_in_fstab.fail.sh                           | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..515d690e1f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab
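Review bot: The script only appends a /dev/shm line and never removes a pre-existing /dev/shm entry from /etc/fstab, so on an image that already carries one (possibly with `noexec`) `findmnt --fstab` may report that entry instead and the scenario no longer fails deterministically. Delete existing entries before appending: `sed -i '/\/dev\/shm/d' /etc/fstab`. Which entry findmnt reports when duplicates exist is not visible from here, so this is a robustness concern rather than an observed failure.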
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
index dd56f9bb6c..d7721b791d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_ospp
 
 cat /etc/mtab > /etc/mtab.old
 # destroy symlink
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..f484a3614c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# make sure there is no entry for /dev/shm
+sed -i '/\/dev\/shm/d' /etc/fstab
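Review bot: The pattern `/\/dev\/shm/d` deletes every fstab line that mentions /dev/shm anywhere, including comments and entries whose source is under /dev/shm (a bind mount, for instance), not only the tmpfs mountpoint entry the test wants gone. Matching the mountpoint column is tighter: `sed -i '/^[^#]*[[:space:]]\/dev\/shm[[:space:]]/d' /etc/fstab`. Note that /dev/shm stays mounted at runtime, so whether this scenario fails presumably still depends on the live mount's options; the check itself is outside this patch.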

From f74beb900a0cf0d40bc1b85d518f8f7bf27f8d76 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 12:06:53 +0200
Subject: [PATCH 5/6] Update mount_option template documentation

The 'mount_has_to_exist' parameter is now also used in Ansible remediations.
As 'mount_has_to_exist=no' is only used for /dev/shm rules, the Ansible
remediation adds options to the ones already in effect, consulting
/etc/mtab.
---
 docs/manual/developer_guide.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 9d73e870f9..74fc869c51 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1574,7 +1574,7 @@ mount_option::
 ** *mountoption* - mount option, eg. `nosuid`
 ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation.
 ** *type* - filesystem type. Used only in Bash remediation.
-** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
+** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
 * Languages: Anaconda, Ansible, Bash, OVAL
 
 mount_option_remote_filesystems::

From 5abea4f5773d5099e57d1645f1565c5afeadf426 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 12:51:23 +0200
Subject: [PATCH 6/6] Check all tabfiles when entry in fstab can be created by
 Ansible

Skipped tasks still register the variable! Instead of running a second task
conditioned on the result of the fstab lookup, let's change the lookup task
itself to check all tab files.
---
 shared/templates/template_ANSIBLE_mount_option | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 7452dfbc05..95bede25f9 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,21 +3,18 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: Check fstab information associated to mountpoint
-  command: findmnt --fstab '{{{ MOUNTPOINT }}}'
-  register: device_name
-  failed_when: device_name.rc > 1
-  changed_when: False
 
 {{% if MOUNT_HAS_TO_EXIST == "no" %}}
-- name: Check mtab information associated to mountpoint
-  command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+   {{% set TABFILE="" %}}
+{{% else %}}
+   {{% set TABFILE="--fstab" %}}
+{{% endif %}}
+
+- name: Check information associated to mountpoint
+  command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: False
-  when:
-    - device_name.stdout is defined and device_name.stdout == ""
-{{% endif %}}
 
 - name: Create mount_info dictionary variable
   set_fact:
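Review bot: Dropping `--fstab` for the `MOUNT_HAS_TO_EXIST == "no"` branch also changes the output shape: `findmnt --fstab` prints list format, whereas `findmnt '{{{ MOUNTPOINT }}}'` with no tab file uses findmnt's default tree-style output and may return one line per tab file that matches. If the `mount_info` dictionary built from `device_name.stdout` in the following task relies on a single list-formatted record, pass `--list` in both branches, e.g. `command: findmnt --list {{{ TABFILE }}} '{{{ MOUNTPOINT }}}'`, and consider `--first-only` so duplicate fstab/mtab hits cannot skew the options comparison. Whether the dictionary parsing tolerates multiple lines is not visible from here. Separately, the three-space indent before the `{{% set %}}` lines leaves whitespace-only lines in the rendered playbook; placing them at column 0 avoids that.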