From fa3e18fa8b1939b5173a889d2d6e696c67a49b56 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 11 May 2020 17:44:32 +0200
Subject: [PATCH 1/6] Do not duplicate mount point options

The Ansible remediation for mount options was always adding the option.

---
 shared/templates/template_ANSIBLE_mount_option | 1 +
 1 file changed, 1 insertion(+)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index cfb55859ac..08fa14208f 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -27,5 +27,6 @@
 state: "mounted"
 fstype: "{{ mount_info.fstype }}"
 when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
 - device_name.stdout is defined
 - (device_name.stdout | length > 0)

From 67f899077d542dbeb57b1772d6f86b029e0be066 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 11 May 2020 17:46:23 +0200
Subject: [PATCH 2/6] Keep any already defined mount options

When mount doesn't need to exist to remediate, check whether mtab sets the mountpoint and extend any already configured option.

---
 shared/templates/template_ANSIBLE_mount_option | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 08fa14208f..aa5b5e2f8d 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -9,6 +9,16 @@
 failed_when: device_name.rc > 1
 changed_when: False
 
+{{% if MOUNT_HAS_TO_EXIST == "no" %}}
+- name: Check mtab information associated to mountpoint
+ command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: False
+ when:
+ - device_name.stdout is defined and device_name.stdout == ""
+{{% endif %}}
+
 - name: create mount_info dictionary variable
 set_fact:
 mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
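Review bot: The added `when` item tests `"{{{ MOUNTOPTION }}}" not in mount_info.options`, and if `options` is the raw comma-separated string from findmnt that is a substring match, so an option that is a suffix of another one (`exec` inside `noexec`, `suid` inside `nosuid`, `dev` inside `nodev`) is reported as already present and the remediation is skipped without adding it. Matching against the list of options instead avoids that: `- mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`. The condition also assumes `mount_info` always carries an `options` key once it is defined; if the dictionary can be assembled without one, this expression errors rather than skips, which is worth confirming where `mount_info` is built. The mount task this `when:` belongs to starts before the hunk.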
From 035d388383195637c79a2d47f3f100753a96c43f Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 11 May 2020 17:50:49 +0200
Subject: [PATCH 3/6] Fix task naming in Ansible mount option template

---
 shared/templates/template_ANSIBLE_mount_option | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index aa5b5e2f8d..7452dfbc05 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: get back mount information associated to mountpoint
+- name: Check fstab information associated to mountpoint
 command: findmnt --fstab '{{{ MOUNTPOINT }}}'
 register: device_name
 failed_when: device_name.rc > 1
@@ -19,7 +19,7 @@
 - device_name.stdout is defined and device_name.stdout == ""
 {{% endif %}}
 
-- name: create mount_info dictionary variable
+- name: Create mount_info dictionary variable
 set_fact:
 mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
 with_together:

From 3c302161bc0aaa6dfb765e7e9abf40aff90c42ce Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 11 May 2020 18:04:05 +0200
Subject: [PATCH 4/6] Add tests for mount option noexed in /dev/shm

Tests added:
- No entry in fstab
- Entry in fstab without options
- Tests profile metadata fixed, they don't need to be tested using a specific profile.

---
 .../mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh | 3 +++
 .../tests/multiple_entries_in_mtab.fail.sh | 1 -
 .../tests/no_entry_in_fstab.fail.sh | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..515d690e1f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
index dd56f9bb6c..d7721b791d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_ospp
 
 cat /etc/mtab > /etc/mtab.old
 # destroy symlink
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
new file mode 100644
index 0000000000..f484a3614c
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# make sure there is no entry for /dev/shm
+sed -i '/\/dev\/shm/d' /etc/fstab

From f74beb900a0cf0d40bc1b85d518f8f7bf27f8d76 Mon Sep 17 00:00:00 2001
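Review bot: `entry_in_fstab.fail.sh` appends its `/dev/shm` line with `>>` without removing any entry the base image already has, so on such an image the scenario silently becomes a duplicate-entry case rather than "entry present without the option", and the outcome then depends on which of the two entries the remediation consults. Clearing the old entry first, exactly as `no_entry_in_fstab.fail.sh` in this same commit does, keeps the scenario deterministic: `sed -i '/\/dev\/shm/d' /etc/fstab` before the `echo`. A one-line comment naming the scenario, `# entry for /dev/shm exists but lacks noexec`, would also help readers tell the three fail scripts apart.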
From: Watson Sato
Date: Tue, 12 May 2020 12:06:53 +0200
Subject: [PATCH 5/6] Update mount_option template documentation

Now the 'mount_has_to_exist' parameter is used in Ansible remediations. As 'mount_has_to_exist=no' is only used for /dev/shm rules, the Ansible remediation will add options based on existing ones consulting /etc/mtab.

---
 docs/manual/developer_guide.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 9d73e870f9..74fc869c51 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1574,7 +1574,7 @@ mount_option::
 ** *mountoption* - mount option, eg. `nosuid`
 ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation.
 ** *type* - filesystem type. Used only in Bash remediation.
-** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
+** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`.
 * Languages: Anaconda, Ansible, Bash, OVAL
 
 mount_option_remote_filesystems::

From 5abea4f5773d5099e57d1645f1565c5afeadf426 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 12 May 2020 12:51:23 +0200
Subject: [PATCH 6/6] Check all tabfiles when entry in fstab can be created by Ansible

Skipped tasks still register facts! Instead of executing a task based on results of fstab mounts, lets just change the actual task to check all tab files.

---
 shared/templates/template_ANSIBLE_mount_option | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 7452dfbc05..95bede25f9 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -3,21 +3,18 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- name: Check fstab information associated to mountpoint
- command: findmnt --fstab '{{{ MOUNTPOINT }}}'
- register: device_name
- failed_when: device_name.rc > 1
- changed_when: False
 
 {{% if MOUNT_HAS_TO_EXIST == "no" %}}
-- name: Check mtab information associated to mountpoint
- command: findmnt --mtab '{{{ MOUNTPOINT }}}'
+ {{% set TABFILE="" %}}
+{{% else %}}
+ {{% set TABFILE="--fstab" %}}
+{{% endif %}}
+
+- name: Check information associated to mountpoint
+ command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}'
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: False
- when:
- - device_name.stdout is defined and device_name.stdout == ""
-{{% endif %}}
 
 - name: Create mount_info dictionary variable
 set_fact:
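Review bot: With `MOUNT_HAS_TO_EXIST == "no"` the rendered command is a bare `findmnt '<mountpoint>'`, and as far as I recall findmnt(8) documents `--kernel` (the live mount table) as the default when no table option is given, so this task would consult the running mount only rather than "all tab files" as the subject line and description say; please check against the findmnt version the content targets. If that reading is right, a mountpoint that is neither mounted nor listed in fstab leaves `device_name.stdout` empty, and if the following tasks still gate on `device_name.stdout | length > 0` the fstab entry that `mount_has_to_exist=no` promises is never created; the rest of the template is outside this hunk, so I cannot confirm. Whichever behaviour is intended, the branch should say so, e.g. `# MOUNT_HAS_TO_EXIST=no: no --fstab flag, so findmnt reports the live mount and its current options are kept` above the `{{% set TABFILE="" %}}` line. `TABFILE` now holds a command-line flag rather than a file, so a name such as `TABFILE_FLAG` would describe it better.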