Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mount[] platform and use it for /tmp and /var/tmp mount option rules #10431

Merged
merged 2 commits into from Apr 6, 2023
Merged

Add mount[] platform and use it for /tmp and /var/tmp mount option rules #10431

merged 2 commits into from Apr 6, 2023

Conversation

evgenyz
Copy link
Member

@evgenyz evgenyz commented Apr 6, 2023
edited

Description:

This is a continuation on #10295 and, at the same time, a fix for #10389.

Rationale:

Review Hints:

  • Bash conditional now checks for findmnt --kernel || findmnt --fstab.
  • Ansible does something. But we don't really care about the details for now, as it won't be used for offline remediation (ever?).

@github-actions
Copy link

github-actions bot commented Apr 6, 2023

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@evgenyz evgenyz mentioned this pull request Apr 6, 2023
Closed
@evgenyz
shared/applicability: Replace partition-tmp and partition-var-tmp with
018bbe2 
a new templated platform mount[]

The platform conditionals now check for the /etc/fstab entries
in addition to active mountpoint presence.

Also the name better reflects the nature of the check.
@evgenyz
permissions/partitions: Add mount[] platform to mount_option_tmp*
442aa3e 
and mount_option_var_tmp* rules

This restores previously removed 'not applicable' behavior of these
rules for systems where mountpoints have not been configured.
@evgenyz evgenyz force-pushed the fix_mount_options_not_applicable branch from e7ec398 to 442aa3e Compare April 6, 2023 02:06
@evgenyz evgenyz added usability Enhancements related to usability. bugfix Fixes to reported bugs. labels Apr 6, 2023
@evgenyz evgenyz changed the title Add mount[] paltform and use it for /tmp and /var/tmp mount option rules Add mount[] platform and use it for /tmp and /var/tmp mount option rules Apr 6, 2023
@codeclimate
Copy link

codeclimate bot commented Apr 6, 2023

Code Climate has analyzed commit 442aa3e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

@Mab879
Copy link
Member

Mab879 commented Apr 6, 2023

Please also propose this to the stabilization branch as well.

This was referenced Apr 6, 2023
Closed
Closed
@Mab879 Mab879 self-assigned this Apr 6, 2023
Mab879
Mab879 approved these changes Apr 6, 2023
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks!

Mab879 added a commit to Mab879/content that referenced this pull request Apr 6, 2023
@Mab879 @evgenyz
Backport of ComplianceAsCode#10431
f92ffd6 
Co-authored-by: Evgeny Kolesnikov <ekolesni@redhat.com>
@Mab879 Mab879 mentioned this pull request Apr 6, 2023
Merged
@Mab879 Mab879 added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label Apr 6, 2023
@Mab879 Mab879 added this to the 0.1.67 milestone Apr 6, 2023
@marcusburghardt
Copy link
Member

Before the fix:

rhel8 - mount_option_tmp_nodev - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK

rhel8 - mount_option_tmp_noexec - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK

rhel8 - mount_option_tmp_nosuid - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script fstab.fail.sh using profile (all) OK

rhel8 - mount_option_var_tmp_nodev - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script notapplicable.pass.sh using profile (all) OK

rhel8 - mount_option_var_tmp_noexec - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK

rhel8 - mount_option_var_tmp_nosuid - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK

After the fix:

rhel8 - mount_option_tmp_nodev - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable

rhel8 - mount_option_tmp_noexec - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec evaluation resulted in notapplicable
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec evaluation resulted in notapplicable
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec evaluation resulted in notapplicable

rhel8 - mount_option_tmp_nosuid - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid evaluation resulted in notapplicable
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid evaluation resulted in notapplicable
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid evaluation resulted in notapplicable

rhel8 - mount_option_var_tmp_nodev - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev evaluation resulted in notapplicable
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev evaluation resulted in notapplicable
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev evaluation resulted in notapplicable
WARNING - Script notapplicable.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev evaluation resulted in notapplicable

rhel8 - mount_option_var_tmp_noexec - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec evaluation resulted in notapplicable
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec evaluation resulted in notapplicable
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec evaluation resulted in notapplicable

rhel8 - mount_option_var_tmp_nosuid - bash VM
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
WARNING - Script separate.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid evaluation resulted in notapplicable
WARNING - Script fstab.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid evaluation resulted in notapplicable
WARNING - Script runtime.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid evaluation resulted in notapplicable

marcusburghardt
marcusburghardt approved these changes Apr 6, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

marcusburghardt added a commit that referenced this pull request Apr 6, 2023
@marcusburghardt
Merge pull request #10438 from Mab879/backport_10431
0313d3b 
Backport of #10431
@marcusburghardt marcusburghardt merged commit ffc50a9 into ComplianceAsCode:master Apr 6, 2023
44 of 49 checks passed
@Mab879 Mab879 mentioned this pull request Apr 6, 2023
Closed
@jan-cerny jan-cerny mentioned this pull request Apr 27, 2023
Closed
@j-ode j-ode mentioned this pull request Apr 27, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@Mab879 Mab879

Labels
backported-into-stabilization PRs which were cherry-picked during stabilization process. bugfix Fixes to reported bugs. usability Enhancements related to usability.
Projects
None yet
Milestone
0.1.67
Development

Successfully merging this pull request may close these issues.

mount_option_*_tmp_* is pass when should be not applicable on RHEL8/RHEL9
3 participants
@evgenyz @Mab879 @marcusburghardt