Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issue when adding fstab entries with iso9660 #10572

Merged
merged 3 commits into from
May 30, 2023
Merged

Fix issue when adding fstab entries with iso9660 #10572

merged 3 commits into from
May 30, 2023

Conversation

Xeicker
Copy link
Contributor

@Xeicker Xeicker commented May 15, 2023

Description:

  • Replace blocksize parameter with block when retrieving an iso9660 mount point from mtab and adding it to fstab

Rationale:

  • It was noticed that iso9660 file systems, when present in mtab file, could include a blocksize parameter. However that's not valid in fstab and there the equivalent parameter is called block

Review Hints:

  • I wasn't able to come up with an automated test. But manually it can be tested in next way:
    • Mount a cdrom in the system, E.g.:
 # mkdir /mnt/cdrom
 # mount /dev/cdrom /mnt/cdrom/
  • Run bash remediation for mount_option_nodev_nonroot_local_partitions E.g.:
# oscap xccdf eval --profile stig --rule xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions --results-arf /tmp/arf.xml /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
# oscap xccdf generate fix --fix-type bash --result-id "" /tmp/arf.xml > bash-fix.sh
# bash bash-fix.sh
  • Reboot system
  • The system won't reboot with previous remediation due to an entry similar to this:
    /dev/sr0 /mnt/cdrom iso9660 defaults,ro,relatime,nojoliet,check=s,map=n,blocksize=2048,iocharset=utf8,nodev 0 0
  • Replacing blocksize with block( as with this change), the system boots normally

@Xeicker
Fix issue when adding fstab entries with iso9660
da07ef7 
This fs type has an issue in which the entries in mtab could describe a
value for blocksize, however that's not recognized by fstab, there the
name for this same option is 'block'.
The issue can be seen from rule
mount_option_nodev_nonroot_local_partitions, if there was a cdrom
mounted manually, and then this rule was remediated. The system
wouldn't be able to reboot

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 15, 2023
@openshift-ci
Copy link

openshift-ci bot commented May 15, 2023

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

github-actions bot commented May 15, 2023
edited

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /boot/efi  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto%0A+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /boot  defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noauto"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /boot  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /boot  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /boot  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev%0A@@ -13,6 +13,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="tmpfs"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec%0A@@ -13,6 +13,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="tmpfs"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid%0A@@ -13,6 +13,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="tmpfs"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota%0A+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /home  defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "grpquota"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /home  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /home  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /home  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota%0A+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /home  defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "usrquota"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions%0A+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions%0A@@ -25,6 +25,12 @@%0A             previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                         | sed -E "s/(rw|defaults|seclabel|$MOUNT_OPTION)(,|$)//g;s/,$//")%0A             [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+            # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+            # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+            fs_type="$device_type"%0A+            if [  "$fs_type" == "iso9660" ] ; then%0A+                previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+            fi%0A             echo "$device $mount_point $device_type defaults,${previous_mount_opts}$MOUNT_OPTION 0 0" >> /etc/fstab%0A         # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A         elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "$MOUNT_OPTION"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /opt  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid%0A@@ -16,6 +16,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="proc"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "$mountoption"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /srv  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log/audit  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log/audit  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log/audit  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid%0A+++ xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid%0A@@ -19,6 +19,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type=""%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " /var/tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems%0A+++ xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems%0A@@ -14,6 +14,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|sec=krb5:krb5i:krb5p)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="nfs4"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}sec=krb5:krb5i:krb5p 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "sec=krb5:krb5i:krb5p"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems%0A+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems%0A@@ -14,6 +14,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="nfs4"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems%0A+++ xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems%0A@@ -14,6 +14,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="nfs4"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems' differs.%0A--- xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems%0A+++ xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems%0A@@ -14,6 +14,12 @@%0A         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \%0A                     | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")%0A         [ "$previous_mount_opts" ] && previous_mount_opts+=","%0A+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in%0A+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.%0A+        fs_type="nfs4"%0A+        if [  "$fs_type" == "iso9660" ] ; then%0A+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")%0A+        fi%0A         echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab%0A     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it%0A     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then

@marcusburghardt
Copy link
Member

@Xeicker , could you take a look in the CI tests failures, please? It seems to be some minor issues.

@marcusburghardt marcusburghardt added this to the 0.1.68 milestone May 17, 2023
@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Bash Bash remediation update. labels May 17, 2023
@marcusburghardt marcusburghardt self-assigned this May 17, 2023
@Xeicker
Address Gate test issue on empty string
46bf269 
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@Xeicker
Copy link
Contributor Author

Xeicker commented May 19, 2023

@marcusburghardt

I see tests are failing due to this warning:

SC2050 (warning): This expression is constant. Did you forget the $ on a variable?

I can fix this, just wanted to confirm if this wasn't expected due to the usage of jinja macros

@marcusburghardt
Copy link
Member

@marcusburghardt

I see tests are failing due to this warning:

SC2050 (warning): This expression is constant. Did you forget the $ on a variable?

I can fix this, just wanted to confirm if this wasn't expected due to the usage of jinja macros

I see, it is expected due to the Jinja2 variable. I think it is easy to make the shellcheck happy here without impacting the readability.

@Xeicker @marcusburghardt
Update shared/macros/10-bash.jinja
4a1dc26 
This address failing tests due to warnings

Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
@codeclimate
Copy link

codeclimate bot commented May 25, 2023

Code Climate has analyzed commit 4a1dc26 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.5% (0.1% change).

View more on Code Climate.

@jan-cerny jan-cerny modified the milestones: 0.1.68, 0.1.69 May 29, 2023
@marcusburghardt marcusburghardt merged commit 10f9d15 into ComplianceAsCode:master May 30, 2023
28 of 31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@marcusburghardt marcusburghardt

Labels
Bash Bash remediation update. bugfix Fixes to reported bugs. needs-ok-to-test Used by openshift-ci bot.
Projects
None yet
Milestone
0.1.69
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Xeicker @marcusburghardt @jan-cerny