Add mount platforms #10794
Merged
Add mount platforms #10794
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-86039-5
- NIST-800-53-CM-6(b)
@@ -21,7 +22,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -47,7 +49,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -66,7 +69,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "grpquota" not in mount_info.options
tags:
- CCE-86039-5
@@ -86,7 +90,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-81048-1
- configure_strategy
@@ -20,7 +21,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +47,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -63,7 +66,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-81048-1
@@ -82,7 +86,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-81050-7
- DISA-STIG-RHEL-08-010570
@@ -27,7 +28,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -59,7 +61,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -84,7 +87,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-81050-7
@@ -110,7 +114,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-86035-3
- NIST-800-53-CM-6(b)
@@ -21,7 +22,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -47,7 +49,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -66,7 +69,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "usrquota" not in mount_info.options
tags:
- CCE-86035-3
@@ -86,7 +90,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/home" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/opt" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-83319-4
- configure_strategy
@@ -20,7 +21,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/opt" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +47,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/opt" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -63,7 +66,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/opt" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83319-4
@@ -82,7 +86,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/opt" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_opt:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/srv" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-83322-8
- configure_strategy
@@ -20,7 +21,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/srv" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +47,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/srv" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -63,7 +66,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/srv" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83322-8
@@ -82,7 +86,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/srv" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_srv:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") |
+ list )
tags:
- CCE-82080-3
- DISA-STIG-RHEL-08-040129
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +63,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -85,7 +89,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-82080-3
@@ -112,7 +117,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log-audit:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") |
+ list )
tags:
- CCE-82975-4
- DISA-STIG-RHEL-08-040131
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +63,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -85,7 +89,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-82975-4
@@ -112,7 +117,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log-audit:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") |
+ list )
tags:
- CCE-82921-8
- DISA-STIG-RHEL-08-040130
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +63,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -85,7 +89,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-82921-8
@@ -112,7 +117,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log-audit:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log" in ansible_mounts | map(attribute="mount") | list
+ )
tags:
- CCE-82077-9
- DISA-STIG-RHEL-08-040126
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -59,7 +62,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -84,7 +88,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-82077-9
@@ -110,7 +115,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log" in ansible_mounts | map(attribute="mount") | list
+ )
tags:
- CCE-82008-4
- DISA-STIG-RHEL-08-040128
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +63,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -85,7 +89,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-82008-4
@@ -111,7 +116,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
@@ -3,7 +3,9 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/log" in ansible_mounts | map(attribute="mount") | list
+ )
tags:
- CCE-82065-4
- DISA-STIG-RHEL-08-040127
@@ -27,7 +29,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +63,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -85,7 +89,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-82065-4
@@ -111,7 +116,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/log" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var-log:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_nodev
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-82062-1
- NIST-800-53-AC-6
@@ -26,7 +27,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -57,7 +59,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -80,7 +83,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-82062-1
@@ -105,7 +109,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_var_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_var_nodev
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var:def:1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_noexec'.
--- xccdf_org.ssgproject.content_rule_mount_option_var_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_noexec
@@ -4,7 +4,7 @@
[description]:
The noexec mount option can be used to prevent binaries from being
-executed out of /var.
+executed out of /var.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_var_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_noexec
@@ -3,7 +3,8 @@
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var" in ansible_mounts | map(attribute="mount") | list )
tags:
- CCE-83330-1
- configure_strategy
@@ -20,7 +21,8 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +47,8 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- ("--fstab" | length == 0)
- (device_name.stdout | length == 0)
tags:
@@ -63,7 +66,8 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83330-1
@@ -82,7 +86,8 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var" in ansible_mounts | map(attribute="mount") | list )
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_var_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_var_noexec
@@ -1 +1,2 @@
oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-installed_env_mount_var:def:1 |
|
Code Climate has analyzed commit 1e3ed5a and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.5% (0.0% change). View more on Code Climate. |
|
/packit rebuild-failed |
jan-cerny
approved these changes
Jul 4, 2023
There was a problem hiding this comment.
I have reviewed that the rules now have a platform assigned in the data stream.
Also, I have executed some test scenarios with a VM backend.
[jcerny@fedora scap-security-guide{pr/10794}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_home_nodev
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-04-1126/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_home_nodev
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
INFO - Script fstab_comment.pass.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10794}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_home_nosuid
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-04-1128/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script fstab_comment.pass.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script separate.pass.sh using profile (all) OK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Add
mountplatforms to rules for mount options.Rationale:
Closes #10504