Error "The conditional check ''nosuid' not in home_mount.options' failed" in fix-cat2.yml. Easy code fix. #448

Closed
erosen03 opened this issue Jan 3, 2024 · 3 comments

erosen03 commented Jan 3, 2024

Lines 2043 and 2056 of fix-cat2.yml appear to have improper condition statements that cause the following error:

TASK [/etc/ansible/roles/ansible-lockdown/RHEL7-STIG : MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.] *** 2024-01-03 00:43:09 fatal: [x.x.x.20]: FAILED! => {"msg": "The conditional check ''nosuid' not in home_mount.options' failed. The error was: error while evaluating conditional ('nosuid' not in home_mount.options): 'home_mount' is undefined. 'home_mount' is undefined\n\nThe error appears to be in '/etc/ansible/roles/ansible-lockdown/RHEL7-STIG/tasks/fix-cat2.yml': line 2045, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: \"MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.\"\n ^ here\n"}

Lines 2043 and 2056 reference the home_mount variable in the conditions, however the tasks are working with the removable_mount and removable_mount2 variables, respectively. Making the following corrections fixes the issues:

Lines 2043 - original
- "'nosuid' not in home_mounts.options"

Lines 2043 - corrected
- "'nosuid' not in removable_mount.options"

Lines 2056 - original
- "'nosuid' not in home_mounts.options"

Lines 2056 - corrected
- "'nosuid' not in removable_mount2.options"
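
A small static check for this class of bug, added here as an illustration (not code from the RHEL7-STIG role): it flags `when` conditions that read an attribute of a variable no earlier task has defined. The task bodies in the sample are constructed and simplified, and the function names are hypothetical.

```python
import re

# Constructed, simplified tasks modelled on the issue (not copied from fix-cat2.yml).
SAMPLE_TASKS = """\
- name: "PRELIM | locate removable media mounts"
  ansible.builtin.set_fact:
    removable_mount: "{{ ansible_mounts | first }}"
    removable_mount2: "{{ ansible_mounts | last }}"

- name: "RHEL-07-021010 | AUDIT | first mount"
  ansible.builtin.debug: {msg: "nosuid missing"}
  when:
    - "'nosuid' not in home_mounts.options"

- name: "RHEL-07-021010 | AUDIT | second mount"
  ansible.builtin.debug: {msg: "nosuid missing"}
  when:
    - "'nosuid' not in removable_mount2.options"
"""

ATTR_REF = re.compile(r"\b([A-Za-z_]\w*)\.[A-Za-z_]\w*")

def when_conditions(lines):
    """Yield the list items under a task's `when:` key."""
    in_when = False
    for s in map(str.strip, lines):
        if in_when and s.startswith("- "):
            yield s[2:]
        else:
            in_when = s == "when:"

def defined_names(chunk):
    """Names a task defines: `register:` targets plus 4-space set_fact keys."""
    names = set(re.findall(r"^ +register: *(\w+)", chunk, re.M))
    m = re.search(r"set_fact:\n((?: {4}\w+:.*\n?)+)", chunk)
    return names | set(re.findall(r"^ {4}(\w+):", m.group(1), re.M) if m else [])

def undefined_refs(text, predefined=("ansible_mounts",)):
    """Return (task name, variable) for attribute reads of names not yet defined."""
    known, findings = set(predefined), []
    for chunk in re.split(r"(?m)^(?=- name:)", text)[1:]:
        title = chunk.splitlines()[0].split(":", 1)[1].strip().strip('"')
        for cond in when_conditions(chunk.splitlines()):
            bare = re.sub(r"'[^']*'", "", cond)  # ignore string literals
            findings += [(title, v) for v in ATTR_REF.findall(bare) if v not in known]
        known |= defined_names(chunk)  # visible to later tasks only
    return findings
```

Running `undefined_refs(SAMPLE_TASKS)` reports `home_mounts` in the first audit task only; names supplied by role defaults or gathered facts can be passed through `predefined`.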

uk-bolly added a commit that referenced this issue Jan 26, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly added a commit that referenced this issue Feb 14, 2024
* Specify missing state parameter for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Correct with_items indentation for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Replace inline strings with module parameters

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* updated link

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed old

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added new defined secrets file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added precommit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added pragma allow list

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated due to galaxy changes

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* moved file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated path

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed quality badge since galaxy-ng

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Adding additional condition for rhel7stig_grub2_user_cfg for task

Signed-off-by: layluke <layluke@protonmail.com>

* updated the workflow version and galaxy setup

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* rhel7stig_boot_part variable now discovered

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up of rhel7stig_boot_part variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* changed logic on 20620

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated logic for uuid

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed extra line

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed doc dir

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](ansible/ansible-lint@v6.21.1...v6.22.2)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)

* Issue #446 tag update to always - thanks to @prestonSeaman2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* conditional updated 021000 & 021010 #448 thanks @erosen03

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: layluke <layluke@protonmail.com>
Co-authored-by: Anže Luzar <anze.luzar@xlab.si>
Co-authored-by: layluke <layluke@protonmail.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
@uk-bolly uk-bolly self-assigned this Mar 5, 2024

uk-bolly commented Mar 5, 2024

hi @erosen03

Thank you for taking the time to raise this Issue and thank you for the thorough and detailed explanation. This change has been merged into devel and will be released into main over the coming days.

Many thanks

uk-bolly


erosen03 commented Mar 5, 2024

@uk-bolly, you're very welcome. Ansible-lockdown is awesome, and it was my pleasure to have the opportunity to contribute.

uk-bolly added a commit that referenced this issue Mar 6, 2024
* Specify missing state parameter for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Correct with_items indentation for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Replace inline strings with module parameters

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* updated link

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed old

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added new defined secrets file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added precommit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added pragma allow list

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated due to galaxy changes

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* moved file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated path

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed quality badge since galaxy-ng

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Adding additional condition for rhel7stig_grub2_user_cfg for task

Signed-off-by: layluke <layluke@protonmail.com>

* updated the workflow version and galaxy setup

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* rhel7stig_boot_part variable now discovered

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up of rhel7stig_boot_part variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* changed logic on 20620

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated logic for uuid

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed extra line

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed doc dir

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](ansible/ansible-lint@v6.21.1...v6.22.2)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)

* Issue #446 tag update to always - thanks to @prestonSeaman2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* conditional updated 021000 & 021010 #448 thanks @erosen03

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate (#451)

updates:
- [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2)
- [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](ansible/ansible-lint@v6.22.2...v24.2.0)
- [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* [pre-commit.ci] pre-commit autoupdate (#454)

updates:
- [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* Feb 24 updates (#455)

* issue #452 addressed

* issue #453 addressed

* updated for galaxy_ng reqs

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: layluke <layluke@protonmail.com>
Signed-off-by: uk-bolly <mark.bollyuk@gmail.com>
Co-authored-by: Anže Luzar <anze.luzar@xlab.si>
Co-authored-by: layluke <layluke@protonmail.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
@uk-bolly

hi @erosen03

I appreciate the feedback, we do try our best and it is with feedback like this we can continue to improve.
I believe this has now been merged, if you are happy the issue has been addressed we can close this issue?

Many thanks

uk-bolly
