Do not disable vfat by default #96
@rndmh3ro I understand it, but can we include a UEFI option? If the UEFI option is set then the vfat test is disabled. Opinion?
@rndmh3ro @mcgege @atomic111 do we have an easy and reliable way to detect UEFI? We can look for a mountpoint, but I do not think this is really reliable and safe. Maybe we should allow vfat per default indeed...

Easiest way seems to check if
On UEFI systems the boot partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)). If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (dev-sec/ansible-collection-hardening#162, dev-sec/ansible-collection-hardening#145). Therefore I propose we do not check for a disabled vfat filesystem if EFI is used on these systems.

I updated the control to only run when EFI is not present on the system.
| its(:content) { should match 'install vfat /bin/true' } | ||
| # if efi is active, do not disable vfat. otherwise the system | ||
| # won't boot anymore | ||
| unless Dir.exist?('/sys/firmware/efi') |
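Review bot: the `unless Dir.exist?('/sys/firmware/efi')` guard on the last line runs as plain Ruby on the host executing InSpec, not on the target being inspected, so with a remote transport (ssh, docker, winrm) it reflects the scanner's firmware and the vfat check can be skipped or enforced on the wrong machine. Route the check through an InSpec resource so it is evaluated on the target's backend, for example a control-level `only_if('vfat is required to boot UEFI systems') { !directory('/sys/firmware/efi').exist? }` in place of the postfix `unless`; this also reports the control as skipped with a reason instead of silently yielding a control with no tests.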
@rndmh3ro maybe we have a bug here. `Dir.exist?` gets executed in the local context and not on the remote system. We should do this check via InSpec resources.
Uh okay, I did not know this... I'll have to take a look.
On UEFI-systems the boot-partition is FAT by default (see here).
If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (dev-sec/ansible-collection-hardening#162, dev-sec/ansible-collection-hardening#145).
Therefore I propose we do not check for a disabled vfat filesystem as vfat is often used on newer systems.