From cc989d80a71d6d4bb766097d64af27e755822ee4 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 1 Jul 2018 12:15:07 +0200 Subject: [PATCH] Do not disable vfat by default On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)). If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145). Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems --- controls/os_spec.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/controls/os_spec.rb b/controls/os_spec.rb index 09367de..65a065f 100644 --- a/controls/os_spec.rb +++ b/controls/os_spec.rb @@ -210,7 +210,11 @@ its(:content) { should match 'install hfsplus /bin/true' } its(:content) { should match 'install squashfs /bin/true' } its(:content) { should match 'install udf /bin/true' } - its(:content) { should match 'install vfat /bin/true' } + # if efi is active, do not disable vfat. otherwise the system + # won't boot anymore + unless Dir.exist?('/sys/firmware/efi') + its(:content) { should match 'install vfat /bin/true' } + end end end
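Review bot: The guard `unless Dir.exist?('/sys/firmware/efi')` in the `@@ -210,7 +210,11 @@` hunk of controls/os_spec.rb is plain Ruby, so it is evaluated on the machine that runs InSpec rather than on the target being scanned. When the profile is run against a remote host (for example over SSH), the vfat expectation is then kept or skipped according to the scanner's firmware, not the target's: a UEFI target scanned from a BIOS workstation would still fail on `install vfat /bin/true`, and a BIOS target scanned from a UEFI workstation would silently lose the check. I would use an InSpec resource so the test runs against the target, for example `unless file('/sys/firmware/efi').exist?`. It would also help to state the exception in the control's description, so that a report from a UEFI system makes clear that vfat was deliberately left unchecked rather than forgotten.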