ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Change platform for rules related to partitions #12562

Closed jan-cerny closed 2 weeks ago

jan-cerny commented 2 weeks ago

Change platforms for rules in the disk_partitioning and partitions groups. These rules check mount options or the existence of separate partitions. These rules should not be applicable when building bootable containers and also should be applicable on a running image mode system. Bootable containers and immutable systems have a different filesystem layout where many paths are read-only.

github-actions[bot] commented 2 weeks ago

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] commented 2 weeks ago

This datastream diff is auto generated by the check Compare DS/Generate Diff. Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Click here to see the trimmed diff ```diff Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions' --- xccdf_org.ssgproject.content_rule_encrypt_partitions +++ xccdf_org.ssgproject.content_rule_encrypt_partitions @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot' --- xccdf_org.ssgproject.content_rule_partition_for_boot +++ xccdf_org.ssgproject.content_rule_partition_for_boot @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm' --- xccdf_org.ssgproject.content_rule_partition_for_dev_shm +++ xccdf_org.ssgproject.content_rule_partition_for_dev_shm @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_home' --- xccdf_org.ssgproject.content_rule_partition_for_home +++ xccdf_org.ssgproject.content_rule_partition_for_home @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt' --- xccdf_org.ssgproject.content_rule_partition_for_opt +++ xccdf_org.ssgproject.content_rule_partition_for_opt @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv' --- xccdf_org.ssgproject.content_rule_partition_for_srv +++ xccdf_org.ssgproject.content_rule_partition_for_srv @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp' --- xccdf_org.ssgproject.content_rule_partition_for_tmp +++ xccdf_org.ssgproject.content_rule_partition_for_tmp 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr' --- xccdf_org.ssgproject.content_rule_partition_for_usr +++ xccdf_org.ssgproject.content_rule_partition_for_usr @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var' --- xccdf_org.ssgproject.content_rule_partition_for_var +++ xccdf_org.ssgproject.content_rule_partition_for_var @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' --- xccdf_org.ssgproject.content_rule_partition_for_var_log +++ xccdf_org.ssgproject.content_rule_partition_for_var_log @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' --- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit +++ xccdf_org.ssgproject.content_rule_partition_for_var_log_audit @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' --- xccdf_org.ssgproject.content_rule_partition_for_var_tmp +++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs. --- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled +++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'tmp.mount' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs. --- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled +++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled @@ -1,10 +1,6 @@ -- name: Enable mount tmp - ansible.builtin.systemd: - name: tmp.mount - enabled: 'yes' - state: started - masked: 'false' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-86890-1 - enable_strategy @@ -13,3 +9,21 @@ - low_severity - no_reboot_needed - systemd_tmp_mount_enabled + +- name: Enable mount tmp + ansible.builtin.systemd: + name: tmp.mount + enabled: 'yes' + state: started + masked: 'false' + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + tags: + - CCE-86890-1 + - enable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - systemd_tmp_mount_enabled Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' --- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled +++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { [ -d /sys/firmware/efi ]; }; then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid @@ -1,11 +1,28 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86038-7 + - DISA-STIG-RHEL-08-010572 + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_efi_nosuid + - no_reboot_needed + - name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint' command: findmnt --fstab '/boot/efi' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "/boot/efi" in ansible_mounts | map(attribute="mount") | list - ) + when: + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-86038-7 - DISA-STIG-RHEL-08-010572 
@@ -25,8 +42,10 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/boot/efi" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -55,8 +74,10 @@ - '' - defaults when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/boot/efi" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) 
@@ -78,8 +99,10 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/boot/efi" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-86038-7 @@ -101,8 +124,10 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/boot/efi" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' --- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid @@ -1,2 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-system_boot_mode_is_uefi:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto @@ -1,9 +1,23 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83345-9 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + - name: 'Add noauto Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83345-9 - configure_strategy @@ -20,7 +34,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -45,7 +61,9 @@ - '' - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -64,7 +82,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noauto'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "noauto" not in mount_info.options tags: - CCE-83345-9 @@ -83,7 +103,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' --- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev @@ -1,9 +1,29 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82941-6 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + - name: 'Add nodev Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-82941-6 - NIST-800-53-AC-6 
@@ -26,7 +46,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -57,7 +79,9 @@ - '' - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -82,7 +106,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-82941-6 
@@ -107,7 +133,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' --- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec 
@@ -1,9 +1,23 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83316-0 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noexec + - no_reboot_needed + - name: 'Add noexec Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83316-0 - configure_strategy @@ -20,7 +34,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -45,7 +61,9 @@ - '' - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) 
@@ -64,7 +82,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83316-0 @@ -83,7 +103,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' --- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid @@ -1,9 +1,30 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + - name: 'Add nosuid Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-81033-3 - DISA-STIG-RHEL-08-010571 
@@ -27,7 +48,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -59,7 +82,9 @@ - '' - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -85,7 +110,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-81033-3 
@@ -111,7 +138,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' --- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev 
@@ -1,9 +1,30 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-80837-8 - DISA-STIG-RHEL-08-040120 @@ -27,7 +48,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -59,7 +82,9 @@ - tmpfs - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -85,7 +110,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-80837-8 @@ -111,7 +138,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec @@ -1,9 +1,30 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-80838-6 - DISA-STIG-RHEL-08-040122 
@@ -27,7 +48,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -60,7 +83,9 @@ - tmpfs - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -86,7 +111,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-80838-6 
@@ -112,7 +139,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid 
@@ -1,9 +1,30 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-80839-4 - DISA-STIG-RHEL-08-040121 @@ -27,7 +48,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -60,7 +83,9 @@ - tmpfs - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -86,7 +111,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-80839-4 @@ -112,7 +139,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' --- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota @@ -1,10 +1,26 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86039-5 + - NIST-800-53-CM-6(b) + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_grpquota + - no_reboot_needed + - name: 'Add grpquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "/home" in ansible_mounts | map(attribute="mount") | list ) + when: + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-86039-5 - NIST-800-53-CM-6(b) 
@@ -22,8 +38,10 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -49,8 +67,10 @@ - '' - defaults when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -70,8 +90,10 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota'' }) }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "grpquota" not in mount_info.options tags: - CCE-86039-5 
@@ -91,8 +113,10 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' --- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota @@ -1,2 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-installed_env_mount_home:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev 
@@ -1,10 +1,25 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81048-1 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_home_nodev + - no_reboot_needed + - unknown_severity + - name: 'Add nodev Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "/home" in ansible_mounts | map(attribute="mount") | list ) + when: + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-81048-1 - configure_strategy @@ -21,8 +36,10 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -47,8 +64,10 @@ - '' - defaults when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -67,8 +86,10 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-81048-1 
@@ -87,8 +108,10 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' --- xccdf_org.ssgproject.content_rule_mount_option_home_nodev +++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev @@ -1,2 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-installed_env_mount_home:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec 
@@ -1,9 +1,25 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83328-5 + - DISA-STIG-RHEL-08-010590 + - NIST-800-53-CM-6(b) + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + - name: 'Add noexec Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83328-5 - DISA-STIG-RHEL-08-010590 @@ -22,7 +38,9 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -49,7 +67,9 @@ - '' - defaults when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) 
@@ -70,7 +90,9 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83328-5 @@ -91,7 +113,9 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' --- xccdf_org.ssgproject.content_rule_mount_option_home_noexec +++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 + bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid @@ -1,10 +1,32 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_nosuid + - no_reboot_needed + - name: 'Add nosuid Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "/home" in ansible_mounts | map(attribute="mount") | list ) + when: + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-81050-7 - DISA-STIG-RHEL-08-010570 
@@ -28,8 +50,10 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -61,8 +85,10 @@ - '' - defaults when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -88,8 +114,10 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-81050-7 
@@ -115,8 +143,10 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' --- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid +++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid @@ -1,2 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-installed_env_mount_home:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then +if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs. --- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota 
@@ -1,10 +1,26 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86035-3 + - NIST-800-53-CM-6(b) + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_usrquota + - no_reboot_needed + - name: 'Add usrquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "/home" in ansible_mounts | map(attribute="mount") | list ) + when: + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-86035-3 - NIST-800-53-CM-6(b) @@ -22,8 +38,10 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -49,8 +67,10 @@ - '' - defaults when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -70,8 +90,10 @@ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota'' }) }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "usrquota" not in mount_info.options tags: - CCE-86035-3 
@@ -91,8 +113,10 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: - - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - and "/home" in ansible_mounts | map(attribute="mount") | list ) + - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages + and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) + - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' --- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota +++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota @@ -1,2 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-installed_env_mount_home:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_par ... The diff is trimmed here ... ```
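Review bot: the bash platform guard of the /home mount-option rules (mount_option_home_grpquota, mount_option_home_nodev, mount_option_home_nosuid, mount_option_home_usrquota) changes behaviour beyond the platform swap, and that deserves a sentence in the commit message. The removed line `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then` let a `/home` entry in fstab short-circuit the container checks, because `&&` and `||` share precedence and are evaluated left to right; the added `&& { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }` groups the mount test so the container and package checks are always enforced. That is the correct form, but it also means the remediation no longer runs inside a container that happens to list /home in fstab, which is a silent behavioural change for anyone relying on the old output.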
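Review bot: the new package-based guard `! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} )`, and its Ansible counterpart `not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages )`, evaluates identically during a bootable container build and on a deployed image mode host, since both carry the same three packages. If only the build stage is meant to be excluded, this condition on its own cannot tell the two apart and a runtime indicator would have to be added; if both are meant to be out of scope, please state that explicitly so the expected result on a running image mode host is documented rather than inferred from the check.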
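Review bot: every "Platform has been changed for rule" entry shows the old `-oval:ssg-installed_env_is_a_machine:def:1` line replaced by an empty `+` line (and for the /home rules only `oval:ssg-installed_env_mount_home:def:1` survives as context), so the generated diff does not display any identifier for the new compound platform. Please confirm that the built datastream actually carries the new CPE applicability expression for these rules; the diff output alone cannot show whether the compare tool simply has no way to print an expression-based platform or whether the platform is missing from the datastream.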
jan-cerny commented 2 weeks ago

I have rebased this PR on top of the latest upstream master branch.

matusmarhefka commented 2 weeks ago

What about moving the platform definitions into respective group.yml files?

jan-cerny commented 2 weeks ago

I have rebased this PR on top of the latest upstream master branch. Then, I have moved the common platforms to group.yml.

codeclimate[bot] commented 2 weeks ago

Code Climate has analyzed commit b785ae35 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.