ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline
MIT License

Error "The conditional check ''nosuid' not in home_mount.options' failed" in fix-cat2.yml. Easy code fix. #448

Closed erosen03 closed 4 months ago

erosen03 commented 8 months ago

Lines 2043 and 2056 of fix-cat2.yml appear to have improper condition statements that cause the following error:

TASK [/etc/ansible/roles/ansible-lockdown/RHEL7-STIG : MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.] *** 2024-01-03 00:43:09 fatal: [x.x.x.20]: FAILED! => {"msg": "The conditional check ''nosuid' not in home_mount.options' failed. The error was: error while evaluating conditional ('nosuid' not in home_mount.options): 'home_mount' is undefined. 'home_mount' is undefined\n\nThe error appears to be in '/etc/ansible/roles/ansible-lockdown/RHEL7-STIG/tasks/fix-cat2.yml': line 2045, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: \"MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.\"\n ^ here\n"}

Lines 2043 and 2056 reference the home_mount variable in the conditions; however, the tasks are working with the removable_mount and removable_mount2 variables, respectively. Making the following corrections fixes the issue:

Lines 2043 - original - "'nosuid' not in home_mounts.options"

Lines 2043 - corrected - "'nosuid' not in removable_mount.options"

Lines 2056 - original - "'nosuid' not in home_mounts.options"

Lines 2056 - corrected - "'nosuid' not in removable_mount2.options"
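For readers unfamiliar with the role, this is the shape of the task pair the report describes, written as an added illustration rather than the role's actual fix-cat2.yml: the AUDIT task registers its result under one name and the PATCH task's conditional must reference that same name. The mount point, the findmnt call, the set_fact shape and the task names are assumptions.

```yaml
# Added illustration, not the role's own fix-cat2.yml. The removable-media
# mount point, the findmnt call and the variable names are assumptions.
- name: "MEDIUM | RHEL-07-021010 | AUDIT | Collect mount options of the removable-media mount"
  ansible.builtin.command:
    cmd: findmnt -n -o OPTIONS /media/usb   # assumed removable-media mount point
  register: removable_mount_raw
  changed_when: false
  failed_when: false

- name: "MEDIUM | RHEL-07-021010 | AUDIT | Expose the mount options as a list"
  ansible.builtin.set_fact:
    removable_mount:
      options: "{{ removable_mount_raw.stdout | split(',') }}"
  when: removable_mount_raw.rc == 0

- name: "MEDIUM | RHEL-07-021010 | PATCH | Remount removable media with nosuid"
  ansible.posix.mount:
    path: /media/usb
    opts: nosuid
    state: remounted
  # The conditional names the variable the AUDIT task registered. A conditional
  # that names a different variable (home_mount in the report) fails with
  # "'home_mount' is undefined" instead of evaluating. The "is defined" guard
  # also keeps the task from erroring on hosts with no removable-media mount.
  when:
    - removable_mount is defined
    - "'nosuid' not in removable_mount.options"
```

The same pattern applies to the second task in the report, which registers removable_mount2 and must test removable_mount2.options.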

uk-bolly commented 6 months ago

hi @erosen03

Thank you for taking the time to raise this issue and thank you for the thorough and detailed explanation. This change has been merged into devel and will be released into main over the coming days.

Many thanks

uk-bolly

erosen03 commented 6 months ago

@uk-bolly, you're very welcome. Ansible-lockdown is awesome, and it was my pleasure to have the opportunity to contribute.

uk-bolly commented 4 months ago

hi @erosen03

I appreciate the feedback; we do try our best and it is with feedback like this that we can continue to improve. I believe this has now been merged. If you are happy the issue has been addressed, can we close this issue?

Many thanks

uk-bolly