florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role
MIT License

Check mounts doesn't actually check mounts #50

Open andrefecto opened 4 years ago

andrefecto commented 4 years ago

The current setup for checking mounts doesn't actually check for mounts and will always return "OK."

For example, if you run the following playbook on a system that doesn't have /var as a mount:

```yaml
- name: "SCORED | 1.1.5 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_5
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.5
      - skip_ansible_lint
```

Then you'll see this:

```text
TASK [SCORED | 1.1.5 | PATCH | Ensure separate partition exists for /var] ***************************************************************
[WARNING]: Consider using the mount module rather than running 'mount'.  If you need to use command because mount is insufficient you
can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.

ok: [127.0.0.1]
```

But if you run this:

```yaml
- hosts: 127.0.0.1
  connection: local
  tasks:
  - name: See if /var is mounted
    fail:
      msg: "/var is not mounted"
    when: ansible_mounts | selectattr('mount','equalto',"/var") | list | length == 0
  vars:
    mounts: "{{ ansible_mounts }}"
```

You will get the following output:

```text
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "/var is not mounted"}
```

If you change /var to just / in the "when" statement of my playbook, you'll get "skipping: [127.0.0.1]" because / is mounted. So this method can correctly detect mounts.

There are ways to create mounts in Ansible using the mount module here but I'm not sure if you actually want to do that or want to just warn. Either way, I figured I would bring it up for consideration.

Note: I know a lot of people would do these mounts at OS install time so this is moot, but I am using a VM from Digital Ocean which doesn't give you that option, so you have to do it all using the CLI.

florianutz commented 4 years ago

Hi andrefecto. We had a lot of discussions regarding this topic. Long story short: partitions should be defined during setup and not with a hardening role. IMHO, these rules for partitions should not apply to cloud images anyway. There is usually just one volatile partition for the OS and a second block device for persistence if necessary.

andrefecto commented 4 years ago

@florianutz Thanks for the response. I agree that they shouldn't be done on cloud images because after some consideration I realized if I tried to resize my VM, it probably wouldn't work because of the partition table not being what it expects. However, for documenting which CIS rules a system isn't compliant with, it would still be helpful to have it at least warn that those directories aren't mounted.
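An audit-only variant of the check discussed in this thread, added here as an example (it is not code from the issue or from the Ubuntu1804-CIS role). It uses the `ansible_mounts` fact rather than `shell: mount | grep` with `failed_when: false`, so a missing mount is actually reported; the directory list and the `cis_strict_partitions` variable are assumptions for the example.

```yaml
# Added example (not from the issue or the Ubuntu1804-CIS role): report which
# CIS 1.1.x "separate partition" directories are not their own mount point.
# Warns by default; fails only when cis_strict_partitions is set to true.
- hosts: all
  gather_facts: true
  vars:
    # Directories the CIS 1.1.x rules expect on a separate partition (assumed list).
    cis_separate_partitions:
      - /var
      - /var/tmp
      - /var/log
      - /var/log/audit
      - /home
      - /tmp
  tasks:
    - name: Collect the mount points reported by the setup module
      set_fact:
        mounted_paths: "{{ ansible_mounts | map(attribute='mount') | list }}"

    - name: Record which CIS directories are not separate mounts
      set_fact:
        cis_missing_mounts: "{{ cis_separate_partitions | difference(mounted_paths) }}"

    - name: Warn (do not fail) about directories that are not separate partitions
      debug:
        msg: "CIS 1.1.x: no separate partition for {{ item }}"
      loop: "{{ cis_missing_mounts }}"

    - name: Fail only when strict mode is requested
      assert:
        that: cis_missing_mounts | length == 0
        fail_msg: "Missing separate partitions: {{ cis_missing_mounts | join(', ') }}"
      when: cis_strict_partitions | default(false) | bool
```

Run with `-e cis_strict_partitions=true` to turn the warning into a failed task for compliance reporting.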