Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mount_option_boot_nosuid fails to remediate with Ansible #11933

Closed
vojtapolasek opened this issue May 2, 2024 · 6 comments · Fixed by #11941
Closed

mount_option_boot_nosuid fails to remediate with Ansible #11933

vojtapolasek opened this issue May 2, 2024 · 6 comments · Fixed by #11941
Assignees
@jan-cerny
Labels
productization-issue Issue found in upstream stabilization process.
Milestone
0.1.73

Comments

@vojtapolasek
Copy link
Collaborator

vojtapolasek commented May 2, 2024
edited

Description of problem:

Remdiation of the rule mount_option_boot_nosuid does not happen because it gets skipped due to conditionals. But the scan after the remediation marks this rule as failing. That suggests that the remediation should happen.

Here is the relevant output from the Ansible playbook. This happens on RHEL 9.4 when anssi_bp28_high profile is selected:

TASK [Add nosuid Option to /boot: Check information associated to mountpoint] ***
ok: [localhost] => {"changed": false, "cmd": ["findmnt", "--fstab", "/boot"], "delta": "0:00:00.003191", "end": "2024-05-01 16:16:36.176566", "failed_when_result": false, "msg": "", "rc": 0, "start": "2024-05-01 16:16:36.173375", "stderr": "", "stderr_lines": [], "stdout": "TARGET SOURCE                                    FSTYPE OPTIONS\n/boot  UUID=14449e35-73b5-4911-b886-8f4e20a75b29 xfs    defaults,noexec", "stdout_lines": ["TARGET SOURCE                                    FSTYPE OPTIONS", "/boot  UUID=14449e35-73b5-4911-b886-8f4e20a75b29 xfs    defaults,noexec"]}

TASK [Add nosuid Option to /boot: Create mount_info dictionary variable] *******
ok: [localhost] => (item=['target', '/boot']) => {"ansible_facts": {"mount_info": {"fstype": "xfs", "options": "defaults,noexec", "source": "UUID=14449e35-73b5-4911-b886-8f4e20a75b29", "target": "/boot"}}, "ansible_loop_var": "item", "changed": false, "item": ["target", "/boot"]}
ok: [localhost] => (item=['source', 'UUID=14449e35-73b5-4911-b886-8f4e20a75b29']) => {"ansible_facts": {"mount_info": {"fstype": "xfs", "options": "defaults,noexec", "source": "UUID=14449e35-73b5-4911-b886-8f4e20a75b29", "target": "/boot"}}, "ansible_loop_var": "item", "changed": false, "item": ["source", "UUID=14449e35-73b5-4911-b886-8f4e20a75b29"]}
ok: [localhost] => (item=['fstype', 'xfs']) => {"ansible_facts": {"mount_info": {"fstype": "xfs", "options": "defaults,noexec", "source": "UUID=14449e35-73b5-4911-b886-8f4e20a75b29", "target": "/boot"}}, "ansible_loop_var": "item", "changed": false, "item": ["fstype", "xfs"]}
ok: [localhost] => (item=['options', 'defaults,noexec']) => {"ansible_facts": {"mount_info": {"fstype": "xfs", "options": "defaults,noexec", "source": "UUID=14449e35-73b5-4911-b886-8f4e20a75b29", "target": "/boot"}}, "ansible_loop_var": "item", "changed": false, "item": ["options", "defaults,noexec"]}

TASK [Add nosuid Option to /boot: If /boot not mounted, craft mount_info manually] ***
skipping: [localhost] => (item=['target', '/boot'])  => {"ansible_loop_var": "item", "changed": false, "item": ["target", "/boot"], "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=['source', ''])  => {"ansible_loop_var": "item", "changed": false, "item": ["source", ""], "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=['fstype', ''])  => {"ansible_loop_var": "item", "changed": false, "item": ["fstype", ""], "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=['options', 'defaults'])  => {"ansible_loop_var": "item", "changed": false, "item": ["options", "defaults"], "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [Add nosuid Option to /boot: Make sure nosuid option is part of the to /boot options] ***
ok: [localhost] => (Redacted by Contest)

TASK [Add nosuid Option to /boot: Ensure /boot is mounted with nosuid option] ***
changed: [localhost] => {"backup_file": "", "boot": "yes", "changed": true, "dump": "0", "fstab": "/etc/fstab", "fstype": "xfs", "name": "/boot", "opts": "defaults,noexec,nosuid", "passno": "0", "src": "UUID=14449e35-73b5-4911-b886-8f4e20a75b29"}

SCAP Security Guide Version:

Stabilization-v0.1.73, commit 0b096bc

Operating System Version:

RHEL 8 and 9

Steps to Reproduce:

1.remediate anssi_bp28_high or stig through Ansible playbook
2.perform oscap scan of the same profile

Actual Results:

rule mount_option_boot_nosuid remediation is skipped but in the end the rule is reported as failed

Expected Results:

The remediation is performed correctly and the final scan shows rule as passing.

Additional Information/Debugging Steps:

Note that for ANSSI High profile, the similar thing happens for the rule mount_option_boot_noexec.
@vojtapolasek vojtapolasek added the productization-issue Issue found in upstream stabilization process. label May 2, 2024
@vojtapolasek vojtapolasek added this to the 0.1.73 milestone May 2, 2024
@jan-cerny
Copy link
Collaborator

From the Ansible output above we can see that only one task of the tasks was skipped and that was the one where the mount_info Ansible fact is created manually if it doesn't exist. But as we can see from the task right above the skipped task the mount_info fact exists in this case, and we can see that the task that actually contains the mount module invocation which is the last task in the output has been executed and ended in the changed state. So I think the remediation actually isn't skipped and even could be performed correctly.

We need to investigate if there is any interference of other tasks with this rules's tasks or anything happening between the time of remediation and a new scan.

@jan-cerny jan-cerny self-assigned this May 3, 2024
@jan-cerny
Copy link
Collaborator

I thinkt that the Ansible Tasks for the rule mount_option_boot_nosuid are in conflict with Ansible Task remediating rule mount_option_nodev_nonroot_local_partitions which is executed after them.

I have done an experiment in which I have removed mount_option_nodev_nonroot_local_partitions from the anssi controls file and rebuild content and executed the given contest test in a lab environment using this command:

tmt -c distro=rhel-9 run -vvva -e CONTEST_CONTENT=/root/content plans -n /plans/default provision -h connect -k ~/.ssh/id_rsa -u root -g $HOSTNAME  discover -h fmf -t /hardening/host-os/ansible/anssi_bp28_high report

In this experiment the rule mount_option_boot_nosuid is passing in the final scan.

Could it be that the Ansible Task for mount_option_nodev_nonroot_local_partitions reinserts the originally gathered ansible_facts but the reality changed meanwhile so it reinserts the original options?

Look to the beaker output in the original run:


TASK [Ensure non-root local partitions are mounted with nodev option] **********
skipping: [localhost] => (item={'mount': '/', 'device': '/dev/mapper/rhel_scap--t9-root', 'fstype': 'xfs', 'options': 'rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota', 'size_total': 37558423552, 'size_available': 34363658240, 'block_size': 4096, 'block_total': 9169537, 'block_available': 8389565, 'block_used': 779972, 'inode_total': 18348032, 'inode_available': 18298009, 'inode_used': 50023, 'uuid': 'e293e634-45dd-4d94-b7b4-39592fdcf8d0'})  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item.mount is match('/\\w')", "item": {"block_available": 8389565, "block_size": 4096, "block_total": 9169537, "block_used": 779972, "device": "/dev/mapper/rhel_scap--t9-root", "fstype": "xfs", "inode_available": 18298009, "inode_total": 18348032, "inode_used": 50023, "mount": "/", "options": "rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota", "size_available": 34363658240, "size_total": 37558423552, "uuid": "e293e634-45dd-4d94-b7b4-39592fdcf8d0"}, "skip_reason": "Conditional result was False"}
changed: [localhost] => (item={'mount': '/boot', 'device': '/dev/vda1', 'fstype': 'xfs', 'options': 'rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota', 'size_total': 1063256064, 'size_available': 824438784, 'block_size': 4096, 'block_total': 259584, 'block_available': 201279, 'block_used': 58305, 'inode_total': 524288, 'inode_available': 523978, 'inode_used': 310, 'uuid': '6ff757af-96dd-4022-aa8a-a5c79ca8dad0'}) => {"ansible_loop_var": "item", "backup_file": "", "boot": "yes", "changed": true, "dump": "0", "fstab": "/etc/fstab", "fstype": "xfs", "item": {"block_available": 201279, "block_size": 4096, "block_total": 259584, "block_used": 58305, "device": "/dev/vda1", "fstype": "xfs", "inode_available": 523978, "inode_total": 524288, "inode_used": 310, "mount": "/boot", "options": "rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota", "size_available": 824438784, "size_total": 1063256064, "uuid": "6ff757af-96dd-4022-aa8a-a5c79ca8dad0"}, "name": "/boot", "opts": "rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota,nodev", "passno": "0", "src": "/dev/vda1"}

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue May 3, 2024
@jan-cerny
Recollect facts in mount_option_nodev_nonroot_local_partitions
c5235f4 
This patch changes the Ansible code for rule
mount_option_nodev_nonroot_local_partitions so that Ansible id forced to
refresh facts about mount points right before running the Ansible Task
for this rule.  The data in facts that were collected at the beginning
of the play can be outdated at point when this Ansible Task is executed
if there is some other Ansible Task that changes mount points, for
example if the Ansible Tasks for rule mount_option_boot_nosuid is before
the Ansible Task for rule mount_option_nodev_nonroot_local_partitions.

Fixes: ComplianceAsCode#11933
@jan-cerny jan-cerny mentioned this issue May 3, 2024
Merged
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue May 7, 2024
@jan-cerny
Recollect facts in mount_option_nodev_nonroot_local_partitions
caae6c9 
This patch changes the Ansible code for rule
mount_option_nodev_nonroot_local_partitions so that Ansible id forced to
refresh facts about mount points right before running the Ansible Task
for this rule.  The data in facts that were collected at the beginning
of the play can be outdated at point when this Ansible Task is executed
if there is some other Ansible Task that changes mount points, for
example if the Ansible Tasks for rule mount_option_boot_nosuid is before
the Ansible Task for rule mount_option_nodev_nonroot_local_partitions.

Fixes: ComplianceAsCode#11933
@jan-cerny jan-cerny mentioned this issue May 7, 2024
Merged
@Mab879
Copy link
Member

Mab879 commented May 7, 2024

In the latest runs, this still seems to be an issue.

@Mab879 Mab879 reopened this May 7, 2024
@Mab879
Copy link
Member

Mab879 commented May 7, 2024

There is a similar issue with image builder on this rule as well.

Is there a possibility they are related?

@vojtapolasek
Copy link
Collaborator Author

I can confirm the issue with the rule appears now in Imagebuilder tests during daily productization.

@vojtapolasek
Copy link
Collaborator Author

I created a different issue to track the problem with Imagebuilder. This issue was originally about Ansible remediation of the rule, Imagebuilder uses Bash remediation.
The new issue is https://github.com/ComplianceAsCode/content/issues/11996I can confirm the issue with the rule appears now in Imagebuilder tests during daily productization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jan-cerny jan-cerny

Labels
productization-issue Issue found in upstream stabilization process.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging a pull request may close this issue.

Recollect facts in mount_option_nodev_nonroot_local_partitions jan-cerny/scap-security-guide
3 participants
@Mab879 @vojtapolasek @jan-cerny