Recollect facts in mount_option_nodev_nonroot_local_partitions #11941
Conversation
This patch changes the Ansible code for rule mount_option_nodev_nonroot_local_partitions so that Ansible id forced to refresh facts about mount points right before running the Ansible Task for this rule. The data in facts that were collected at the beginning of the play can be outdated at point when this Ansible Task is executed if there is some other Ansible Task that changes mount points, for example if the Ansible Tasks for rule mount_option_boot_nosuid is before the Ansible Task for rule mount_option_nodev_nonroot_local_partitions. Fixes: ComplianceAsCode#11933
jan-cerny
added
the
productization-issue
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -1,3 +1,23 @@
+- name: 'Add nodev Option to Non-Root Local Partitions: Refresh facts'
+ setup:
+ gather_subset: mounts
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82069-6
+ - DISA-STIG-RHEL-08-010580
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_nodev_nonroot_local_partitions
+ - no_reboot_needed
+
- name: Ensure non-root local partitions are mounted with nodev option
mount:
path: '{{ item.mount }}' |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit c5235f4 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
Hi, I think that Automatus CI fails jobs because it's using the container back end. They pass locally if I run them on a virtual machine back end. |
This patch changes the Ansible code for rule
mount_option_nodev_nonroot_local_partitions so that Ansible is forced to refresh facts about mount points right before running the Ansible Task for this rule. The data in facts that were collected at the beginning of the play can be outdated at point when this Ansible Task is executed if there is some other Ansible Task that changes mount points, for example if the Ansible Tasks for rule mount_option_boot_nosuid is before the Ansible Task for rule mount_option_nodev_nonroot_local_partitions.
Fixes: #11933