Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions #11956

Merged
merged 1 commit into from
May 9, 2024
Merged

[stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions #11956

merged 1 commit into from
May 9, 2024

Conversation

jan-cerny
Copy link
Collaborator

This is a port of #11941 to the stabilization-v0.1.73 branch.

This patch changes the Ansible code for rule
mount_option_nodev_nonroot_local_partitions so that Ansible id forced to refresh facts about mount points right before running the Ansible Task for this rule. The data in facts that were collected at the beginning of the play can be outdated at point when this Ansible Task is executed if there is some other Ansible Task that changes mount points, for example if the Ansible Tasks for rule mount_option_boot_nosuid is before the Ansible Task for rule mount_option_nodev_nonroot_local_partitions.

Fixes: #11933

@jan-cerny
Recollect facts in mount_option_nodev_nonroot_local_partitions
caae6c9 
This patch changes the Ansible code for rule
mount_option_nodev_nonroot_local_partitions so that Ansible id forced to
refresh facts about mount points right before running the Ansible Task
for this rule.  The data in facts that were collected at the beginning
of the play can be outdated at point when this Ansible Task is executed
if there is some other Ansible Task that changes mount points, for
example if the Ansible Tasks for rule mount_option_boot_nosuid is before
the Ansible Task for rule mount_option_nodev_nonroot_local_partitions.

Fixes: ComplianceAsCode#11933
@jan-cerny jan-cerny added this to the 0.1.73 milestone May 7, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11956
This image was built from commit: caae6c9

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11956

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11956 make deploy-local

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -1,3 +1,23 @@
+- name: 'Add nodev Option to Non-Root Local Partitions: Refresh facts'
+  setup:
+    gather_subset: mounts
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-82069-6
+  - DISA-STIG-RHEL-08-010580
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_nodev_nonroot_local_partitions
+  - no_reboot_needed
+
 - name: Ensure non-root local partitions are mounted with nodev option
   mount:
     path: '{{ item.mount }}'

@vojtapolasek vojtapolasek self-assigned this May 9, 2024
vojtapolasek
vojtapolasek approved these changes May 9, 2024
View reviewed changes
Copy link
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested with Automatus in rule mode and profile mode on local VM and tests pass.

@vojtapolasek vojtapolasek merged commit 16fe2d1 into ComplianceAsCode:stabilization-v0.1.73 May 9, 2024
99 of 103 checks passed
@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. Ansible Ansible remediation update. labels May 9, 2024
@jan-cerny jan-cerny added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label May 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vojtapolasek vojtapolasek vojtapolasek approved these changes

@Mab879 Mab879 Awaiting requested review from Mab879

@mildas mildas Awaiting requested review from mildas

Assignees

@vojtapolasek vojtapolasek

Labels
Ansible Ansible remediation update. backported-into-stabilization PRs which were cherry-picked during stabilization process. bugfix Fixes to reported bugs.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jan-cerny @vojtapolasek