Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend mount_option_nodev_nonroot_local_partitions #12270

Merged
merged 1 commit into from
Aug 14, 2024

Conversation

jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Aug 6, 2024

Description:

The OVAL check is extended to read also data directly from the /etc/fstab file. This is useful in environments where the mount points are not mounted and OVAL partition objects don't match. For example, this happens in the Image Builder environment.

Similar to: #10200

Fixes: https://issues.redhat.com/browse/RHEL-45018

Review hints:

 python3 tests/automatus.py rule  --dontclean --libvirt qemu:///system ssgts_rhel9 mount_option_nodev_nonroot_local_partitions
cd ~/work/git/contest
tmt -c distro=rhel-9 -c arch=x86_64 run -vvva -e CONTEST_CONTENT_PR=12270 -e CONTEST_OSCAP_PR=2143 -e CONTEST_LEAVE_GUEST_RUNNING=1  plans -n /plans/default provision -h connect -k ~/.ssh/id_rsa -u root -g $YOUR_HOST_NAME -h fmf -t '/hardening/image-builder/anssi_bp28_high$' report -h html

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 6, 2024
Copy link

openshift-ci bot commented Aug 6, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Copy link

github-actions bot commented Aug 6, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

github-actions bot commented Aug 6, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
+++ oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
@@ -1,2 +1,3 @@
 criteria AND
 criterion oval:ssg-test_nodev_nonroot_local_partitions:tst:1
+criterion oval:ssg-test_nodev_nonroot_local_partitions_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -45,6 +45,9 @@
     fi
 done
 
+# Remediate unmounted /etc/fstab entries
+sed -i -E '/nodev/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5;' /etc/fstab
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -18,7 +18,8 @@
   - mount_option_nodev_nonroot_local_partitions
   - no_reboot_needed
 
-- name: Ensure non-root local partitions are mounted with nodev option
+- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
+    are mounted with nodev option'
   mount:
     path: '{{ item.mount }}'
     src: '{{ item.device }}'
@@ -46,3 +47,26 @@
   - medium_severity
   - mount_option_nodev_nonroot_local_partitions
   - no_reboot_needed
+
+- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
+    are present with nodev option in /etc/fstab'
+  ansible.builtin.replace:
+    path: /etc/fstab
+    regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(?!nodev)(\S+)(.*)$
+    replace: \1 \2 \3 \4,nodev \5
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-82069-6
+  - DISA-STIG-RHEL-08-010580
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_nodev_nonroot_local_partitions
+  - no_reboot_needed

Copy link

github-actions bot commented Aug 6, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12270
This image was built from commit: 3361f8c

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12270

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12270 make deploy-local

@jan-cerny jan-cerny added the bugfix Fixes to reported bugs. label Aug 6, 2024
@jan-cerny
Copy link
Collaborator Author

jan-cerny commented Aug 6, 2024

We are currently facing a problem that even though after this change the remediation fixes all items in /etc/fstab, there is still an offending /efi item which is a systemd automount defined in /run/systemd/generator.late/efi.mount.

There are possible solutions. Systemd generators will obey to whatever is written in /etc/fstab. So we either have to forcefully configure the partition, even if it is not present in /etc/fstab or change the rule to ignore the partition(s) in question.

@jan-cerny jan-cerny force-pushed the RHEL-45018 branch 5 times, most recently from f713e95 to 1c52e1b Compare August 8, 2024 13:37
The OVAL check is extended to read also data directly from the
`/etc/fstab` file. This is useful in environments where the
mount points are not mounted and OVAL partition objects don't
matech. For example, this happens in the Image Builder environment.

Similar to: ComplianceAsCode#10200

Resolves: RHEL-45018
@jan-cerny jan-cerny added this to the 0.1.75 milestone Aug 9, 2024
@jan-cerny
Copy link
Collaborator Author

I have improved the check so that it ignores the problematic special parts /boot and /efi which cause problems if used in OS installation. I have rebased the PR on the top of the latest master branch. I will mark it as ready for review.

@jan-cerny jan-cerny marked this pull request as ready for review August 9, 2024 08:36
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 9, 2024
Copy link

codeclimate bot commented Aug 9, 2024

Code Climate has analyzed commit 3361f8c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@vojtapolasek vojtapolasek self-assigned this Aug 12, 2024
Copy link
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
I tested the rule on a local VM and I also ran the test mentioned in the "Hints" section and I confirm that the problem is fixed when compared with the master branch.
I am waiving the CI because it seems there is no /etc/fstab in containers which are used for testing.

@vojtapolasek vojtapolasek merged commit d468c12 into ComplianceAsCode:master Aug 14, 2024
92 of 97 checks passed
vojtapolasek added a commit to vojtapolasek/contest that referenced this pull request Aug 14, 2024
@jan-cerny jan-cerny deleted the RHEL-45018 branch August 14, 2024 18:32
comps pushed a commit to RHSecurityCompliance/contest that referenced this pull request Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bugfix Fixes to reported bugs.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants