
Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation #11827

Merged
Mab879 merged 1 commit into ComplianceAsCode:master from evgenyz:fix-nonroot-lp on Apr 16, 2024

Member

@evgenyz evgenyz commented Apr 16, 2024

Description:

  • Don't try to create an fstab entry for /proc/* mtab items.

Rationale:

Don't try to create an fstab entry for '/proc/*' mtab items.
@evgenyz evgenyz added Bash Bash remediation update. STIG STIG Benchmark related. osbuild Related in some way to Image Builder. labels Apr 16, 2024

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -3,7 +3,7 @@
 
 MOUNT_OPTION="nodev"
 # Create array of local non-root partitions
-readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep -v "^/proc" | grep "\s/dev/\w")
 
 # Create array of polyinstantiated directories, in case one of them is found in mtab
 readarray -t polyinstantiated_dirs < \
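
Review bot: the added `grep -v "^/proc"` on the `+` line has no path boundary, so besides `/proc` and `/proc/*` it also discards any record whose mount point merely begins with those characters (for example a local partition mounted at `/procdata`), and such a partition would then never get `nodev` added by this remediation. Anchoring the pattern, e.g. `grep -v "^/proc\(/\|\s\)"`, limits the exclusion to the proc tree itself. A test scenario with a `/proc/*` entry in mtab would also document the case this filter exists for.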

@github-actions

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11827
This image was built from commit: 363c557

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11827

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11827 make deploy-local

@qlty-cloud-legacy

Code Climate has analyzed commit 363c557 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.2% (0.0% change).

View more on Code Climate.

@evgenyz evgenyz added this to the 0.1.73 milestone Apr 16, 2024
@Mab879
Member

Mab879 commented Apr 16, 2024

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2024-04-16-1442/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script missing_multiple_nodev.fail.sh using profile (all) OK
INFO - Script missing_one_nodev.fail.sh using profile (all) OK
INFO - Script local_mounted_during_runtime.fail.sh using profile (all) OK
INFO - Script remote_without_nodev.pass.sh using profile (all) OK

Tests pass locally.

@Mab879 Mab879 self-assigned this Apr 16, 2024
@Mab879 Mab879 merged commit 521db16 into ComplianceAsCode:master Apr 16, 2024
@evgenyz evgenyz deleted the fix-nonroot-lp branch April 17, 2024 20:25
Development

Successfully merging this pull request may close these issues.

Bash remediation against STIG for RHEL9 (maybe others) in Image Builder creates a bogus /etc/fstab entry