Extend mount_option_nodev_nonroot_local_partitions

The OVAL check is extended to read also data directly from the `/etc/fstab` file. This is useful in environments where the mount points are not mounted and OVAL partition objects don't matech. For example, this happens in the Image Builder environment. Similar to: #10200 Resolves: RHEL-45018
ComplianceAsCode · Aug 6, 2024 · c1a358b · c1a358b
1 parent 0c4f15e
commit c1a358b
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 2 deletions.
diff --git a/...tem/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/...tem/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
@@ -8,7 +8,7 @@
   setup:
     gather_subset: mounts
 
-- name: Ensure non-root local partitions are mounted with nodev option
+- name: "{{{ rule_title }}}: Ensure non-root local partitions are mounted with nodev option"
   mount:
     path: "{{ item.mount }}"
     src: "{{ item.device }}"
@@ -20,3 +20,9 @@
     - "item.options is not search('nodev')"
   with_items:
     - "{{ ansible_facts.mounts }}"
+
+- name: "{{{ rule_title }}}: Ensure non-root local partitions are present with nodev option in /etc/fstab"
+  ansible.builtin.replace:
+    path: /etc/fstab
+    regexp: '^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$'
+    replace: '\1 \2 \3 \4,nodev \5'
diff --git a/.../system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/.../system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
@@ -23,3 +23,22 @@ for partition_record in "${partitions_records[@]}"; do
         {{{ bash_ensure_partition_is_mounted("$mount_point") | indent(8)}}}
     fi
 done
+
+# Remediate unmounted /etc/fstab entries
+for partition_record in $(grep -v "^#\|^\s*$" "/etc/fstab") ; do
+    # Get all important information from /etc/fstab
+    device="$(echo ${partition_record} | cut -d " " -f1)"
+    mount_point="$(echo ${partition_record} | cut -d " " -f2)"
+    device_type="$(echo ${partition_record} | cut -d " " -f3)"
+    if [[ "$mount_point" == "/" ]] ; then
+        continue
+    fi
+    if ! printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
+        # device and device_type will be used only in case when the device doesn't have fstab record
+        {{{ bash_ensure_mount_option_in_fstab("$mount_point",
+                                              "$MOUNT_OPTION",
+                                              "$device",
+                                              "$device_type") | indent(8) }}}
+        {{{ bash_ensure_partition_is_mounted("$mount_point") | indent(8)}}}
+    fi
+done
diff --git a/...system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml b/...system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml
@@ -6,9 +6,11 @@
       should exist in the /dev directory on the root partition or within chroot
       jails built for system services. All other locations should not allow
       character and block devices.") }}}
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="nodev on local filesystems"
       test_ref="test_nodev_nonroot_local_partitions" negate="true" />
+      <criterion comment="nodev on local filesystems in /etc/fstab"
+      test_ref="test_nodev_nonroot_local_partitions_in_fstab" />
     </criteria>
   </definition>
   <linux:partition_test check="all" check_existence="all_exist"
@@ -28,4 +30,21 @@
     <linux:mount_options datatype="string" entity_check="all"
     operation="not equal">nodev</linux:mount_options>
   </linux:partition_state>
+
+  <ind:textfilecontent54_test check="all" version="1"
+    comment="nodev on local filesystems in /etc/fstab"
+    id="test_nodev_nonroot_local_partitions_in_fstab">
+    <ind:object object_ref="object_non_root_partitions_in_fstab" />
+    <ind:state state_ref="state_non_root_partitions_in_fstab" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object version="1" id="object_non_root_partitions_in_fstab">
+    <ind:filepath>/etc/fstab</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/\w\S*\s+\S+\s+(\S+)</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state version="1"
+    id="state_non_root_partitions_in_fstab">
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <ind:subexpression operation="pattern match">nodev</ind:subexpression>
+  </ind:textfilecontent54_state>
 </def-group>
diff --git a/...ns/partitions/mount_option_nodev_nonroot_local_partitions/tests/no_nodev_in_fstab.fail.sh b/...ns/partitions/mount_option_nodev_nonroot_local_partitions/tests/no_nodev_in_fstab.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -i -e '/^#/d' -e '/^$/d' -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+    mount -o remount "$partition"
+done
+
+# partition intentionally not mounted to test /etc/fstab detection
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2 defaults
+
+# partition intentionally not mounted to test /etc/fstab detection
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2 defaults