
Change platform for rules related to partitions #12562

Merged

Conversation

jan-cerny
Collaborator

Change platforms for rules in the disk_partitioning and partitions groups. These rules check mount options or the existence of separate partitions. These rules should not be applicable when building bootable containers and also should be applicable on a running image mode system. Bootable containers and immutable systems have a different filesystem layout where many paths are read-only.

@jan-cerny jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Nov 1, 2024
@jan-cerny jan-cerny added this to the 0.1.75 milestone Nov 1, 2024
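The applicability rule described above, as an added example that is not part of this PR or of the ComplianceAsCode project: a small POSIX shell script that models the guard the new bash remediations in this PR use (skip when the kernel, rpm-ostree and bootc packages are all installed, and skip inside a container) so its truth table can be inspected with constructed inputs. The function names `verdict`, `platform_applies` and `gather_facts` and the 1/0 fact encoding are assumptions of this example; the probes themselves (`rpm --quiet -q` for the three packages and the two container marker files) are the ones the diff shows.

```shell
#!/bin/sh
# Added example; not code from this PR or from the ComplianceAsCode project.
# It models the platform guard that the new bash remediations in this PR use
# (not "kernel + rpm-ostree + bootc all installed" and not a container) so the
# resulting truth table can be inspected and tested with constructed inputs.
#
# verdict: takes the five facts the guard looks at, each as 1 (true) or 0 (false),
#   kernel rpm_ostree bootc   - is that package installed (rpm --quiet -q <pkg>)
#   dockerenv containerenv    - does /.dockerenv or /run/.containerenv exist
# and prints a one-line decision with its reason.
verdict() {
    kernel=$1; rpm_ostree=$2; bootc=$3; dockerenv=$4; containerenv=$5
    if [ "$kernel" = 1 ] && [ "$rpm_ostree" = 1 ] && [ "$bootc" = 1 ]; then
        # All three packages present: the guard treats this as an image-mode
        # (bootc) system, whether it is being built or is already running.
        echo "not applicable (image-mode system)"
    elif [ "$dockerenv" = 1 ] || [ "$containerenv" = 1 ]; then
        # Container runtime marker files: the same exclusion as before this PR.
        echo "not applicable (container)"
    else
        echo "applicable"
    fi
}

# platform_applies: same inputs; exit status 0 when the rule applies, 1 otherwise,
# so it can be used directly in an `if`.
platform_applies() {
    [ "$(verdict "$@")" = "applicable" ]
}

# gather_facts: collect the five facts from the running host with the same probes
# the remediation guard uses. A missing rpm binary simply counts as "not installed".
gather_facts() {
    k=0; o=0; b=0; d=0; c=0
    rpm --quiet -q kernel     2>/dev/null && k=1
    rpm --quiet -q rpm-ostree 2>/dev/null && o=1
    rpm --quiet -q bootc      2>/dev/null && b=1
    [ -f /.dockerenv ]        && d=1
    [ -f /run/.containerenv ] && c=1
    echo "$k $o $b $d $c"
}

# When run directly: show the facts for this host and the decision they produce.
facts=$(gather_facts)
echo "host facts (kernel rpm-ostree bootc dockerenv containerenv): $facts"
# shellcheck disable=SC2086  # splitting $facts into five arguments is intended
echo "partition/mount-option rules on this host: $(verdict $facts)"
```

Run it with `sh` on a host to see the decision for that host. Feeding `verdict` constructed inputs shows the edge case to keep in mind when reading the description: a host with all three packages installed is excluded even when it is a running system, while a host with only two of them (for example kernel and bootc without rpm-ostree) is still treated as applicable.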

github-actions bot commented Nov 1, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment


github-actions bot commented Nov 1, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
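Review bot: the new platform on the `+` side is an empty line, so this output does not show what the rule's platform now is; it cannot distinguish a combined CPE applicability expression that the Compare DS script does not render from a rule with no platform at all. A missing platform would make encrypt_partitions applicable everywhere, including the bootable-container builds the description says it must exclude, so please confirm in the built datastream that the rule carries the intended platform expression, and consider extending the compare script to print such expressions so platform changes stay reviewable in this diff.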

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot'
--- xccdf_org.ssgproject.content_rule_partition_for_boot
+++ xccdf_org.ssgproject.content_rule_partition_for_boot
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'
--- xccdf_org.ssgproject.content_rule_partition_for_dev_shm
+++ xccdf_org.ssgproject.content_rule_partition_for_dev_shm
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt'
--- xccdf_org.ssgproject.content_rule_partition_for_opt
+++ xccdf_org.ssgproject.content_rule_partition_for_opt
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv'
--- xccdf_org.ssgproject.content_rule_partition_for_srv
+++ xccdf_org.ssgproject.content_rule_partition_for_srv
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr'
--- xccdf_org.ssgproject.content_rule_partition_for_usr
+++ xccdf_org.ssgproject.content_rule_partition_for_usr
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'
--- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs.
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'tmp.mount'

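Review bot: the new guard in the `+` line skips the remediation whenever the `kernel`, `rpm-ostree` and `bootc` packages are all installed, and that is true on a running image-mode host just as much as inside a bootable-container build. The description says these rules should still apply to a running image-mode system; if that intent also covers remediation, this condition is too broad, and if remediation is deliberately build-time only, please say so in the "applicable only in certain platforms" comment above the condition. A failing `rpm --quiet -q` for any other reason (for example no rpm at all) evaluates as "not image mode", which keeps the previous behaviour of excluding only containers. The `! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] )` rewrite is equivalent to the removed `[ ! -f ... ] && [ ! -f ... ]` pair, so there is no behaviour change there.
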
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs.
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1,10 +1,6 @@
-- name: Enable mount tmp
-  ansible.builtin.systemd:
-    name: tmp.mount
-    enabled: 'yes'
-    state: started
-    masked: 'false'
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+  package_facts:
+    manager: auto
   tags:
   - CCE-86890-1
   - enable_strategy
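Review bot: `package_facts:` is written as a short module name while the task it replaces used the fully qualified `ansible.builtin.systemd`; use `ansible.builtin.package_facts` so the generated playbook is consistently FQCN and does not depend on collection search order. The fact-gathering task also has no `when` and inherits the remediation's tag block (`enable_strategy`, `no_reboot_needed`, ...), which is fine for tag-based selection but means a run limited to `--tags systemd_tmp_mount_enabled` now performs a package scan even on hosts where the enabling task will be skipped.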
@@ -13,3 +9,21 @@
   - low_severity
   - no_reboot_needed
   - systemd_tmp_mount_enabled
+
+- name: Enable mount tmp
+  ansible.builtin.systemd:
+    name: tmp.mount
+    enabled: 'yes'
+    state: started
+    masked: 'false'
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  tags:
+  - CCE-86890-1
+  - enable_strategy
+  - low_complexity
+  - low_disruption
+  - low_severity
+  - no_reboot_needed
+  - systemd_tmp_mount_enabled
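Review bot: the `when` expression dereferences `ansible_facts.packages`, which exists only after the "Gather the package facts" task in the previous hunk has run; if this task is executed on its own (for example with `--start-at-task`), the conditional raises an undefined-variable error rather than skipping. If that is acceptable for generated content, fine; otherwise a leading `ansible_facts.packages is defined` condition would make the task fail-safe. As with the bash variant, the condition is also false on a running image-mode host, so `tmp.mount` is not enabled there by this playbook.
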

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled'
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { [ -d /sys/firmware/efi ]; }; then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,11 +1,28 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86038-7
+  - DISA-STIG-RHEL-08-010572
+  - NIST-800-53-CM-6(b)
+  - NIST-800-53-CM-6.1(iv)
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_boot_efi_nosuid
+  - no_reboot_needed
+
 - name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint'
   command: findmnt --fstab '/boot/efi'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/boot/efi" in ansible_mounts | map(attribute="mount") | list
-    )
+  when:
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
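Review bot: the new condition mixes the `ansible_facts.packages` namespace with the legacy top-level variables `ansible_virtualization_type` and `ansible_mounts`; the legacy names depend on the `inject_facts_as_vars` setting (on by default), whereas `ansible_facts.virtualization_type` and `ansible_facts.mounts` always exist once facts are gathered. Using the namespaced form throughout would remove that dependency. Splitting `when:` into a two-item list is otherwise equivalent to the removed single expression, since list items are ANDed.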
@@ -25,8 +42,10 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -55,8 +74,10 @@
     - ''
     - defaults
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -78,8 +99,10 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
       }) }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "nosuid" not in mount_info.options
   tags:
   - CCE-86038-7
@@ -101,8 +124,10 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-system_boot_mode_is_uefi:def:1
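Review bot: the new side keeps only `oval:ssg-system_boot_mode_is_uefi:def:1`, while the bash remediation for this rule (above) combines the UEFI check with the package and container tests; nothing in this hunk shows that combined expression for the XCCDF platform. Please verify that the rule's applicability in the datastream still excludes container builds and is not reduced to "UEFI only", since the compare output evidently does not print expression-based platforms.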

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1,9 +1,23 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-83345-9
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_boot_noauto
+  - no_reboot_needed
+
 - name: 'Add noauto Option to /boot: Check information associated to mountpoint'
   command: findmnt --fstab '/boot'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-83345-9
   - configure_strategy
@@ -20,7 +34,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -45,7 +61,9 @@
     - ''
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -64,7 +82,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noauto''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "noauto" not in mount_info.options
   tags:
   - CCE-83345-9
@@ -83,7 +103,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1,9 +1,29 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-82941-6
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_boot_nodev
+  - no_reboot_needed
+
 - name: 'Add nodev Option to /boot: Check information associated to mountpoint'
   command: findmnt --fstab '/boot'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-82941-6
   - NIST-800-53-AC-6
@@ -26,7 +46,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -57,7 +79,9 @@
     - ''
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -82,7 +106,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "nodev" not in mount_info.options
   tags:
   - CCE-82941-6
@@ -107,7 +133,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1,9 +1,23 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-83316-0
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_boot_noexec
+  - no_reboot_needed
+
 - name: 'Add noexec Option to /boot: Check information associated to mountpoint'
   command: findmnt --fstab '/boot'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-83316-0
   - configure_strategy
@@ -20,7 +34,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -45,7 +61,9 @@
     - ''
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -64,7 +82,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "noexec" not in mount_info.options
   tags:
   - CCE-83316-0
@@ -83,7 +103,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-81033-3
+  - DISA-STIG-RHEL-08-010571
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_boot_nosuid
+  - no_reboot_needed
+
 - name: 'Add nosuid Option to /boot: Check information associated to mountpoint'
   command: findmnt --fstab '/boot'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-81033-3
   - DISA-STIG-RHEL-08-010571
@@ -27,7 +48,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -59,7 +82,9 @@
     - ''
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -85,7 +110,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "nosuid" not in mount_info.options
   tags:
   - CCE-81033-3
@@ -111,7 +138,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
 - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
   command: findmnt  '/dev/shm'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-80837-8
   - DISA-STIG-RHEL-08-040120
@@ -27,7 +48,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -59,7 +82,9 @@
     - tmpfs
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -85,7 +110,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "nodev" not in mount_info.options
   tags:
   - CCE-80837-8
@@ -111,7 +138,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
     length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
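Review bot: the platform hunk shows the rule's platform going from `oval:ssg-installed_env_is_a_machine:def:1` to an empty `+` line, while the bash and ansible remediation hunks above still gate on the three-package bootc test and the container markers, so the two views of the same change disagree. Please confirm that this is the diff tool being unable to render a compound platform expression (the negated bootc test combined with the machine test) rather than the built datastream carrying the rule with no applicability platform at all, which would make the check run inside containers again and lose the point of the PR.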

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     
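Review bot: the new `if` line mixes `{ ...; }` brace groups with `( ... )` subshells used only for grouping, so `! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} )` forks a subshell per evaluation for no effect on the result. An equivalent form without subshells reads `if ! { rpm --quiet -q kernel && rpm --quiet -q rpm-ostree && rpm --quiet -q bootc; } && ! { [ -f /.dockerenv ] || [ -f /run/.containerenv ]; }; then`. The semantics are also worth a comment in the generated snippet: a host counts as image mode only when all three packages are present, and any other outcome (including `rpm` being absent, where the query exits non-zero) falls through to the ordinary machine path.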

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80838-6
+  - DISA-STIG-RHEL-08-040122
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_noexec
+  - no_reboot_needed
+
 - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
   command: findmnt  '/dev/shm'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-80838-6
   - DISA-STIG-RHEL-08-040122
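Review bot: the added `Gather the package facts` task is what makes `"kernel" in ansible_facts.packages` on the following task resolvable, so if the play is started at the `findmnt` task with `--start-at-task`, or the fact-gathering task is otherwise skipped, the `when` raises an undefined-attribute error instead of evaluating to false. Prefixing the platform condition with `ansible_facts.packages is defined and ...` would keep the task skippable rather than failing. A smaller readability point: the condition on the `findmnt` task is a single three-line plain scalar under `when:`, whereas the later hunks in this same file express the same logic as a `when:` list (`- ( not ( "kernel" in ... ) )`); using the list form here too would make the generated playbook consistent.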
@@ -27,7 +48,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -60,7 +83,9 @@
     - tmpfs
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -86,7 +111,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "noexec" not in mount_info.options
   tags:
   - CCE-80838-6
@@ -112,7 +139,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
     length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80839-4
+  - DISA-STIG-RHEL-08-040121
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nosuid
+  - no_reboot_needed
+
 - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
   command: findmnt  '/dev/shm'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-80839-4
   - DISA-STIG-RHEL-08-040121
@@ -27,7 +48,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -60,7 +83,9 @@
     - tmpfs
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -86,7 +111,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "nosuid" not in mount_info.options
   tags:
   - CCE-80839-4
@@ -112,7 +139,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
     length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
 
 function perform_remediation {
     
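Review bot: the replaced `if` line had an operator-precedence problem that this hunk fixes, and the commit message should say so. In `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null`, `||` binds at the same level as `&&` and evaluates left to right, so a `/home` entry in fstab made the whole condition true and bypassed the container check entirely. The new form wraps the two `findmnt` calls in `{ ...; }` and ANDs them with the platform test, giving the intended `platform AND (mounted OR in fstab)`; the same correction is reproduced in the `home_nodev`, `home_nosuid` and `home_usrquota` bash remediations further down.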

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,10 +1,26 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86039-5
+  - NIST-800-53-CM-6(b)
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_home_grpquota
+  - no_reboot_needed
+
 - name: 'Add grpquota Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+  when:
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-86039-5
   - NIST-800-53-CM-6(b)
@@ -22,8 +38,10 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -49,8 +67,10 @@
     - ''
     - defaults
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -70,8 +90,10 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota''
       }) }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "grpquota" not in mount_info.options
   tags:
   - CCE-86039-5
@@ -91,8 +113,10 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-installed_env_mount_home:def:1
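Review bot: this platform hunk does render the remaining `oval:ssg-installed_env_mount_home:def:1` definition but shows nothing in place of the removed `oval:ssg-installed_env_is_a_machine:def:1`, which suggests the diff tool lists only simple OVAL platform references and drops the compound machine/bootc expression. Please verify in the built datastream that the `/home` rules still carry the container and bootc applicability test and not only the mount test; the bash remediation above (`rpm --quiet -q bootc` together with the `/.dockerenv` and `/run/.containerenv` checks) shows what the platform is expected to contain.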

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,10 +1,25 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-81048-1
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - mount_option_home_nodev
+  - no_reboot_needed
+  - unknown_severity
+
 - name: 'Add nodev Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+  when:
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-81048-1
   - configure_strategy
@@ -21,8 +36,10 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -47,8 +64,10 @@
     - ''
     - defaults
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -67,8 +86,10 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
       }) }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "nodev" not in mount_info.options
   tags:
   - CCE-81048-1
@@ -87,8 +108,10 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-installed_env_mount_home:def:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1,9 +1,25 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-83328-5
+  - DISA-STIG-RHEL-08-010590
+  - NIST-800-53-CM-6(b)
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_home_noexec
+  - no_reboot_needed
+
 - name: 'Add noexec Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   tags:
   - CCE-83328-5
   - DISA-STIG-RHEL-08-010590
@@ -22,7 +38,9 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -49,7 +67,9 @@
     - ''
     - defaults
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -70,7 +90,9 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
       }) }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined and "noexec" not in mount_info.options
   tags:
   - CCE-83328-5
@@ -91,7 +113,9 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,10 +1,32 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-81050-7
+  - DISA-STIG-RHEL-08-010570
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_home_nosuid
+  - no_reboot_needed
+
 - name: 'Add nosuid Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+  when:
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-81050-7
   - DISA-STIG-RHEL-08-010570
@@ -28,8 +50,10 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -61,8 +85,10 @@
     - ''
     - defaults
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -88,8 +114,10 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
       }) }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "nosuid" not in mount_info.options
   tags:
   - CCE-81050-7
@@ -115,8 +143,10 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-installed_env_mount_home:def:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
 
 function perform_remediation {
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,10 +1,26 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86035-3
+  - NIST-800-53-CM-6(b)
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_home_usrquota
+  - no_reboot_needed
+
 - name: 'Add usrquota Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
   failed_when: device_name.rc > 1
   changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+  when:
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-86035-3
   - NIST-800-53-CM-6(b)
@@ -22,8 +38,10 @@
   - '{{ device_name.stdout_lines[0].split() | list | lower }}'
   - '{{ device_name.stdout_lines[1].split() | list }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
   tags:
@@ -49,8 +67,10 @@
     - ''
     - defaults
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
@@ -70,8 +90,10 @@
     mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota''
       }) }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "usrquota" not in mount_info.options
   tags:
   - CCE-86035-3
@@ -91,8 +113,10 @@
     state: mounted
     fstype: '{{ mount_info.fstype }}'
   when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/home" in ansible_mounts | map(attribute="mount") | list )
+  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+    in ["docker", "lxc", "openvz", "podman", "container"] ) )
+  - '"/home" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-installed_env_mount_home:def:1
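Review bot: with `oval:ssg-installed_env_is_a_machine:def:1` removed, the only CPE left on this rule is `oval:ssg-installed_env_mount_home:def:1`, so the container and bootc exclusion that the bash and Ansible remediations above enforce must now reach the rule through the group-level platform. Worth confirming in the built datastream that the group platform is actually applied to this rule's applicability; otherwise a bootc image build would still evaluate the `/home` mount check.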

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_par

... The diff is trimmed here ...

Change platforms for rules in disk_partitioning and partitions group.
These rules check mount options or existence of separate partitions.
These rules should not be applicable when building bootable containers
and also should be applicable on a running image mode system. Bootable
containers and immutable systems have a different filesystem layout
where many paths are read-only.
@jan-cerny jan-cerny force-pushed the partition_and_mount branch from 5617586 to 7c5c608 on November 4, 2024 08:24
@jan-cerny
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch.

@matusmarhefka
Member

What about moving the platform definitions into respective group.yml files?

The platform expression "not container and not bootc" is common for
all rules in the "partitions" group.
The platform expression "not container and not bootc" is common for
all rules in the "disk_partitioning" group.
@jan-cerny
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch. Then, I have moved the common platforms to group.yml.


codeclimate bot commented Nov 4, 2024

Code Climate has analyzed commit b785ae3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).


@matusmarhefka matusmarhefka self-assigned this Nov 4, 2024
@matusmarhefka matusmarhefka merged commit 57dc63d into ComplianceAsCode:master Nov 4, 2024
100 of 105 checks passed
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Nov 14, 2024