Change platform for rules related to partitions #12562
Conversation
This datastream diff is auto generated by the check.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
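Review bot: the replacement platform line (`+`) is empty, so as rendered the rule `encrypt_partitions` loses its only platform reference (`oval:ssg-installed_env_is_a_machine:def:1`) and would be evaluated everywhere, containers included. If the intended platform is a CPE applicability expression that this diff check does not render (the bash and Ansible hunks further down gate on "not (kernel and rpm-ostree and bootc) and not container"), say so in the PR description; otherwise the `+` line should carry the new platform id. The same empty replacement appears for every `partition_for_*` rule below.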
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot'
--- xccdf_org.ssgproject.content_rule_partition_for_boot
+++ xccdf_org.ssgproject.content_rule_partition_for_boot
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'
--- xccdf_org.ssgproject.content_rule_partition_for_dev_shm
+++ xccdf_org.ssgproject.content_rule_partition_for_dev_shm
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt'
--- xccdf_org.ssgproject.content_rule_partition_for_opt
+++ xccdf_org.ssgproject.content_rule_partition_for_opt
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv'
--- xccdf_org.ssgproject.content_rule_partition_for_srv
+++ xccdf_org.ssgproject.content_rule_partition_for_srv
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr'
--- xccdf_org.ssgproject.content_rule_partition_for_usr
+++ xccdf_org.ssgproject.content_rule_partition_for_usr
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'
--- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs.
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'tmp.mount'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs.
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1,10 +1,6 @@
-- name: Enable mount tmp
- ansible.builtin.systemd:
- name: tmp.mount
- enabled: 'yes'
- state: started
- masked: 'false'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-86890-1
- enable_strategy
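Review bot: the new `Gather the package facts` task keeps the rule's tag list (`CCE-86890-1`, `enable_strategy`, ...), and that is necessary: in a tag-filtered run such as `--tags systemd_tmp_mount_enabled`, an untagged gather task would be skipped and the later `when` would reference an undefined `ansible_facts.packages`. Since every rule in this diff emits its own copy of the task, a playbook built from many rules runs `package_facts` once per rule; if the generator can hoist a single gather task to the start of the playbook, that avoids repeating the package scan for each rule.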
@@ -13,3 +9,21 @@
- low_severity
- no_reboot_needed
- systemd_tmp_mount_enabled
+
+- name: Enable mount tmp
+ ansible.builtin.systemd:
+ name: tmp.mount
+ enabled: 'yes'
+ state: started
+ masked: 'false'
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ tags:
+ - CCE-86890-1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - systemd_tmp_mount_enabled
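Review bot: the re-added `Enable mount tmp` task's `when` is a plain multi-line scalar beginning with `(`; YAML folds it into one expression, so it parses, but an unquoted expression containing `"kernel"` becomes invalid YAML the moment a reflow puts a quote at the start of the value. Quoting the whole expression, as the `'"/boot/efi" in ansible_mounts | map(attribute="mount") | list'` conditions elsewhere in this diff are quoted, removes that risk at no cost.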
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled'
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { [ -d /sys/firmware/efi ]; }; then
function perform_remediation {
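Review bot: the `+if` line appends the UEFI test as `&& { [ -d /sys/firmware/efi ]; }` outside the parenthesised platform group, whereas the removed line had all three tests inside one `( ... )`. The result is correct (both groups must succeed, and `&&` is left-associative), but mixing `( ... )` and `{ ...; }` grouping on one line makes the UEFI part read like an afterthought; normalise to one grouping style so the three platform constraints are visibly peers.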
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,11 +1,28 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86038-7
+ - DISA-STIG-RHEL-08-010572
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_boot_efi_nosuid
+ - no_reboot_needed
+
- name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint'
command: findmnt --fstab '/boot/efi'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/boot/efi" in ansible_mounts | map(attribute="mount") | list
- )
+ when:
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-86038-7
- DISA-STIG-RHEL-08-010572
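Review bot: splitting `when` into a two-item list (the platform predicate and `'"/boot/efi" in ansible_mounts | map(attribute="mount") | list'`) is an improvement over the removed single expression: Ansible ANDs list items, and each item stays short enough to read. Note that the added `Gather the package facts` task has no `when`, so it also runs on containers and bootc hosts; that is harmless, since it only collects facts, and it is required for the following `when` to be evaluable at all.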
@@ -25,8 +42,10 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -55,8 +74,10 @@
- ''
- defaults
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -78,8 +99,10 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-86038-7
@@ -101,8 +124,10 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-system_boot_mode_is_uefi:def:1
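Review bot: here the machine platform reference is removed and `oval:ssg-system_boot_mode_is_uefi:def:1` is kept with no `+` line added, consistent with the empty replacement shown for the other rules. Confirm that the resulting datastream platform for this rule is "UEFI and the new platform", not just "UEFI"; if the new platform is a CPE applicability expression that this diff check cannot display, the PR description should note it so reviewers do not read this hunk as a loss of the container/bootc exclusion.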
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1,9 +1,23 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83345-9
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_boot_noauto
+ - no_reboot_needed
+
- name: 'Add noauto Option to /boot: Check information associated to mountpoint'
command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83345-9
- configure_strategy
@@ -20,7 +34,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +61,9 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -64,7 +82,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noauto''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noauto" not in mount_info.options
tags:
- CCE-83345-9
@@ -83,7 +103,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1,9 +1,29 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-82941-6
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_boot_nodev
+ - no_reboot_needed
+
- name: 'Add nodev Option to /boot: Check information associated to mountpoint'
command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-82941-6
- NIST-800-53-AC-6
@@ -26,7 +46,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -57,7 +79,9 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -82,7 +106,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-82941-6
@@ -107,7 +133,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1,9 +1,23 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83316-0
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_boot_noexec
+ - no_reboot_needed
+
- name: 'Add noexec Option to /boot: Check information associated to mountpoint'
command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83316-0
- configure_strategy
@@ -20,7 +34,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -45,7 +61,9 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -64,7 +82,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83316-0
@@ -83,7 +103,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81033-3
+ - DISA-STIG-RHEL-08-010571
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_boot_nosuid
+ - no_reboot_needed
+
- name: 'Add nosuid Option to /boot: Check information associated to mountpoint'
command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-81033-3
- DISA-STIG-RHEL-08-010571
@@ -27,7 +48,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -59,7 +82,9 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -85,7 +110,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-81033-3
@@ -111,7 +138,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80837-8
+ - DISA-STIG-RHEL-08-040120
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-80837-8
- DISA-STIG-RHEL-08-040120
@@ -27,7 +48,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -59,7 +82,9 @@
- tmpfs
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -85,7 +110,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-80837-8
@@ -111,7 +138,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80838-6
+ - DISA-STIG-RHEL-08-040122
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-80838-6
- DISA-STIG-RHEL-08-040122
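Review bot: the new `Gather the package facts` task is unconditional and is emitted once per rule, so a profile playbook containing every mount_option_* rule will run `package_facts` dozens of times against the same host; if the playbook build does not deduplicate it, a `when: ansible_facts.packages is not defined` on the task would keep the following `when` expressions working while gathering the facts only once. Carrying the full rule tag list on the task is the right call, since a `--tags mount_option_dev_shm_noexec` run would otherwise skip the fact gathering and hit an undefined `ansible_facts.packages` in the very next task.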
@@ -27,7 +48,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +83,9 @@
- tmpfs
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -86,7 +111,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-80838-6
@@ -112,7 +139,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1,9 +1,30 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80839-4
+ - DISA-STIG-RHEL-08-040121
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-80839-4
- DISA-STIG-RHEL-08-040121
@@ -27,7 +48,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -60,7 +83,9 @@
- tmpfs
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -86,7 +111,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-80839-4
@@ -112,7 +139,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
function perform_remediation {
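Review bot: the old guard `A && B && findmnt --kernel … || findmnt --fstab …` parsed as `(A && B && kernel) || fstab`, so any host with `/home` in /etc/fstab bypassed the container test entirely; the new line groups the two findmnt calls in `{ …; }` and ANDs them with the platform check, which fixes that precedence bug as a side effect. This changes behaviour for containers that carry an fstab entry for /home (they are now correctly skipped), so it deserves a sentence in the commit message; the same fix appears in the nodev, nosuid and usrquota variants below.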
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,10 +1,26 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86039-5
+ - NIST-800-53-CM-6(b)
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_home_grpquota
+ - no_reboot_needed
+
- name: 'Add grpquota Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+ when:
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-86039-5
- NIST-800-53-CM-6(b)
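Review bot: the `/home` applicability test on the ansible side still uses `ansible_mounts`, i.e. currently mounted filesystems only, while the bash guard for the same rule accepts either `findmnt --kernel` or `findmnt --fstab`; a host with `/home` defined in fstab but not mounted at run time is remediated by the bash snippet (and the task itself queries `findmnt --fstab '/home'`) but skipped by ansible. This predates the PR, but since the `when` is being rewritten anyway, either consulting a `findmnt --fstab '/home'` probe in the condition or documenting the asymmetry would keep the two remediations consistent with the retained `installed_env_mount_home` platform.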
@@ -22,8 +38,10 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -49,8 +67,10 @@
- ''
- defaults
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -70,8 +90,10 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota''
}) }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "grpquota" not in mount_info.options
tags:
- CCE-86039-5
@@ -91,8 +113,10 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,10 +1,25 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81048-1
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
- name: 'Add nodev Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+ when:
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-81048-1
- configure_strategy
@@ -21,8 +36,10 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -47,8 +64,10 @@
- ''
- defaults
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -67,8 +86,10 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
}) }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-81048-1
@@ -87,8 +108,10 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation {
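Review bot: unlike the grpquota, nodev, nosuid and usrquota /home rules in this diff, mount_option_home_noexec has no `findmnt --kernel/--fstab "/home"` term in its bash guard, its ansible tasks carry no `"/home" in ansible_mounts` condition, and its platform hunk further down lists only the machine platform and no `installed_env_mount_home`, so this remediation is not guarded against a host without a separate /home. Since the PR is reworking the platforms of the whole group, adding the `mount_home` platform to this rule would align it with its siblings.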
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1,9 +1,25 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83328-5
+ - DISA-STIG-RHEL-08-010590
+ - NIST-800-53-CM-6(b)
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_home_noexec
+ - no_reboot_needed
+
- name: 'Add noexec Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83328-5
- DISA-STIG-RHEL-08-010590
@@ -22,7 +38,9 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -49,7 +67,9 @@
- ''
- defaults
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -70,7 +90,9 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
}) }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83328-5
@@ -91,7 +113,9 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec'
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,10 +1,32 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81050-7
+ - DISA-STIG-RHEL-08-010570
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_home_nosuid
+ - no_reboot_needed
+
- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+ when:
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-81050-7
- DISA-STIG-RHEL-08-010570
@@ -28,8 +50,10 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -61,8 +85,10 @@
- ''
- defaults
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -88,8 +114,10 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
}) }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-81050-7
@@ -115,8 +143,10 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
function perform_remediation {
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,10 +1,26 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86035-3
+ - NIST-800-53-CM-6(b)
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_home_usrquota
+ - no_reboot_needed
+
- name: 'Add usrquota Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/home" in ansible_mounts | map(attribute="mount") | list )
+ when:
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-86035-3
- NIST-800-53-CM-6(b)
@@ -22,8 +38,10 @@
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
@@ -49,8 +67,10 @@
- ''
- defaults
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
@@ -70,8 +90,10 @@
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota''
}) }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "usrquota" not in mount_info.options
tags:
- CCE-86035-3
@@ -91,8 +113,10 @@
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/home" in ansible_mounts | map(attribute="mount") | list )
+ - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
+ - '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota'
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-installed_env_mount_home:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_par
... The diff is trimmed here ...
Change platforms for rules in the disk_partitioning and partitions groups. These rules check mount options or existence of separate partitions. These rules should not be applicable when building bootable containers and also should be applicable on a running image mode system. Bootable containers and immutable systems have a different filesystem layout where many paths are read-only.
5617586 to 7c5c608
I have rebased this PR on top of the latest upstream master branch.
What about moving the platform definitions into respective
The platform expression "not container and not bootc" is common for all rules in the "partitions" group.
The platform expression "not container and not bootc" is common for all rules in the "disk_partitioning" group.
I have rebased this PR on top of the latest upstream master branch. Then, I moved the common platforms to group.yml.
Code Climate has analyzed commit b785ae3 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate.
57dc63d into ComplianceAsCode:master