Add offline capability to the 'mount_option' OVAL template

The template will facilitate a check against /etc/fstab entries using textfilecontent54 test in addition to the partition test.
ComplianceAsCode · Feb 23, 2023 · dda7456 · dda7456
1 parent 7b54fba
commit dda7456
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 8 deletions.
diff --git a/shared/templates/mount_option/oval.template b/shared/templates/mount_option/oval.template
@@ -2,31 +2,66 @@
   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
     {{{ oval_metadata(MOUNTPOINT ~ " should be mounted with mount option " ~ MOUNTOPTION ~ ".") }}}
     <criteria operator="OR">
-      <criterion comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}}"
-        test_ref="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"/>
+      <criteria operator="AND">
+         <!-- In case the mount point must exist in the system we look in both /proc/mounts and /etc/fstab
+              configuration for proper mount options to make sure the mount point is configured correctly
+              now and also it will be configured correctly after reboot -->
+         <criterion comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}}"
+           test_ref="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"/>
+         <criterion comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}} in /etc/fstab"
+           test_ref="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab"/>
+      </criteria>
     {{% if MOUNT_HAS_TO_EXIST == "no" %}}
-      <criterion comment="{{{ MOUNTPOINT }}} does not exist"
-        test_ref="test_{{{ POINTID }}}_no_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"
-        negate="true" />
+      <criteria operator="AND">
+         <!-- When a mountpoint is not expected to always be present in the system we make sure that it
+              is not present in both /proc/mounts and /etc/fstab -->
+         <criterion comment="{{{ MOUNTPOINT }}} does not exist"
+           test_ref="test_{{{ POINTID }}}_no_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"
+           negate="true" />
+         <criterion comment="{{{ MOUNTPOINT }}} does not exist in /etc/fstab"
+           test_ref="test_{{{ POINTID }}}_no_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab"
+           negate="true" />
+      </criteria>
     {{% endif %}}
     </criteria>
   </definition>
 
+
   <linux:partition_object version="1"
     id="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}">
     <linux:mount_point>{{{ MOUNTPOINT }}}</linux:mount_point>
   </linux:partition_object>
 
+  <ind:textfilecontent54_object version="1"
+    id="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab">
+    <ind:filepath>/etc/fstab</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*[\S]+[\s]+{{{ POINTREGEX }}}[\s]+[\S]+[\s]+([\S]+)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
   <linux:partition_state version="1"
     id="state_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}">
 {{% if not MOUNTOPTION_ARG_VAR %}}
     <linux:mount_options datatype="string" entity_check="at least one" operation="equals">{{{ MOUNTOPTION }}}</linux:mount_options>
-  </linux:partition_state>
 {{% else %}}
     <linux:mount_options datatype="string" entity_check="at least one" operation="equals"
       var_ref="local_var_mountoption_{{{ MOUNTOPTION }}}_with_value"/>
+{{% endif %}}
   </linux:partition_state>
 
+  <ind:textfilecontent54_state version="1"
+    id="state_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab">
+    <ind:instance datatype="int">2</ind:instance>
+{{% if not MOUNTOPTION_ARG_VAR %}}
+    <ind:subexpression entity_check="at least one" operation="pattern match">{{{ MOUNTOPTION }}}</ind:subexpression>
+{{% else %}}
+    <ind:subexpression entity_check="at least one" operation="pattern match"
+       var_ref="local_var_mountoption_{{{ MOUNTOPTION }}}_with_value"/>
+{{% endif %}}
+  </ind:textfilecontent54_state>
+
+{{% if MOUNTOPTION_ARG_VAR %}}
   <external_variable datatype="string" id="{{{ MOUNTOPTION_ARG_VAR }}}" version="1"
                      comment="Variable defining the value the argument should have"/>
 
@@ -40,18 +75,33 @@
   </local_variable>
 {{% endif %}}
 
+
   <linux:partition_test check="all" check_existence="all_exist" version="2"
     comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}} optional {{{ MOUNT_HAS_TO_EXIST }}}"
     id="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}">
     <linux:object object_ref="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"/>
     <linux:state state_ref="state_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"/>
   </linux:partition_test>
 
-  {{% if MOUNT_HAS_TO_EXIST == "no" %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+    comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}} optional {{{ MOUNT_HAS_TO_EXIST }}} in /etc/fstab"
+    id="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab">
+    <ind:object object_ref="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab" />
+    <ind:state state_ref="state_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab" />
+  </ind:textfilecontent54_test>
+
+
+{{% if MOUNT_HAS_TO_EXIST == "no" %}}
   <linux:partition_test check="all" check_existence="all_exist" version="1"
     comment="{{{ MOUNTPOINT }}} exists"
     id="test_{{{ POINTID }}}_no_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}">
     <linux:object object_ref="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}"/>
   </linux:partition_test>
-  {{% endif %}}
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+    comment="{{{ MOUNTPOINT }}} exists in /etc/fstab"
+    id="test_{{{ POINTID }}}_no_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab">
+    <ind:object object_ref="object_{{{ POINTID }}}_partition_{{{ MOUNTOPTIONID }}}_optional_{{{ MOUNT_HAS_TO_EXIST }}}_fstab" />
+  </ind:textfilecontent54_test>
+{{% endif %}}
 </def-group>
diff --git a/shared/templates/mount_option/template.py b/shared/templates/mount_option/template.py
@@ -5,6 +5,7 @@
 def _mount_option(data, lang):
     if lang == "oval":
         data["pointid"] = ssg.utils.escape_id(data["mountpoint"])
+        data["pointregex"] = ssg.utils.escape_regex(data["mountpoint"])
     else:
         data["mountoption"] = re.sub(" ", ",", data["mountoption"])
     return data