
Mount option rules have inconsistent results after remediation #10508

Open
j-ode opened this issue Apr 27, 2023 · 2 comments
Labels
CPE-AL CPE Applicability Language Update Rule Issues or pull requests related to Rules updates.

Comments

j-ode (Collaborator) commented Apr 27, 2023

Description of problem:

When implementing a new Fedora profile in #10506, I originally included the following mount option rules:

  • mount_option_home_nodev
  • mount_option_home_nosuid
  • mount_option_tmp_nodev
  • mount_option_tmp_nosuid
  • mount_option_tmp_noexec
  • mount_option_var_nodev
  • mount_option_var_nosuid
  • mount_option_var_noexec
  • mount_option_var_tmp_nodev
  • mount_option_var_tmp_nosuid
  • mount_option_var_tmp_noexec
  • mount_option_var_log_nodev
  • mount_option_var_log_nosuid
  • mount_option_var_log_noexec

However, after scanning and remediating a fresh installation of Fedora using the cusp_fedora profile with these rules included, the results were inconsistent. See the attached openscap-report screenshot:

The system only had /home on a separate partition, so both rules were correctly fixed. However, the rest of the directories were not on separate filesystems, so they could not have mount options set on them. The report shows that some resulted in notapplicable, pass or fix failed. They should all either end up notapplicable or failed. This is related to #10431, where the behavior for /tmp and /var/tmp was fixed and the rest of the mount option rules were omitted, but from the remediation results in the screenshot, it seems that the fix does not work for /tmp, only for /var/tmp.

SCAP Security Guide Version:

latest master, OpenSCAP 1.3.7

Operating System Version:

Fedora 37 fresh install VM with 4GB RAM, Fedora 38 fresh install on laptop with 16GB RAM

Steps to Reproduce:

  1. Use commit 00ad481 of the branch in PR #10506 (Introduce Fedora and Firefox CaC profiles for common workstation users)
  2. Build the fedora product
  3. Try to scan and remediate a fresh fedora system using oscap/workbench with the cusp_fedora profile

Actual Results:

Remediation of mount option rules results in pass or fix failed when the respective directories are not on a separate partition.

Expected Results:

Remediation of mount option rules results in either failed or notapplicable if the respective directory is not on a separate filesystem.

Additional Information/Debugging Steps:

@j-ode j-ode assigned j-ode and unassigned j-ode Apr 27, 2023
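The decision the reporter expects (a rule is notapplicable when the directory is not its own mount point, and otherwise passes or fails on the option), as an added shell example written for this issue; it is not ComplianceAsContent or OpenSCAP code, and the mount table it reads is a constructed sample rather than a real /proc/self/mounts.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (not from a real system):
# only /home, /tmp and /var/tmp are separate mounts; /var and /var/log are not.
SAMPLE_MOUNTS='/dev/vda2 / ext4 rw,relatime 0 0
/dev/vda3 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0'

# mount_point_of MOUNTS PATH: print the mount point PATH lives on,
# using the longest matching prefix (the same answer findmnt --target gives).
mount_point_of() {
  mounts="$1"; target="$2"
  printf '%s\n' "$mounts" | awk -v t="$target" '
    { mp = $2
      if (mp == "/" || t == mp || index(t, mp "/") == 1) {
        if (length(mp) > length(best)) best = mp } }
    END { print best }'
}

# evaluate_rule MOUNTS PATH OPTION: emulate one mount_option_* rule.
# notapplicable  -> PATH is not a mount point, so no option can be set on it
# pass / fail    -> PATH is a mount point with / without OPTION
evaluate_rule() {
  mounts="$1"; target="$2"; opt="$3"
  mp=$(mount_point_of "$mounts" "$target")
  if [ "$mp" != "$target" ]; then
    echo notapplicable
    return 0
  fi
  opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }')
  case ",$opts," in
    *",$opt,"*) echo pass ;;
    *) echo fail ;;
  esac
}

# Walk the directories named in the issue for one option each.
report_all() {
  for pair in /home:nodev /tmp:noexec /var:nodev /var/tmp:noexec /var/log:nosuid; do
    dir=${pair%%:*}; opt=${pair#*:}
    printf '%-9s %-6s %s\n' "$dir" "$opt" "$(evaluate_rule "$SAMPLE_MOUNTS" "$dir" "$opt")"
  done
}
```

Replace SAMPLE_MOUNTS with the contents of /proc/self/mounts to check a live system; a result of pass or fail for a directory that is not a mount point is exactly the inconsistency described above.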
Mab879 (Member) commented Apr 27, 2023

It appears that #10504 is closely related to this.

jan-cerny (Collaborator) commented

I agree that adding the mount platform as requested in #10504 should improve the situation. But here we also have a problem with rules for /tmp which already have the mount platform.

@marcusburghardt marcusburghardt added Update Rule Issues or pull requests related to Rules updates. CPE-AL CPE Applicability Language labels Aug 28, 2023