When implementing a new Fedora profile in #10506, I originally included the following mount option rules:
mount_option_home_nodev
mount_option_home_nosuid
mount_option_tmp_nodev
mount_option_tmp_nosuid
mount_option_tmp_noexec
mount_option_var_nodev
mount_option_var_nosuid
mount_option_var_noexec
mount_option_var_tmp_nodev
mount_option_var_tmp_nosuid
mount_option_var_tmp_noexec
mount_option_var_log_nodev
mount_option_var_log_nosuid
mount_option_var_log_noexec
However, after scanning and remediating a fresh installation of Fedora using the cusp_fedora profile with these rules included, the results were inconsistent. See the attached openscap-report screenshot:
The system only had /home on a separate partition, so both rules were correctly fixed. However, the rest of the directories were not on separate filesystems, so they could not have mount options set on them. The report shows that some resulted in notapplicable, pass or fix failed. They should all either end up notapplicable or failed. This is related to #10431, where the behavior for /tmp and /var/tmp was fixed and the rest of the mount option rules were omitted, but from the remediation results in the screenshot, it seems that the fix does not work for /tmp, only for /var/tmp.
SCAP Security Guide Version:
latest master, OpenSCAP 1.3.7
Operating System Version:
Fedora 37 fresh install VM with 4GB RAM, Fedora 38 fresh install on laptop with 16GB RAM
I agree that adding the mount platform as requested in #10504 should improve the situation. But here we also have a problem with the rules for /tmp, which already have the mount platform.
Steps to Reproduce:
Actual Results:
remediation of mount option rules results in pass or fix failed when the respective directories are not on a separate partition
Expected Results:
remediation of mount option rules results either in failed or notapplicable if the respective directory is not on a separate filesystem
Additional Information/Debugging Steps:
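As an added illustration of the expected semantics (not code from the issue author or from the ComplianceAsCode project), the shell function below evaluates a directory/option pair the way the mount_option_* rules should: notapplicable when the directory is not a mount point of its own, pass when it is and the option is present, fail otherwise. The mounts table is a constructed sample resembling a default Fedora layout where only /, /boot, /home and /tmp are separate filesystems; the rule_result helper's mapping from rule names such as mount_option_var_tmp_noexec to a path and option is an assumption made for this example and is not how the project's OVAL or Bash remediation resolves them.

```bash
#!/bin/bash
# Constructed sample of /proc/self/mounts (not captured from a real host):
# /, /boot, /home and /tmp are separate filesystems; /var, /var/tmp and
# /var/log are plain directories on the root filesystem. /tmp deliberately
# lacks noexec so that one rule yields "fail".
SAMPLE_MOUNTS='/dev/mapper/fedora-root / xfs rw,seclabel,relatime 0 0
/dev/vda1 /boot xfs rw,seclabel,relatime 0 0
/dev/mapper/fedora-home /home xfs rw,seclabel,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0'

# Write the constructed table to a temp file and print its path, so the
# functions below can be exercised without touching the real mount table.
sample_mounts_file() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    echo "$f"
}

# mount_option_result DIR OPTION [MOUNTS_FILE]
# Prints the result a mount_option_* rule should produce for DIR/OPTION:
#   notapplicable - DIR is not a mount point in the mounts table
#   pass          - DIR is a mount point and OPTION is among its options
#   fail          - DIR is a mount point but OPTION is missing
# MOUNTS_FILE defaults to the live /proc/self/mounts.
mount_option_result() {
    local dir="$1" opt="$2" mounts="${3:-/proc/self/mounts}"
    local line opts
    # Field 2 is the mount point; keep the last match so an overmount wins.
    line=$(awk -v d="$dir" '$2 == d { l = $0 } END { print l }' "$mounts")
    if [ -z "$line" ]; then
        echo notapplicable
        return 0
    fi
    # Field 4 is the comma-separated option list; match the option exactly,
    # so "nodev" does not match a hypothetical "xnodev".
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case ",$opts," in
        *",$opt,"*) echo pass ;;
        *)          echo fail ;;
    esac
}

# rule_result RULE [MOUNTS_FILE]
# Assumed mapping for this example only: strip "mount_option_", treat the
# last "_" component as the option and the rest as the path with "_" -> "/".
rule_result() {
    local rule="$1" mounts="$2"
    local body opt path
    body="${rule#mount_option_}"
    opt="${body##*_}"
    path=/$(printf '%s' "${body%_*}" | tr '_' '/')
    mount_option_result "$path" "$opt" "$mounts"
}

# Demo: evaluate the rule list from the issue against the constructed table.
demo_mounts=$(sample_mounts_file)
for rule in mount_option_home_nodev mount_option_home_nosuid \
            mount_option_tmp_nodev mount_option_tmp_nosuid mount_option_tmp_noexec \
            mount_option_var_nodev mount_option_var_nosuid mount_option_var_noexec \
            mount_option_var_tmp_nodev mount_option_var_tmp_nosuid mount_option_var_tmp_noexec \
            mount_option_var_log_nodev mount_option_var_log_nosuid mount_option_var_log_noexec; do
    printf '%-32s %s\n' "$rule" "$(rule_result "$rule" "$demo_mounts")"
done
rm -f "$demo_mounts"
```

Run it without arguments to see the table; to evaluate a live system, call mount_option_result /var/tmp noexec with no third argument so it reads /proc/self/mounts. Note that this only mirrors the intended result categories: it does not apply a remediation, and a real rule also has to consult /etc/fstab so that an option added there is not reported as pass before the filesystem is remounted.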