
Add offline capability to the 'mount_option' OVAL template #10200

Conversation

@evgenyz (Member) commented Feb 13, 2023

Description:

  • The template will facilitate a check against /etc/fstab entries using a textfilecontent54 test in addition to the partition test.

Rationale:

  • When the system is offline, /proc/mounts is inaccessible (which renders the partition test unusable).

  • We'll back it up with information from /etc/fstab.

  • Mount points that are instantiated by the systemd process must always have proper /etc/fstab entries.

    • until we are able to reliably check and modify systemd's mount units, especially for offline systems.
  • Fixes Offline remediation of fstab permissions fails #9342.

Review Hints:

This PR has grown a bit, let's break down what happened here:

  • [shared/templates/mount_option]:
    • mount_has_to_exist becomes a boolean argument with true as the default value. This harmonizes the template structure with similar templates taking switch-type arguments. The default value allows us to get rid of repetitions.
    • bash and Ansible templates only receive minor changes related to the new type of MOUNT_HAS_TO_EXIST argument.
    • OVAL template receives a new pair of tests (test for proper config ORed with test for absence of the record) based on /etc/fstab entries.
    • the MOUNT_HAS_TO_EXIST parameter now exclusively affects the /etc/fstab-based test.
    • tests/runtime.pass.sh now properly handles all mount options (fixes problems with mount_option_home_grpquota, mount_option_home_usrquota, mount_option_var_tmp_bind, mount_option_proc_hidepid).
    • tests/separate.fail.sh is renamed to tests/separate.pass.sh as this scenario is now considered a correct configuration.
  • [linux_os/guide/system/permissions/partitions/]
    • mount_option_boot_* loses its 'yes' because it is the default value now.
    • mount_option_home_*, mount_option_opt_nosuid, mount_option_srv_nosuid, mount_option_tmp_*, mount_option_var_*** — ditto.
    • mount_option_var_tmp_bind loses its template definition because it is in fact not based on this template and has custom checks and remediations.
    • mount_option_proc_hidepid tests get properly fixed for RHEL9, and the runtime-only scenario is now properly marked as a failing case (no /etc/fstab + mount_has_to_exist: false in the rule).
    • mount_option_dev_shm_*: the runtime-only scenario is now properly marked as a failing case (no /etc/fstab + mount_has_to_exist: false in the rule).
    • mount_option_boot_efi_nosuid loses its mount_has_to_exist: no (default: true) as we don't care about mount options if it does not exist in the system.

This new behaviour is important for /dev/shm and /proc (hidepid requirement) as they are configured and instantiated by the systemd process. Without a proper /etc/fstab entry their configuration cannot be considered correct, even if they are momentarily mounted with proper options.
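Worked model of the check logic described above, added here as an illustration (this is not the project's OVAL or any code from the PR; the sample /etc/fstab and /proc/mounts contents are constructed, and the function and parameter names `parse_mount_table`, `evaluate_rule` and `require_fstab_entry` are assumptions). It mirrors the criteria shape the datastream diff further down shows, AND(OR(runtime test, nothing collected at runtime), OR(fstab test, missing fstab entry tolerated)), with `require_fstab_entry=True` standing for the `_expected` criteria used by the /dev/shm rules (`mount_has_to_exist: false`) and `False` for the `_optional` ones, and `mounts_text=None` standing for an offline scan in which /proc/mounts cannot be read:

```python
"""Model of the reworked mount_option OVAL criteria (added illustration,
not the project's OVAL or Python; inputs are constructed samples).

Shape of the definition as it appears in the datastream diff:

    AND( OR(live mount has the option, nothing collected for the mount point),
         OR(fstab entry has the option, no fstab entry and the rule tolerates that) )
"""
from typing import Dict, Optional, Set

Table = Dict[str, Set[str]]


def parse_mount_table(text: str) -> Table:
    """Parse fstab/mounts-style lines into {mount_point: set(options)}.

    /etc/fstab and /proc/mounts share the same whitespace-separated fields:
    device, mount point, fstype, options, dump, pass. Comment and blank lines
    are skipped; a space inside a path is encoded as \\040 in both files.
    """
    table: Table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # too short to carry an options field; skip, don't crash
        mount_point = fields[1].replace("\\040", " ")
        table[mount_point] = set(fields[3].split(","))  # a later duplicate wins
    return table


def evaluate_rule(mount_point: str, option: str, fstab_text: str,
                  mounts_text: Optional[str], require_fstab_entry: bool) -> dict:
    """Return both halves of the verdict and the overall result.

    mounts_text=None models an offline scan: the partition object collects
    nothing, so the "not collected" alternative of the runtime half passes and
    /etc/fstab alone decides. require_fstab_entry=True corresponds to the
    `_expected` criteria (no `_exist_in_fstab` alternative); False to `_optional`.
    """
    fstab = parse_mount_table(fstab_text)
    mounts = parse_mount_table(mounts_text) if mounts_text is not None else {}

    if mount_point in mounts:
        runtime_ok = option in mounts[mount_point]
    else:
        runtime_ok = True  # `_exist` alternative: nothing is mounted there

    if mount_point in fstab:
        fstab_ok = option in fstab[mount_point]
    else:
        fstab_ok = not require_fstab_entry  # `_exist_in_fstab` alternative, if the rule has one

    return {"runtime_ok": runtime_ok, "fstab_ok": fstab_ok,
            "passes": runtime_ok and fstab_ok}


# Constructed samples, not captured from a real host.
FSTAB_SAMPLE = """\
# /etc/fstab
UUID=1111-2222       /boot/efi  vfat   umask=0077,shortname=winnt  0 2
/dev/mapper/vg-home  /home      xfs    defaults,nodev              0 0
tmpfs                /dev/shm   tmpfs  defaults,nodev,nosuid       0 0
"""

PROC_MOUNTS_SAMPLE = """\
/dev/sda1 /boot/efi vfat rw,relatime,umask=0077 0 0
/dev/mapper/vg-home /home xfs rw,seclabel,relatime,nodev 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    cases = [
        # runtime-only /dev/shm configuration: live mount has noexec, fstab does not
        ("/dev/shm", "noexec", PROC_MOUNTS_SAMPLE, True),
        ("/dev/shm", "nodev", PROC_MOUNTS_SAMPLE, True),
        ("/dev/shm", "nodev", None, True),               # offline scan
        ("/boot/efi", "nosuid", PROC_MOUNTS_SAMPLE, False),
        ("/opt", "nosuid", PROC_MOUNTS_SAMPLE, False),   # not mounted, not in fstab
        ("/opt", "nosuid", None, True),
    ]
    for mp, opt, mounts, required in cases:
        v = evaluate_rule(mp, opt, FSTAB_SAMPLE, mounts, required)
        print(f"{mp:10} {opt:7} offline={str(mounts is None):5} "
              f"required={str(required):5} runtime_ok={str(v['runtime_ok']):5} "
              f"fstab_ok={str(v['fstab_ok']):5} -> {'pass' if v['passes'] else 'fail'}")
```

Running it prints one verdict per case: the first line shows the runtime-only /dev/shm scenario failing although the live mount carries `noexec`, and the `offline=True` lines are decided by /etc/fstab alone because nothing is collected for the runtime half.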

@evgenyz added the labels OVAL (OVAL update. Related to the systems assessments.) and offline (Issues or features of the content related to OpenSCAP's 'offline' mode) on Feb 13, 2023

@jan-cerny jan-cerny self-assigned this Feb 13, 2023
@jan-cerny jan-cerny added this to the 0.1.67 milestone Feb 20, 2023
@evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch from bd3f515 to 56ef0d4 on February 20, 2023 18:46
@evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch 2 times, most recently from ee126ad to dda7456 on February 23, 2023 14:59
@jan-cerny (Collaborator) commented
@evgenyz I have found that some test scenarios that pass in the current upstream master are broken by this PR.

[jcerny@thinkpad scap-security-guide{pr/10200}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_tmp_nodev
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-02-27-1328/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
INFO - Script fstab.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in error, instead of expected fixed during remediation stage 
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'.
ERROR - Script runtime.pass.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'.
WARNING - Script separate.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable
[jcerny@thinkpad scap-security-guide{pr/10200}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible mount_option_tmp_nodev
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-02-27-1334/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
INFO - Script fstab.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 4 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'.
WARNING - Script separate.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable
ERROR - Script runtime.pass.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'.

Please take a look.

@jan-cerny (Collaborator) commented

@evgenyz Any success? Are you able to reproduce this problem?

@evgenyz (Member, Author) commented Mar 8, 2023

Still working on fixes for tests (in the template) and also testing for side-effects in real rules across profiles.

@evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch from dda7456 to 8ec5e52 on March 14, 2023 01:57
@github-actions bot commented Mar 14, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- oval:ssg-mount_option_boot_efi_nosuid:def:1
+++ oval:ssg-mount_option_boot_efi_nosuid:def:1
@@ -1,3 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_boot_efi_partition_nosuid_optional_no:tst:1
-criterion oval:ssg-test_boot_efi_no_partition_nosuid_optional_no:tst:1
+criterion oval:ssg-test_boot_efi_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_boot_efi_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_boot_efi_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_boot_efi_partition_nosuid_optional_exist_in_fstab:tst:1
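Review bot: the generated test ids contradict the parameter they encode. This rule now runs with the default `mount_has_to_exist: true` (per the description), yet its criteria are named `_optional` and both ORs carry an alternative for the mount point being absent (`_optional_exist`, `_optional_exist_in_fstab`), while `dev_shm_*`, which sets `mount_has_to_exist: false`, gets `_expected` criteria with no `_exist_in_fstab` alternative. Whichever polarity is intended, the parameter name, its documentation in the template and the ids should agree, otherwise the next author will invert it; a one-line comment in the template stating what `true` means would be enough. Separately, since the criteria AND the runtime pair with the fstab pair, an offline scan only reduces to the fstab verdict if the partition test resolves to a clean "does not exist" (satisfying `_optional_exist`) rather than an error when /proc/mounts is unreadable; worth confirming with an oscap-chroot run before relying on it.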

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -2,20 +2,26 @@
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -f /sys/firmware/efi ] ); then
 
 function perform_remediation {
+ 
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/boot/efi")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; }
 
 
 
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /boot/efi)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
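Review bot: the new guard at the top of `perform_remediation` returns 1 whenever `/boot/efi` is absent from /etc/fstab, which makes the `if ! grep "$mount_point_match_regexp" /etc/fstab` branch below it unreachable: the /etc/mtab fallback and the `echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab` line (which would write an entry with empty device and fstype fields) are now dead code and should go together with the comment above them. Also, replacing `[ "$(grep -c ...)" -eq 0 ]` with `! grep ...` drops the quiet count, so matching fstab lines are now printed to stdout during remediation; add `-q` to both the `if` and the `elif` greps (the guard already uses it). Note that the guard's regexp also matches commented-out entries (`#... /boot/efi ...`), so a disabled line passes the guard. The same `-q` omission repeats in every rule's bash hunk below.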
@@ -24,8 +30,6 @@
 if mkdir -p "/boot/efi"; then
 if mountpoint -q "/boot/efi"; then
 mount -o remount --target "/boot/efi"
- else
- mount --target "/boot/efi"
 fi
 fi
 }
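Review bot: with the `else: mount --target` branch gone, remediation no longer mounts a filesystem that is in fstab but not currently mounted, which is consistent with the Ansible `state: present` below, but it leaves `mkdir -p "/boot/efi"` doing nothing useful: the only remaining action, `mount -o remount`, is guarded by `mountpoint -q`, which can only succeed if the directory already exists. Either drop the `mkdir -p` wrapper or keep the mount for the not-mounted case deliberately and say why in a comment. The identical hunk appears for every other rule in this diff.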

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,5 +1,5 @@
 - name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint'
- command: findmnt '/boot/efi'
+ command: findmnt --fstab '/boot/efi'
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
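Review bot: `findmnt --fstab '/boot/efi'` with `failed_when: device_name.rc > 1` is fine (rc 1 is "not found"), but the task name still says "Check information associated to mountpoint" while the task now consults only /etc/fstab; rename it, because `device_name` is used further down to decide whether the mount point is configured, and a reader debugging a skipped task will look at the live mount first.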
@@ -57,7 +57,7 @@
 when:
 - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
- - ("" | length == 0)
+ - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
 - CCE-86038-7
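Review bot: `("--fstab" | length == 0)` is a constant that is always false, evaluated by Jinja on every run: the template substitutes the same string into the `findmnt` flags and into a boolean condition. It reads as a bug to anyone who does not have the template in front of them. Render a boolean at template time instead (or omit the condition when it is constant) and leave a comment naming the `mount_has_to_exist` switch it encodes; the same string appears again in the next hunk.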
@@ -97,13 +97,13 @@
 path: /boot/efi
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 and "/boot/efi" in ansible_mounts | map(attribute="mount") | list )
- - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
- length == 0)
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
 tags:
 - CCE-86038-7
 - DISA-STIG-RHEL-08-010572
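Review bot: `state: present` only edits /etc/fstab, so a host whose /boot/efi is already mounted keeps running with the old options until the next reboot, while the bash remediation for the same rule still remounts. For parity, add a follow-up `ansible.posix.mount` task with `state: remounted` conditioned on the path being mounted. Also, the task's `when` still requires `"/boot/efi" in ansible_mounts`, i.e. a live mount, so an fstab entry lacking `nosuid` on a system where /boot/efi is not currently mounted is flagged by the new OVAL but never fixed by this playbook; consider keying the condition on the `findmnt --fstab` result instead.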

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- oval:ssg-mount_option_boot_noauto:def:1
+++ oval:ssg-mount_option_boot_noauto:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_boot_partition_noauto_optional_yes:tst:1
+criterion oval:ssg-test_boot_partition_noauto_optional:tst:1
+criterion oval:ssg-test_boot_partition_noauto_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_boot_partition_noauto_optional_in_fstab:tst:1
+criterion oval:ssg-test_boot_partition_noauto_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /boot)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /boot defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noauto")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noauto"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noauto|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/boot"; then
 if mountpoint -q "/boot"; then
 mount -o remount --target "/boot"
- else
- mount --target "/boot"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noauto' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
@@ -79,7 +79,7 @@
 path: /boot
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- oval:ssg-mount_option_boot_nodev:def:1
+++ oval:ssg-mount_option_boot_nodev:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_boot_partition_nodev_optional_yes:tst:1
+criterion oval:ssg-test_boot_partition_nodev_optional:tst:1
+criterion oval:ssg-test_boot_partition_nodev_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_boot_partition_nodev_optional_in_fstab:tst:1
+criterion oval:ssg-test_boot_partition_nodev_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /boot)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /boot defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/boot"; then
 if mountpoint -q "/boot"; then
 mount -o remount --target "/boot"
- else
- mount --target "/boot"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -103,7 +103,7 @@
 path: /boot
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- oval:ssg-mount_option_boot_noexec:def:1
+++ oval:ssg-mount_option_boot_noexec:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_boot_partition_noexec_optional_yes:tst:1
+criterion oval:ssg-test_boot_partition_noexec_optional:tst:1
+criterion oval:ssg-test_boot_partition_noexec_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_boot_partition_noexec_optional_in_fstab:tst:1
+criterion oval:ssg-test_boot_partition_noexec_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /boot)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/boot"; then
 if mountpoint -q "/boot"; then
 mount -o remount --target "/boot"
- else
- mount --target "/boot"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
@@ -79,7 +79,7 @@
 path: /boot
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- oval:ssg-mount_option_boot_nosuid:def:1
+++ oval:ssg-mount_option_boot_nosuid:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_boot_partition_nosuid_optional_yes:tst:1
+criterion oval:ssg-test_boot_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_boot_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_boot_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_boot_partition_nosuid_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /boot)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/boot"; then
 if mountpoint -q "/boot"; then
 mount -o remount --target "/boot"
- else
- mount --target "/boot"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -107,7 +107,7 @@
 path: /boot
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- oval:ssg-mount_option_dev_shm_nodev:def:1
+++ oval:ssg-mount_option_dev_shm_nodev:def:1
@@ -1,3 +1,6 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1
-criterion oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1
+criterion oval:ssg-test_dev_shm_partition_nodev_expected:tst:1
+criterion oval:ssg-test_dev_shm_partition_nodev_expected_exist:tst:1
+criteria OR
+criterion oval:ssg-test_dev_shm_partition_nodev_expected_in_fstab:tst:1
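Review bot: the second `criteria OR` wraps a single criterion (`_expected_in_fstab`); a bare criterion is clearer than a one-element OR, or the template should emit the OR only when it has two alternatives. The structure otherwise matches the description: the runtime half keeps `_expected_exist`, so /dev/shm not being mounted (or /proc/mounts being unreadable offline) passes that half and the /etc/fstab entry alone carries the verdict, which is exactly the runtime-only case the description wants to fail.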

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -8,14 +8,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
 fi
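Review bot: unlike the boot_efi hunk above, there is no early `return 1` guard here, so the /etc/mtab fallback stays live and appends `tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0` when /dev/shm has no fstab entry. Two things to check: /etc/mtab describes the machine running the script, not an offline target, and when it is missing or has no /dev/shm line the pipeline yields an empty `previous_mount_opts` silently and writes just `defaults,nodev`, dropping any runtime options it was meant to carry over; and `! grep ... /etc/fstab` without `-q` now echoes matching lines to stdout. At minimum add `-q` and log when the fallback could not recover options.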
@@ -24,8 +24,6 @@
 if mkdir -p "/dev/shm"; then
 if mountpoint -q "/dev/shm"; then
 mount -o remount --target "/dev/shm"
- else
- mount --target "/dev/shm"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
@@ -107,7 +107,7 @@
 path: /dev/shm
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- oval:ssg-mount_option_dev_shm_noexec:def:1
+++ oval:ssg-mount_option_dev_shm_noexec:def:1
@@ -1,3 +1,6 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1
-criterion oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1
+criterion oval:ssg-test_dev_shm_partition_noexec_expected:tst:1
+criterion oval:ssg-test_dev_shm_partition_noexec_expected_exist:tst:1
+criteria OR
+criterion oval:ssg-test_dev_shm_partition_noexec_expected_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -8,14 +8,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
 fi
@@ -24,8 +24,6 @@
 if mkdir -p "/dev/shm"; then
 if mountpoint -q "/dev/shm"; then
 mount -o remount --target "/dev/shm"
- else
- mount --target "/dev/shm"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
@@ -108,7 +108,7 @@
 path: /dev/shm
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- oval:ssg-mount_option_dev_shm_nosuid:def:1
+++ oval:ssg-mount_option_dev_shm_nosuid:def:1
@@ -1,3 +1,6 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1
-criterion oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1
+criterion oval:ssg-test_dev_shm_partition_nosuid_expected:tst:1
+criterion oval:ssg-test_dev_shm_partition_nosuid_expected_exist:tst:1
+criteria OR
+criterion oval:ssg-test_dev_shm_partition_nosuid_expected_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -8,14 +8,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -24,8 +24,6 @@
 if mkdir -p "/dev/shm"; then
 if mountpoint -q "/dev/shm"; then
 mount -o remount --target "/dev/shm"
- else
- mount --target "/dev/shm"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
@@ -108,7 +108,7 @@
 path: /dev/shm
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- oval:ssg-mount_option_home_grpquota:def:1
+++ oval:ssg-mount_option_home_grpquota:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_home_partition_grpquota_optional_yes:tst:1
+criterion oval:ssg-test_home_partition_grpquota_optional:tst:1
+criterion oval:ssg-test_home_partition_grpquota_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_home_partition_grpquota_optional_in_fstab:tst:1
+criterion oval:ssg-test_home_partition_grpquota_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "grpquota")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "grpquota"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab
 fi
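Review bot: the `elif` branch's `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|"` interpolates the current option string unescaped into a sed basic regex; values like `x-systemd.automount` or `size=50%` happen to be harmless, but anything containing `[`, `\` or `|` breaks the expression, and the `.*` before it matches the options anywhere to the right of the mount point rather than in the fourth field. This is a context line, so the issue predates the PR, but the branch is being touched anyway and could anchor the match on the field or escape the string.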
@@ -30,8 +30,6 @@
 if mkdir -p "/home"; then
 if mountpoint -q "/home"; then
 mount -o remount --target "/home"
- else
- mount --target "/home"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_grpquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
@@ -83,7 +83,7 @@
 path: /home
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- oval:ssg-mount_option_home_nodev:def:1
+++ oval:ssg-mount_option_home_nodev:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_home_partition_nodev_optional_yes:tst:1
+criterion oval:ssg-test_home_partition_nodev_optional:tst:1
+criterion oval:ssg-test_home_partition_nodev_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_home_partition_nodev_optional_in_fstab:tst:1
+criterion oval:ssg-test_home_partition_nodev_optional_exist_in_fstab:tst:1
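Review bot: the new structure is `criteria AND` over two `criteria OR` groups, but the renamed test ids (`_optional`, `_optional_exist`, `_optional_in_fstab`, `_optional_exist_in_fstab`) no longer say which condition each test asserts, and `_exist` is easy to misread as "must exist" when it presumably covers the case where the partition (or the fstab record) is absent. Put a short comment in the OVAL template next to each test naming its object and `check_existence` value, and note explicitly that the partition-side `_exist` test is what keeps the definition evaluable offline when /proc/mounts cannot be collected.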

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/home"; then
 if mountpoint -q "/home"; then
 mount -o remount --target "/home"
- else
- mount --target "/home"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nodev
@@ -79,7 +79,7 @@
 path: /home
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- oval:ssg-mount_option_home_noexec:def:1
+++ oval:ssg-mount_option_home_noexec:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_home_partition_noexec_optional_yes:tst:1
+criterion oval:ssg-test_home_partition_noexec_optional:tst:1
+criterion oval:ssg-test_home_partition_noexec_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_home_partition_noexec_optional_in_fstab:tst:1
+criterion oval:ssg-test_home_partition_noexec_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/home"; then
 if mountpoint -q "/home"; then
 mount -o remount --target "/home"
- else
- mount --target "/home"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_home_noexec
@@ -87,7 +87,7 @@
 path: /home
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- oval:ssg-mount_option_home_nosuid:def:1
+++ oval:ssg-mount_option_home_nosuid:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_home_partition_nosuid_optional_yes:tst:1
+criterion oval:ssg-test_home_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_home_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_home_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_home_partition_nosuid_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/home"; then
 if mountpoint -q "/home"; then
 mount -o remount --target "/home"
- else
- mount --target "/home"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
@@ -107,7 +107,7 @@
 path: /home
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- oval:ssg-mount_option_home_usrquota:def:1
+++ oval:ssg-mount_option_home_usrquota:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_home_partition_usrquota_optional_yes:tst:1
+criterion oval:ssg-test_home_partition_usrquota_optional:tst:1
+criterion oval:ssg-test_home_partition_usrquota_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_home_partition_usrquota_optional_in_fstab:tst:1
+criterion oval:ssg-test_home_partition_usrquota_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /home defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "usrquota")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "usrquota"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/home"; then
 if mountpoint -q "/home"; then
 mount -o remount --target "/home"
- else
- mount --target "/home"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_home_usrquota' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
+++ xccdf_org.ssgproject.content_rule_mount_option_home_usrquota
@@ -83,7 +83,7 @@
 path: /home
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -20,22 +20,20 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" $mount_point)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|$MOUNT_OPTION)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo "$device $mount_point $device_type defaults,${previous_mount_opts}$MOUNT_OPTION 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "$MOUNT_OPTION")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "$MOUNT_OPTION"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$MOUNT_OPTION|" /etc/fstab
 fi
 if mkdir -p "$mount_point"; then
 if mountpoint -q "$mount_point"; then
 mount -o remount --target "$mount_point"
- else
- mount --target "$mount_point"
 fi
 fi
 fi
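Review bot: the same missing `-q` as in the single-mount-point rules, and here it costs more because this block runs inside the loop over every non-root local partition, so each iteration echoes its /etc/fstab line(s) into the remediation output; use `grep -q` in `if ! grep "$mount_point_match_regexp" /etc/fstab` and in the trailing `grep "$MOUNT_OPTION"`. While this line is being touched, `grep "$MOUNT_OPTION"` without anchors matches the option as a substring anywhere in the fstab line (device name or mount point included), so tightening it to the options field would be worthwhile.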

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.
--- oval:ssg-mount_option_opt_nosuid:def:1
+++ oval:ssg-mount_option_opt_nosuid:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_opt_partition_nosuid_optional_yes:tst:1
+criterion oval:ssg-test_opt_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_opt_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_opt_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_opt_partition_nosuid_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /opt)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/opt"; then
 if mountpoint -q "/opt"; then
 mount -o remount --target "/opt"
- else
- mount --target "/opt"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
@@ -79,7 +79,7 @@
 path: /opt
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid' differs.
--- oval:ssg-mount_option_proc_hidepid:def:1
+++ oval:ssg-mount_option_proc_hidepid:def:1
@@ -1,3 +1,6 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_proc_partition_hidepid_optional_no:tst:1
-criterion oval:ssg-test_proc_no_partition_hidepid_optional_no:tst:1
+criterion oval:ssg-test_proc_partition_hidepid_expected:tst:1
+criterion oval:ssg-test_proc_partition_hidepid_expected_exist:tst:1
+criteria OR
+criterion oval:ssg-test_proc_partition_hidepid_expected_in_fstab:tst:1
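Review bot: for hidepid the fstab-side `criteria OR` contains only `oval:ssg-test_proc_partition_hidepid_expected_in_fstab:tst:1`, with no `_exist_in_fstab` alternative, so the rule now requires an explicit /etc/fstab line for /proc carrying the option. On most systems /proc is mounted by the kernel/initrd and systemd with no fstab entry, so a host whose running /proc already has `hidepid` set (the partition side passes) will fail until the bash fix appends its `proc /proc proc defaults,...$mountoption 0 0` line. If that is the intended policy for rules with `mount_has_to_exist` set, say so in the rule description and add a test scenario for "mounted correctly, absent from fstab".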

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid
+++ xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid
@@ -11,14 +11,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /proc)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "$mountoption")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "$mountoption"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab
 fi
@@ -27,8 +27,6 @@
 if mkdir -p "/proc"; then
 if mountpoint -q "/proc"; then
 mount -o remount --target "/proc"
- else
- mount --target "/proc"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid
+++ xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid
@@ -85,7 +85,7 @@
 path: /proc
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.
--- oval:ssg-mount_option_srv_nosuid:def:1
+++ oval:ssg-mount_option_srv_nosuid:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_srv_partition_nosuid_optional_yes:tst:1
+criterion oval:ssg-test_srv_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_srv_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_srv_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_srv_partition_nosuid_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /srv)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/srv"; then
 if mountpoint -q "/srv"; then
 mount -o remount --target "/srv"
- else
- mount --target "/srv"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
@@ -79,7 +79,7 @@
 path: /srv
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' differs.
--- oval:ssg-mount_option_tmp_nodev:def:1
+++ oval:ssg-mount_option_tmp_nodev:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_tmp_partition_nodev_optional_yes:tst:1
+criterion oval:ssg-test_tmp_partition_nodev_optional:tst:1
+criterion oval:ssg-test_tmp_partition_nodev_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_tmp_partition_nodev_optional_in_fstab:tst:1
+criterion oval:ssg-test_tmp_partition_nodev_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null ); then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
 
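Review bot: dropping `findmnt --kernel "/tmp" > /dev/null` from the applicability test makes the script run where /tmp is not a mount point at all (a plain directory on the root filesystem, or an image remediated offline). In that case nothing in /etc/mtab matches, `previous_mount_opts` is empty, and unless the lines between this hunk and the next one still bail out when the mount point does not exist, the first branch of the next hunk appends `" /tmp defaults,nodev 0 0"` to /etc/fstab with empty device and filesystem-type fields, which is not a usable entry. Either keep a guard that skips when neither the kernel nor /etc/fstab knows the mount point, or make sure the template renders a device and fstype before an entry is written.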
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nodev"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/tmp"; then
 if mountpoint -q "/tmp"; then
 mount -o remount --target "/tmp"
- else
- mount --target "/tmp"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
@@ -3,8 +3,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-82623-0
 - DISA-STIG-RHEL-08-040123
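Review bot: removing `"/tmp" in ansible_mounts | map(attribute="mount") | list` (here and in the four following hunks of this file) mirrors the bash change, but the Ansible side then depends entirely on the `device_name` lookup registered above: `failed_when: device_name.rc > 1` treats "no match" (rc 1) as success with empty stdout, and the later tasks that write the entry are conditioned on `device_name.stdout | length > 0`, so a /tmp that is neither mounted nor listed in /etc/fstab is silently left untouched, while the bash fix for the same rule appends an entry. Decide which behaviour is wanted, make both remediations do the same thing, and add a test scenario for the "no /tmp mount, no fstab entry" case.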
@@ -28,8 +27,7 @@
 - '{{ device_name.stdout_lines[0].split() | list | lower }}'
 - '{{ device_name.stdout_lines[1].split() | list }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -61,8 +59,7 @@
 - ''
 - defaults
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
@@ -86,8 +83,7 @@
 mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
 }) }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - mount_info is defined and "nodev" not in mount_info.options
 tags:
 - CCE-82623-0
@@ -110,11 +106,10 @@
 path: /tmp
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
 | length == 0)
 tags:

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' differs.
--- oval:ssg-mount_option_tmp_noexec:def:1
+++ oval:ssg-mount_option_tmp_noexec:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_tmp_partition_noexec_optional_yes:tst:1
+criterion oval:ssg-test_tmp_partition_noexec_optional:tst:1
+criterion oval:ssg-test_tmp_partition_noexec_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_tmp_partition_noexec_optional_in_fstab:tst:1
+criterion oval:ssg-test_tmp_partition_noexec_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null ); then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
 
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/tmp"; then
 if mountpoint -q "/tmp"; then
 mount -o remount --target "/tmp"
- else
- mount --target "/tmp"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
@@ -3,8 +3,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-82139-7
 - DISA-STIG-RHEL-08-040125
@@ -28,8 +27,7 @@
 - '{{ device_name.stdout_lines[0].split() | list | lower }}'
 - '{{ device_name.stdout_lines[1].split() | list }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -61,8 +59,7 @@
 - ''
 - defaults
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
@@ -87,8 +84,7 @@
 mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
 }) }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - mount_info is defined and "noexec" not in mount_info.options
 tags:
 - CCE-82139-7
@@ -111,11 +107,10 @@
 path: /tmp
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
 | length == 0)
 tags:

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' differs.
--- oval:ssg-mount_option_tmp_nosuid:def:1
+++ oval:ssg-mount_option_tmp_nosuid:def:1
@@ -1,2 +1,7 @@
+criteria AND
 criteria OR
-criterion oval:ssg-test_tmp_partition_nosuid_optional_yes:tst:1
+criterion oval:ssg-test_tmp_partition_nosuid_optional:tst:1
+criterion oval:ssg-test_tmp_partition_nosuid_optional_exist:tst:1
+criteria OR
+criterion oval:ssg-test_tmp_partition_nosuid_optional_in_fstab:tst:1
+criterion oval:ssg-test_tmp_partition_nosuid_optional_exist_in_fstab:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null ); then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
 
@@ -14,14 +14,14 @@
 mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"
 
 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ if ! grep "$mount_point_match_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
 [ "$previous_mount_opts" ] && previous_mount_opts+=","
 echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
 # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "nosuid"; then
 previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
 fi
@@ -30,8 +30,6 @@
 if mkdir -p "/tmp"; then
 if mountpoint -q "/tmp"; then
 mount -o remount --target "/tmp"
- else
- mount --target "/tmp"
 fi
 fi
 }

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
@@ -3,8 +3,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-82140-5
 - DISA-STIG-RHEL-08-040124
@@ -28,8 +27,7 @@
 - '{{ device_name.stdout_lines[0].split() | list | lower }}'
 - '{{ device_name.stdout_lines[1].split() | list }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -61,8 +59,7 @@
 - ''
 - defaults
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
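Review bot: the unchanged `- ("--fstab" | length == 0)` condition tests a string literal, so it is always false and this task can never run; if this is where the renamed boolean `mount_has_to_exist` parameter is meant to be rendered, the rendering looks stale both before and after the change and deserves a look.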
@@ -87,8 +84,7 @@
 mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
 }) }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
 - CCE-82140-5
@@ -111,11 +107,10 @@
 path: /tmp
 src: '{{ mount_info.source }}'
 opts: '{{ mount_info.options }}'
- state: mounted
+ state: present
 fstype: '{{ mount_info.fstype }}'
 when:
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
 | length == 0)
 tags:
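Review bot: `state: present` makes the mount module only write the /etc/fstab entry without mounting or remounting, consistent with the bash change, so an already mounted /tmp keeps running without nosuid until it is remounted. If online remediation is still expected to apply the option immediately, a follow-up task with `state: remounted`, guarded by a check that the path is currently mounted, would preserve that behaviour while keeping the offline path working.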

OVAL for rule 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' differs.
--- oval:ssg-mount_option_var_log_audit_n

... The diff is trimmed here ...

@evgenyz
Member Author

evgenyz commented Mar 14, 2023

@evgenyz I have found that some test scenarios that pass in the current upstream master are broken by this PR.

All tests for mount_option-based rules now pass.

Edit: In VM. In a container they seem to be still failing according to our CI.

@jan-cerny
Collaborator

/retest

@jan-cerny
Collaborator

@evgenyz Thanks for investigating this!

The changes look great!

It fixed the Automatus runs locally for me:

[jcerny@thinkpad scap-security-guide{master}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_tmp_nodev
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-14-1400/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
WARNING - Script separate.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev evaluation resulted in notapplicable
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script fstab.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{master}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_dev_shm_nodev
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-14-1402/test_suite.log
WARNING - Script separate.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
INFO - Script fstab.fail.sh using profile (all) OK
INFO - Script runtime.pass.sh using profile (all) OK
INFO - Script no_partition.pass.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{master}]$ 

However, I find the error that we can see in the Automatus CS8 GitHub CI output very suspicious:

/xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec.sh: line 37: [: : integer expression expected

It seems to me to be a bug in the Bash code.

@evgenyz
Member Author

evgenyz commented Mar 14, 2023

It's not exactly a bug. These rules are not supposed to be executed in a container and they are not ready for /etc/fstab to be non-existent. But we should fix it if just for sake of testing capabilities. Stay tuned.
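The "integer expression expected" failure discussed above comes from the old `grep -c` idiom meeting a missing /etc/fstab. The following is an added example, not code from this PR or from the ComplianceAsCode project: it reproduces both idioms from the bash hunk against a constructed sample fstab (the file content, the temporary paths and the `/tmp` match regex are all assumptions), and adds a small helper that tells "entry absent" apart from "file absent" so a remediation can branch on that explicitly.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code): why `grep -c` in a numeric test
# breaks when the fstab file is missing, and how the exit-status form behaves.
# Every path and the sample fstab below are constructed for this example.

# Write a constructed sample fstab (three typical lines) to the path in $1.
write_sample_fstab() {
  cat > "$1" <<'EOF'
UUID=0000-root /        xfs   defaults               0 0
UUID=0000-tmp  /tmp     xfs   defaults,nodev         0 0
tmpfs          /dev/shm tmpfs defaults,nosuid,nodev  0 0
EOF
}

# Old idiom (the '-' lines): compares grep -c output numerically. On a missing
# file grep prints nothing to stdout, so the test becomes `[ "" -eq 0 ]`,
# which errors with "integer expression expected" and returns 2.
# Arguments: $1 fstab path, $2 mount point regex.
old_entry_missing() {
  [ "$(grep -c "$2" "$1" 2>/dev/null)" -eq 0 ] 2>/dev/null
}

# New idiom (the '+' lines) with -q so the match is not printed: true when no
# entry matches OR the file is absent, false when an entry exists.
new_entry_missing() {
  ! grep -q "$2" "$1" 2>/dev/null
}

# Unambiguous state helper for a remediation to branch on:
# returns 0 = entry absent, 1 = entry present, 2 = fstab file absent.
fstab_entry_state() {
  [ -f "$1" ] || return 2
  grep -q "$2" "$1" && return 1
  return 0
}

# True when option $3 appears in the fourth field (mount options) of the
# fstab entry matching regex $2 in file $1. Whole-token match via grep -x.
fstab_has_option() {
  [ -f "$1" ] || return 1
  grep "$2" "$1" | awk '{print $4}' | tr ',' '\n' | grep -qx "$3"
}

# Stand-alone demo using a throwaway directory.
demo() {
  d=$(mktemp -d); f="$d/fstab"
  write_sample_fstab "$f"
  re='[[:space:]]/tmp[[:space:]]'   # same shape as the template's match regex
  new_entry_missing "$f" "$re" || echo "/tmp is configured in $f"
  fstab_has_option "$f" "$re" nosuid || echo "/tmp entry lacks nosuid"
  old_entry_missing "$d/missing" "$re"
  echo "old idiom on a missing file returned rc=$?"
  new_entry_missing "$d/missing" "$re" && echo "new idiom treats a missing file as 'no entry'"
  rm -rf "$d"
}
```

Run `demo` from an interactive shell after sourcing the file. The point of `fstab_entry_state` is that a remediation which appends to /etc/fstab should know whether it is about to create the file, which is exactly the container case the CI hit.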

@openshift-ci

openshift-ci bot commented Mar 14, 2023

@evgenyz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ocp4-high-node 8ec5e52 link true /test e2e-aws-ocp4-high-node
ci/prow/e2e-aws-rhcos4-moderate 8ec5e52 link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-e8 8ec5e52 link true /test e2e-aws-rhcos4-e8
ci/prow/e2e-aws-rhcos4-high 8ec5e52 link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-ocp4-moderate 8ec5e52 link true /test e2e-aws-ocp4-moderate
ci/prow/e2e-aws-ocp4-high 8ec5e52 link true /test e2e-aws-ocp4-high
ci/prow/e2e-aws-ocp4-stig 8ec5e52 link true /test e2e-aws-ocp4-stig


@evgenyz evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch from 8ec5e52 to 132c4c2 Compare March 22, 2023 12:54
Review comment on shared/macros/10-bash.jinja (outdated, resolved)
Review comment on shared/templates/mount_option/oval.template (outdated, resolved)
Review comment on shared/macros/10-bash.jinja (outdated, resolved)
@evgenyz evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch from 132c4c2 to b1a0195 Compare March 23, 2023 21:38
@jan-cerny
Collaborator

@evgenyz What is the Automatus fail?

The behavior of the rules based on the template changed in ways that:
- rules will fail if the configuration (/etc/fstab) is invalid;
- rules will always ignore absent active mount points (/proc/mounts);
- rules will ignore absent configuration (/etc/fstab) only if
  'mount_has_to_exist' is set to 'true' (which is default).

Remediation behavior remains the same. The 'mount_has_to_exist' is now
a Boolean parameter with the default value 'true'.

This adds 'offline' capability to the rules and better handling of
systemd-mounted filesystems.

As the mount_options template now correctly handles missing
mount points there is no need to add a safeguard platform
to these rules.
@evgenyz evgenyz force-pushed the add_offline_support_for_mount_option_tpl branch from b1a0195 to 76706cd Compare March 27, 2023 10:40
@codeclimate

codeclimate bot commented Mar 27, 2023

Code Climate has analyzed commit 76706cd and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.9% (0.0% change).

View more on Code Climate.

@evgenyz
Member Author

evgenyz commented Mar 27, 2023

So, the tests that are still failing are connected either to broken template tests that are not in the scope of this PR or to the inability of the template's tests to run in a container environment (/proc options).

Collaborator

@jan-cerny jan-cerny left a comment


Thanks for the clarification!

@jan-cerny jan-cerny merged commit 4e762c9 into ComplianceAsCode:master Mar 27, 2023
@evgenyz evgenyz deleted the add_offline_support_for_mount_option_tpl branch July 20, 2023 12:57
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 6, 2024
The OVAL check is extended to read also data directly from the
`/etc/fstab` file. This is useful in environments where the
mount points are not mounted and OVAL partition objects don't
match. For example, this happens in the Image Builder environment.

Similar to: ComplianceAsCode#10200

Resolves: RHEL-45018
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 9, 2024
Labels: offline (issues or features of the content related to OpenSCAP's 'offline' mode); OVAL (OVAL update, related to the systems assessments)
Successfully merging this pull request may close these issues.

Offline remediation of fstab permissions fails
2 participants