Exclude remote mounted filesystems from local partition nodev tasks #13530
Conversation
…ng remounted with nodev when only local partitions are meant to be targeted
Hi @ev-not-eve. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -9,38 +9,73 @@
readarray -t polyinstantiated_dirs < \
<(grep -oP "^\s*[^#\s]+\s+\S+" /etc/security/namespace.conf | grep -oP "(?<=\s)\S+?(?=/?\$)")
+# Define excluded non-local file systems
+excluded_fstypes=(
+ afs
+ autofs
+ ceph
+ cifs
+ smb3
+ smbfs
+ sshfs
+ ncpfs
+ ncp
+ nfs
+ nfs4
+ gfs
+ gfs2
+ glusterfs
+ gpfs
+ pvfs2
+ ocfs2
+ lustre
+ davfs
+ fuse.sshfs
+)
for partition_record in "${partitions_records[@]}"; do
# Get all important information for fstab
- mount_point="$(echo ${partition_record} | cut -d " " -f1)"
- device="$(echo ${partition_record} | cut -d " " -f2)"
- device_type="$(echo ${partition_record} | cut -d " " -f3)"
- if ! printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
- # device and device_type will be used only in case when the device doesn't have fstab record
- mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" $mount_point)"
+ mount_point="$(echo "${partition_record}" | cut -d " " -f1)"
+ device="$(echo "${partition_record}" | cut -d " " -f2)"
+ device_type="$(echo "${partition_record}" | cut -d " " -f3)"
- # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
- if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
- # runtime opts without some automatic kernel/userspace-added defaults
- previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
- | sed -E "s/(rw|defaults|seclabel|$MOUNT_OPTION)(,|$)//g;s/,$//")
- [ "$previous_mount_opts" ] && previous_mount_opts+=","
- # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
- # fstab as "block". The next variable is to satisfy shellcheck SC2050.
- fs_type="$device_type"
- if [ "$fs_type" == "iso9660" ] ; then
- previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
- fi
- echo "$device $mount_point $device_type defaults,${previous_mount_opts}$MOUNT_OPTION 0 0" >> /etc/fstab
- # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
- elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$MOUNT_OPTION"; then
- previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
- sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$MOUNT_OPTION|" /etc/fstab
+ # Skip polyinstantiated directories
+ if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
+ continue
+ fi
+
+ # Skip any non-local filesystem
+ for excluded_fstype in "${excluded_fstypes[@]}"; do
+ if [[ "$device_type" == "$excluded_fstype" ]]; then
+ # jump out of both loops and move to next partition_record
+ continue 2
fi
- if mkdir -p "$mount_point"; then
- if mountpoint -q "$mount_point"; then
- mount -o remount --target "$mount_point"
- fi
+ done
+
+ # If we reach here, it's a local, non-root partition that isn't excluded.
+ mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" $mount_point)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|$MOUNT_OPTION)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+ # fstab as "block". The next variable is to satisfy shellcheck SC2050.
+ fs_type="$device_type"
+ if [ "$fs_type" == "iso9660" ] ; then
+ previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+ fi
+ echo "$device $mount_point $device_type defaults,${previous_mount_opts}$MOUNT_OPTION 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$MOUNT_OPTION"; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$MOUNT_OPTION|" /etc/fstab
+ fi
+ if mkdir -p "$mount_point"; then
+ if mountpoint -q "$mount_point"; then
+ mount -o remount --target "$mount_point"
fi
fi
done
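Review bot: the exclusion test `if [[ "$device_type" == "$excluded_fstype" ]]` is an exact string match, so of the FUSE-backed types only `fuse.sshfs` is caught and a mount reported as, for example, `fuse.glusterfs` would still be appended to fstab and remounted with nodev; a prefix test such as `[[ "$device_type" == fuse.* ]]` before the list walk, or one case pattern that mirrors the single regex the later OVAL commit uses, would cover those and keep Bash and OVAL from drifting as types are added. Two smaller points: the three `cut` lines now quote `"${partition_record}"` but `mount_point_match_regexp="$(printf ... $mount_point)"` still passes `$mount_point` unquoted, and everything from the `/etc/fstab` check down to the `mountpoint -q` block is unchanged code re-indented one level, which makes the actual change (the `continue 2` early exit) harder to see than it needs to be.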
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -40,6 +40,50 @@
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
+- name: 'Add nodev Option to Non-Root Local Partitions: Define excluded (non-local)
+ file systems'
+ ansible.builtin.set_fact:
+ excluded_fstypes:
+ - afs
+ - autofs
+ - ceph
+ - cifs
+ - smb3
+ - smbfs
+ - sshfs
+ - ncpfs
+ - ncp
+ - nfs
+ - nfs4
+ - gfs
+ - gfs2
+ - glusterfs
+ - gpfs
+ - pvfs2
+ - ocfs2
+ - lustre
+ - davfs
+ - fuse.sshfs
+ when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman",
+ "container"] ) )
+ tags:
+ - CCE-82069-6
+ - DISA-STIG-RHEL-08-010580
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_nodev_nonroot_local_partitions
+ - no_reboot_needed
+
- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
are mounted with nodev option'
mount:
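Review bot: the `set_fact` that defines `excluded_fstypes` carries the same platform `when:` guard as the mount task, so on a skipped platform (containers, bootc hosts) the fact is never set and the later `item.fstype not in excluded_fstypes` only avoids an undefined-variable failure because Ansible evaluates the `when` list in order and stops at the first false item. A static list has no side effects and would be simpler as `vars:` on the mount task or as a rule variable, which also removes the need to repeat the full tag block; if it stays a task, a one-line comment saying why it is a fact would help the next reader.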
@@ -55,6 +99,7 @@
"container"] ) )
- item.mount is match('/\w')
- item.options is not search('nodev')
+ - item.fstype not in excluded_fstypes
with_items:
- '{{ ansible_facts.mounts }}'
tags: |
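Review bot: `item.fstype not in excluded_fstypes` is an exact membership test, so it mirrors the Bash list but misses FUSE types other than `fuse.sshfs`, which `ansible_facts.mounts` reports as `fuse.<name>`; adding `- item.fstype is not match('fuse\.')` or replacing the list with a single `search` pattern would cover them and line up with the regex-based OVAL check. It is also worth confirming that each entry is spelled as the mount facts report it (`nfs4`, `cifs`, `autofs`, ...) rather than as an fstab alias, since a mismatch silently re-enables remediation for that type.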
jan-cerny left a comment:
@ev-not-eve I think that the Bash and OVAL would become misaligned with Ansible after this change. Do you think it would make sense to do a similar change also for Bash and OVAL? Can you look into that?
I agree; I'll check out how the Bash and OVAL are currently written and align them with the Ansible changes.
…ype exclusions when adding nodev to local partitions
… check under partition_state instead of partition_object, and to run the check as one statement w/ regex as opposed to individual lines for each fs
@jan-cerny OK, Bash and OVAL are included now. Could use a sanity check, especially on the OVAL as I don't work with that normally, but I believe the changes should be good to go.
...de/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml (review thread: outdated, resolved)
…v_nonroot_local_partitions/oval/shared.xml Co-authored-by: Jan Černý <jcerny@redhat.com>
Code Climate has analyzed commit 77726f9 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.1% change).
jan-cerny left a comment:
jcerny@fedora:~/work/git/scap-security-guide (pr/13530)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 mount_option_nodev_nonroot_local_partitions
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-06-04-1654/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
INFO - Script complex.fail.sh using profile (all) OK
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script local_mounted_during_runtime.fail.sh using profile (all) OK
INFO - Script missing_multiple_nodev.fail.sh using profile (all) OK
INFO - Script missing_one_nodev.fail.sh using profile (all) OK
INFO - Script no_nodev_in_fstab.fail.sh using profile (all) OK
INFO - Script remote_without_nodev.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13530)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible mount_option_nodev_nonroot_local_partitions
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-06-04-1659/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
INFO - Script complex.fail.sh using profile (all) OK
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script local_mounted_during_runtime.fail.sh using profile (all) OK
INFO - Script missing_multiple_nodev.fail.sh using profile (all) OK
INFO - Script missing_one_nodev.fail.sh using profile (all) OK
INFO - Script no_nodev_in_fstab.fail.sh using profile (all) OK
INFO - Script remote_without_nodev.pass.sh using profile (all) OK
Description:
Added task to set excluded fstypes to keep remote partitions from being remounted with nodev when only local partitions are meant to be targeted
Rationale:
Previous version of shared.yml would target remote mounted filesystems; explicitly excluding known remote filesystem types should help ensure only local partitions are targeted.
Review Hints:
Including a remote mount (my case used autofs) and testing with both the original and new shared.yml should show that the original will error out while the new one properly skips the partition.
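As an added example (not code from this PR or from ComplianceAsCode), the script below applies the same fstype-exclusion idea to a constructed set of mount records and prints which mounts the remediation would touch and the remount commands it would issue, without editing fstab or remounting anything. The record format, the sample mounts, the `fuse.*` prefix rule and the function names are assumptions made here; the exclusion list itself is the one from the PR.

```bash
#!/usr/bin/env bash
# Added example, not the project's code: preview which mounts a nodev
# remediation would touch, using the PR's fstype exclusion list.
# Input format is an assumption modelled on
#   findmnt --mtab --raw --evaluate -n -o TARGET,SOURCE,FSTYPE,OPTIONS
# i.e. one record per line: <mount_point> <source> <fstype> <options>

MOUNT_OPTION="nodev"

# Exclusion list from the PR. Matching against it is exact, so FUSE-backed
# types are handled separately by prefix below (an extension of the PR's list).
excluded_fstypes=(
  afs autofs ceph cifs smb3 smbfs sshfs ncpfs ncp nfs nfs4
  gfs gfs2 glusterfs gpfs pvfs2 ocfs2 lustre davfs fuse.sshfs
)

# Return 0 when the filesystem type is considered non-local.
is_remote_fstype() {
  local fstype="$1" t
  # Assumption: anything FUSE-backed (fuse.sshfs, fuse.glusterfs, ...) is not
  # a local partition for the purposes of this rule.
  [[ "$fstype" == fuse.* ]] && return 0
  for t in "${excluded_fstypes[@]}"; do
    [[ "$fstype" == "$t" ]] && return 0
  done
  return 1
}

# Exact membership test in a comma-separated option list, so that "nodev"
# is not satisfied by an option that merely contains it as a substring.
has_option() {
  local opts="$1" want="$2"
  [[ ",$opts," == *",$want,"* ]]
}

# Read mount records on stdin and print "<mount_point> <fstype>" for every
# local, non-root mount that lacks $MOUNT_OPTION.
nodev_candidates() {
  local mp src fstype opts
  while read -r mp src fstype opts; do
    [[ -z "$mp" || "$mp" == \#* ]] && continue   # blank or comment line
    [[ "$mp" == "/" ]] && continue               # root is out of scope here
    is_remote_fstype "$fstype" && continue
    has_option "$opts" "$MOUNT_OPTION" && continue
    printf '%s %s\n' "$mp" "$fstype"
  done
}

# Turn the candidate list into the remount commands the remediation would run,
# printed rather than executed (the fstab edit is left to the real remediation).
plan_remount() {
  local mp fstype
  while read -r mp fstype; do
    printf 'mount -o remount,%s --target %q\n' "$MOUNT_OPTION" "$mp"
  done
}

# Constructed sample: local partitions (one already compliant), an automount
# trigger and three remote mounts. Hostnames and devices are made up.
SAMPLE_MOUNTS='/ /dev/mapper/rhel-root xfs rw,relatime,seclabel
/boot /dev/sda1 xfs rw,relatime
/home /dev/mapper/rhel-home xfs rw,nodev,relatime
/var /dev/mapper/rhel-var xfs rw,relatime
/mnt/iso /dev/sr0 iso9660 ro,nodev,blocksize=2048
/net systemd-1 autofs rw,relatime
/srv/nfs nas.example.internal:/export nfs4 rw,relatime
/mnt/share //fileserver/share cifs rw,relatime
/mnt/remote user@host:/srv fuse.sshfs rw,nosuid'

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  printf '%s\n' "$SAMPLE_MOUNTS" | nodev_candidates | plan_remount
fi
```

Run as-is it prints the plan for the sample (only `/boot` and `/var` qualify: root is skipped, `/home` and `/mnt/iso` already carry nodev, and the autofs, nfs4, cifs and fuse.sshfs entries are excluded). On a real host, feed it the output of `findmnt --mtab --raw --evaluate -n -o TARGET,SOURCE,FSTYPE,OPTIONS` and compare the list with what the remediation changes; that is a cheap way to spot a type missing from the list before nodev is applied across a fleet.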