Add ansible remediation to mount_option_home template #12546
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
# platform = multi_platform_all | ||
# reboot = false | ||
# strategy = configure | ||
# complexity = low | ||
# disruption = high | ||
|
||
- name: "Initialize variables" | ||
ansible.builtin.set_fact: | ||
non_allowed_partitions: ["/", "/lib", "/opt", "/usr", "/bin", "/sbin", "/boot", "/dev", "/proc"] | ||
home_directories: [] | ||
allowed_mount_point: [] | ||
fstab_mount_point_info: [] | ||
|
||
- name: "Get home directories from passwd" | ||
ansible.builtin.getent: | ||
database: passwd | ||
|
||
- name: "Filter home directories based on UID range" | ||
ansible.builtin.set_fact: | ||
home_directories: "{{ home_directories + [item.data[4]] }}" | ||
when: | ||
- item.data[4] is defined | ||
- item.data[2]|int >= {{{ uid_min }}} | ||
- item.data[2]|int != {{{ nobody_uid }}} | ||
- item.data[4] not in non_allowed_partitions | ||
with_items: "{{ ansible_facts.getent_passwd | dict2items(key_name='user', value_name='data')}}" | ||
|
||
- name: "Gather mount points" | ||
ansible.builtin.setup: | ||
filter: ansible_mounts | ||
|
||
- name: "Ensure mount options for home directories" | ||
block: | ||
|
||
- name: "Obtain mount point using df and shell" | ||
ansible.builtin.shell: | | ||
df {{ item }} | awk '/^\/dev/ {print $6}' | ||
register: df_output | ||
with_items: "{{ home_directories }}" | ||
|
||
- name: "Set mount point for each home directory" | ||
ansible.builtin.set_fact: | ||
allowed_mount_point: "{{ allowed_mount_point + [item.stdout_lines[0]] }}" | ||
with_items: "{{ df_output.results }}" | ||
when: item.stdout_lines[0] != "" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thank you for the review, I updated this |
||
|
||
- name: "Obtain full mount information for allowed mount point" | ||
ansible.builtin.set_fact: | ||
fstab_mount_point_info: "{{ fstab_mount_point_info + [ ansible_mounts | selectattr('mount', 'equalto', item) | first ]}}" | ||
with_items: "{{ allowed_mount_point }}" | ||
when: allowed_mount_point is defined | ||
|
||
- name: "Ensure mount option {{{ MOUNTOPTION }}} is in fstab for allowed mount point" | ||
ansible.builtin.mount: | ||
path: "{{ item.mount }}" | ||
src: "{{ item.device }}" | ||
opts: "{{ item.options }},{{{ MOUNTOPTION }}}" | ||
state: mounted | ||
fstype: "{{ item.fstype }}" | ||
with_items: "{{ fstab_mount_point_info }}" | ||
when: | ||
- allowed_mount_point is defined | ||
- item.mount not in non_allowed_partitions | ||
- "'{{{ MOUNTOPTION }}}' not in item.options" |
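Review bot: The task "Obtain mount point using df and shell" interpolates each home-directory string taken from passwd unquoted into a shell command, `df {{ item }} | awk '/^\/dev/ {print $6}'`, so a passwd entry whose home field contains shell metacharacters (for example one supplied by an NSS/LDAP source the host does not control) would be interpreted by the shell rather than looked up; `df {{ item | quote }} | awk '/^\/dev/ {print $6}'` or `ansible.builtin.command` with `argv` closes that gap. The mount point could also be derived from the `ansible_mounts` fact that the previous task already gathers, which would remove the shell step entirely. The following task "Set mount point for each home directory" indexes `item.stdout_lines[0]` both in `set_fact` and in its `when`; for a home directory that does not exist or sits on a non-/dev device, df prints nothing, `stdout_lines` is empty and the condition raises an undefined-variable error instead of skipping the item, so `when: item.stdout_lines | length > 0 and item.stdout_lines[0] != ""` is the safer form. The block opened by "Ensure mount options for home directories" encloses every remaining task and closes at the end of the file.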
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
supported_languages: | ||
- bash | ||
- oval | ||
- ansible |
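--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,27 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+. $SHARED/partition.sh
+
+mkdir -p /srv/home
+awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \
+| xargs -I{} userdel -r {}
+
+umount /srv || true # no problem if not mounted
+
+clean_up_partition /srv
+
+create_partition
+
+{{% if MOUNTOPTION != "nodev" %}}
+make_fstab_given_partition_line /srv ext2 nodev
+{{% else %}}
+make_fstab_given_partition_line /srv ext2 noexec
+{{% endif %}}
+
+mount_partition /srv
+
+mkdir -p /srv/home
+useradd -m -d /srv/home/testUser1 testUser1
+
+useradd -m -d /home/testUser2 testUser2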
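Review bot: The first `mkdir -p /srv/home` runs before `umount /srv`, so the directory is created on whichever filesystem currently backs /srv and is then hidden once the freshly created partition is mounted; the same `mkdir -p /srv/home` is repeated after `mount_partition /srv`, where it belongs, so the earlier one can be dropped. The `awk … | xargs -I{} userdel -r {}` pipeline removes every account with a UID at or above `{{{ uid_min }}}` (other than nobody) together with its home directory, which is what a throwaway test environment wants but is easy to misread when this scenario is reused, so a comment such as `# remove all regular accounts so that only the test users created below are seen by the remediation` would help. The conditional fstab line deliberately mounts /srv with an option other than `{{{ MOUNTOPTION }}}` so that the remediation has something to add; a one-line comment stating that intent above the `{{% if %}}` block would make the scenario self-explanatory.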
Please add
{{{ rule_title }}}:
to each Ansible Task name so that the same Ansible Tasks can be distinguished between rules.
Thank you for the review, I updated this