Merge pull request #10438 from Mab879/backport_10431

Backport of #10431
ComplianceAsCode · Apr 6, 2023 · 0313d3b · 0313d3b
2 parents c1a56a6 + 716cf71
commit 0313d3b
Show file tree

Hide file tree

Showing 16 changed files with 68 additions and 49 deletions.
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -50,7 +50,7 @@ references:
     stigid@ol8: OL08-00-040123
     stigid@rhel8: RHEL-08-040123
 
-platform: machine
+platform: machine and mount[tmp]
 
 template:
     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -49,7 +49,7 @@ references:
     stigid@ol8: OL08-00-040125
     stigid@rhel8: RHEL-08-040125
 
-platform: machine
+platform: machine and mount[tmp]
 
 template:
     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -50,7 +50,7 @@ references:
     stigid@ol8: OL08-00-040124
     stigid@rhel8: RHEL-08-040124
 
-platform: machine
+platform: machine and mount[tmp]
 
 template:
     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -44,7 +44,7 @@ references:
     stigid@rhel8: RHEL-08-040132
 
 platforms:
-  - machine
+  - machine and mount[var-tmp]
 
 template:
     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -43,7 +43,7 @@ references:
     stigid@ol8: OL08-00-040134
     stigid@rhel8: RHEL-08-040134
 
-platform: machine
+platform: machine and mount[var-tmp]
 
 template:
     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -43,7 +43,7 @@ references:
     stigid@ol8: OL08-00-040133
     stigid@rhel8: RHEL-08-040133
 
-platform: machine
+platform: machine and mount[var-tmp]
 
 template:
     name: mount_option

diff --git a/shared/applicability/mount.yml b/shared/applicability/mount.yml
@@ -0,0 +1,12 @@
+name: "cpe:/a:mount-{arg}"
+title: "The {mountpoint} mountpoint is active (mounted) or configured in /etc/fstab"
+check_id: installed_env_mount_{arg}
+bash_conditional: {{{ bash_mount_conditional("{mountpoint}") }}}
+ansible_conditional: {{{ ansible_mount_conditional("{mountpoint}") }}}
+template:
+  name: platform_mount
+args:
+  tmp:
+    mountpoint: /tmp
+  var-tmp:
+    mountpoint: /var/tmp
diff --git a/shared/applicability/oval/installed_env_mounts_tmp.xml b/shared/applicability/oval/installed_env_mounts_tmp.xml
diff --git a/shared/applicability/oval/installed_env_mounts_var_tmp.xml b/shared/applicability/oval/installed_env_mounts_var_tmp.xml
diff --git a/shared/applicability/partition-tmp.yml b/shared/applicability/partition-tmp.yml
diff --git a/shared/applicability/partition-var-tmp.yml b/shared/applicability/partition-var-tmp.yml
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
@@ -1547,6 +1547,6 @@ Part of the grub2_bootloader_argument_absent template.
 {{%- endmacro -%}}
 
 
-{{%- macro ansible_partition_conditional(path) -%}}
+{{%- macro ansible_mount_conditional(path) -%}}
 '"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
 {{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -2216,8 +2216,8 @@ fi
 {{%- endmacro -%}}
 
 
-{{%- macro bash_partition_conditional(path) -%}}
-'findmnt --kernel "{{{ path }}}" > /dev/null'
+{{%- macro bash_mount_conditional(path) -%}}
+'findmnt --kernel "{{{ path }}}" > /dev/null || findmnt --fstab "{{{ path }}}" > /dev/null'
 {{%- endmacro -%}}
 
 

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1001,21 +1001,41 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 {{%- endmacro %}}
 
 
-{{%- macro partition_exists_criterion(path) %}}
-{{%- set escaped_path = path | escape_id %}}
-      <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />
+{{%- macro mount_active_criterion(path) %}}
+   <criterion comment="The path {{{ path }}} is an active (mounted) mount point"
+     test_ref="test_mount_active_{{{ path | escape_id }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro mount_configured_fstab_criterion(path) %}}
+   <criterion comment="The path {{{ path }}} is a mount point configured in /etc/fstab"
+     test_ref="test_mount_configured_fstab_{{{ path | escape_id }}}_exists" />
 {{%- endmacro %}}
 
-{{%- macro partition_exists_test_object(path) %}}
+{{%- macro mount_active_test_object(path) %}}
 {{%- set escaped_path = path | escape_id %}}
-  <linux:partition_test check="all" check_existence="all_exist"
-      comment="Partition {{{ path }}} exists"
-      id="test_partition_{{{ escaped_path }}}_exists"
-  version="1">
-    <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+  <linux:partition_test check="all" check_existence="all_exist" version="1"
+      comment="Mountpoint {{{ path }}} exists"
+      id="test_mount_active_{{{ escaped_path }}}_exists">
+    <linux:object object_ref="object_mount_active_{{{ escaped_path }}}_exists" />
   </linux:partition_test>
 
-  <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+  <linux:partition_object id="object_mount_active_{{{ escaped_path }}}_exists" version="1">
     <linux:mount_point>{{{ path }}}</linux:mount_point>
   </linux:partition_object>
 {{%- endmacro %}}
+
+{{%- macro mount_configured_fstab_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+      comment="Mountpoint {{{ path }}} is configured"
+      id="test_mount_configured_fstab_{{{ escaped_path }}}_exists">
+    <ind:object object_ref="object_mount_configured_fstab_{{{ escaped_path }}}_exists" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_mount_configured_fstab_{{{ escaped_path }}}_exists" version="1">
+    <ind:filepath>/etc/fstab</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*[\S]+[\s]+{{{ path | escape_regex }}}[\s]+[\S]+[\s]+([\S]+)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{%- endmacro %}}
+
diff --git a/shared/templates/platform_mount/oval.template b/shared/templates/platform_mount/oval.template
@@ -0,0 +1,15 @@
+<def-group>
+  <definition class="inventory" id="installed_env_{{{ _RULE_ID }}}" version="1">
+    {{{ oval_metadata("", title="Mountpoint " + MOUNTPOINT + " is active (mounted) or configured in /etc/fstab", affected_platforms=[full_name]) }}}
+    <criteria operator="OR">
+      <criteria>
+        {{{ mount_active_criterion(MOUNTPOINT) }}}
+      </criteria>
+      <criteria>
+        {{{ mount_configured_fstab_criterion(MOUNTPOINT) }}}
+      </criteria>
+    </criteria>
+  </definition>
+  {{{ mount_active_test_object(MOUNTPOINT) }}}
+  {{{ mount_configured_fstab_test_object(MOUNTPOINT) }}}
+</def-group>
diff --git a/shared/templates/platform_mount/template.yml b/shared/templates/platform_mount/template.yml
@@ -0,0 +1,2 @@
+supported_languages:
+  - oval