[Debian 13] mount_option remediation fails: mount_info dictionary creation iterates over characters instead of words #14259

@trocster

Description of problem:

The Ansible remediation for mount options (specifically mount_option_boot_noexec and mount_option_boot_nosuid) fails on Debian 13. The logic in the shared/templates/mount_option/ansible.template used to create the mount_info dictionary is flawed. It uses with_together on a string that is not being correctly interpreted as a list, causing Ansible to iterate over individual characters (e.g., item=['t', 'ext4']) instead of space-delimited words. This results in a malformed or empty mount_info variable, preventing the subsequent line-in-file tasks from executing correctly.

SCAP Security Guide Version:

0.1.79

Operating System Version:

Debian 13 "trixie"

Steps to Reproduce:

  1. Build the SCAP content for Debian 13 from source.
  2. Generate an Ansible remediation playbook for the ANSSI BP-028 profile (e.g., ansible-playbook -i localhost, anssi-bp028-remediation.yml).
  3. Observe the output of the task: Add nosuid Option to /boot: Create mount_info dictionary variable.

Actual Results:

TASK [Add nosuid Option to /boot: Create mount_info dictionary variable] *****************************************************************************************************************
[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin:  ./anssi-bp028-remediation.yml:11041:9

11039       - '{{ device_name.stdout_lines[1].split() | list }}'
11040       when:
11041       - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
              ^ column 9

Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.

ok: [127.0.0.1] => (item=['[', '/boot'])
ok: [127.0.0.1] => (item=["'", 'UUID=93bd4547-e832-4439-af2d-67f1aa35d1d2'])
ok: [127.0.0.1] => (item=['t', 'ext4'])
ok: [127.0.0.1] => (item=['a', 'nodev,nosuid,noexec'])
ok: [127.0.0.1] => (item=['r', None])
ok: [127.0.0.1] => (item=['g', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['u', None])
ok: [127.0.0.1] => (item=['r', None])
ok: [127.0.0.1] => (item=['c', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['f', None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=['y', None])
ok: [127.0.0.1] => (item=['p', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['p', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=['i', None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['n', None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[']', None])

Expected Results:

TASK [Add noexec Option to /tmp: Create mount_info dictionary variable] ******************************************************************************************************************
[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin: /home/tom/build/bu-trixie-ansible/playbooks/anssi-bp028-remediation.yml:11881:9

11879       - '{{ device_name.stdout_lines[1].split() | list }}'
11880       when:
11881       - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
              ^ column 9

Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.

[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin: /home/tom/build/bu-trixie-ansible/playbooks/anssi-bp028-remediation.yml:11885:9

11883         and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
11884         ["docker", "lxc", "openvz", "podman", "container"] ) )
11885       - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
              ^ column 9

Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.

skipping: [127.0.0.1]

Additional Information/Debugging Steps:

Fixed with:

      - "{{ device_name.stdout_lines[0].split() | map('lower') | list }}"
      - "{{ device_name.stdout_lines[1].split() }}"
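The character-by-character items in the output above follow directly from how with_together pairs its terms. The following Python model is an added example, not the project's template and not Ansible's own lookup code: with_together is modelled with itertools.zip_longest (shorter lists padded with None, which is why the trailing items carry None), the two findmnt lines are constructed from the values quoted in this issue, and the "broken" path feeds the lookup the string form of the header list, which is what the 41 single-character items reported here correspond to. The fixed path passes real lists, as in the reporter's fix, and the resulting mount_info passes the check the later lineinfile tasks depend on.

```python
from itertools import zip_longest

# Constructed sample of `findmnt` output for /boot, built from the values
# quoted in this issue: line 0 is the header, line 1 is the mount entry.
STDOUT_LINES = [
    "TARGET SOURCE FSTYPE OPTIONS",
    "/boot UUID=93bd4547-e832-4439-af2d-67f1aa35d1d2 ext4 nodev,nosuid,noexec",
]

REQUIRED_KEYS = ("target", "source", "fstype", "options")


def with_together(*terms):
    """Model of Ansible's with_together: zip the terms, padding shorter ones
    with None (zip_longest semantics). A term that is a str is iterated
    character by character, which is exactly the failure in this issue."""
    return [list(pair) for pair in zip_longest(*terms)]


def build_mount_info(items):
    """Model of the 'Create mount_info dictionary variable' task:
    fold each (key, value) pair produced by the loop into one dict."""
    info = {}
    for key, value in items:
        info[key] = value
    return info


def broken_terms(lines):
    """First term arrives as the *string form* of the lowercased header list,
    i.e. "['target', 'source', 'fstype', 'options']"; second term is a list."""
    header = str([w.lower() for w in lines[0].split()])
    return header, lines[1].split()


def fixed_terms(lines):
    """Both terms are real lists of words, as in the reporter's fix."""
    return [w.lower() for w in lines[0].split()], lines[1].split()


def mount_info_is_usable(info):
    """The check the follow-up lineinfile tasks implicitly rely on:
    every expected field is present and non-empty."""
    return all(isinstance(info.get(k), str) and info[k] for k in REQUIRED_KEYS)


def main():
    for label, terms in (("broken", broken_terms(STDOUT_LINES)),
                         ("fixed", fixed_terms(STDOUT_LINES))):
        items = with_together(*terms)
        info = build_mount_info(items)
        print(f"{label}: {len(items)} loop items, first four {items[:4]}")
        print(f"{label}: mount_info={info} usable={mount_info_is_usable(info)}")


if __name__ == "__main__":
    main()
```

Running it prints 41 loop items for the broken path (one per character of the stringified header, the first four matching the `[`, `'`, `t`, `a` items in the report) against 4 for the fixed path, and only the fixed mount_info contains the target/source/fstype/options keys.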
