Merge pull request #12546 from mrkanon/ansible-mount_option_home

Add ansible remediation to mount_option_home template

Author: jan-cerny

shared/templates/mount_option_home/ansible.template

@@ -0,0 +1,67 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = high
+
+-   name: "{{{ rule_title }}} - Initialize variables"
+    ansible.builtin.set_fact:
+        non_allowed_partitions: ["/", "/lib", "/opt", "/usr", "/bin", "/sbin", "/boot", "/dev", "/proc"]
+        home_directories: []
+        allowed_mount_point: []
+        fstab_mount_point_info: []
+
+-   name: "{{{ rule_title }}} - Get home directories from passwd"
+    ansible.builtin.getent:
+        database: passwd
+
+-   name: "{{{ rule_title }}} - Filter home directories based on UID range"
+    ansible.builtin.set_fact:
+        home_directories: "{{ home_directories + [item.data[4]] }}"
+    when:
+        - item.data[4] is defined
+        - item.data[2]|int >= {{{ uid_min }}}
+        - item.data[2]|int != {{{ nobody_uid }}}
+        - item.data[4] not in non_allowed_partitions
+    with_items: "{{ ansible_facts.getent_passwd | dict2items(key_name='user', value_name='data')}}"
+
+-   name: "{{{ rule_title }}} - Gather mount points"
+    ansible.builtin.setup:
+        filter: ansible_mounts
+
+-   name: "{{{ rule_title }}} - Ensure mount options for home directories"
+    block:
+
+    -   name: " {{{ rule_title }}} - Obtain mount point using df and shell"
+        ansible.builtin.shell: |
+            df {{ item }} | awk '/^\/dev/ {print $6}'
+        register: df_output
+        with_items: "{{ home_directories }}"
+
+    -   name: "{{{ rule_title }}} - Set mount point for each home directory"
+        ansible.builtin.set_fact:
+            allowed_mount_point: "{{ allowed_mount_point + [item.stdout_lines[0]] }}"
+        with_items: "{{ df_output.results }}"
+        when: 
+            - item.stdout_lines is defined
+            - item.stdout_lines | length > 0
+            - item.stdout_lines[0] != ""
+
+    -   name: "{{{ rule_title }}} - Obtain full mount information for allowed mount point"
+        ansible.builtin.set_fact:
+            fstab_mount_point_info: "{{ fstab_mount_point_info + [ ansible_mounts | selectattr('mount', 'equalto', item) | first ]}}"
+        with_items: "{{ allowed_mount_point }}"
+        when: allowed_mount_point is defined
+
+    -   name: "{{{ rule_title }}} - Ensure mount option {{{ MOUNTOPTION }}} is in fstab for allowed mount point"
+        ansible.builtin.mount:
+            path: "{{ item.mount }}"
+            src: "{{ item.device }}"
+            opts: "{{ item.options }},{{{ MOUNTOPTION }}}"
+            state: mounted
+            fstype: "{{ item.fstype }}"
+        with_items: "{{ fstab_mount_point_info }}"
+        when:
+            - allowed_mount_point is defined
+            - item.mount not in non_allowed_partitions
+            - "'{{{ MOUNTOPTION }}}' not in item.options"

shared/templates/mount_option_home/template.yml

@@ -1,3 +1,4 @@
 supported_languages:
   - bash
   - oval
+  - ansible

shared/templates/mount_option_home/tests/fstab_multiple_users_template.fail.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+. $SHARED/partition.sh
+
+mkdir -p /srv/home
+awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \
+        | xargs -I{} userdel -r {}
+
+umount /srv || true  # no problem if not mounted
+
+clean_up_partition /srv
+
+create_partition
+
+{{% if MOUNTOPTION != "nodev" %}}
+make_fstab_given_partition_line /srv ext2 nodev
+{{% else %}}
+make_fstab_given_partition_line /srv ext2 noexec
+{{% endif %}}
+
+mount_partition /srv
+
+mkdir -p /srv/home
+useradd -m -d /srv/home/testUser1 testUser1
+
+useradd -m -d /home/testUser2 testUser2