Check mounts doesn't actually check mounts #50

Open
andrefecto opened this issue Dec 8, 2019 · 2 comments
Comments

@andrefecto

andrefecto commented Dec 8, 2019

The current setup for checking mounts doesn't actually check for mounts and will always return "OK."

For example, if you run the following playbook on a system that doesn't have /var as a mount:

- name: "SCORED | 1.1.5 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_5
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.5
      - skip_ansible_lint

Then you'll see this:

TASK [SCORED | 1.1.5 | PATCH | Ensure separate partition exists for /var] ***************************************************************
[WARNING]: Consider using the mount module rather than running 'mount'.  If you need to use command because mount is insufficient you
can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.

ok: [127.0.0.1]

But if you run this:

- hosts: 127.0.0.1
  connection: local
  tasks:
  - name: See if /var is mounted
    fail:
      msg: "/var is not mounted"
    # ansible_mounts is a list of dicts; filter on the 'mount' key for the exact path
    when: ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
  vars:
    mounts: "{{ ansible_mounts }}"

You will get the following output:

fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "/var is not mounted"} 

If you change /var to just / in the "when" statement of my playbook, you'll get "skipping: [127.0.0.1]" because / is mounted. So this method can correctly detect mounts.

There are ways to create mounts in Ansible using the mount module here but I'm not sure if you actually want to do that or want to just warn. Either way, I figured I would bring it up for consideration.

Note: I know a lot of people would do these mounts at OS install time so this is moot, but I am using a VM from Digital Ocean which doesn't give you that option, so you have to do it all using the CLI.

@florianutz
Owner

Hi andrefecto. We had a lot of discussions regarding this topic. Long story short: partitions should be defined during setup and not with a hardening role. IMHO, these rules for partitions should not apply to cloud images anyway. There is usually just one volatile partition for the OS and a second block device for persistence if necessary.

@andrefecto
Author

@florianutz Thanks for the response. I agree that they shouldn't be done on cloud images because after some consideration I realized if I tried to resize my VM, it probably wouldn't work because of the partition table not being what it expects. However, for documenting which CIS rules a system isn't compliant with, it would still be helpful to have it at least warn that those directories aren't mounted.
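An audit-only variant of the check discussed in this thread, added here as an example (it is not code from the ubuntu1804-cis role): it reads the ansible_mounts fact instead of grepping mount(8) output, reports every expected directory that is not its own mount point, and only fails when a hypothetical cis_fail_on_missing_partitions variable is set. The list of directories is constructed for the example; the CIS rule ids are deliberately omitted.

```yaml
# Warn (rather than always report OK) when a directory that the CIS partition rules
# expect on a separate filesystem is not a mount point on the target host.
- hosts: all
  gather_facts: true            # ansible_mounts is only populated by fact gathering
  vars:
    # Constructed example list; substitute the directories your benchmark requires.
    cis_separate_partitions:
      - /var
      - /var/tmp
      - /home
  tasks:
    - name: Collect the mount points that currently exist on the host
      set_fact:
        current_mounts: "{{ ansible_mounts | map(attribute='mount') | list }}"

    - name: Work out which expected partitions are missing
      set_fact:
        missing_partitions: "{{ cis_separate_partitions | difference(current_mounts) }}"

    - name: WARN | Directories that are not on a separate partition
      debug:
        msg: "{{ item }} is not a separate mount point (CIS partition rules)"
      loop: "{{ missing_partitions }}"

    - name: Fail the play only when the operator asks for enforcement
      assert:
        that: missing_partitions | length == 0
        fail_msg: "Missing separate partitions: {{ missing_partitions | join(', ') }}"
      # cis_fail_on_missing_partitions is a hypothetical switch for this example
      when: cis_fail_on_missing_partitions | default(false) | bool
```

On a host where only / is mounted, the debug task prints one line per listed directory and the play still ends successfully, which is the behaviour the last comment asks for when documenting non-compliance.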
