Describe the Issue
The grep statement that populates register rhel8stig_040126_var_log_status does not match when the /var/log line has 1 trailing space followed by a word. This is a standard syntax for /etc/fstab.
ansible.builtin.shell: mount | grep -w "/var/log "
The -w switch is utilized on the grep command, so the regex will match when the search string is surrounded by non-word constituent characters. But since a trailing space is included in the search string, this regex will only match when /var/log is followed by a space then another non-word character. If there is only 1 space following /var/log, and then a word, this regex will not match.
When the grep statement does not match any lines, the rhel8stig_040126_var_log_status register is unpopulated, and the script does not add the nodev,nosuid,noexec options to the mountpoint.
Expected Behavior
Expected to match outputs of the mount command that contain /var/log, but not /var/log/audit. Expected to change the /var/log mount options to include nodev,nosuid,noexec.
Actual Behavior
Does not match any lines in our current deployment. The /var/log line output of mount on a test machine is: /dev/mapper/VolGroup-lv_log on /var/log type xfs (rw,relatime)
After running the playbook, the options on /var/log are left the same.
The grep command in question: RHEL8-STIG/tasks/fix-cat2.yml, line 6297 in 54f296f
Control(s) Affected
RHEL-08-040126, RHEL-08-040127, RHEL-08-040128
Possible Solution
Change grep statement in fix-cat2.yml, line 6297. Either:
-w switch. Change line to just:
ansible.builtin.shell: mount | grep "/var/log "
ansible.builtin.shell: mount | grep '\s\+/var/log\s\+'
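The mismatch reported above can be reproduced offline against captured `mount` output. This is an added example, not code from the RHEL8-STIG repository: the /var/log line is the one quoted in the issue, the root and /var/log/audit lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Sample `mount` output. Line 2 is quoted from the issue; lines 1 and 3 are
# constructed so the /var/log/audit exclusion can be checked as well.
SAMPLE_MOUNT='/dev/mapper/VolGroup-lv_root on / type xfs (rw,relatime)
/dev/mapper/VolGroup-lv_log on /var/log type xfs (rw,relatime)
/dev/mapper/VolGroup-lv_audit on /var/log/audit type xfs (rw,relatime)'

# Pattern currently used by the task: -w plus a trailing space in the pattern.
# The match "/var/log " is followed by the "t" of "type", a word character,
# so the whole-word test fails and grep selects nothing.
match_current() { printf '%s\n' "$SAMPLE_MOUNT" | grep -w "/var/log "; }

# First proposed change: same pattern without -w.
match_no_w() { printf '%s\n' "$SAMPLE_MOUNT" | grep "/var/log "; }

# Second proposed change: require whitespace on both sides of the mount point.
match_ws() { printf '%s\n' "$SAMPLE_MOUNT" | grep '\s\+/var/log\s\+'; }

# Print what each variant selects; an empty result is what leaves the
# rhel8stig_040126_var_log_status register without a matching line.
for variant in match_current match_no_w match_ws; do
    if out=$("$variant"); then
        printf '%s: matched -> %s\n' "$variant" "$out"
    else
        printf '%s: no match (grep exit status non-zero)\n' "$variant"
    fi
done
```

Both proposed patterns select only the /var/log line and skip /var/log/audit, because in the audit line the mount point is followed by `/` rather than whitespace.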