RHEL-08-040126 - Grep command fails matching due to '-w' switch

[derekbentson]

Describe the Issue
The grep statement that populates register rhel8stig_040126_var_log_status does not match when the /var/log line has 1 trailing space followed by a word. This is a standard syntax for /etc/fstab.

The grep command in question:

RHEL8-STIG/tasks/fix-cat2.yml

Line 6297 in 54f296f

ansible.builtin.shell: mount | grep -w "/var/log "

The -w switch is utilized on the grep command, so the regex will match when the search string is surrounded by non-word constituent characters. But since a trailing space is included in the search string, this regex will only match when /var/log is followed by a space then another non-word character. If there is only 1 space following /var/log, and then a word, this regex will not match.

When the grep statement does not match any lines, the rhel8stig_040126_var_log_status register is unpopulated, and the script does not add the nodev,nosuid,noexec options to the mountpoint.

Expected Behavior
Expected to match outputs of the mount command that contain /var/log, but not /var/log/audit. Expected to change the /var/log mount options to include nodev,nosuid,noexec.

Actual Behavior
Does not match any lines in our current deployment. The /var/log line output of mount on a test machine is:
/dev/mapper/VolGroup-lv_log on /var/log type xfs (rw,relatime)
After running the playbook, the options on /var/log are left the same.

Control(s) Affected
RHEL-08-040126, RHEL-08-040127, RHEL-08-040128

Possible Solution
Change grep statement in fix-cat2.yml, line 6297. Either:

1. Remove the -w switch. Change line to just:
   ansible.builtin.shell: mount | grep "/var/log "
2. If desired to handle tabs as well, utilize whitespace matching in regex. Something like:
   ansible.builtin.shell: mount | grep '\s\+/var/log\s\+'