From 8af275942f8a294ab601629549a9bef2e63fc98f Mon Sep 17 00:00:00 2001
From: layluke
Date: Sat, 28 Sep 2024 14:58:40 -0400
Subject: [PATCH 1/2] Added selectattr value to select only nfs mounts
Signed-off-by: layluke
---
 tasks/Cat2/RHEL-09-23xxxx.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index a6e4e65..3e1b1b0 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -215,7 +215,7 @@
 path: "{{ item.mount }}"
 src: "{{ item.device }}"
 state: present
- loop: "{{ ansible_facts.mounts }}"
+ loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}"
 loop_control:
 label: "{{ item.device }}"
@@ -240,7 +240,7 @@
 path: "{{ item.mount }}"
 src: "{{ item.device }}"
 state: present
- loop: "{{ ansible_facts.mounts }}"
+ loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}"
 loop_control:
 label: "{{ item.device }}"
@@ -265,7 +265,7 @@
 path: "{{ item.mount }}"
 src: "{{ item.device }}"
 state: present
- loop: "{{ ansible_facts.mounts }}"
+ loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}"
 loop_control:
 label: "{{ item.device }}"
From 32fb1a21145f3eec3395c6df6959de73ed5b8464 Mon Sep 17 00:00:00 2001
From: layluke
Date: Mon, 30 Sep 2024 12:10:26 -0400
Subject: [PATCH 2/2] Updated with changes to search for everything contianing nfs
Signed-off-by: layluke
---
 tasks/Cat2/RHEL-09-23xxxx.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index 3e1b1b0..dbd7af9 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -197,7 +197,6 @@ - name: "MEDIUM | RHEL-09-231065 | PATCH | RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS)." when: - rhel_09_231065 - - ansible_facts['mounts']| selectattr('fstype', '==', 'nfs') - "'nfs-utils' in ansible_facts.packages" - "'nodev' not in item.options" - rhel9stig_disruption_high @@ -215,14 +214,13 @@ path: "{{ item.mount }}" src: "{{ item.device }}" state: present - loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}" + loop: "{{ ansible_facts.mounts | selectattr('fstype', 'contains', 'nfs') | list }}" loop_control: label: "{{ item.device }}" - name: "MEDIUM | RHEL-09-231070 | PATCH | RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS)." when: - rhel_09_231070 - - ansible_facts['mounts']| selectattr('fstype', '==', 'nfs') - "'nfs-utils' in ansible_facts.packages" - "'noexec' not in item.options" - rhel9stig_disruption_high @@ -240,14 +238,13 @@ path: "{{ item.mount }}" src: "{{ item.device }}" state: present - loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}" + loop: "{{ ansible_facts.mounts | selectattr('fstype', 'contains', 'nfs') | list }}" loop_control: label: "{{ item.device }}" - name: "MEDIUM | RHEL-09-231075 | PATCH | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." when: - rhel_09_231075 - - ansible_facts['mounts']| selectattr('fstype', '==', 'nfs') - "'nfs-utils' in ansible_facts.packages" - "'nosuid' not in item.options" - rhel9stig_disruption_high @@ -265,7 +262,7 @@ path: "{{ item.mount }}" src: "{{ item.device }}" state: present - loop: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | list }}" + loop: "{{ ansible_facts.mounts | selectattr('fstype', 'contains', 'nfs') | list }}" loop_control: label: "{{ item.device }}"
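Review bot: The new loop filter `selectattr('fstype', 'contains', 'nfs')` in the `@@ -215,14 +214,13 @@` hunk (repeated in the `-240` and `-265` hunks) is a substring match, so any mounted file system whose type merely contains `nfs` is selected and has its mount entry rewritten by this disruption-high task. The `contains` test is documented for list membership, so its substring behaviour on a string is incidental rather than a stated contract. An explicit allow-list keeps the remediation scoped to the types the control targets: `loop: "{{ ansible_facts.mounts | selectattr('fstype', 'in', ['nfs', 'nfs4']) | list }}"`. The task body starts above the hunk, so the module name and its remaining arguments are not visible here.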
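Review bot: The loop in the `@@ -240,14 +238,13 @@` hunk iterates `ansible_facts.mounts`, which describes file systems mounted when facts were gathered, so an NFS entry that exists in `/etc/fstab` but was not mounted at that time is never evaluated for `noexec`; the `nodev` and `nosuid` tasks in the neighbouring hunks have the same limit. With the task-level `selectattr` condition removed from `when`, this loop is the only NFS selection left, so the limitation deserves a comment above each task, for example `# Covers only NFS file systems mounted at fact-gathering time; unmounted /etc/fstab entries are not remediated.` The comment also tells an auditor that a clean run does not by itself prove every configured NFS import carries the option.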