Task: "Configure hardened options for mount {{ mount.path }}" in Task File minimize_access_fs.yml overrides all UUID, PARTUUID or LABEL entries in /etc/fstab with the device path.
Impact: this behaviour potentially renders virtual machines with multiple disks unbootable
fstab source entries of all mounts that are touched by this task are overridden to the device path (e.g. /dev/sdxy)
fstab before play:
```
UUID=780690c3-3687-439c-a61d-6a97dfaee640 /boot ext4 rw,nosuid,nodev,noexec 1 2
```
fstab after play:
```
/dev/sda2 /boot ext4 rw,nosuid,nodev,noexec 1 2
```
Expected Behavior
Task respects source information of /etc/fstab (e.g. Source is UUID, PARTUUID or Label) or is configurable to use Label, UUID or PartUUID of disks.
Does it work if you override with `os_mnt_boot_src=UUID=780690c3-3687-439c-a61d-6a97dfaee640`?
Yes it works with that override but I think the default behaviour is quite dangerous. Maybe it would be a safe default to use the UUID as source in any case? Or at least make it configurable.
I guess a real fix would be more complicated as it would require a comparison of fstab contents and actual mounts.
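As an added example (not code from the devsec.hardening collection or from anyone in this thread), the following Python script shows the two pieces the discussion asks for: a hardened-options rewrite of fstab that copies the source field through unchanged, so a `UUID=`, `PARTUUID=` or `LABEL=` spec is never replaced by a `/dev/...` path, and a before/after comparison that flags any entry where that replacement did happen. The sample fstab contents are constructed from the `/boot` line quoted in the issue plus one made-up data-disk entry; the function names are this example's own.

```python
"""Added example, not code from the devsec.hardening collection or the issue
author: an fstab rewriter that applies hardened mount options while keeping
each entry's original source spec, plus a before/after check that flags any
entry whose stable identifier (UUID=, PARTUUID=, LABEL=) was replaced by a
device path. Sample fstab text below is constructed for this example."""

from dataclasses import dataclass, replace

# Source specifiers that survive device renumbering; a bare /dev/... path does not.
STABLE_PREFIXES = ("UUID=", "PARTUUID=", "LABEL=", "PARTLABEL=")


@dataclass(frozen=True)
class FstabEntry:
    source: str
    mount_point: str
    fstype: str
    options: str
    dump: str = "0"
    passno: str = "0"

    def render(self) -> str:
        return " ".join(
            (self.source, self.mount_point, self.fstype, self.options, self.dump, self.passno)
        )


def parse_fstab(text: str) -> list[FstabEntry]:
    """Parse fstab text; comments and blank lines are skipped, dump/pass default to 0."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if not 4 <= len(fields) <= 6:
            raise ValueError(f"malformed fstab line: {raw!r}")
        fields += ["0"] * (6 - len(fields))
        entries.append(FstabEntry(*fields))
    return entries


def merge_options(existing: str, hardened: str) -> str:
    """Append hardened options to the existing ones without duplicating any."""
    merged = [o for o in existing.split(",") if o]
    for opt in hardened.split(","):
        if opt and opt not in merged:
            merged.append(opt)
    return ",".join(merged)


def harden_fstab(text: str, hardened_by_mount: dict[str, str]) -> str:
    """Rewrite fstab text, applying hardened options per mount point.
    The source field is copied through unchanged, so UUID=/LABEL= specs survive."""
    out = []
    for entry in parse_fstab(text):
        extra = hardened_by_mount.get(entry.mount_point)
        if extra is not None:
            entry = replace(entry, options=merge_options(entry.options, extra))
        out.append(entry.render())
    return "\n".join(out) + "\n"


def find_source_downgrades(before: str, after: str) -> list[tuple[str, str, str]]:
    """Compare two fstab versions by mount point and return (mount, old_source,
    new_source) for every entry whose stable identifier became a device path."""
    before_by_mount = {e.mount_point: e for e in parse_fstab(before)}
    downgrades = []
    for entry in parse_fstab(after):
        old = before_by_mount.get(entry.mount_point)
        if old is None:
            continue
        if old.source.startswith(STABLE_PREFIXES) and entry.source.startswith("/dev/"):
            downgrades.append((entry.mount_point, old.source, entry.source))
    return downgrades


# Constructed sample: the /boot line quoted in the issue plus a made-up data disk.
FSTAB_BEFORE = """\
UUID=780690c3-3687-439c-a61d-6a97dfaee640 /boot ext4 rw 1 2
/dev/vdb1 /data xfs defaults 0 2
"""

# Constructed "after" text mirroring the reported behaviour: /boot lost its UUID.
FSTAB_AFTER_REPORTED = """\
/dev/sda2 /boot ext4 rw,nosuid,nodev,noexec 1 2
/dev/vdb1 /data xfs defaults,nodev 0 2
"""

if __name__ == "__main__":
    print(harden_fstab(FSTAB_BEFORE, {"/boot": "nosuid,nodev,noexec", "/data": "nodev"}))
    print(find_source_downgrades(FSTAB_BEFORE, FSTAB_AFTER_REPORTED))
```

Running the script prints the hardened fstab with the `UUID=` source intact for `/boot`, and the comparison returns one tuple for `/boot` because the reported rewrite swapped its UUID for `/dev/sda2`; the `/data` entry is not flagged since it already used a device path. The comparison is the kind of pre/post check a play could run against the managed file and fail on before the host reboots.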
Reproduction steps
```yaml
---
- hosts: all
  vars:
    os_mnt_boot_enabled: true
  roles:
    - role: devsec.hardening.os_hardening
```
OS / Environment
Tested with:
Ansible Version
Collection Version
Additional information
No response