[Open-scap] Using the mount_options within partition_state

Daniel Kopecek dkopecek at redhat.com
Mon Oct 31 11:33:56 UTC 2011


Hello,

On 10/30/2011 07:45 PM, Sven Vermeulen wrote:
> I'm trying to get a test working to validate if two mount options are given
> (for instance, ensure that /tmp is mounted with nosuid and noexec). This
> works nicely when I use a generic textfilecontent54_state expression, but
> I'd like to use the partition_state information.
>
> However, I fail to be able to select the proper mount_options and I'm not
> sure how to proceed. The following is what I hope to achieve:
>
>    <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:10001" version="1" comment="The file system is tmpfs">
>      <lin-def:fs_type>TMPFS_MAGIC</lin-def:fs_type>
>      <lin-def:mount_options>nosuid</lin-def:mount_options>
>      <lin-def:mount_options>noexec</lin-def:mount_options>
>    </lin-def:partition_state>
>
> Now, I am aware that the schema doesn't allow multiple mount_options to be
> declared, although this is of course the case with most partitions (that
> multiple mount options are declared). But even using a single option to test
> (nosuid) still gives a failure.

See the attached content. I think there are several ways to 
implement the test you want in OVAL. I've used multiple states in the 
attached content, but I think it could be done using variables too.

> So, unless someone knows how to handle the mount_options variable...
>
> Is there a way for OpenSCAP to show why a failure occurred (rather than just
> that the test failed)? If I pull a report using oscap (the oval results)
> then it shows the state as having multiple "mount options" (including nosuid
> and noexec, not also "rw" and such).
>
> It would be nice if it showed something like:
>
>    "Result: fail"
>    "Reason: Got '{rw},{nosuid},{noexec}', expected 'nosuid'"

No.

Dan K.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: partition-tmp.xml
Type: text/xml
Size: 2501 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20111031/034549d8/attachment.xml>
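
An added example, not the scrubbed attachment and not code from either poster: one way to write the multiple-states approach mentioned in the reply, as a standalone OVAL 5.10 definitions file. The `oval:com.example:*` ids and the `/tmp` object are constructed; it assumes the standard OVAL `entity_check` attribute (default `all`, meaning every collected mount option must match the state value) and that a test may reference more than one state, combined with AND by default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: ids under oval:com.example are placeholders. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2011-10-31T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="compliance">
      <metadata>
        <title>/tmp is mounted with nosuid and noexec</title>
        <description>Both options must be present on the /tmp partition.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.example:tst:1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- Two states on one test: the item must satisfy both (state_operator defaults to AND). -->
    <lin-def:partition_test id="oval:com.example:tst:1" version="1" check="all"
        check_existence="at_least_one_exists" comment="/tmp has nosuid and noexec">
      <lin-def:object object_ref="oval:com.example:obj:1"/>
      <lin-def:state state_ref="oval:com.example:ste:1"/>
      <lin-def:state state_ref="oval:com.example:ste:2"/>
    </lin-def:partition_test>
  </tests>
  <objects>
    <lin-def:partition_object id="oval:com.example:obj:1" version="1">
      <lin-def:mount_point>/tmp</lin-def:mount_point>
    </lin-def:partition_object>
  </objects>
  <states>
    <!-- One option per state. entity_check="at least one" lets the state match when any
         of the collected mount_options values equals the text, instead of all of them. -->
    <lin-def:partition_state id="oval:com.example:ste:1" version="1">
      <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
    </lin-def:partition_state>
    <lin-def:partition_state id="oval:com.example:ste:2" version="1">
      <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
    </lin-def:partition_state>
  </states>
</oval_definitions>
```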

