diff --git a/linux_os/guide/system/permissions/partitions/group.yml b/linux_os/guide/system/permissions/partitions/group.yml
index 6771fb42db6..4d9cbc3d3f3 100644
--- a/linux_os/guide/system/permissions/partitions/group.yml
+++ b/linux_os/guide/system/permissions/partitions/group.yml
@@ -7,3 +7,5 @@ description: |-
 that limit what files on those partitions can do. These options are set in the /etc/fstab configuration file, and can be used to make certain types of malicious behavior more difficult.
+
+platform: not container and not bootc
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
index cd07e93340a..87623a39c8c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
@@ -28,7 +28,7 @@ references:
 stigid@ol8: OL08-00-010572
 stigid@rhel8: RHEL-08-010572
-platform: machine and uefi
+platform: uefi
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
index 8b98d3df553..38fc986f49e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml
@@ -22,7 +22,6 @@ identifiers:
 cce@rhel8: CCE-83345-9
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
index c42e1654563..8e8d2b85353 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
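Review bot: The new group-level `platform: not container and not bootc` becomes the sole applicability guard for every mount-option rule below it, since each rule drops its own `platform: machine` elsewhere in this commit, and nothing near the key records that. Rules that keep a platform of their own (`uefi`, `mount[home]`, …) do not opt back in — in XCCDF a rule's platform is combined with, not substituted for, the enclosing group's — so a comment stating the inheritance would stop someone re-adding `machine` per rule or expecting a rule-level override; suggested line above the key: `# Inherited by every rule in this group; rule-level platforms only narrow it further.` I also cannot see from the diff whether the old `machine` CPE tested anything beyond "not a container" (the bootc CPE touched in this commit, for instance, also requires a kernel package), so it is worth confirming that `not container` is an equivalent gate before relying on it.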
@@ -31,7 +31,6 @@ references:
 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
 srg: SRG-OS-000368-GPOS-00154
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
index 8926b65397c..cbd94166472 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
@@ -24,7 +24,6 @@ identifiers:
 cce@sle12: CCE-91541-3
 cce@sle15: CCE-91234-5
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index a6727c94ade..ab03c0740d3 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -33,7 +33,6 @@ references:
 stigid@ol8: OL08-00-010571
 stigid@rhel8: RHEL-08-010571
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index a29bff32dda..a719912d925 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol8: OL08-00-040120
 stigid@rhel8: RHEL-08-040120
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 4994a966861..7db04406610 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -46,7 +46,6 @@ references:
 stigid@ol8: OL08-00-040122
 stigid@rhel8: RHEL-08-040122
-platform: machine
 fixtext: |-
 {{{ fixtext_mount_option("/dev/shm", "noexec") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index 84e40b798be..489b8d49075 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol8: OL08-00-040121
 stigid@rhel8: RHEL-08-040121
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
index 32c801c5520..06f224b6521 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
@@ -48,13 +48,12 @@ warnings:
 {{% endif %}}
 {{% if "ol" in product %}}
-platform: machine
 template:
 name: mount_option_home
 vars:
 mountoption: grpquota
 {{% else %}}
-platform: machine and mount[home]
+platform: mount[home]
 template:
 name: mount_option
 vars:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index 275252fa319..1c9cacb28d1 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -36,7 +36,7 @@ references:
 disa: CCI-001764
 srg: SRG-OS-000368-GPOS-00154
-platform: machine and mount[home]
+platform: mount[home]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
index 6dc6c6256a5..6890b0be528 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
@@ -29,7 +29,6 @@ references:
 stigid@ol8: OL08-00-010590
 stigid@rhel8: RHEL-08-010590
-platform: machine
 {{{ complete_ocil_entry_mount_option("/home", "noexec") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index a85068edf41..3e6f52571eb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -49,14 +49,13 @@ fixtext: |-
 srg_requirement: '{{{ srg_requirement_mount_option("/home", "nosuid") }}}'
 {{% if "ol" not in product %}}
-platform: machine and mount[home]
+platform: mount[home]
 template:
 name: mount_option
 vars:
 mountpoint: /home
 mountoption: nosuid
 {{% else %}}
-platform: machine
 warnings:
 - functionality: |-
 OVAL looks for partitions whose mount point is a substring of any interactive user's home
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
index b952496bd88..b70f1a62eaf 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
@@ -48,13 +48,12 @@ warnings:
 {{% endif %}}
 {{% if "ol" in product %}}
-platform: machine
 template:
 name: mount_option_home
 vars:
 mountoption: usrquota
 {{% else %}}
-platform: machine and mount[home]
+platform: mount[home]
 template:
 name: mount_option
 vars:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index 4eefec1d656..d40dfb95b6b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -47,7 +47,6 @@ references:
 stigid@ol8: OL08-00-010580
 stigid@rhel8: RHEL-08-010580
-platform: machine
 fixtext: |-
 Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index de840af4ecb..8022a01641b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol8: OL08-00-010600
 stigid@rhel8: RHEL-08-010600
-platform: machine
 ocil_clause: 'a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 33a8c1a7ea8..ad918962240 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -54,7 +54,6 @@ fixtext: |-
 srg_requirement: '{{{ full_name }}} must prevent code from being executed on file systems that are used with removable media.'
-platform: machine
 template:
 name: mount_option_removable_partitions
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index 847ecc29632..f409eaabef8 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -47,7 +47,6 @@ references:
 stigid@sle12: SLES-12-010800
 stigid@sle15: SLES-15-040150
-platform: machine
 ocil_clause: 'file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
index 7b6e66455fd..d5493739a92 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle12: CCE-91584-3
 cce@sle15: CCE-91270-9
-platform: machine and mount[opt]
+platform: mount[opt]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
index 8c6f6be47cf..a018658fea5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml
@@ -39,7 +39,6 @@ identifiers:
 cce@rhel9: CCE-85883-7
-platform: machine
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
index fe6ad15a2f3..f5f66509d8a 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle12: CCE-91585-0
 cce@sle15: CCE-91271-7
-platform: machine and mount[srv]
+platform: mount[srv]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 7594876035f..dc812a92e9e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -43,7 +43,7 @@ references:
 stigid@ol8: OL08-00-040123
 stigid@rhel8: RHEL-08-040123
-platform: machine and mount[tmp]
+platform: mount[tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 9a05c8cee85..46aedbad421 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -42,7 +42,7 @@ references:
 stigid@ol8: OL08-00-040125
 stigid@rhel8: RHEL-08-040125
-platform: machine and mount[tmp]
+platform: mount[tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index ec91cda40d2..3a16538b1b4 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -43,7 +43,7 @@ references:
 stigid@ol8: OL08-00-040124
 stigid@rhel8: RHEL-08-040124
-platform: machine and mount[tmp]
+platform: mount[tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index 1f93eb6f99f..1a14ae6615e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -34,7 +34,7 @@ references:
 stigid@ol8: OL08-00-040129
 stigid@rhel8: RHEL-08-040129
-platform: machine and mount[var-log-audit]
+platform: mount[var-log-audit]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index ee95bfed84a..12fd9b470b6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -32,7 +32,7 @@ references:
 stigid@ol8: OL08-00-040131
 stigid@rhel8: RHEL-08-040131
-platform: machine and mount[var-log-audit]
+platform: mount[var-log-audit]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index ee46895d9ff..06d864887ed 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -33,7 +33,7 @@ references:
 stigid@ol8: OL08-00-040130
 stigid@rhel8: RHEL-08-040130
-platform: machine and mount[var-log-audit]
+platform: mount[var-log-audit]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index d80bf759136..442b0a1e199 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -34,7 +34,7 @@ references:
 stigid@ol8: OL08-00-040126
 stigid@rhel8: RHEL-08-040126
-platform: machine and mount[var-log]
+platform: mount[var-log]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 31ca08db718..e827606dd2a 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -34,7 +34,7 @@ references:
 stigid@ol8: OL08-00-040128
 stigid@rhel8: RHEL-08-040128
-platform: machine and mount[var-log]
+platform: mount[var-log]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 5421cacec63..c83aad9076c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -35,7 +35,7 @@ references:
 stigid@ol8: OL08-00-040127
 stigid@rhel8: RHEL-08-040127
-platform: machine and mount[var-log]
+platform: mount[var-log]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
index 01b23f208c6..5eccd2f4af7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
@@ -32,7 +32,7 @@ references:
 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
 srg: SRG-OS-000368-GPOS-00154
-platform: machine and mount[var]
+platform: mount[var]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
index 620c629e195..1900132c63d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle12: CCE-91590-0
 cce@sle15: CCE-91276-6
-platform: machine and mount[var]
+platform: mount[var]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
index cbb3c43857b..7455172ff36 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
@@ -26,7 +26,7 @@ references:
 severity: medium
-platform: machine and mount[var]
+platform: mount[var]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
index 3cb6ff2a449..d68320bd0e6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -27,4 +27,4 @@ references:
 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
 nist-csf: PR.IP-1,PR.PT-3
-platform: machine and mount[var-tmp]
+platform: mount[var-tmp]
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index bdd7e10e243..50d6983342c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -36,8 +36,7 @@ references:
 stigid@ol8: OL08-00-040132
 stigid@rhel8: RHEL-08-040132
-platforms:
- - machine and mount[var-tmp]
+platform: mount[var-tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 3c76c9fd6ec..86ee150563c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -36,7 +36,7 @@ references:
 stigid@ol8: OL08-00-040134
 stigid@rhel8: RHEL-08-040134
-platform: machine and mount[var-tmp]
+platform: mount[var-tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index d594413c3c1..10058289965 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -36,7 +36,7 @@ references:
 stigid@ol8: OL08-00-040133
 stigid@rhel8: RHEL-08-040133
-platform: machine and mount[var-tmp]
+platform: mount[var-tmp]
 template:
 name: mount_option
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 691dbc954fa..dcd2011ed63 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -101,7 +101,6 @@ ocil: |-
 The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
-platform: machine
 fixtext: |-
 Configure {{{ full_name }}} to prevent unauthorized modification of all information at rest by using disk encryption.
diff --git a/linux_os/guide/system/software/disk_partitioning/group.yml b/linux_os/guide/system/software/disk_partitioning/group.yml
index b4dc99a33a2..426bff4375c 100644
--- a/linux_os/guide/system/software/disk_partitioning/group.yml
+++ b/linux_os/guide/system/software/disk_partitioning/group.yml
@@ -25,3 +25,5 @@ description: |-
 scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible.
+
+platform: not container and not bootc
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
index 34bba8f32f7..01c898effa8 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml
@@ -16,7 +16,6 @@ rationale: |-
 severity: medium
-platform: machine
 identifiers:
 cce@rhel8: CCE-83336-8
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
index 102d2df72c7..c921b84c80c 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
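Review bot: The group-level `not bootc` added to disk_partitioning/group.yml also fences off `encrypt_partitions`, whose own `platform: machine` is removed in the hunk just above, so bootc hosts will report the disk-encryption check as notapplicable instead of evaluating it. That looks broader than what the group's description is about (separate partitions and LVM layout): an image-based host still has real block devices that may or may not be LUKS-backed, and a rule cannot widen its enclosing group's platform from inside. If skipping encryption on bootc is intended, record it next to the key, e.g. `# bootc excluded: the partition layout is owned by the image, not /etc/fstab; note this also covers encrypt_partitions`; otherwise encrypt_partitions should live under a platform that only excludes containers.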
@@ -35,7 +35,6 @@ references:
 fixtext: '{{{ fixtext_separate_partition(part="/dev/shm") }}}'
-platform: machine
 warnings:
 - general: |-
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
index 98341adcfff..44f415f0570 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
@@ -52,7 +52,6 @@ fixtext: |-
 srg_requirement: 'A separate {{{ full_name }}} filesystem must be used for user home directories (such as /home or an equivalent).'
-platform: machine
 template:
 name: mount
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
index 17829e75f42..20a2f2d614a 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml
@@ -15,7 +15,6 @@ rationale: |-
 severity: medium
-platform: machine
 identifiers:
 cce@rhel8: CCE-83340-0
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
index e76e606f629..871ce4fc85e 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: unknown
-platform: machine
 identifiers:
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
index 5b787ebfc5c..4ac7375e068 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
@@ -45,7 +45,6 @@ fixtext: '{{{ fixtext_separate_partition(part="/tmp") }}}'
 srg_requirement: '{{{ srg_requirement_separate_partition("/tmp") }}}'
-platform: machine
 template:
 name: mount
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
index 47038641b29..7157aa17531 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml
@@ -14,7 +14,6 @@ rationale: |-
 severity: medium
-platform: machine
 identifiers:
 cce@rhel8: CCE-83343-4
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
index adaabdd03b5..509a3ae7e7e 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
@@ -50,7 +50,6 @@ fixtext: '{{{ fixtext_separate_partition(part="/var") }}}'
 srg_requirement: '{{{ srg_requirement_separate_partition("/var") }}}'
-platform: machine
 template:
 name: mount
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index 93a76085a3a..2aa64e3b092 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -46,7 +46,6 @@ fixtext: '{{{ fixtext_separate_partition(part="/var/log") }}}'
 srg_requirement: '{{{ srg_requirement_separate_partition("/var/log") }}}'
-platform: machine
 # (jhrozek): at the moment, the mount probe checks the /proc filesystem
 # even if openscap looks at a chroot, which doesn't allow to check for
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index b0301c09dbf..1cbfe4024ad 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -58,7 +58,6 @@ fixtext: |-
 srg_requirement: |-
 {{{ full_name }}} must use a separate file system for the system audit data path.
-platform: machine
 # (jhrozek): at the moment, the mount probe checks the /proc filesystem
 # even if openscap looks at a chroot, which doesn't allow to check for
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 17b47564d36..0fe3f728af8 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -40,7 +40,6 @@ fixtext: '{{{ fixtext_separate_partition(part="/var/tmp") }}}'
 srg_requirement: '{{{ srg_requirement_separate_partition("/var/tmp") }}}'
-platform: machine
 template:
 name: mount
diff --git a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
index 73f7e4b265c..6f6532637e1 100644
--- a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
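Review bot: With `platform: machine` removed from partition_for_var_log (and, in the next hunk, partition_for_var_log_audit), the `# (jhrozek): at the moment, the mount probe checks the /proc filesystem even if openscap looks at a chroot …` comment that follows is left describing a limitation with no platform line beside it; the comment continues past the end of the hunk, so I cannot see whether it ever referred to the `machine` restriction or only to offline scanning of the mount probe. If it was the rationale for the old platform, it now belongs next to the group-level platform in disk_partitioning/group.yml; if not, a one-line pointer such as `# Applicability is now set on the disk_partitioning group; the chroot caveat below concerns the mount probe only.` keeps the two from drifting apart.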
+++ b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
@@ -26,7 +26,6 @@ ocil: |-
 ocil_clause: "the tmp.mount unit is masked or disabled"
-platform: machine
 template:
 name: systemd_mount_enabled
diff --git a/shared/applicability/bootc.yml b/shared/applicability/bootc.yml
index e651ae954bf..edc7d5067ad 100644
--- a/shared/applicability/bootc.yml
+++ b/shared/applicability/bootc.yml
@@ -15,5 +15,5 @@ title: Bootable containers
 # containers don't contain kernel.
 # check_id: bootc
-bash_conditional: "{ rpm --quiet -q kernel } && { rpm --quiet -q rpm-ostree } && { rpm --quiet -q bootc }"
+bash_conditional: "{ rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;}"
 ansible_conditional: '"kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages'
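Review bot: The `;}` fix in `bash_conditional` is right — bash only recognizes `}` as a group terminator at the start of a command, so the old `{ rpm --quiet -q kernel }` handed a literal `}` to rpm and the group never closed — but three brace groups are more syntax than this check needs, and they are exactly what got mis-terminated the first time. `rpm -q` takes several package names and exits non-zero when any of them is missing, so `bash_conditional: "rpm --quiet -q kernel rpm-ostree bootc"` expresses the same condition with nothing left to forget a `;` on. If the separate groups are deliberate (for instance to mirror the three clauses of the `ansible_conditional` one-for-one), a short comment saying so would stop the next reader from collapsing them.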