Mountpoint settings always skipped for /dev/shm in RHEL-08-040120 - 040122

[derekbentson]

Describe the Issue
The mount settings for /dev/shm in the checks for RHEL-08-040120 – 040122 are not being set on our target RHEL8 VMs. The /dev/shm mount is not included in the ansible_facts.mounts list, so this check is always skipped.

Expected Behavior
It is expected that the /dev/shm is found as a mountpoint, and the nodev,nosuid,noexec options are applied to it.

Actual Behavior
The issue is with the block starting on line 6174 of fix-cat2.yml, where the procedure loops through ansible_facts.mounts:

        loop: "{{ ansible_facts.mounts }}"
        when:
            - item.mount == '/dev/shm'
            - rhel8stig_040120_dev_shm_status.stdout | length > 0

But the /dev/shm mountpoint is not included in the ansible_facts.mounts variable on our target machines, so we observe that this check is skipped because there are no matching mountpoints.
To check the mounts found by the ansible_facts module, I ran this command against my test VM and verified that /dev/shm is missing:
ansible testhost -m setup -a “filter=ansible_mounts”

It appears that ansible_facts only gathers disk mounts, and there are a whole bunch of other system mounts present with the mount command that ansible_mounts does not include.

Control(s) Affected
RHEL-08-040120, RHEL-08-040121, RHEL-08-040122

Environment (please complete the following information):

• branch being used: main, Release 3.3.3, STIG V1R13 release
• Ansible Version: 2.16.3
• Host Python Version: 3.12.8
• Ansible Server Python Version: 3.12.8
• Additional Details: Target OS is RHEL 8.10 (Ootpa)

Possible Solution
Because it appears that the issue is that the ansible built-in module intentionally omits system mountpoints such as /dev/shm, this section of the script should be rewritten to not utilize that module.

The Facter fact-gathering module does find the /dev/shm mountpoint, it is gathered as part of the “facter_mountpoints” variable:
ansible testhost -m setup -a “filter=facter_mountpoints”
The facter discovery module is included in the community.general collection, which is listed as a dependency of this project, so utilizing that set of mountpoints gathered by facter could be a solution.

Alternately, the script could be rewritten to utilize standard shell commands for parsing the mountpoint.

[uk-bolly]

Hi @derekbentson

Thank you for taking the time to raise this issue. The fix has now been merged into the main branch.

Many thanks

uk-bolly