Open
Description
Description of problem:
The Ansible remediation for mount options (specifically mount_option_boot_noexec and mount_option_boot_nosuid) fails on Debian 13. The logic in the shared/templates/mount_option/ansible.template used to create the mount_info dictionary is flawed. It uses with_together on a string that is not being correctly interpreted as a list, causing Ansible to iterate over individual characters (e.g., item=['t', 'ext4']) instead of space-delimited words. This results in a malformed or empty mount_info variable, preventing the subsequent line-in-file tasks from executing correctly.
SCAP Security Guide Version:
0.1.79
Operating System Version:
Debian 13 "trixie"
Steps to Reproduce:
- Build the SCAP content for Debian 13 from source.
- Generate an Ansible remediation playbook for the ANSSI BP-028 profile (e.g., ansible-playbook -i localhost, anssi-bp028-remediation.yml).
- Observe the output of the task: Add nosuid Option to /boot: Create mount_info dictionary variable.
Actual Results:
TASK [Add nosuid Option to /boot: Create mount_info dictionary variable] *****************************************************************************************************************
[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin: ./anssi-bp028-remediation.yml:11041:9
11039 - '{{ device_name.stdout_lines[1].split() | list }}'
11040 when:
11041 - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
^ column 9
Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.
ok: [127.0.0.1] => (item=['[', '/boot'])
ok: [127.0.0.1] => (item=["'", 'UUID=93bd4547-e832-4439-af2d-67f1aa35d1d2'])
ok: [127.0.0.1] => (item=['t', 'ext4'])
ok: [127.0.0.1] => (item=['a', 'nodev,nosuid,noexec'])
ok: [127.0.0.1] => (item=['r', None])
ok: [127.0.0.1] => (item=['g', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['u', None])
ok: [127.0.0.1] => (item=['r', None])
ok: [127.0.0.1] => (item=['c', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['f', None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=['y', None])
ok: [127.0.0.1] => (item=['p', None])
ok: [127.0.0.1] => (item=['e', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[',', None])
ok: [127.0.0.1] => (item=[' ', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['p', None])
ok: [127.0.0.1] => (item=['t', None])
ok: [127.0.0.1] => (item=['i', None])
ok: [127.0.0.1] => (item=['o', None])
ok: [127.0.0.1] => (item=['n', None])
ok: [127.0.0.1] => (item=['s', None])
ok: [127.0.0.1] => (item=["'", None])
ok: [127.0.0.1] => (item=[']', None])
Expected Results:
TASK [Add noexec Option to /tmp: Create mount_info dictionary variable] ******************************************************************************************************************
[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin: /home/tom/build/bu-trixie-ansible/playbooks/anssi-bp028-remediation.yml:11881:9
11879 - '{{ device_name.stdout_lines[1].split() | list }}'
11880 when:
11881 - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
^ column 9
Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.
[DEPRECATION WARNING]: INJECT_FACTS_AS_VARS default to `True` is deprecated, top-level facts will not be auto injected after the change. This feature will be removed from ansible-core v.
Origin: /home/tom/build/bu-trixie-ansible/playbooks/anssi-bp028-remediation.yml:11885:9
11883 and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
11884 ["docker", "lxc", "openvz", "podman", "container"] ) )
11885 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
^ column 9
Use `ansible_facts["fact_name"]` (no `ansible_` prefix) instead.
skipping: [127.0.0.1]
Additional Information/Debugging Steps:
Fixed with:
- "{{ device_name.stdout_lines[0].split() | map('lower') | list }}"
- "{{ device_name.stdout_lines[1].split() }}"
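The pairing behaviour reported above, modelled in Python as an added example (not code from ComplianceAsCode/content or the issue author). It assumes `with_together` pairs items positionally and pads the shorter side with None, as the `None` items in the output suggest; the findmnt-style stdout lines and the UUID are constructed placeholders.

```python
"""Model of the mount_info loop from the mount_option Ansible template,
showing why a stringified header list yields character-by-character pairs."""
from itertools import zip_longest

# Constructed stand-in for device_name.stdout_lines: header row, then /boot row.
# The UUID is a placeholder, not a value from the report.
STDOUT_LINES = [
    "TARGET SOURCE FSTYPE OPTIONS",
    "/boot UUID=00000000-0000-0000-0000-000000000000 ext4 nodev,nosuid,noexec",
]


def with_together(keys, values):
    """Positional pairing with None padding, assumed to mirror with_together."""
    return list(zip_longest(keys, values))


def build_mount_info(keys, values):
    """Fold the pairs into one dictionary, as the template's combine() step does."""
    info = {}
    for key, value in with_together(keys, values):
        info[key] = value
    return info


def flawed_pairs(stdout_lines):
    """Flawed case: the lowercased header list reaches the loop as its string
    representation, so each iteration sees one character, not one word."""
    keys = str([w.lower() for w in stdout_lines[0].split()])
    return with_together(keys, stdout_lines[1].split())


def flawed_mount_info(stdout_lines):
    """Dictionary produced from the character pairs: no usable 'options' key."""
    keys = str([w.lower() for w in stdout_lines[0].split()])
    return build_mount_info(keys, stdout_lines[1].split())


def fixed_mount_info(stdout_lines):
    """Fixed case: both sides are real lists, so header words line up with values."""
    keys = [w.lower() for w in stdout_lines[0].split()]
    return build_mount_info(keys, stdout_lines[1].split())


def has_option(mount_info, option):
    """What the follow-up tasks need to know: is the mount option already present?"""
    return option in (mount_info.get("options") or "").split(",")
```

With the flawed input the third pair is `('t', 'ext4')`, exactly as in the task output, and `has_option(..., "nosuid")` is False even though /boot already carries nosuid.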