Search for SUID extends to NFS mount directories

[tedunder237]

Describe the Issue
Our systems automount home directories which are listed to be searched for SUID exec. First, this is probably not the intent of the code since in 6.1.12 task the --local flag is used in df, and second the find command is taking a long time to run. Also suspect the CIS guidelines is to only perform checks on local filesystems.

Expected Behavior
Task should only include local filesystems

Actual Behavior
Task is including all found filesystems include NFS mounts

Control(s) Affected
6.1.13, 6.1.14

Environment (please complete the following information):

• branch being used: 1.3.1
• Ansible Version: 2.4.19
• Host Python Version: 3.9.18
• Additional Details: Rocky 9

Possible Solution
Add the local flag to df to prevent including external filesystems tasks/section_6/cis_6.1.x.yml

For 6.1.13, line 261, add flag:
ansible.builtin.shell: df {{ item.mount }} --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
For 6.1.14, line line 304, add flag:
ansible.builtin.shell: df {{ item.mount }} --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000

Tested on Rocky 9

[uk-bolly]

hi @tedunder237

You should find this has been released to both devel a while ago and main over the last week. I will therefore close this issue, please reopen if you still experience the same issue.

many thanks

uk-bolly