Ubuntu 22.04 sed error when run on multiple checks #10426

Closed
modem7 opened this issue Apr 4, 2023 · 4 comments · Fixed by #10754
Labels
Ubuntu Ubuntu product related.
Comments


modem7 commented Apr 4, 2023

Description of problem:

When running the remediation script for content_rule_mount_option_home_nosuid I get the following:

sed: -e expression #1, char 35: unterminated `s' command

SCAP Security Guide Version:

CIS Ubuntu 22.04 Level 1 Server Benchmark
This baseline aligns to the Center for Internet Security
Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

Operating System Version:

Ubuntu 22.04

Steps to Reproduce:

  1. Run the code snippet from https://static.open-scap.org/ssg-guides/ssg-ubuntu2204-guide-cis_level1_server.html#xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
#!/bin/bash

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {

    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
             echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }

    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi

    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        else
            mount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Actual Results:

sed: -e expression #1, char 35: unterminated `s' command

Additional Information/Debugging Steps:

I'm also getting similar results in:

  • content_rule_mount_option_tmp_nodev
  • content_rule_mount_option_tmp_noexec
  • content_rule_mount_option_tmp_nosuid
  • content_rule_mount_option_var_log_audit_nodev
  • content_rule_mount_option_var_log_audit_noexec
  • content_rule_mount_option_var_log_audit_nosuid
  • content_rule_mount_option_var_log_nodev
  • content_rule_mount_option_var_log_noexec
  • content_rule_mount_option_var_log_nosuid
  • content_rule_mount_option_var_nodev
  • content_rule_mount_option_var_tmp_nodev
  • content_rule_mount_option_var_tmp_noexec
  • content_rule_mount_option_var_tmp_nosuid

Possibly similar to #2196?

@modem7 modem7 changed the title content_rule_mount_option_home_nosuid has sed error when run Ubuntu 22.04 sed error when run on multiple checks Apr 4, 2023
@marcusburghardt marcusburghardt added the Ubuntu Ubuntu product related. label Apr 17, 2023
@marcusburghardt
Member

@dodys

@dodys
Contributor

dodys commented Jun 5, 2023

Can you share your logs and fstab?
I cannot reproduce it locally.

@cueball23
Contributor

@dodys I can reproduce this error. My fstab:

grep /home /etc/fstab
# /home was on /dev/vg_sys/lv_home during curtin installation
/dev/disk/by-id/dm-uuid-LVM-xyz  /home ext4 defaults 0 1

previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')

evaluates to

previous_mount_opts="on
defaults"

which breaks the sed command.

In my opinion "mount_point_match_regexp" should be

mount_point_match_regexp="$(printf "[^#].*[[:space:]]%s[[:space:]]" /home)"

as this would ignore comments before the match.

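To make the failure concrete, here is an added example (not part of the issue or of the ComplianceAsCode remediation) that runs the script's lookup over a constructed fstab containing the comment line quoted above, shows the two-line previous_mount_opts the original pattern produces, confirms that sed rejects the resulting expression, and applies the [^#] prefix suggested here. FSTAB_SAMPLE and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed fstab content (not from a real host): a comment line mentions
# /home before the real entry, the same layout reported in this issue.
FSTAB_SAMPLE='# /home was on /dev/vg_sys/lv_home during curtin installation
/dev/disk/by-id/dm-uuid-LVM-xyz  /home ext4 defaults 0 1
UUID=placeholder-root  /  ext4 errors=remount-ro 0 1'

# Lookup as written in the remediation script: the pattern also matches the
# comment line, so awk prints two fields ("on" and "defaults").
orig_mount_opts() {
    re="$(printf "[[:space:]]%s[[:space:]]" "$1")"
    printf '%s\n' "$FSTAB_SAMPLE" | grep "$re" | awk '{print $4}'
}

# Lookup with the suggested [^#] prefix: a line whose first character is '#'
# no longer matches, so only the real entry's options are returned.
fixed_mount_opts() {
    re="$(printf "[^#].*[[:space:]]%s[[:space:]]" "$1")"
    printf '%s\n' "$FSTAB_SAMPLE" | grep "$re" | awk '{print $4}'
}

# Feed the script's s||| expression to sed on stdin (no -i) with the given
# previous options; prints "yes" if sed accepted the expression and "no" if
# it failed (a newline inside $2 produces "unterminated `s' command").
sed_accepts() {
    re="$(printf "[[:space:]]%s[[:space:]]" "$1")"
    if printf '%s\n' "$FSTAB_SAMPLE" | sed "s|\(${re}.*${2}\)|\1,nosuid|" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Full corrected path: look up the options with the [^#] pattern, append
# nosuid the way the script does, and print the resulting /home line.
apply_nosuid() {
    re="$(printf "[^#].*[[:space:]]%s[[:space:]]" "$1")"
    opts="$(fixed_mount_opts "$1")"
    printf '%s\n' "$FSTAB_SAMPLE" | sed "s|\(${re}.*${opts}\)|\1,nosuid|" | grep "$re"
}

orig_mount_opts /home   # two lines: "on" and "defaults"
fixed_mount_opts /home  # one line: "defaults"
apply_nosuid /home
```

The suggested pattern is not anchored with ^, so it only rejects lines whose very first character is '#'; a comment indented with leading whitespace that mentions the mount point would still match.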
@dodys

dodys commented Jun 26, 2023

> @dodys I can reproduce this error. My fstab:
>
> grep /home /etc/fstab
> # /home was on /dev/vg_sys/lv_home during curtin installation
> /dev/disk/by-id/dm-uuid-LVM-xyz  /home ext4 defaults 0 1
>
> previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') evaluates to
>
> previous_mount_opts="on
> defaults"
>
> thus breaks the sed command.
>
> In my opinion "mount_point_match_regexp" should be
>
> mount_point_match_regexp="$(printf "[^#].*[[:space:]]%s[[:space:]]" /home)"
>
> as this would ignore comments before the match.

Thanks @cueball23
I've created a PR with your suggested fix.

@Mab879 Mab879 added this to the 0.1.69 milestone Jun 28, 2023
wokis pushed a commit to wokis/ComplianceAsCode that referenced this issue Jul 7, 2023