Description of problem:
Sometimes, when remediating the rule, the system fails to reboot with:

```
[ 5.330253] systemd[1]: Mounting /efi...
[ 5.655505] FAT-fs (xvda2): Unrecognized mount option "fd=48" or missing value
[ 5.366304] mount[537]: mount: /efi: wrong fs type, bad option, bad superblock on /dev/xvda2, missing codepage or helper program, or other error.
[ 5.369516] systemd[1]: efi.mount: Mount process exited, code=exited, status=32/n/a
[ 5.370832] systemd[1]: efi.mount: Failed with result 'exit-code'.
[ 5.373153] systemd[1]: Failed to mount /efi.
```

due to this newly added /etc/fstab entry:

```
/dev/xvda2 /efi vfat defaults,relatime,fd=48,pgrp=1,timeout=120,minproto=5,maxproto=5,direct,pipe_ino=15005,nodev 0 0
```
The remediation uses findmnt to iterate over every filesystem it finds and adds a new entry to /etc/fstab for each one. Typically, /efi is an autofs type:

```
systemd-1 on /efi type autofs (rw,relatime,fd=46,pgrp=1,timeout=120,minproto=5,maxproto=5,direct,pipe_ino=15005)
```

so it is excluded by the remediation's hardcoded list of filesystem types:

```bash
# Define excluded non-local file systems
excluded_fstypes=(
afs
autofs
ceph
...
```
and replacing the `{{{ bash_... }}}` lines in https://github.com/ComplianceAsCode/content/blob/5c7b63ed27ba3d85591561e2fbf21e386e346b9e/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh with a simple `echo "$mount_point" ,, "$MOUNT_OPTION" ,, "$device" ,, "$device_type"` confirms this works as expected:

```
# bash remediation.sh
/boot ,, nodev ,, /dev/xvda3 ,, xfs
/boot/efi ,, nodev ,, /dev/xvda2 ,, vfat
```
BUT autofs just means the filesystem gets mounted on demand when it is accessed, so if we access it first and then run the remediation:

```
# ls /efi
EFI
# bash remediation.sh
/boot ,, nodev ,, /dev/xvda3 ,, xfs
/boot/efi ,, nodev ,, /dev/xvda2 ,, vfat
/efi ,, nodev ,, /dev/xvda2 ,, vfat
```

we see that it found the real non-autofs mountpoint:

```
# mount | grep efi
systemd-1 on /efi type autofs (rw,relatime,fd=46,pgrp=1,timeout=120,minproto=5,maxproto=5,direct,pipe_ino=15005)
/dev/xvda2 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
/dev/xvda2 on /efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
```
Presumably, we don't want to remediate and hard-mount autofs-based mountpoints.
So please either hardcode an exclusion for /efi into the remediation(s), or double check whether there's an autofs entry for the same mountpoint and if so, don't remediate the real mount.
(Alternatively, don't ever add new mountpoints to /etc/fstab that don't already exist - only add nodev to existing ones, as adding new ones can probably break more stuff.)
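To illustrate the second option above (skip a real mount whenever an autofs entry exists for the same target), here is an added example that is not the ComplianceAsCode remediation itself. It operates on constructed findmnt-style `TARGET SOURCE FSTYPE` lines instead of calling findmnt, and the excluded-fstype list is a constructed subset of the real one.

```shell
# Constructed sample of `findmnt -n -o TARGET,SOURCE,FSTYPE` output, taken
# after /efi has been accessed so the real vfat mount sits under the autofs one.
SAMPLE_MOUNTS='/ /dev/xvda4 xfs
/boot /dev/xvda3 xfs
/boot/efi /dev/xvda2 vfat
/efi systemd-1 autofs
/efi /dev/xvda2 vfat
/proc proc proc'

# Constructed subset of the remediation's hardcoded excluded non-local fs types.
excluded_fstypes="afs autofs ceph proc"

# Returns 0 when $1 is one of the excluded filesystem types.
is_excluded_fstype() {
    case " $excluded_fstypes " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Prints "target,,source,,fstype" for each mount that is a safe candidate for a
# new nodev entry. A target that also appears with fstype autofs is managed by
# systemd on demand, so its real mount is skipped rather than hard-mounted.
candidate_mounts() {
    mounts=$1
    # Targets that have an autofs entry; any other mount on them is shadowed.
    autofs_targets=$(printf '%s\n' "$mounts" | awk '$3 == "autofs" {print $1}')
    printf '%s\n' "$mounts" | while read -r target source fstype; do
        [ -z "$target" ] && continue
        [ "$target" = "/" ] && continue              # rule is for non-root partitions
        is_excluded_fstype "$fstype" && continue
        if printf '%s\n' "$autofs_targets" | grep -qx -- "$target"; then
            continue                                  # autofs-backed: leave it alone
        fi
        printf '%s,,%s,,%s\n' "$target" "$source" "$fstype"
    done
}

candidate_mounts "$SAMPLE_MOUNTS"
```

With the sample above only /boot and /boot/efi are printed; /efi is dropped even though its vfat mount is visible.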
SCAP Security Guide Version:
master @ 5c7b63e
Operating System Version:
RHEL-9 on UEFI systems
(but it can probably be reproduced on other RHELs; we just haven't hit it due to the specific order in which the remediation scripts run)
Steps to Reproduce:

```
ls /efi
oscap xccdf eval --remediate --profile stig --results-arf arf.xml build/ssg-rhel9-ds.xml
```