From 00ab71cc2ed606f0e6f5e59b9d360f0be6f525f5 Mon Sep 17 00:00:00 2001
From: samson
Date: Thu, 6 Dec 2018 14:45:31 +0800
Subject: [PATCH] Fix some bugs for mount options of tmp partition
---
 bin/hardening/2.2_tmp_nodev.sh | 32 ++++++++++--
 bin/hardening/2.3_tmp_nosuid.sh | 86 +++++++++++++++---------------
 bin/hardening/2.4_tmp_noexec.sh | 92 +++++++++++++++++----------------
 3 files changed, 121 insertions(+), 89 deletions(-)
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index 1c0a6e5..18cfe8f 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -22,7 +22,6 @@ SERVICENAME="tmp.mount"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying that $PARTITION is a partition/filesystem"
 FNRET=0
 #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
@@ -32,7 +31,14 @@ audit () {
 has_mount_option $PARTITION $OPTION
 if [ $FNRET -eq 0 ]; then
 ok "$PARTITION has $OPTION in fstab"
- FNRET=0
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=4
+ else
+ ok "$PARTITION mounted with $OPTION"
+ FNRET=0
+ fi
 else
 crit "$PARTITION has no option $OPTION in fstab!"
 FNRET=1
@@ -46,7 +52,14 @@ audit () {
 FNRET=3
 else
 ok "$PARTITION has $OPTION in systemd service"
- FNRET=0
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=5
+ else
+ ok "$PARTITION mounted with $OPTION"
+ FNRET=0
+ fi
 fi
 else
 crit "$TMPMOUNTO is not exist!"
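Review bot: In the fstab branch of the second hunk the audit settles on `ok` as soon as `has_mount_option` and `has_mounted_option` both pass, without looking at whether a `tmp.mount` unit also exists, although the comment kept as context above it (`#If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist`) says that unit gets disabled and no line in this file does so. An enabled unit in the systemd unit path can take precedence over the fstab entry at the next boot, so a host can pass this check today and come back up without `$OPTION`. Either add a `[ -e $SERVICEPATH ]` warning in that branch or reword the comment to what the code actually does. The same warn/ok block, with code 5 instead of 4, is repeated verbatim in the third hunk and again in the 2.3 and 2.4 audit hunks; a helper taking the failure code as its argument would keep the copies in step. The enclosing `audit` body extends past these hunks.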
@@ -72,9 +85,20 @@ apply () {
 remount_partition $PARTITION
 fi
 elif [ $FNRET = 3 ]; then
- info "Remounting $PARTITION from systemd"
+ info "Adding $OPTION to systemd"
 add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
 remount_partition_by_systemd $SERVICENAME $PARTITION
+ elif [ $FNRET = 4 ]; then
+ info "Remounting $PARTITION from fstab"
+ is_mounted $PARTITION
+ if [ $FNRET = 1 ]; then
+ mount $PARTITION
+ else
+ remount_partition $PARTITION
+ fi
+ elif [ $FNRET = 5 ]; then
+ info "Remounting $PARTITION from systemd"
+ remount_partition_by_systemd $SERVICENAME $PARTITION
 fi
 }
diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh
index f4dc647..b90deb2 100755
--- a/bin/hardening/2.3_tmp_nosuid.sh
+++ b/bin/hardening/2.3_tmp_nosuid.sh
@@ -1,11 +1,12 @@
 #!/bin/bash
 #
- # harbian audit 7/8/9 Hardening
+ # harbian audit Debian 7/8/9 Hardening
+ # Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
- # 2.3 Set nosuid option for /tmp filesystem/Partition (Scored)
+ # 2.3 Set nosuid option for /tmp Partition/filesystem (Scored)
 #
 set -e # One error, it's over
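Review bot: The new `elif [ $FNRET = 4 ]` branch repeats the `is_mounted` / `mount` / `remount_partition` sequence whose tail (`remount_partition $PARTITION` / `fi`) is the context at the top of this hunk, and the 2.3 and 2.4 apply hunks add the same sequence twice more each. A helper such as `mount_or_remount() { is_mounted "$1"; if [ $FNRET = 1 ]; then mount "$1"; else remount_partition "$1"; fi; }` would replace all five copies and quote the partition path once. As far as this hunk shows, the chain has no branch for `FNRET=2` (the `$TMPMOUNTO is not exist!` finding the audit now raises), so apply() appears to do nothing for a missing unit file; the head of the chain is outside the hunk, so it may be handled there. The enclosing `apply` function starts before this hunk.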
@@ -21,52 +22,48 @@ SERVICENAME="tmp.mount"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying that $PARTITION is a filesystem/partition"
+ info "Verifying that $PARTITION is a partition/filesystem"
 FNRET=0
- is_debian_9
- if [ $FNRET -gt 0 ]; then
- is_a_partition "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not a partition"
- FNRET=2
- else
- ok "$PARTITION is a partition"
- has_mount_option $PARTITION $OPTION
+ #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
+ is_a_partition "$PARTITION"
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION has $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
- FNRET=1
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=4
 else
- ok "$PARTITION has $OPTION in fstab"
- has_mounted_option $PARTITION $OPTION
- if [ $FNRET -gt 0 ]; then
- warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
- else
- ok "$PARTITION mounted with $OPTION"
- fi
- fi
- fi
+ ok "$PARTITION mounted with $OPTION"
+ FNRET=0
+ fi
+ else
+ crit "$PARTITION has no option $OPTION in fstab!"
+ FNRET=1
+ fi
 else
- is_mounted "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not mounted"
- FNRET=4
- else
+ warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
+ if [ -e $SERVICEPATH ]; then
 has_mount_option_systemd $SERVICEPATH $OPTION
 if [ $FNRET -gt 0 ]; then
 crit "$PARTITION has no option $OPTION in systemd service!"
- FNRET=5
+ FNRET=3
 else
 ok "$PARTITION has $OPTION in systemd service"
 has_mounted_option $PARTITION $OPTION
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=6
+ FNRET=5
 else
 ok "$PARTITION mounted with $OPTION"
+ FNRET=0
 fi
- fi
+ else
+ crit "$TMPMOUNTO is not exist!"
+ FNRET=2
 fi
 fi
 }
@@ -81,18 +78,25 @@ apply () {
 info "Adding $OPTION to fstab"
 add_option_to_fstab $PARTITION $OPTION
 info "Remounting $PARTITION from fstab"
- remount_partition $PARTITION
+ is_mounted $PARTITION
+ if [ $FNRET = 1 ]; then
+ mount $PARTITION
+ else
+ remount_partition $PARTITION
+ fi
 elif [ $FNRET = 3 ]; then
- info "Remounting $PARTITION from fstab"
- remount_partition $PARTITION
- elif [ $FNRET = 4 ]; then
- info "Remounting $PARTITION from systemd"
- remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 5 ]; then
- info "Remounting $PARTITION from systemd"
+ info "Adding $OPTION to systemd"
 add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
 remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 6 ]; then
+ elif [ $FNRET = 4 ]; then
+ info "Remounting $PARTITION from fstab"
+ is_mounted $PARTITION
+ if [ $FNRET = 1 ]; then
+ mount $PARTITION
+ else
+ remount_partition $PARTITION
+ fi
+ elif [ $FNRET = 5 ]; then
 info "Remounting $PARTITION from systemd"
 remount_partition_by_systemd $SERVICENAME $PARTITION
 fi
diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh
index 0d6eb9e..cf29255 100755
--- a/bin/hardening/2.4_tmp_noexec.sh
+++ b/bin/hardening/2.4_tmp_noexec.sh
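Review bot: The new `else` branch of the audit tests `[ -e $SERVICEPATH ]` but reports `crit "$TMPMOUNTO is not exist!"`, so the finding names a variable the check never looked at; if the sourced library does not define `TMPMOUNTO`, the script's `set -u` (visible in 2.4's header hunk, presumably also present here) aborts the audit at that expansion before `FNRET=2` is assigned. Reporting the path that was actually tested, `crit "$SERVICEPATH does not exist!"`, removes both problems. The rewrite also drops the old `is_mounted "$PARTITION"` check, so a /tmp that is mounted at runtime by something other than fstab or this unit is now reported only as a missing unit file, with no remediation path in the visible apply() chain; worth confirming that is intended. The 2.4 audit hunk introduces the identical message and the same dropped check.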
@@ -1,17 +1,18 @@
 #!/bin/bash
 #
- # harbian audit 7/8/9 Hardening
+ # harbian audit Debian 7/8/9 Hardening
+ # Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
- # 2.4 Set noexec option for /tmp filesystem/Partition (Scored)
+ # 2.4 Set noexec option for /tmp Partition/filesystem (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
-HARDENING_LEVEL=3
+HARDENING_LEVEL=2
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
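Review bot: `HARDENING_LEVEL` drops from 3 to 2 in this hunk while the commit subject speaks only of mount-option bug fixes, so the change in which hosts apply() now remounts /tmp with `noexec` goes unexplained. Of the three options in this commit, `noexec` is the one that can interfere with software that unpacks and executes from /tmp, and the apply() path remounts immediately rather than at the next boot. A one-line comment next to the assignment, e.g. `# Level 2: noexec on /tmp is applied live by apply(); check local tooling that executes from /tmp first`, or a sentence in the commit message, would record the reasoning for operators.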
@@ -21,53 +22,49 @@ SERVICENAME="tmp.mount"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying that $PARTITION is a filesystem/partition"
+ info "Verifying that $PARTITION is a partition/filesystem"
 FNRET=0
- is_debian_9
- if [ $FNRET -gt 0 ]; then
- is_a_partition "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not a partition"
- FNRET=2
- else
- ok "$PARTITION is a partition"
- has_mount_option $PARTITION $OPTION
+ #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
+ is_a_partition "$PARTITION"
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION has $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
- FNRET=1
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=4
 else
- ok "$PARTITION has $OPTION in fstab"
- has_mounted_option $PARTITION $OPTION
- if [ $FNRET -gt 0 ]; then
- warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
- else
- ok "$PARTITION mounted with $OPTION"
- fi
- fi
- fi
- else
- is_mounted "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not mounted"
- FNRET=4
- else
+ ok "$PARTITION mounted with $OPTION"
+ FNRET=0
+ fi
+ else
+ crit "$PARTITION has no option $OPTION in fstab!"
+ FNRET=1
+ fi
+ else
+ warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
+ if [ -e $SERVICEPATH ]; then
 has_mount_option_systemd $SERVICEPATH $OPTION
 if [ $FNRET -gt 0 ]; then
 crit "$PARTITION has no option $OPTION in systemd service!"
- FNRET=5
+ FNRET=3
 else
 ok "$PARTITION has $OPTION in systemd service"
 has_mounted_option $PARTITION $OPTION
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=6
+ FNRET=5
 else
 ok "$PARTITION mounted with $OPTION"
+ FNRET=0
 fi
- fi
- fi
+ else
+ crit "$TMPMOUNTO is not exist!"
+ FNRET=2
+ fi
 fi
 }
@@ -81,18 +78,25 @@ apply () {
 info "Adding $OPTION to fstab"
 add_option_to_fstab $PARTITION $OPTION
 info "Remounting $PARTITION from fstab"
- remount_partition $PARTITION
+ is_mounted $PARTITION
+ if [ $FNRET = 1 ]; then
+ mount $PARTITION
+ else
+ remount_partition $PARTITION
+ fi
 elif [ $FNRET = 3 ]; then
- info "Remounting $PARTITION from fstab"
- remount_partition $PARTITION
- elif [ $FNRET = 4 ]; then
- info "Remounting $PARTITION from systemd"
- remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 5 ]; then
- info "Remounting $PARTITION from systemd"
+ info "Adding $OPTION to systemd"
 add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
 remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 6 ]; then
+ elif [ $FNRET = 4 ]; then
+ info "Remounting $PARTITION from fstab"
+ is_mounted $PARTITION
+ if [ $FNRET = 1 ]; then
+ mount $PARTITION
+ else
+ remount_partition $PARTITION
+ fi
+ elif [ $FNRET = 5 ]; then
 info "Remounting $PARTITION from systemd"
 remount_partition_by_systemd $SERVICENAME $PARTITION
 fi