From 0e20379c95aae9e90aaaa2f88d12cea303855a58 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Sat, 25 Aug 2018 05:09:03 +0800
Subject: [PATCH] Modify apply method of 2.2, add add_option_to_systemd and remount_partition_by_systemd methods.
---
 .gitignore | 1 +
 bin/hardening/2.2_tmp_nodev.sh | 12 +++++++-----
 etc/.gitignore | 2 ++
 lib/utils.sh | 23 +++++++++++++++++++++++
 4 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 etc/.gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1fb9ef5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+tmp/*
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index d63ad2a..2b8c620 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -16,7 +16,8 @@ HARDENING_LEVEL=2
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nodev"
-SERVICENAME="/etc/systemd/system/tmp.mount"
+SERVICEPATH="/etc/systemd/system/tmp.mount"
+SERVICENAME="tmp.mount"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -51,7 +52,7 @@ audit () {
 crit "$PARTITION is not mounted"
 FNRET=4
 else
- has_mount_option_systemd $SERVICENAME $OPTION
+ has_mount_option_systemd $SERVICEPATH $OPTION
 if [ $FNRET -gt 0 ]; then
 crit "$PARTITION has no option $OPTION in systemd service!"
 FNRET=5
@@ -87,13 +88,14 @@ apply () {
 remount_partition $PARTITION
 elif [ $FNRET = 4 ]; then
 info "Remounting $PARTITION from systemd"
- remount_partition $PARTITION
+ remount_partition_by_systemd $SERVICENAME $PARTITION
 elif [ $FNRET = 5 ]; then
 info "Remounting $PARTITION from systemd"
- remount_partition $PARTITION
+ add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
+ remount_partition_by_systemd $SERVICENAME $PARTITION
 elif [ $FNRET = 6 ]; then
 info "Remounting $PARTITION from systemd"
- remount_partition $PARTITION
+ remount_partition_by_systemd $SERVICENAME $PARTITION
 fi
 }
 
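Review bot: In the FNRET=5 branch of apply, `add_option_to_systemd` and `remount_partition_by_systemd` run back to back with no status check, so if the unit-file edit does not take or `systemctl start` fails, /tmp has already been unmounted by the helper's `systemctl stop` and apply still finishes quietly with nothing but the preceding info line. Guard the restart on the edit succeeding, e.g. `if add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME; then remount_partition_by_systemd $SERVICENAME $PARTITION; else crit "Could not set $OPTION for $PARTITION in $SERVICEPATH"; fi`, which presupposes the helper returns non-zero on failure (as committed, its status is just that of the final daemon-reload). The FNRET=4 branch starts the unit without the option ever having been checked, since the audit hunk only inspects the unit file once the partition is mounted, so a further audit/apply pass is needed before $OPTION is guaranteed; a comment on that branch saying so would help the next reader. apply's opening line lies outside the hunk.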
diff --git a/etc/.gitignore b/etc/.gitignore
new file mode 100644
index 0000000..3a46f5f
--- /dev/null
+++ b/etc/.gitignore
@@ -0,0 +1,2 @@
+*.cfg
+
diff --git a/lib/utils.sh b/lib/utils.sh
index 4c90a10..f3ce39e 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -334,6 +334,29 @@ remount_partition() {
 mount -o remount $PARTITION
 }
 
+# Setup mount option in systemd
+add_option_to_systemd() {
+ local SERVICEPATH=$1
+ local OPTION=$2
+ local SERVICENAME=$3
+ debug "Setting $OPTION for in systemd"
+ backup_file "$SERVICEPATH"
+ systemctl stop $SERVICENAME
+ # For example :
+ # Options=mode=1777,strictatime,nosuid
+ # Options=mode=1777,strictatime,nosuid,nodev
+ #debug "Sed command : sed -ie "s;\(^Options.*=mode=[1,2,4,7][1,2,4,7][1,2,4,7][1,2,4,7].*\);\1,$OPTION;\" $SERVICEPATH"
+ sed -ie "s;\(^Options.*=mode=[1,2,4,7][1,2,4,7][1,2,4,7][1,2,4,7].*\);\1,$OPTION;" $SERVICEPATH
+ systemctl daemon-reload
+}
+
+remount_partition_by_systemd() {
+ local SERVICENAME=$1
+ local PARTITION=$2
+ debug "Remounting $PARTITION by systemd"
+ systemctl start $SERVICENAME
+}
+
 #
 # APT
 #
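Review bot: `sed -ie` on the edit line of add_option_to_systemd is parsed by GNU sed as `-i` with the backup suffix `e`, not as `-i -e`, so every run leaves a stray copy of the unit file named `$SERVICEPATH` plus `e` beside the backup that backup_file already made; the intended form is `sed -i -e "s;…;" "$SERVICEPATH"`. The substitution also only fires when the Options line carries a four-digit `mode=` (the commas inside `[1,2,4,7]` are literal class members, harmless but misleading), and a non-matching line fails silently: daemon-reload still runs, the function returns success, and the caller then starts a unit that was stopped a moment earlier without the option ever being added. A failed `systemctl stop` (for instance because /tmp is busy) is ignored the same way, after which the later `systemctl start` is a no-op and the edit never takes effect. Verifying the edit and propagating failures keeps the unit file from being left half-hardened:
```shell
    systemctl stop $SERVICENAME || return 1
    # … unchanged: example comments …
    sed -i -e "s;\(^Options.*=mode=[1,2,4,7][1,2,4,7][1,2,4,7][1,2,4,7].*\);\1,$OPTION;" "$SERVICEPATH"
    if ! grep -q "^Options.*$OPTION" "$SERVICEPATH"; then
        crit "Could not add $OPTION to $SERVICEPATH"
        return 1
    fi
    systemctl daemon-reload
```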