From 214c11a0cd262cfea0a24c04c7f7454676c6ac24 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Fri, 24 Aug 2018 03:25:46 +0800
Subject: [PATCH] Modify audit method of 2.2, and add has_mount_option_systemd method.
---
 bin/hardening/2.2_tmp_nodev.sh | 70 +++++++++++++++++++++++++---------
 lib/utils.sh | 13 +++++++
 2 files changed, 66 insertions(+), 17 deletions(-)
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index 1e907d4..d63ad2a 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 #
-# CIS Debian 7/8 Hardening
+# harbian audit Debian 7/8/9 Hardening
 #
 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 2.2 Set nodev option for /tmp Partition/filesystem (Scored)
 #
 set -e # One error, it's over
@@ -16,32 +16,59 @@ HARDENING_LEVEL=2
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nodev"
+SERVICENAME="/etc/systemd/system/tmp.mount"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying that $PARTITION is a partition"
+ info "Verifying that $PARTITION is a partition/filesystem"
 FNRET=0
- is_a_partition "$PARTITION"
+ is_debian_9
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not a partition"
- FNRET=2
- else
- ok "$PARTITION is a partition"
- has_mount_option $PARTITION $OPTION
+ is_a_partition "$PARTITION"
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
- FNRET=1
+ crit "$PARTITION is not a partition"
+ FNRET=2
 else
- ok "$PARTITION has $OPTION in fstab"
- has_mounted_option $PARTITION $OPTION
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
 if [ $FNRET -gt 0 ]; then
- warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
+ crit "$PARTITION has no option $OPTION in fstab!"
+ FNRET=1
 else
- ok "$PARTITION mounted with $OPTION"
+ ok "$PARTITION has $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+ else
+ is_mounted "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not mounted"
+ FNRET=4
+ else
+ has_mount_option_systemd $SERVICENAME $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION has no option $OPTION in systemd service!"
+ FNRET=5
+ else
+ ok "$PARTITION has $OPTION in systemd service"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=6
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
- fi
+ fi
 fi
+
 }
 # This function will be called if the script status is on enabled mode
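Review bot: On the `is_debian_9` branch the audit never consults fstab: after `is_mounted "$PARTITION"` it goes straight to `has_mount_option_systemd $SERVICENAME $OPTION`, so a Debian 9 host that mounts /tmp from /etc/fstab with nodev and has no /etc/systemd/system/tmp.mount is reported as FNRET=5 ("has no option nodev in systemd service!") even though the mount is presumably compliant and the fstab branch would have passed it. Decide by what actually exists before choosing the check: `if [ -e "$SERVICENAME" ]; then has_mount_option_systemd "$SERVICENAME" "$OPTION"; else has_mount_option "$PARTITION" "$OPTION"; fi` (with the crit/ok messages adjusted per branch). The new calls also pass `$SERVICENAME`, `$PARTITION` and `$OPTION` unquoted, while `is_a_partition "$PARTITION"` and `is_mounted "$PARTITION"` in the same function quote theirs; quoting them consistently keeps the style uniform.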
@@ -58,6 +85,15 @@ apply () {
 elif [ $FNRET = 3 ]; then
 info "Remounting $PARTITION from fstab"
 remount_partition $PARTITION
+ elif [ $FNRET = 4 ]; then
+ info "Remounting $PARTITION from systemd"
+ remount_partition $PARTITION
+ elif [ $FNRET = 5 ]; then
+ info "Remounting $PARTITION from systemd"
+ remount_partition $PARTITION
+ elif [ $FNRET = 6 ]; then
+ info "Remounting $PARTITION from systemd"
+ remount_partition $PARTITION
 fi
 }
diff --git a/lib/utils.sh b/lib/utils.sh
index 4a73582..4c90a10 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -289,6 +289,19 @@ has_mount_option() {
 fi
 }
+# Verify option $2 in $1 service
+has_mount_option_systemd() {
+ local SERVICENAME=$1
+ local OPTION=$2
+ if $(grep -i "options" "$SERVICENAME" | grep -vE "^#" | grep -q "$2"); then
+ debug "$OPTION has been detected in systemd service $SERVICENAME"
+ FNRET=0
+ else
+ debug "Unable to find $OPTION in systemd service $SERVICENAME"
+ FNRET=1
+ fi
+}
+
 # Verify $1 has the proper option $2 at runtime
 has_mounted_option() {
 local PARTITION=$1
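Review bot: The new `elif [ $FNRET = 5 ]` arm only runs `remount_partition $PARTITION`, but a remount cannot add an option that the unit file's Options= line does not contain, so the FNRET=5 finding ("has no option nodev in systemd service!") will still be raised on the next audit; the FNRET=4 arm likewise remounts a filesystem that `is_mounted` just reported as not mounted. The FNRET=5 arm needs to add `$OPTION` to the Options= line of `$SERVICENAME` and reload systemd before the remount, and the FNRET=4 arm should tell the operator that /tmp is not mounted rather than attempt a remount; I can't see which helper the fstab FNRET=1 arm uses, since apply() starts above this hunk. Using the same `info "Remounting $PARTITION from systemd"` for all three arms also leaves the log unable to say which finding was acted on.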
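Review bot: In `has_mount_option_systemd` the condition `if $(grep -i "options" "$SERVICENAME" | grep -vE "^#" | grep -q "$2"); then` executes the (empty) output of the substitution as the command and only works because bash falls back to the status of the last command substitution when no command name remains; ShellCheck reports this as SC2091 and a reader will take it for a bug. The same line tests `$2` where the rest of the function uses `$OPTION`, matches the option as an unanchored substring (`dev` would match `nodev`), and lets grep print an error to stderr when `$SERVICENAME` does not exist. Suggested: `if grep -iE '^[[:space:]]*Options' "$SERVICENAME" 2>/dev/null | grep -qw -- "$OPTION"; then`, which drops the substitution, matches the option as a whole comma-separated token and stays quiet on a missing unit file.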