From 2772e8a55f6159324d881d06f5bdd163686f7a15 Mon Sep 17 00:00:00 2001
From: samson
Date: Thu, 6 Dec 2018 02:41:44 +0800
Subject: [PATCH] Fix some bugs for mount options check of removable device
---
 bin/hardening/2.11_removable_device_nodev.sh | 25 ++++++++++--------
 bin/hardening/2.12_removable_device_noexec.sh | 25 ++++++++++--------
 bin/hardening/2.13_removable_device_nosuid.sh | 26 +++++++++++--------
 lib/utils.sh | 2 +-
 4 files changed, 44 insertions(+), 34 deletions(-)
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh
index a58e4ff..8117591 100755
--- a/bin/hardening/2.11_removable_device_nodev.sh
+++ b/bin/hardening/2.11_removable_device_nodev.sh
@@ -2,10 +2,11 @@
 #
 # harbian audit 7/8/9 Hardening
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
-# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+# 2.11 Add nodev Option to Removable Media Partitions (Scored)
 #
 set -e # One error, it's over
@@ -16,25 +17,26 @@ HARDENING_LEVEL=2
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 # Quick factoring as many script use the same logic
-PARTITION="/media\S*"
+PARTITION_PATTERN="/media\S*"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying if there is $PARTITION like partition"
+ info "Verifying if there is $PARTITION_PATTERN like partition"
 FNRET=0
- is_a_partition "$PARTITION"
+ is_a_partition "$PARTITION_PATTERN"
 if [ $FNRET -gt 0 ]; then
- ok "There is no partition like $PARTITION"
+ ok "There is no partition like $PARTITION_PATTERN"
 FNRET=0
 else
- info "detected $PARTITION like"
- has_mount_option $PARTITION $OPTION
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
+ info "detected $PARTITION_PATTERN like"
+ has_mount_option $MEDIA_PARNAME $OPTION
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
+ crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
 FNRET=1
 else
- ok "$PARTITION has $OPTION in fstab"
+ ok "$MEDIA_PARNAME has $OPTION in fstab"
 fi
 fi
 }
@@ -42,10 +44,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 if [ $FNRET = 0 ]; then
- ok "$PARTITION is correctly set"
+ ok "$PARTITION_PATTERN is correctly set"
 elif [ $FNRET = 1 ]; then
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab $MEDIA_PARNAME $OPTION
 fi
 }
diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh
index 546c738..a13d0f6 100755
--- a/bin/hardening/2.12_removable_device_noexec.sh
+++ b/bin/hardening/2.12_removable_device_noexec.sh
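Review bot: The new `MEDIA_PARNAME=$(grep … | awk '{print $2}')` in audit() holds one mount point per matching fstab line, so with two or more /media* entries the unquoted `has_mount_option $MEDIA_PARNAME $OPTION` passes the second mount point where has_mount_option (defined in lib/utils.sh, outside this hunk) apparently expects the option, and `$OPTION` is never checked; the same shape in apply() means `add_option_to_fstab $MEDIA_PARNAME $OPTION` would write a mount-point string into the options field of /etc/fstab, and the identical pairs in 2.12 and 2.13 below share the defect. Iterating over the grep output, one mount point at a time with quoted arguments, fixes all of them (fstab encodes spaces in paths as `\040`, so word-splitting the awk output is safe here). apply() would loop the same way over its own `add_option_to_fstab` call. The duplicated grep pipeline in six places is also a candidate for one helper in lib/utils.sh next to is_a_partition.
```shell
    else
        info "detected $PARTITION_PATTERN like"
        # fstab may carry several /media* entries; check every one of them
        for MEDIA_PARNAME in $(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}'); do
            has_mount_option "$MEDIA_PARNAME" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
                FNRET=1
                break
            else
                ok "$MEDIA_PARNAME has $OPTION in fstab"
            fi
        done
    fi
```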
@@ -2,10 +2,11 @@
 #
 # harbian audit 7/8/9 Hardening
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
-# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+# 2.12 Add noexec Option to Removable Media Partitions (Scored)
 #
 set -e # One error, it's over
@@ -16,25 +17,26 @@ HARDENING_LEVEL=2
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 # Quick factoring as many script use the same logic
-PARTITION="/media\S*"
+PARTITION_PATTERN="/media\S*"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying if there is $PARTITION like partition"
+ info "Verifying if there is $PARTITION_PATTERN like partition"
 FNRET=0
- is_a_partition "$PARTITION"
+ is_a_partition "$PARTITION_PATTERN"
 if [ $FNRET -gt 0 ]; then
- ok "There is no partition like $PARTITION"
+ ok "There is no partition like $PARTITION_PATTERN"
 FNRET=0
 else
- info "detected $PARTITION like"
- has_mount_option $PARTITION $OPTION
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
+ info "detected $PARTITION_PATTERN like"
+ has_mount_option $MEDIA_PARNAME $OPTION
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
+ crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
 FNRET=1
 else
- ok "$PARTITION has $OPTION in fstab"
+ ok "$MEDIA_PARNAME has $OPTION in fstab"
 fi
 fi
 }
@@ -42,10 +44,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 if [ $FNRET = 0 ]; then
- ok "$PARTITION is correctly set"
+ ok "$PARTITION_PATTERN is correctly set"
 elif [ $FNRET = 1 ]; then
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab $MEDIA_PARNAME $OPTION
 fi
 }
diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh
index da6e381..cb2d90d 100755
--- a/bin/hardening/2.13_removable_device_nosuid.sh
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@@ -2,10 +2,11 @@
 #
 # harbian audit 7/8/9 Hardening
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
-# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+# 2.13 Add nosuid Option to Removable Media Partitions (Scored)
 #
 set -e # One error, it's over
@@ -16,25 +17,27 @@ HARDENING_LEVEL=2
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 # Quick factoring as many script use the same logic
-PARTITION="/media\S*"
+PARTITION_PATTERN="/media\S*"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Verifying if there is $PARTITION like partition"
+ info "Verifying if there is $PARTITION_PATTERN like partition"
 FNRET=0
- is_a_partition "$PARTITION"
+ is_a_partition "$PARTITION_PATTERN"
 if [ $FNRET -gt 0 ]; then
- ok "There is no partition like $PARTITION"
+ ok "There is no partition like $PARTITION_PATTERN"
 FNRET=0
 else
- info "detected $PARTITION like"
- has_mount_option $PARTITION $OPTION
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
+ info "detected $PARTITION_PATTERN like"
+ has_mount_option $MEDIA_PARNAME $OPTION
 if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
+ crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
 FNRET=1
 else
- ok "$PARTITION has $OPTION in fstab"
+ ok "$MEDIA_PARNAME has $OPTION in fstab"
+ FNRET=0
 fi
 fi
 }
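Review bot: The `FNRET=0` added after `ok "$MEDIA_PARNAME has $OPTION in fstab"` in this audit() exists only in 2.13; the 2.11 and 2.12 hunks above leave the same branch without it, although the three scripts are otherwise line-for-line copies that differ only in OPTION. The reset does matter: apply() in the next hunk tests `[ $FNRET = 0 ]` and `[ $FNRET = 1 ]` with string equality, so any other value has_mount_option (lib/utils.sh, not in this patch) might leave behind silently skips both branches, and that can only happen here since the branch is reached when `-gt 0` was false. Either add the same line to 2.11 and 2.12 or drop it here, and say why it is there: `FNRET=0 # apply() only acts on FNRET = 0 or 1`.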
@@ -42,10 +45,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 if [ $FNRET = 0 ]; then
- ok "$PARTITION is correctly set"
+ ok "$PARTITION_PATTERN is correctly set"
 elif [ $FNRET = 1 ]; then
+ MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab $MEDIA_PARNAME $OPTION
 fi
 }
diff --git a/lib/utils.sh b/lib/utils.sh
index bcc4281..a4fb7c4 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -344,7 +344,7 @@ add_option_to_fstab() {
 # debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
 # sed -ie "s;\(^[^#].*${PARTITION}\)\(\s.*\)\(\s\w.*\)\(\s[0-2]\s*[0-2]\);\1\2\3,${OPTION}\4;" /etc/fstab
 MOUNT_OPTION=$(grep -v "^#" /etc/fstab | awk '$2=="'${PARTITION}'" {print $4}')
-CURLINE=$(grep -v "^#" /etc/fstab -n | grep "/home" | awk -F: '{print $1}')
+CURLINE=$(grep -v "^#" /etc/fstab -n | grep "${PARTITION}" | awk -F: '{print $1}')
 #This case is for option of starting with "no", example: nosuid noexec nodev
 NOTNOOPTION=$(echo $OPTION | cut -c 3-)
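Review bot: `grep "${PARTITION}"` in the new CURLINE line is an unanchored regex match over the whole fstab line, so a caller passing /media also matches /media2, /media/usb or a device or comment field containing that text, and CURLINE then holds several line numbers while the line above it (`MOUNT_OPTION`) selects by exact equality on field 2; whatever consumes CURLINE after this hunk (not visible here) presumably expects a single number. Matching the same way as MOUNT_OPTION keeps the two in step and keeps grep -n's file line numbering: `CURLINE=$(awk -v mp="${PARTITION}" '!/^#/ && $2 == mp {print NR}' /etc/fstab)`. Passing the value with `-v` rather than splicing `${PARTITION}` into the awk program, as MOUNT_OPTION still does, also stops a mount point containing a quote or a backslash from altering the program text; add_option_to_fstab() begins before and ends after this hunk.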