tyler.durden/harbian-audit
1
0
Fork 0
mirror of https://github.com/hardenedlinux/harbian-audit.git synced 2025-07-31 01:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix some bugs for mount options check of removable device

Browse Source
This commit is contained in:
samson 2018-12-06 02:41:44 +08:00
parent 5d5e575f8f
commit 2772e8a55f
4 changed files with 44 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
bin/hardening/2.11_removable_device_nodev.sh
View File

@ -2,10 +2,11 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
# #
# #
# 2.11 Add nodev Option to Removable Media Partitions (Not Scored) # 2.11 Add nodev Option to Removable Media Partitions (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -16,25 +17,26 @@ HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/media\S*" PARTITION_PATTERN="/media\S*"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION_PATTERN like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION_PATTERN"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION_PATTERN"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
has_mount_option $PARTITION $OPTION info "detected $PARTITION_PATTERN like"
has_mount_option $MEDIA_PARNAME $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$MEDIA_PARNAME has $OPTION in fstab"
fi fi
fi fi
} }
@ -42,10 +44,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION_PATTERN is correctly set"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $MEDIA_PARNAME $OPTION
fi fi
} }

25
bin/hardening/2.12_removable_device_noexec.sh
View File

@ -2,10 +2,11 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
# #
# #
# 2.12 Add noexec Option to Removable Media Partitions (Not Scored) # 2.12 Add noexec Option to Removable Media Partitions (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -16,25 +17,26 @@ HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/media\S*" PARTITION_PATTERN="/media\S*"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION_PATTERN like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION_PATTERN"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION_PATTERN"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
has_mount_option $PARTITION $OPTION info "detected $PARTITION_PATTERN like"
has_mount_option $MEDIA_PARNAME $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$MEDIA_PARNAME has $OPTION in fstab"
fi fi
fi fi
} }
@ -42,10 +44,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION_PATTERN is correctly set"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $MEDIA_PARNAME $OPTION
fi fi
} }

26
bin/hardening/2.13_removable_device_nosuid.sh
View File

@ -2,10 +2,11 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
# #
# #
# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored) # 2.13 Add nosuid Option to Removable Media Partitions (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -16,25 +17,27 @@ HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/media\S*" PARTITION_PATTERN="/media\S*"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION_PATTERN like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION_PATTERN"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION" ok "There is no partition like $PARTITION_PATTERN"
FNRET=0 FNRET=0
else else
info "detected $PARTITION like" MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
has_mount_option $PARTITION $OPTION info "detected $PARTITION_PATTERN like"
has_mount_option $MEDIA_PARNAME $OPTION
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in fstab!" crit "$MEDIA_PARNAME has no option $OPTION in fstab!"
FNRET=1 FNRET=1
else else
ok "$PARTITION has $OPTION in fstab" ok "$MEDIA_PARNAME has $OPTION in fstab"
FNRET=0
fi fi
fi fi
} }
@ -42,10 +45,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION_PATTERN is correctly set"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
MEDIA_PARNAME=$(grep "[[:space:]]${PARTITION_PATTERN}[[:space:]]*" /etc/fstab | grep -v "^#" | awk '{print $2}')
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $MEDIA_PARNAME $OPTION
fi fi
} }

2
lib/utils.sh
View File

@ -344,7 +344,7 @@ add_option_to_fstab() {
# debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab" # debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
# sed -ie "s;\(^[^#].*${PARTITION}\)\(\s.*\)\(\s\w.*\)\(\s[0-2]\s*[0-2]\);\1\2\3,${OPTION}\4;" /etc/fstab # sed -ie "s;\(^[^#].*${PARTITION}\)\(\s.*\)\(\s\w.*\)\(\s[0-2]\s*[0-2]\);\1\2\3,${OPTION}\4;" /etc/fstab
MOUNT_OPTION=$(grep -v "^#" /etc/fstab | awk '$2=="'${PARTITION}'" {print $4}') MOUNT_OPTION=$(grep -v "^#" /etc/fstab | awk '$2=="'${PARTITION}'" {print $4}')
CURLINE=$(grep -v "^#" /etc/fstab -n | grep "/home" | awk -F: '{print $1}') CURLINE=$(grep -v "^#" /etc/fstab -n | grep "${PARTITION}" | awk -F: '{print $1}')
#This case is for option of starting with "no", example: nosuid noexec nodev #This case is for option of starting with "no", example: nosuid noexec nodev
NOTNOOPTION=$(echo $OPTION | cut -c 3-) NOTNOOPTION=$(echo $OPTION | cut -c 3-)