Modify audit and apply methods for 2.1

bin/hardening/2.1_tmp_partition.sh

@@ -17,60 +17,64 @@ HARDENING_LEVEL=3
 PARTITION="/tmp"
 TMPMOUNTNAME="tmp.mount"
 TMPMOUNTO="/usr/share/systemd/tmp.mount"
-TMPMOUNTN="/etc/systemd/system/tmp.mount"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a filesystem/partition"
-    FNRET=0
-    is_debian_9
-    if [ $FNRET -gt 0 ]; then
-        is_a_partition "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
-            crit "$PARTITION is not a partition"
-            FNRET=2
-        else
-            ok "$PARTITION is a partition"
-            is_mounted "$PARTITION"
-            if [ $FNRET -gt 0 ]; then
-                warn "$PARTITION is not mounted"
-                FNRET=1
-            else
-                ok "$PARTITION is mounted"
-            fi
-        fi
-    else
-        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
-    	    crit "$PARTITION is not mounted"
-            FNRET=3
-        else
-            ok "$PARTITION is mounted"
-        fi
-    fi
-    :
+	FNRET=0
+	#If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
+    is_a_partition "$PARTITION"
+    if [ $FNRET -eq 0 ]; then
+		ok "$PARTITION is a partition"
+		is_mounted "$PARTITION"
+		if [ $FNRET -gt 0 ]; then
+			warn "$PARTITION is not mounted"
+			FNRET=2
+		else
+			ok "$PARTITION is mounted"
+			FNRET=0
+		fi
+	else
+    	warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
+		if [ -e $TMPMOUNTO ]; then
+			if [ $(systemctl status $TMPMOUNTNAME | grep -c "Active:.active") -eq 1 ]; then
+		 		ok "$TMPMOUNTNAME service is active!"
+        		is_mounted "$PARTITION"
+        		if [ $FNRET -gt 0 ]; then
+        			warn "$PARTITION is not mounted"
+            		FNRET=3
+        		else
+        			ok "$PARTITION is mounted"
+            		FNRET=0
+				fi
+			else
+    			crit "$TMPMOUNTNAME service is not active!"
+				FNRET=4
+			fi
+		else
+    		crit "$TMPMOUNTO is not exist!"
+			FNRET=1
+		fi	
+	fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
     if [ $FNRET = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+	elif [ $FNRET = 1 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ];then 
-        info "mounting $PARTITION"
+	elif [ $FNRET = 2 ]; then
+       	warn "mounting $PARTITION"
         mount $PARTITION
-    else
-        info "mounting $PARTITION by systemd"
-	    if [ -a $TMPMOUNTN ]; then
-		    $SUDO_CMD systemctl enable "$TMPMOUNTNAME"
-	    elif [ -a $TMPMOUNTO ]; then
-		    $SUDO_CMD cp $TMPMOUNTO $TMPMOUNTN
-		    $SUDO_CMD systemctl enable "$TMPMOUNTNAME"
-	    fi
+	elif [ $FNRET = 3 ]; then
 	    $SUDO_CMD systemctl daemon-reload 
 	    $SUDO_CMD systemctl start "$TMPMOUNTNAME"
-    fi
+	elif [ $FNRET = 4 ]; then
+		$SUDO_CMD systemctl enable "$TMPMOUNTNAME"
+	    $SUDO_CMD systemctl daemon-reload 
+	    $SUDO_CMD systemctl start "$TMPMOUNTNAME"
+	fi
 }
 
 # This function will check config parameters required

lib/utils.sh

@@ -266,7 +266,6 @@ is_kernel_option_enabled() {
 
 # Verify $1 is a partition declared in fstab
 is_a_partition() {
-
     local PARTITION=$1
     FNRET=128
     if $(grep "[[:space:]]*${PARTITION}[[:space:]]*" /etc/fstab | grep -vqE "^#"); then