tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Modify audit and apply methods for 2.1

This commit is contained in:
samson 2018-12-06 04:30:55 +08:00
parent 2772e8a55f
commit 2a881a5fbe
2 changed files with 44 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
bin/hardening/2.1_tmp_partition.sh
View File

@ -17,57 +17,61 @@ HARDENING_LEVEL=3
PARTITION="/tmp" PARTITION="/tmp"
TMPMOUNTNAME="tmp.mount" TMPMOUNTNAME="tmp.mount"
TMPMOUNTO="/usr/share/systemd/tmp.mount" TMPMOUNTO="/usr/share/systemd/tmp.mount"
TMPMOUNTN="/etc/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Verifying that $PARTITION is a filesystem/partition" info "Verifying that $PARTITION is a filesystem/partition"
FNRET=0 FNRET=0
is_debian_9 #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
if [ $FNRET -gt 0 ]; then
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -eq 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition" ok "$PARTITION is a partition"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=1 FNRET=2
else else
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
fi FNRET=0
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $TMPMOUNTO ]; then
if [ $(systemctl status $TMPMOUNTNAME | grep -c "Active:.active") -eq 1 ]; then
ok "$TMPMOUNTNAME service is active!"
is_mounted "$PARTITION" is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not mounted" warn "$PARTITION is not mounted"
FNRET=3 FNRET=3
else else
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
FNRET=0
fi
else
crit "$TMPMOUNTNAME service is not active!"
FNRET=4
fi
else
crit "$TMPMOUNTO is not exist!"
FNRET=1
fi fi
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 1 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ];then elif [ $FNRET = 2 ]; then
info "mounting $PARTITION" warn "mounting $PARTITION"
mount $PARTITION mount $PARTITION
else elif [ $FNRET = 3 ]; then
info "mounting $PARTITION by systemd" $SUDO_CMD systemctl daemon-reload
if [ -a $TMPMOUNTN ]; then $SUDO_CMD systemctl start "$TMPMOUNTNAME"
elif [ $FNRET = 4 ]; then
$SUDO_CMD systemctl enable "$TMPMOUNTNAME" $SUDO_CMD systemctl enable "$TMPMOUNTNAME"
elif [ -a $TMPMOUNTO ]; then
$SUDO_CMD cp $TMPMOUNTO $TMPMOUNTN
$SUDO_CMD systemctl enable "$TMPMOUNTNAME"
fi
$SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$TMPMOUNTNAME" $SUDO_CMD systemctl start "$TMPMOUNTNAME"
fi fi

1
lib/utils.sh
View File

@ -266,7 +266,6 @@ is_kernel_option_enabled() {
# Verify $1 is a partition declared in fstab # Verify $1 is a partition declared in fstab
is_a_partition() { is_a_partition() {
local PARTITION=$1 local PARTITION=$1
FNRET=128 FNRET=128
if $(grep "[[:space:]]*${PARTITION}[[:space:]]*" /etc/fstab | grep -vqE "^#"); then if $(grep "[[:space:]]*${PARTITION}[[:space:]]*" /etc/fstab | grep -vqE "^#"); then