From 5c52acf20ae058645623ba0bda7f039dd3ec720d Mon Sep 17 00:00:00 2001
From: samson
Date: Thu, 6 Dec 2018 13:44:55 +0800
Subject: [PATCH] Fix some bugs for mount option of tmp partition
---
 bin/hardening/2.1_tmp_partition.sh | 3 +-
 bin/hardening/2.2_tmp_nodev.sh | 68 +++++++++---------------------
 2 files changed, 23 insertions(+), 48 deletions(-)
diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh
index 0cf8c43..313f5ac 100755
--- a/bin/hardening/2.1_tmp_partition.sh
+++ b/bin/hardening/2.1_tmp_partition.sh
@@ -2,6 +2,7 @@
 #
 # harbian audit Debian 7/8/9 Hardening
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
@@ -11,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
-HARDENING_LEVEL=3
+HARDENING_LEVEL=2
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index 5852f00..4037667 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -2,6 +2,7 @@
 #
 # harbian audit Debian 7/8/9 Hardening
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 #
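Review bot: The `HARDENING_LEVEL=3` to `HARDENING_LEVEL=2` change in 2.1_tmp_partition.sh is not a mount-option bug fix and is not mentioned in the commit description, so a reader cannot tell whether it is intentional or a leftover; the description should state why the check's level is being reclassified. A one-line comment on the assignment, such as `# level 2: separate /tmp is expected on every hardened host`, or whatever the actual rationale is, would keep that decision with the code.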
@@ -21,55 +22,37 @@ SERVICENAME="tmp.mount"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ info "Verifying that $PARTITION is a partition/filesystem"
 FNRET=0
- is_debian_9
- if [ $FNRET -gt 0 ]; then
- is_a_partition "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not a partition"
- FNRET=2
- else
- ok "$PARTITION is a partition"
- has_mount_option $PARTITION $OPTION
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION has no option $OPTION in fstab!"
- FNRET=1
- else
- ok "$PARTITION has $OPTION in fstab"
- has_mounted_option $PARTITION $OPTION
- if [ $FNRET -gt 0 ]; then
- warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
- else
- ok "$PARTITION mounted with $OPTION"
- fi
- fi
- fi
+ #If /tmp is set in /etc/fstab, only check /etc/fstab and disable tmp.mount service if it's exist
+ is_a_partition "$PARTITION"
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -eq 0 ]; then
+ ok "$PARTITION has $OPTION in fstab"
+ FNRET=0
+ else
+ crit "$PARTITION has no option $OPTION in fstab!"
+ FNRET=1
+ fi
 else
- is_mounted "$PARTITION"
- if [ $FNRET -gt 0 ]; then
- crit "$PARTITION is not mounted"
- FNRET=4
- else
+ warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
+ if [ -e $SERVICEPATH ]; then
 has_mount_option_systemd $SERVICEPATH $OPTION
 if [ $FNRET -gt 0 ]; then
 crit "$PARTITION has no option $OPTION in systemd service!"
- FNRET=5
+ FNRET=3
 else
 ok "$PARTITION has $OPTION in systemd service"
- has_mounted_option $PARTITION $OPTION
- if [ $FNRET -gt 0 ]; then
- warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=6
- else
- ok "$PARTITION mounted with $OPTION"
- fi
-
+ FNRET=0
 fi
+ else
+ crit "$TMPMOUNTO is not exist!"
+ FNRET=2
 fi
 fi
-
 }
 # This function will be called if the script status is on enabled mode
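Review bot: `crit "$TMPMOUNTO is not exist!"` in the new inner else branch expands `$TMPMOUNTO`, a variable that appears nowhere else in the hunk, while the test just above it checks `$SERVICEPATH`; if 2.2_tmp_nodev.sh runs under `set -u` like 2.1_tmp_partition.sh does in this same patch, that expansion aborts the script before the finding is printed, so the line should read `crit "$SERVICEPATH does not exist!"`. The rewrite also removes both `has_mounted_option` calls, so audit() now reports ok as soon as fstab or the unit file lists the option, without confirming that the live /tmp mount actually carries it — a host whose /tmp was never remounted after the fstab edit passes; if that is intended, the header comment should say the check is configuration-only, otherwise the runtime check belongs back in both branches. `[ -e $SERVICEPATH ]` and the arguments to `has_mount_option`/`has_mount_option_systemd` are unquoted and should be `"$SERVICEPATH"`, `"$PARTITION" "$OPTION"`. The new return codes (1 fstab option missing, 2 unit file missing, 3 unit option missing) differ from the old ones, so a comment above `FNRET=0` listing what each code means would help whoever maintains apply().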
@@ -84,18 +67,9 @@ apply () {
 info "Remounting $PARTITION from fstab"
 remount_partition $PARTITION
 elif [ $FNRET = 3 ]; then
- info "Remounting $PARTITION from fstab"
- remount_partition $PARTITION
- elif [ $FNRET = 4 ]; then
- info "Remounting $PARTITION from systemd"
- remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 5 ]; then
 info "Remounting $PARTITION from systemd"
 add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
 remount_partition_by_systemd $SERVICENAME $PARTITION
- elif [ $FNRET = 6 ]; then
- info "Remounting $PARTITION from systemd"
- remount_partition_by_systemd $SERVICENAME $PARTITION
 fi
 }
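Review bot: audit() now returns FNRET=2 when the tmp.mount unit file is absent, but the only remediation branch visible here is `elif [ $FNRET = 3 ]`, which adds the option to an existing unit and remounts; apply() starts above this hunk, so it should be confirmed that the part outside it either handles 2 correctly or at least does not still run the old "not a partition" action that code 2 used to mean, since a stale branch would apply the wrong fix. `add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME` and `remount_partition_by_systemd $SERVICENAME $PARTITION` pass their arguments unquoted; `"$SERVICEPATH" "$OPTION" "$SERVICENAME"` and `"$SERVICENAME" "$PARTITION"` avoid word-splitting surprises if a path ever contains whitespace. A comment on the remaining `elif`, e.g. `# FNRET=3: unit file exists but lacks $OPTION (see audit)`, would document the coupling with audit()'s new codes.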