From 72d0274f738fcac6360ffbc07a6af807673bb54e Mon Sep 17 00:00:00 2001 From: Samson-W Date: Sat, 25 Aug 2018 11:02:57 +0800 Subject: [PATCH] Modify audit and apply methods of 2.3, 2.4. --- bin/hardening/2.3_tmp_nosuid.sh | 69 +++++++++++++++++++++++++-------- bin/hardening/2.4_tmp_noexec.sh | 69 +++++++++++++++++++++++++-------- 2 files changed, 106 insertions(+), 32 deletions(-) diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index b1c9d54..7abd011 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh @@ -5,7 +5,7 @@ # # -# 2.3 Set nosuid option for /tmp Partition (Scored) +# 2.3 Set nosuid option for /tmp filesystem/Partition (Scored) # set -e # One error, it's over 
@@ -16,31 +16,58 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="nosuid" +SERVICEPATH="/etc/systemd/system/tmp.mount" +SERVICENAME="tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { - info "Verifying that $PARTITION is a partition" + info "Verifying that $PARTITION is a filesystem/partition" FNRET=0 - is_a_partition "$PARTITION" + is_debian_9 if [ $FNRET -gt 0 ]; then - crit "$PARTITION is not a partition" - FNRET=2 - else - ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + is_a_partition "$PARTITION" if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in fstab!" - FNRET=1 + crit "$PARTITION is not a partition" + FNRET=2 else - ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=3 + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 else - ok "$PARTITION mounted with $OPTION" + ok "$PARTITION has $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi + else + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not mounted" + FNRET=4 + else + has_mount_option_systemd $SERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=5 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=6 + else + ok "$PARTITION mounted with $OPTION" + fi + fi - fi + fi fi } 
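Review bot: The new branch is chosen by `is_debian_9` alone, so a Debian 9 host that declares /tmp in /etc/fstab never reaches `has_mount_option` any more; it is instead checked against `/etc/systemd/system/tmp.mount`, a file such a host need not have, which would yield a spurious FNRET=5 and an apply() that writes to a non-existent unit (hedged: `has_mount_option_systemd` and `is_debian_9` live in a sourced library not shown here, so their behaviour on a missing file is inferred). Deciding on where /tmp is actually configured is more robust, e.g. `if [ $FNRET -gt 0 ] || [ ! -f "$SERVICEPATH" ]; then`, so the fstab logic stays in force unless the unit file is present and the `else` branch may assume it exists. Since apply() dispatches on the numeric codes, a comment at the top of audit() would help the next reader: `# FNRET: 1 no option in fstab, 2 not a partition, 3 not remounted; 4 not mounted, 5 no option in tmp.mount, 6 not remounted`.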
@@ -58,6 +85,16 @@ apply () { elif [ $FNRET = 3 ]; then info "Remounting $PARTITION from fstab" remount_partition $PARTITION + elif [ $FNRET = 4 ]; then + info "Remounting $PARTITION from systemd" + remount_partition_by_systemd $SERVICENAME $PARTITION + elif [ $FNRET = 5 ]; then + info "Remounting $PARTITION from systemd" + add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + remount_partition_by_systemd $SERVICENAME $PARTITION + elif [ $FNRET = 6 ]; then + info "Remounting $PARTITION from systemd" + remount_partition_by_systemd $SERVICENAME $PARTITION fi } diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index c303ae7..67fe0ab 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -5,7 +5,7 @@ # # -# 2.4 Set noexec option for /tmp Partition (Scored) +# 2.4 Set noexec option for /tmp filesystem/Partition (Scored) # set -e # One error, it's over 
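Review bot: The FNRET=4 branch calls `remount_partition_by_systemd` without first ensuring `$OPTION` is in the unit, so when /tmp is not mounted and tmp.mount also lacks nosuid, the first apply run brings /tmp up without nosuid and only a second audit/apply cycle (FNRET=5) adds it. Inserting `add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME` before the remount in that branch, the same call the FNRET=5 branch already makes, lets a single run converge on the hardened state; this assumes `add_option_to_systemd` is idempotent when the option is already present, which is not visible here. The FNRET=4 and FNRET=6 branches are otherwise identical and could share one `elif [ $FNRET = 4 ] || [ $FNRET = 6 ]` arm. apply() starts before this hunk.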
@@ -16,31 +16,58 @@ HARDENING_LEVEL=3 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="noexec" +SERVICEPATH="/etc/systemd/system/tmp.mount" +SERVICENAME="tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { - info "Verifying that $PARTITION is a partition" + info "Verifying that $PARTITION is a filesystem/partition" FNRET=0 - is_a_partition "$PARTITION" + is_debian_9 if [ $FNRET -gt 0 ]; then - crit "$PARTITION is not a partition" - FNRET=2 - else - ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + is_a_partition "$PARTITION" if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in fstab!" - FNRET=1 + crit "$PARTITION is not a partition" + FNRET=2 else - ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=3 + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 else - ok "$PARTITION mounted with $OPTION" + ok "$PARTITION has $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi + else + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not mounted" + FNRET=4 + else + has_mount_option_systemd $SERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=5 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=6 + else + ok "$PARTITION mounted with $OPTION" + fi + fi - fi + fi fi } 
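Review bot: Branching on `is_debian_9` rather than on how /tmp is provided means a Debian 9 system with /tmp in fstab skips the fstab check entirely and is audited against `/etc/systemd/system/tmp.mount`, which it may not have, so the script can report a missing noexec option (FNRET=5) and then try to edit a unit that does not exist; the helpers involved are in a sourced library outside this diff, so the exact failure mode is inferred. Guarding the systemd path on the unit's presence, `if [ $FNRET -gt 0 ] || [ ! -f "$SERVICEPATH" ]; then`, keeps the fstab logic as the fallback. This audit body is also a line-for-line copy of the one in 2.3_tmp_nosuid.sh with only `$OPTION` differing, which the existing "Quick factoring as many script use the same logic" remark suggests belongs in the shared library rather than in each script.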
@@ -58,6 +85,16 @@ apply () { elif [ $FNRET = 3 ]; then info "Remounting $PARTITION from fstab" remount_partition $PARTITION + elif [ $FNRET = 4 ]; then + info "Remounting $PARTITION from systemd" + remount_partition_by_systemd $SERVICENAME $PARTITION + elif [ $FNRET = 5 ]; then + info "Remounting $PARTITION from systemd" + add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + remount_partition_by_systemd $SERVICENAME $PARTITION + elif [ $FNRET = 6 ]; then + info "Remounting $PARTITION from systemd" + remount_partition_by_systemd $SERVICENAME $PARTITION fi }
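Review bot: When audit() returns 4 (/tmp not mounted), apply() only remounts via `remount_partition_by_systemd` and never checks that noexec is present in the unit, so an unmounted /tmp whose tmp.mount lacks the option is mounted executable on the first run and only hardened on a later pass once audit() hits FNRET=5. Calling `add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME` before the remount in the FNRET=4 arm closes that window, provided `add_option_to_systemd` tolerates an already-present option (not visible in this diff). The enclosing apply() function begins above this hunk.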