From 92a96e8dc362e71424a3353ac4585f1142f92e0b Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 6 Sep 2019 15:57:49 +0800 Subject: [PATCH] Optimize the code of 2.2~2.4 --- bin/hardening/2.2_tmp_nodev.sh | 59 ++++++++++++++------------- bin/hardening/2.3_tmp_nosuid.sh | 71 +++++++++++++-------------------- bin/hardening/2.4_tmp_noexec.sh | 67 +++++++++++++++---------------- 3 files changed, 89 insertions(+), 108 deletions(-) diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index eafa7f2..a79d443 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh @@ -18,8 +18,9 @@ HARDENING_LEVEL=2 PARTITION="/tmp" OPTION="nodev" SERVICENAME="tmp.mount" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
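Review bot: `SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"` is introduced by renaming SERVICEPATH, yet no new-side line in this patch references it; audit() and apply() now use only DEBIAN_SERVICEPATH and REDHAT_SERVICEPATH, so as far as these hunks show it is a dead variable. The same rename appears in bin/hardening/2.4_tmp_noexec.sh. If the path under /usr/share/systemd is still needed elsewhere (for instance by the 2.1 script the new error messages refer to), a comment such as `# Unit template shipped with systemd; the active unit is DEBIAN_SERVICEPATH` would explain why both paths are kept; otherwise the line should be dropped rather than renamed.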
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION - else - has_mount_option_systemd $SERVICEPATH $OPTION - fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=5 else ok "$PARTITION mounted with $OPTION" FNRET=0 fi fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index 4c88b99..e403c7f 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh 
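Review bot: In audit(), UNITSERVICEPATH is assigned only when OS_RELEASE is 1 or 2, so for any other value it stays empty and the unquoted `if [ -e $UNITSERVICEPATH ]; then` collapses to `[ -e ]`, a one-argument test that is always true; the script then runs `has_mount_option_systemd $UNITSERVICEPATH $OPTION` with the empty path expansion vanishing, and whatever that helper reports is attributed to a unit that was never located. Quoting the expansion, `if [ -e "$UNITSERVICEPATH" ]; then`, makes the empty case fall through to the existing `crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"` / `FNRET=2` branch, which is the outcome the new code clearly intends; the same `-e` test is added in bin/hardening/2.3_tmp_nosuid.sh and bin/hardening/2.4_tmp_noexec.sh and needs the same quoting. The OS_RELEASE-to-UNITSERVICEPATH mapping is also duplicated verbatim at the top of audit() and apply() in all three files; since PARTITION, OPTION and the two unit paths are already set at file level, computing UNITSERVICEPATH once beside them would remove the six copies and keep audit and apply from drifting apart. audit() begins before this hunk and apply() continues after it.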
@@ -48,57 +48,44 @@ audit () { else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" if [ $OS_RELEASE -eq 1 ]; then - if [ -e $DEBIAN_SERVICEPATH ]; then - has_mount_option_systemd $DEBIAN_SERVICEPATH $OPTION - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - crit "$DEBIAN_SERVICEPATH is not exist! Please apply 2.1 first!" - FNRET=2 - fi + UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - if [ -e $REDHAT_SERVICEPATH ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 else - crit "$REDHAT_SERVICEPATH is not exist! Please apply 2.1 first!" - FNRET=2 + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
+ FNRET=2 fi fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "System unit $SERVICENAME is not exist! Please apply 2.1 first!" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -111,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $DEBIAN_SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index 52f16cb..618d75a 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -17,9 +17,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="noexec" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 else - has_mount_option_systemd $SERVICEPATH $OPTION + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab"