
2.2_tmp_nodev.sh

This commit is contained in:
thibault.dewailly 2016-04-04 15:05:10 +02:00
parent 01b03f7aeb
commit 0bf935bb17
7 changed files with 183 additions and 31 deletions

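--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# CIS Debian 7 Hardening
+#
+#
+# 2.2 Set nodev option for /tmp Partition (Scored)
+#
+set -e # One error, it's over
+set -u # One variable unset, it's over
+# Quick factoring as many script use the same logic
+PARTITION="/tmp"
+OPTION="nodev"
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+info "Verifying that $PARTITION is a partition"
+FNRET=0
+is_a_partition "$PARTITION"
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION is not a partition"
+FNRET=2
+else
+ok "$PARTITION is a partition"
+has_mount_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+crit "$PARTITION have no option $OPTION in fstab !"
+FNRET=1
+else
+ok "$PARTITION have $OPTION in fstab"
+has_mounted_option $PARTITION $OPTION
+if [ $FNRET -gt 0 ]; then
+warn "$PARTITION is not mounted with $OPTION at runtime"
+FNRET=3
+else
+ok "$PARTITION mounted with $OPTION"
+fi
+fi
+fi
+}
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $FNRET = 0 ]; then
+ok "$PARTITION is correctly set"
+elif [ $FNRET = 2 ]; then
+crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+elif [ $FNRET = 1 ]; then
+info "Adding $OPTION to fstab"
+add_option_to_fstab $PARTITION $OPTION
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+elif [ $FNRET = 3 ]; then
+info "Remounting $PARTITION from fstab"
+remount_partition $PARTITION
+fi
+}
+# This function will check config parameters required
+check_config() {
+# No param for this script
+:
+}
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh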
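Review bot: The branch at `if [ -z $CIS_ROOT_DIR ]; then` prints "No CIS_ROOT_DIR variable, aborting" but never exits, so with an empty value the script falls through to the last line and sources `$CIS_ROOT_DIR/lib/main.sh` resolved as `/lib/main.sh`; the echo should be followed by `exit 128` like the branch above, and the test should quote the expansion, `if [ -z "$CIS_ROOT_DIR" ]; then`. Because of `set -u` only the set-but-empty case reaches this branch, so the missing exit is the whole gap. The calls `has_mount_option $PARTITION $OPTION`, `has_mounted_option $PARTITION $OPTION`, `add_option_to_fstab $PARTITION $OPTION` and `remount_partition $PARTITION` leave their arguments unquoted while `is_a_partition "$PARTITION"` quotes; making them consistent protects mount points containing whitespace from word splitting. Presumably this header block is the template for the other hardening scripts in the commit, so the same fix would apply there.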


@ -0,0 +1,2 @@
# Configuration for script of same name
status=disabled


@ -3,3 +3,7 @@
# Valid values are debug info warning error
LOGLEVEL=debug
# Backup directory, every file touched by hardennign will be backuped here, with versionning
# Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder
BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"


@ -1,6 +1,26 @@
# CIS Debian 7 Hardening common functions
#
# File Backup functions
#
backup_file() {
FILE=$1
if [ ! -f $FILE ]; then
crit "Cannot backup $FILE, it's not a file"
FNRET=1
else
TARGET=$(echo $FILE | sed -s 's/\//./g' | sed -s 's/^.//' | sed -s "s/$/.$(date +%F-%T)/" )
TARGET="$BACKUPDIR/$TARGET"
debug "Backuping $FILE to $TARGET"
cp -a $FILE $TARGET
FNRET=0
fi
}
#
# Logging functions
#
case $LOGLEVEL in
error )
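Review bot: `cp -a $FILE $TARGET` and the `echo $FILE | sed ...` pipeline in `backup_file` leave the path unquoted, so a file name containing whitespace or glob characters is split or expanded before `cp` and `sed` see it; `cp -a -- "$FILE" "$TARGET"` keeps it intact, and the three `sed` invocations can be replaced by parameter expansion, `TARGET=${FILE#/}` then `TARGET="$BACKUPDIR/${TARGET//\//.}.$(date +%F-%T)"`, which also drops the `-s` flag that has no effect here. The backup name resolves only to the second (`date +%F-%T`), so two backups of the same file within one second overwrite each other through `cp -a`, which undercuts the versioning the configuration comment promises; appending a counter or `$$` when the target already exists would close that. The `case $LOGLEVEL in` block that starts at the end of this hunk continues outside the page, so only `backup_file` has been reviewed.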


@ -1,23 +1,9 @@
# Defines constants for CIS Debian 7 Hardening
#
# Script and shell commands homogeneity
export LANG=C
#### Useful Colot constants settings for loglevels
#### Useful Color constants settings for loglevels
# Reset Color (for syslog)
NC='\033[0m'


@ -2,40 +2,85 @@
#
# Return if a package is installed
# @param $1 package name
#
is_installed()
{
PKG_NAME=$1
if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then
return 0
fi
return 1
}
#
# Mounting point manipulation
#
# Verify $1 is a partition declared in fstab
is_a_partition() {
local PARTITION_NAME=$1
FNRET=128
if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"); then
debug "$PARTITION found in fstab"
FNRET=0
else
debug "Unable to find $PARTITION in fstab"
FNRET=1
fi
}
# Verify that $1 is mounted at runtime
is_mounted() {
local PARTITION_NAME=$1
if $(grep -q "[[:space:]]$1[[:space:]]" /proc/mounts); then
debug "$PARTITION found in /proc/mounts, it's mounted"
FNRET=0
else
debug "Unable to find $PARTITION in /proc/mounts"
FNRET=1
fi
}
# contains helper functions to work with apt
# Verify $1 has the proper option $2 in fstab
has_mount_option() {
local PARTITION=$1
local OPTION=$2
if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$2"); then
debug "$OPTION has been detected in fstab for partition $PARTITION"
FNRET=0
else
debug "Unable to find $OPTION in fstab for partition $PARTITION"
FNRET=1
fi
}
# Verify $1 has the proper option $2 at runtime
has_mounted_option() {
local PARTITION=$1
local OPTION=$2
if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then
debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
FNRET=0
else
debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION"
FNRET=1
fi
}
# Setup mount option in fstab
add_option_to_fstab() {
local PARTITION=$1
local OPTION=$2
debug "Setting $OPTION for $PARTITION in fstab"
backup_file "/etc/fstab"
# For example :
# /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2
# /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2
debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
sed -ie "s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;" /etc/fstab
}
remount_partition() {
local PARTITION=$1
debug "Remounting $PARTITION"
mount -o remount $PARTITION
}
#
# Helper functions to work with apt
#
apt_update_if_needed()
{
@ -57,7 +102,7 @@ apt_check_updates()
{
local NAME="$1"
local DETAILS="/dev/shm/${NAME}"
LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
local COUNT=$(wc -l < "$DETAILS")
FNRET=128 # Unknown function return result
RESULT="" # Result output for upgrade
@ -70,3 +115,16 @@ apt_check_updates()
fi
rm $DETAILS
}
#
# Returns if a package is installed
#
is_installed()
{
PKG_NAME=$1
if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then
FNRET=0
fi
FNRET=1
}
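Review bot: The rewritten `is_installed` at the end of the file always finishes with `FNRET=1`: the assignment after `fi` is unconditional and overwrites the `FNRET=0` set when dpkg reports the package, so every caller now sees the package as absent; move the failure value into an else branch, `if ...; then FNRET=0; else FNRET=1; fi`. In `add_option_to_fstab`, `sed -ie "..."` is parsed by GNU sed as `-i` with backup suffix `e` rather than `-i -e`, so each run leaves a stray `/etc/fstabe` beside the real file; write `sed -i -e "..." /etc/fstab` (the copy made by `backup_file` already covers rollback). The `grep -q "$2"` in `has_mount_option` and `has_mounted_option` is an unanchored substring match on the whole options field, so a requested option that is a substring of another (e.g. `dev` against `nodev`) is reported as present; matching on comma-separated fields, `awk '{print $4}' | tr ',' '\n' | grep -qx -- "$2"`, gives an exact answer. The `is_installed` definition removed at the top and the `apt_update_if_needed` body begin or end outside the page, so only the lines shown have been checked.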

tmp/backups/.gitignore vendored Normal file

@ -0,0 +1,2 @@
# Ignore everything, this is a place holder for the git
*