elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 13:07:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: ensure mountpoints are properly detected (#177)

Browse Source 
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
This commit is contained in:
GoldenKiwi 2023-05-02 18:01:53 +02:00 committed by GitHub
parent 47cf86237b
commit 19ce790a27
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/utils.sh
View File

@ -424,6 +424,9 @@ is_a_partition() {
if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
debug "$PARTITION found in fstab" debug "$PARTITION found in fstab"
FNRET=0 FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$PARTITION found in /proc fs"
FNRET=0
else else
debug "Unable to find $PARTITION in fstab" debug "Unable to find $PARTITION in fstab"
FNRET=1 FNRET=1
@ -461,6 +464,9 @@ has_mount_option() {
if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
debug "$OPTION has been detected in fstab for partition $PARTITION" debug "$OPTION has been detected in fstab for partition $PARTITION"
FNRET=0 FNRET=0
elif mountpoint -q "$PARTITION"; then
debug "$OPTION not detected in fstab, but $PARTITION is a mount point searching in /proc fs"
has_mounted_option "$PARTITION" "$OPTION"
else else
debug "Unable to find $OPTION in fstab for partition $PARTITION" debug "Unable to find $OPTION in fstab for partition $PARTITION"
FNRET=1 FNRET=1

7
tests/hardening/1.1.15_run_shm_nodev.sh
View File

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #

7
tests/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #

7
tests/hardening/1.1.17_run_shm_noexec.sh
View File

@ -12,8 +12,15 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm /run/shm rm /run/shm
sed "/dummy entry/d" /etc/fstab
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #