elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

ADD(1.1.1.7): restrict FAT partitions

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-23 11:05:37 +01:00
parent f626201fdd
commit 520ab63b29
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
bin/hardening/1.1.1.7_restrict_fat.sh
View File

@ -13,20 +13,33 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=5
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Limit mounting of FAT filesystems." DESCRIPTION="Limit mounting of FAT filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VFAT_FS"
MODULE_FILE="vfat"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
: is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
ok "$KERNEL_OPTION is disabled"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
: is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
} }
# This function will check config parameters required # This function will check config parameters required