forked from konstruktoid/hardening
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfstab
69 lines (48 loc) · 2.36 KB
/
fstab
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
function f_fstab {
echo "[$SCRIPT_COUNT] /etc/fstab and system/tmp.mount"
local TMPFSTAB
cp ./config/tmp.mount /etc/systemd/system/tmp.mount
cp /etc/fstab /etc/fstab.bck
TMPFSTAB=$(mktemp --tmpdir fstab.XXXXX)
sed -i '/floppy/d' /etc/fstab
grep -v -E '[[:space:]]/boot[[:space:]]|[[:space:]]/home[[:space:]]|[[:space:]]/var/log[[:space:]]|[[:space:]]/var/log/audit[[:space:]]|[[:space:]]/var/tmp[[:space:]]' /etc/fstab > "$TMPFSTAB"
if grep -q '[[:space:]]/boot[[:space:]].*' /etc/fstab; then
grep '[[:space:]]/boot[[:space:]].*' /etc/fstab | sed 's/defaults/defaults,nosuid,nodev/g' >> "$TMPFSTAB"
fi
if grep -q '[[:space:]]/home[[:space:]].*' /etc/fstab; then
grep '[[:space:]]/home[[:space:]].*' /etc/fstab | sed 's/defaults/defaults,nosuid,nodev/g' >> "$TMPFSTAB"
fi
if grep -q '[[:space:]]/var/log[[:space:]].*' /etc/fstab; then
grep '[[:space:]]/var/log[[:space:]].*' /etc/fstab | sed 's/defaults/defaults,nosuid,nodev,noexec/g' >> "$TMPFSTAB"
fi
if grep -q '[[:space:]]/var/log/audit[[:space:]].*' /etc/fstab; then
grep '[[:space:]]/var/log/audit[[:space:]].*' /etc/fstab | sed 's/defaults/defaults,nosuid,nodev,noexec/g' >> "$TMPFSTAB"
fi
if grep -q '[[:space:]]/var/tmp[[:space:]].*' /etc/fstab; then
grep '[[:space:]]/var/tmp[[:space:]].*' /etc/fstab | sed 's/defaults/defaults,nosuid,nodev,noexec/g' >> "$TMPFSTAB"
fi
cp "$TMPFSTAB" /etc/fstab
if ! grep -q '/run/shm ' /etc/fstab; then
echo 'none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0' >> /etc/fstab
fi
if ! grep -q '/dev/shm ' /etc/fstab; then
echo 'none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0' >> /etc/fstab
fi
if ! grep -q '/proc ' /etc/fstab; then
echo 'none /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0' >> /etc/fstab
fi
if [ -e /etc/systemd/system/tmp.mount ]; then
sed -i '/^\/tmp/d' /etc/fstab
for t in $(mount | grep "[[:space:]]/tmp[[:space:]]" | awk '{print $3}'); do
umount "$t"
done
sed -i '/[[:space:]]\/tmp[[:space:]]/d' /etc/fstab
ln -s /etc/systemd/system/tmp.mount /etc/systemd/system/default.target.wants/tmp.mount
sed -i 's/Options=.*/Options=mode=1777,strictatime,noexec,nodev,nosuid/' /etc/systemd/system/tmp.mount
chmod 0644 /etc/systemd/system/tmp.mount
systemctl daemon-reload
else
echo '/etc/systemd/system/tmp.mount was not found.'
fi
((SCRIPT_COUNT++))
}