diff options
| author | Michael Boelen <michael.boelen@cisofy.com> | 2020-03-24 15:27:50 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-03-24 15:27:50 +0300 |
| commit | f83025a283c7892ee007c43d90c07d9d6a5d241b (patch) | |
| tree | d11e20dfd1b9202975ca2fb9c435a8acab1bc622 /include/tests_filesystems | |
| parent | dbfadc544613a67726caaf870ed997ec5cf9056d (diff) | |
| parent | 72e8f572bf51ef9b9e09506624cc0a9f9143a9a9 (diff) | |
Merge pull request #860 from topimiettinen/harden-mount-options
Harden mount options for /var, check also /dev and /run
Diffstat (limited to 'include/tests_filesystems')
| -rw-r--r-- | include/tests_filesystems | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/include/tests_filesystems b/include/tests_filesystems index 502e4227..6a70c5fb 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -555,16 +555,18 @@ # --------------------------------------------------------- # Mount point nodev noexec nosuid # /boot v v v + # /dev v v # /dev/shm v v v # /home v v + # /run v v # /tmp v v v - # /var v + # /var v v # /var/log v v v # /var/log/audit v v v # /var/tmp v v v # --------------------------------------------------------- - FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" + FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev:noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /run:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nodev,nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f ${ROOTDIR}etc/fstab ]; then @@ -578,9 +580,14 @@ FS_FSTAB="" fi fi + if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise + FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }') + FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + else + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + fi if [ -n "${FS_FSTAB}" ]; then # In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line) - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" |