#!/usr/bin/gawk -f
# TODO: there is no dedicated /tmp rule yet (only the generic CIS nodev rule below may touch an ext /tmp);
#       the /var/tmp -> /tmp bind from NSA 2.2.1.4 is covered by the bind-mount check and the END block.
@load "filefuncs"
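BEGIN {
  # Distribution detection only drives the output column layout chosen by
  # the final print rule. Only the first line of /etc/os-release is read; on
  # Raspbian that is expected to be PRETTY_NAME, which carries the distro
  # name -- TODO confirm this holds for every Raspbian release. If the file
  # is unreadable $0 stays empty and the stat() probes (from the "filefuncs"
  # extension) decide instead; stbuf itself is never looked at.
  getline < "/etc/os-release"
  if ($0 ~ /Raspbian GNU\/Linux/)
    os = "raspbian"
  else if (stat("/etc/slackware-version", stbuf) == 0)
    os = "slackware"
  else if (stat("/etc/debian_version", stbuf) == 0)
    os = "debian"
  else if (stat("/etc/centos-release", stbuf) == 0)
    os = "centos"
  else
    os = "unknown"
  # set by the /tmp->/var/tmp and proc rules, consulted in END
  bind_mount_found = 0
  proc_mount_found = 0
}
# Comment lines (optionally indented) and blank lines carry no mount entry:
# emit them verbatim and skip every hardening rule. Without this, a
# commented-out entry such as "#/dev/sdb1 /home ext4 defaults 0 2" still
# splits into fstab-like fields and has its options rewritten, and a blank
# line would be printed as a run of padding spaces by the final rule.
/^[[:space:]]*(#|$)/ {
  print
  next
}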
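# partly from system-hardening-10.2.txt
# Strict options for data partitions: any ext2/3/4, reiserfs or vfat entry
# whose mount point starts with "/m" (covers /mnt/... and /media/...) or with
# /boot. Each option is tested as a whole word (\y) and on its own, so a
# partially hardened entry (e.g. only "nodev") still receives the options it
# is missing instead of being skipped because one of them was present.
( \
  $3 ~ /^(ext[234]|reiserfs|vfat)$/ && \
  ( $2 ~ /^\/m.+/ || $2 ~ /^\/boot/ ) \
){
  if ($4 !~ /\ynosuid\y/) $4 = $4 ",nosuid"
  if ($4 !~ /\ynodev\y/)  $4 = $4 ",nodev"
  if ($4 !~ /\ynoexec\y/) $4 = $4 ",noexec"
}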
# from system-hardening-10.2.txt
# /var: set-uid/set-gid bits must not take effect on this partition.
# "nosuid" is matched as a whole word so "suid" alone does not count.
$2 == "/var" {
  if ($4 !~ /\ynosuid\y/)
    $4 = $4 ",nosuid"
}
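# from system-hardening-10.2.txt
# /home: no set-uid binaries and no device nodes in user-writable trees.
# Options are matched as whole words (\y) and tested one at a time, so an
# entry that already carries only one of them still receives the other.
$2 == "/home" {
  if ($4 !~ /\ynosuid\y/) $4 = $4 ",nosuid"
  if ($4 !~ /\ynodev\y/)  $4 = $4 ",nodev"
}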
# CIS 6.1 Add 'nodev' Option To Appropriate Partitions In /etc/fstab
# NOTE:
# - ext4 added to the CIS list
# - overlaps with the /m*//boot rule above; the whole-word test on $4 keeps
#   "nodev" from being appended twice
# - "/" and "/var" are deliberately left alone
# NOTE(review): a partition that hosts a chroot or container root needing its
# own device nodes would be broken by nodev -- confirm none is mounted outside
# / and /var before running this.
$3 ~ /^(ext[234]|reiserfs)$/ && $2 !~ /^\/(var)?$/ {
  if ($4 !~ /\ynodev\y/)
    $4 = $4 ",nodev"
}
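# CIS 6.2 Add 'nosuid' and 'nodev' Option For Removable Media In /etc/fstab
# NOTE: noexec added on top of what CIS asks for
# NOTE: the optional trailing digit covers Debian, where the mount point is
#       /media/cdrom0; the "/m.+/" prefix accepts /media/... and /mnt/... alike
# Each option is tested as a whole word and on its own, so an entry that
# already has e.g. "nodev" still gets "nosuid" and "noexec" appended.
$2 ~ /^\/m.+\/(floppy|cdrom[0-9]?)$/ {
  if ($4 !~ /\ynosuid\y/) $4 = $4 ",nosuid"
  if ($4 !~ /\ynodev\y/)  $4 = $4 ",nodev"
  if ($4 !~ /\ynoexec\y/) $4 = $4 ",noexec"
}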
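# NSA RHEL guide - 2.2.1.3.2 Add nodev, nosuid, and noexec Options to /dev/shm
# Each option is tested as a whole word and on its own, so a /dev/shm entry
# that already carries one of them still receives the missing ones.
$2 == "/dev/shm" {
  if ($4 !~ /\ynosuid\y/) $4 = $4 ",nosuid"
  if ($4 !~ /\ynodev\y/)  $4 = $4 ",nodev"
  if ($4 !~ /\ynoexec\y/) $4 = $4 ",noexec"
}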
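# NSA RHEL guide 2.2.1.4: note an existing "/var/tmp bound to /tmp" entry so
# END does not append a second one. The options field is searched for the
# bind keyword instead of being compared whole: "/tmp /var/tmp none
# bind,nosuid 0 0" (or an rbind) is the same mount and must count as found.
$1 == "/tmp" && $2 == "/var/tmp" && $4 ~ /\yr?bind\y/ {
  bind_mount_found = 1
}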
# Remember whether /proc has an explicit fstab entry (consulted in END).
# hidepid=2 is deliberately NOT appended here; the reason is in
# https://github.com/systemd/systemd/issues/12955#issuecomment-508490893
# The disabled step would have been:
#   if ($4 !~ /hidepid/) $4 = $4 ",hidepid=2"
$1 == "proc" && $2 == "/proc" && $3 == "proc" {
  proc_mount_found = 1
}
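# Swap entries. fstab(5): "For swap partitions, this field should be
# specified as 'none'." The options field is normalised to carry "sw"
# (FILE-6336 -- apparently a Lynis test id). Only the placeholder "defaults"
# (or an empty field) is replaced outright; real options such as pri=,
# discard or nofail are kept, since overwriting them would silently change
# the swap configuration.
$3 == "swap" {
  $2 = "none"
  if ($4 == "" || $4 == "defaults")
    $4 = "sw"
  else if ($4 !~ /\ysw\y/)
    $4 = "sw," $4
}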
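# Output. Every entry is re-emitted with its (possibly rewritten) fields
# aligned the way the detected distribution's installer lays out /etc/fstab
# (Slackware widths from /usr/lib/setup/SeTpartitions of the installer).
# Comment lines are printed untouched. fstab(5) lets fs_freq ($5) and
# fs_passno ($6) be omitted, meaning 0, so an empty field is written as "0"
# instead of producing a ragged, trailing-blank line.
{
  if ($0 ~ /^[[:space:]]*#/) {
    print
  } else {
    freq = ($5 == "") ? "0" : $5
    passno = ($6 == "") ? "0" : $6
    switch (os) {
    case "raspbian":
      printf "%-15s %-15s %-7s %-17s %-7s %s\n", $1, $2, $3, $4, freq, passno
      break
    case "debian":
      printf "%-15s %-15s %-7s %-15s %-7s %s\n", $1, $2, $3, $4, freq, passno
      break
    case "centos":
      printf "%-41s %-23s %-7s %-15s %s %s\n", $1, $2, $3, $4, freq, passno
      break
    case "slackware":
    default:
      # Slackware layout, also used when the distribution is unknown
      printf "%-16s %-16s %-11s %-16s %-3s %s\n", $1, $2, $3, $4, freq, passno
      break
    }
  }
}
END {
  # NSA RHEL guide 2.2.1.4: give /var/tmp the same restrictions as /tmp by
  # bind-mounting it, unless an entry already does so. Appended last so /tmp
  # (and /var) are listed before it. NOTE: /var/tmp then shares /tmp's
  # backing store -- if /tmp is a tmpfs, /var/tmp no longer survives reboots.
  if (!bind_mount_found)
    printf "/tmp /var/tmp none bind 0 0\n"
  # hidepid=2 on /proc intentionally stays disabled; see the proc rule above.
  #if (!proc_mount_found && os != "slackware")
  #  printf "proc /proc proc defaults,hidepid=2 0 0\n"
}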