#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  1.1.2    Ensure /tmp is configured
#  1.1.3    Ensure noexec option set on /tmp
#  1.1.4    Ensure nodev option set on /tmp
#  1.1.5    Ensure nosuid option set on /tmp
#  1.1.6    Ensure /dev/shm is configured
#  1.1.7    Ensure noexec option set on /dev/shm
#  1.1.8    Ensure nodev option set on /dev/shm
#  1.1.9    Ensure nosuid option set on /dev/shm
#  1.1.10*  Ensure separate partition exists for /var
#  1.1.11*  Ensure separate partition exists for /var/tmp
#  1.1.12   Ensure /var/tmp includes the noexec option
#  1.1.13   Ensure /var/tmp includes the nodev option
#  1.1.14   Ensure /var/tmp includes the nosuid option
#  1.1.15*  Ensure separate partition exists for /var/log
#  1.1.16*  Ensure separate partition exists for /var/log/audit
#  1.1.17*  Ensure separate partition exists for /home
#  1.1.18   Ensure /home partition includes the nodev option
#----------------------------------------------------------------------
#        * Accepted non-compliance (but faked for AWS Inspector)
#
# Because bind mounts are used, propagating the mount options also requires
# that the bound filesystems be remounted with mount -o remount so that all
# options are applied; this remount is performed by ng-encis-remount-binds.service


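# Absolute, symlink-resolved path of this script. "$0" is quoted so a path
# containing whitespace or glob characters survives word splitting, and
# "--" keeps readlink from treating an odd "$0" as an option.
# NOTE(review): SELF is not referenced anywhere else in this file.
SELF=$(readlink -f -- "$0")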

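# Rewrite the /etc/fstab entries listed in the file header through Augeas.
#   --autosave    write the modified tree back when the input ends
#   --backup      keep the previous file as /etc/fstab.augsave
#   --noautoload  load only what the transform below binds (/etc/fstab)
#                 instead of every file Augeas knows a lens for
# The heredoc delimiter is quoted, so bash expands nothing inside it:
# $entry / $noentry are augtool variables, not shell variables.
# Each section is meant to create a skeleton node only when no entry for
# that mount point exists yet (the count(...)=0 predicate) and then set the
# fields on whichever entry matches, so the script is intended to be safe
# to apply repeatedly. The rm/ins/set trio on the #comment node replaces
# the marker comment preceding the entry rather than adding another one.
# NOTE(review): `set $entry/opt[N]` replaces the option *name* at that
# position and leaves other positions alone; an option that was already
# at that position with a value (e.g. size=...) may keep its value child
# under the new name. Confirm on hosts that ship a pre-existing entry.
augtool --autosave --backup --noautoload >/dev/null <<'EOD'
    transform Fstab.lns incl /etc/fstab
    load

    #############################################################
    # /tmp (CIS Controls 1.1.2, 1.1.3, 1.1.4, 1.1.5)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/tmp"])=0]
    set $noentry/01/spec "tmpfs"
    set $noentry/01/file "/tmp"

    defvar entry /files/etc/fstab/*[file="/tmp"]
    set $entry/spec "tmpfs"
    set $entry/vfstype "tmpfs"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "noexec"
    set $entry/opt[3] "nodev"
    set $entry/opt[4] "nosuid"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/tmp"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/tmp"]][last()][label()='#comment'] "[ng-encis] /tmp (CIS Controls 1.1.2, 1.1.3, 1.1.4, 1.1.5)"

    #############################################################
    # /dev/shm (CIS Controls 1.1.6, 1.1.7, 1.1.8, 1.1.9)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/dev/shm"])=0]
    set $noentry/02/spec "tmpfs"
    set $noentry/02/file "/dev/shm"

    defvar entry /files/etc/fstab/*[file="/dev/shm"]
    set $entry/spec "tmpfs"
    set $entry/vfstype "tmpfs"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "noexec"
    set $entry/opt[3] "nodev"
    set $entry/opt[4] "nosuid"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/dev/shm"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/dev/shm"]][last()][label()='#comment'] "[ng-encis] /dev/shm  (CIS Controls 1.1.6, 1.1.7, 1.1.8, 1.1.9)"


    #############################################################
    # /var (CIS Control 1.1.10)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/var"])=0]
    set $noentry/03/spec "/var"
    set $noentry/03/file "/var"

    defvar entry /files/etc/fstab/*[file="/var"]
    set $entry/spec "/var"
    set $entry/vfstype "none"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "bind"
    set $entry/opt[3] "private"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/var"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/var"]][last()][label()='#comment'] "[ng-encis] /var  (CIS Control 1.1.10)"

    #############################################################
    # /var/tmp (CIS Controls 1.1.11, 1.1.12, 1.1.13, 1.1.14)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/var/tmp"])=0]
    set $noentry/04/spec "tmpfs"
    set $noentry/04/file "/var/tmp"

    defvar entry /files/etc/fstab/*[file="/var/tmp"]
    set $entry/spec "/var/tmp"
    set $entry/vfstype "none"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "bind"
    set $entry/opt[3] "noexec"
    set $entry/opt[4] "nodev"
    set $entry/opt[5] "nosuid"
    set $entry/opt[6] "x-remount"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/var/tmp"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/var/tmp"]][last()][label()='#comment'] "[ng-encis] /var/tmp (CIS Controls 1.1.11, 1.1.12, 1.1.13, 1.1.14)"

    #############################################################
    # /var/log (CIS Control 1.1.15)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/var/log"])=0]
    set $noentry/05/spec "/var/log"
    set $noentry/05/file "/var/log"

    defvar entry /files/etc/fstab/*[file="/var/log"]
    set $entry/spec "/var/log"
    set $entry/vfstype "none"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "bind"
    set $entry/opt[3] "private"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/var/log"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/var/log"]][last()][label()='#comment'] "[ng-encis] /var/log  (CIS Control 1.1.15)"


    #############################################################
    # /var/log/audit (CIS Control 1.1.16)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/var/log/audit"])=0]
    set $noentry/06/spec "/var/log/audit"
    set $noentry/06/file "/var/log/audit"

    defvar entry /files/etc/fstab/*[file="/var/log/audit"]
    set $entry/spec "/var/log/audit"
    set $entry/vfstype "none"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "bind"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/var/log/audit"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/var/log/audit"]][last()][label()='#comment'] "[ng-encis] /var/log/audit  (CIS Control 1.1.16)"

    #############################################################
    # /home (CIS Controls 1.1.17, 1.1.18)
    #############################################################
    defvar noentry /files/etc/fstab[count(*[file="/home"])=0]
    set $noentry/07/spec "/home"
    set $noentry/07/file "/home"

    defvar entry /files/etc/fstab/*[file="/home"]
    set $entry/spec "/home"
    set $entry/vfstype "none"
    set $entry/opt[1] "defaults"
    set $entry/opt[2] "bind"
    set $entry/opt[3] "nodev"
    set $entry/opt[4] "x-remount"
    set $entry/dump 0
    set $entry/passno 0

    rm /files/etc/fstab/*[following-sibling::*[file = "/home"]][last()][label()='#comment']
    ins #comment before $entry
    set /files/etc/fstab/#comment[following-sibling::*[file="/home"]][last()][label()='#comment'] "[ng-encis] /home  (CIS Controls 1.1.17, 1.1.18)"

EOD
augtool_rc=$?
# Do not continue (and in particular do not enable the remount service
# further down) on top of an fstab that augtool could not update or save;
# the previous contents are still available as /etc/fstab.augsave.
# NOTE(review): this relies on augtool exiting non-zero when a command or
# the autosave fails. Confirm on a host where every entry already exists
# that the conditional $noentry sets do not report a failure there.
if [ "$augtool_rc" -ne 0 ]; then
    printf '%s: augtool failed to update /etc/fstab (exit status %d)\n' \
        "${0##*/}" "$augtool_rc" >&2
    exit "$augtool_rc"
fi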

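# Enable the bind remount service. Per the file header, the bind-mounted
# entries written above only get their options applied once they are
# remounted with mount -o remount, which this unit performs. Fail loudly
# if it cannot be enabled, otherwise the hardening would look complete
# while the bind mounts never pick up their options.
if ! systemctl enable --no-block ng-encis-remount-binds.service; then
    printf '%s: failed to enable ng-encis-remount-binds.service\n' "${0##*/}" >&2
    exit 1
fi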
