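#!/bin/bash
# Mount point hardening - PRD FR-007, CIS Benchmark 1.1
# Reference: CIS Benchmark for Debian, NIST SP 800-53 CM-7
#
# Adds nodev/nosuid (and noexec where appropriate) to the /tmp, /var/tmp,
# /home and /dev/shm entries of /etc/fstab when such entries exist, appends a
# hardened tmpfs entry for /tmp when none exists, and installs a tmpfiles.d
# snippet that keeps the /tmp directory itself at mode 1777.
#
# Must run as root. The fstab edits only take effect at the next mount
# (reboot or an explicit remount); this script does not remount anything.
#
# Globals written: /etc/fstab, /etc/tmpfiles.d/knel-mount-hardening.conf
set -euo pipefail

readonly FSTAB=/etc/fstab
readonly TMPFILES_DIR=/etc/tmpfiles.d
readonly TMPFILES_CONF="${TMPFILES_DIR}/knel-mount-hardening.conf"

#######################################
# Test whether an fstab has an active (non-comment) entry for a mount point.
# Matches the mount-point field exactly: a substring grep for "/tmp" would
# also hit "/var/tmp", commented-out lines and any device path containing
# the text.
# Arguments: $1 - fstab path
#            $2 - mount point (compared exactly against field 2)
# Returns:   0 if an entry exists, non-zero otherwise (also when the file
#            is missing or unreadable)
#######################################
fstab_has_mount() {
  local fstab=$1 mount_point=$2
  [[ -f "$fstab" ]] || return 1
  awk -v mp="$mount_point" \
    '$1 !~ /^#/ && NF >= 2 && $2 == mp { found = 1 } END { exit !found }' \
    "$fstab"
}

#######################################
# Append mount options to every active fstab entry for a mount point.
# Options the entry already carries are skipped, so re-running the script
# is idempotent (a plain s/defaults/defaults,.../ would duplicate them on
# every run and would do nothing for entries whose options field does not
# contain "defaults", e.g. "errors=remount-ro").
# Arguments: $1 - fstab path
#            $2 - mount point (compared exactly against field 2)
#            $3 - comma-separated mount options to ensure
# Returns:   0 on success (including "no matching entry"), non-zero on I/O
#            error; fstab is left untouched on error
#######################################
fstab_add_options() {
  local fstab=$1 mount_point=$2 options=$3
  local tmp rc=0
  tmp=$(mktemp) || return 1
  # Rewrite into a temp file first so a failed awk can never truncate fstab.
  if awk -v mp="$mount_point" -v opts="$options" '
    $1 !~ /^#/ && NF >= 4 && $2 == mp {
      split("", have)
      n = split($4, cur, ",")
      for (i = 1; i <= n; i++) have[cur[i]] = 1
      m = split(opts, want, ",")
      for (j = 1; j <= m; j++) if (!(want[j] in have)) $4 = $4 "," want[j]
    }
    { print }
  ' "$fstab" > "$tmp"; then
    # cat (not mv) keeps the original inode, owner and mode of fstab.
    cat "$tmp" > "$fstab" || rc=$?
  else
    rc=1
  fi
  rm -f -- "$tmp"
  return "$rc"
}

#######################################
# Entry point: install the tmpfiles.d snippet, harden existing fstab entries,
# and add a tmpfs /tmp entry when fstab has none.
# Globals:   FSTAB, TMPFILES_DIR, TMPFILES_CONF (read)
# Arguments: none
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 on success; exits non-zero (set -e) if fstab/tmpfiles.d cannot
#            be written
#######################################
main() {
  printf '%s\n' "Applying mount point hardening..."

  # A tmpfiles.d "d" line only guarantees the directory exists with the given
  # mode; tmpfiles.d cannot set mount flags, those come from fstab below.
  # NOTE(review): the age field "0d" appears to let `systemd-tmpfiles --clean`
  # purge /tmp contents regardless of file age (upstream tmp.conf uses 10d)
  # - confirm this is the intended cleanup policy.
  mkdir -p -- "$TMPFILES_DIR"
  cat >"$TMPFILES_CONF" <<'EOF'
# KNEL-Football Mount Hardening
# Keeps /tmp present with mode 1777; the nodev,nosuid,noexec mount options
# for /tmp are applied through /etc/fstab, not through this file
# This supplements the installer-created fstab
d /tmp 1777 root root 0d
EOF

  # Mount points and the options to enforce on each. /home keeps exec so
  # user-owned scripts still run; the temporary filesystems get noexec.
  local entry mount_point options
  for entry in \
    '/tmp:nodev,nosuid,noexec' \
    '/var/tmp:nodev,nosuid,noexec' \
    '/home:nodev,nosuid' \
    '/dev/shm:nodev,nosuid,noexec'; do
    mount_point=${entry%%:*}
    options=${entry#*:}
    if fstab_has_mount "$FSTAB" "$mount_point"; then
      # Best effort, as before, but a failure is reported instead of hidden.
      fstab_add_options "$FSTAB" "$mount_point" "$options" \
        || printf 'warn: could not update %s entry in %s\n' \
          "$mount_point" "$FSTAB" >&2
    fi
  done

  # No active fstab entry for /tmp at all (missing file included): mount it
  # as a hardened, size-capped tmpfs. Appending creates fstab if absent.
  if ! fstab_has_mount "$FSTAB" /tmp; then
    printf '%s\n' "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> "$FSTAB"
  fi

  printf '%s\n' "Mount hardening completed."
}

main "$@"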