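#!/bin/bash
# Mount point hardening - PRD FR-007, CIS Benchmark 1.1
# Reference: CIS Benchmark for Debian, NIST SP 800-53 CM-7
#
# Ensures /tmp, /var/tmp and /dev/shm carry nodev,nosuid,noexec (adding a
# tmpfs entry when the mount point is absent from fstab) and that a separate
# /home partition carries nodev,nosuid.
#
# Edits are idempotent: a mount point is matched on the second fstab field
# only (so '/tmp' does not match '/var/tmp' and '/home' does not match
# '/home2'), and each option is appended only when the entry does not already
# carry it, so re-running the script never duplicates options. Entries whose
# option field lacks the literal word "defaults" are hardened as well.
#
# Must run as root (writes $FSTAB). FSTAB may be overridden via the
# environment; it defaults to /etc/fstab. A backup "$FSTAB.bak-<timestamp>"
# is written before the first change. New options take effect on the next
# mount of each filesystem (remount or reboot); this script does not remount.
set -euo pipefail

FSTAB="${FSTAB:-/etc/fstab}"

# Path of the backup taken before the first modification (empty until then).
FSTAB_BACKUP=""

# die MESSAGE... -- print MESSAGE to stderr and exit 1.
die() { printf 'mount-hardening: %s\n' "$*" >&2; exit 1; }

#######################################
# Copy fstab aside once, before the first modification.
# Globals:   FSTAB_BACKUP (written)
# Arguments: $1 - fstab path
#######################################
backup_fstab() {
  local fstab=$1
  if [[ -n "$FSTAB_BACKUP" ]]; then
    return 0
  fi
  FSTAB_BACKUP="${fstab}.bak-$(date +%Y%m%d%H%M%S)"
  cp -p -- "$fstab" "$FSTAB_BACKUP" || die "cannot back up $fstab"
  echo "Backed up $fstab to $FSTAB_BACKUP"
}

#######################################
# Report whether a mount point has an uncommented entry in fstab.
# Compares the second whitespace-separated field exactly; a substring match
# (the original grep '/tmp') would also hit /var/tmp and comment lines.
# Arguments: $1 - fstab path, $2 - mount point
# Returns:   0 if present, 1 otherwise
#######################################
has_mount_entry() {
  local fstab=$1 mnt=$2
  awk -v mnt="$mnt" \
    '$1 !~ /^#/ && $2 == mnt { found = 1 } END { exit !found }' "$fstab"
}

#######################################
# Append missing mount options to the entry for one mount point.
# Only the line whose second field equals the mount point is changed; each
# requested option is added to the fourth field only if absent. The file is
# rewritten in place (same inode, so ownership and mode are kept) and only
# when the content actually changes.
# Arguments: $1 - fstab path, $2 - mount point, $3 - comma-separated options
#######################################
add_mount_options() {
  local fstab=$1 mnt=$2 opts=$3
  local new
  new=$(awk -v mnt="$mnt" -v opts="$opts" '
    $1 !~ /^#/ && $2 == mnt && NF >= 4 {
      n = split(opts, want, ",")
      for (i = 1; i <= n; i++) {
        # Wrap in commas so "nodev" is not matched inside e.g. "nodevfoo".
        if (index("," $4 ",", "," want[i] ",") == 0) {
          $4 = $4 "," want[i]   # assigning a field rebuilds the line with OFS
        }
      }
    }
    { print }
  ' "$fstab") || die "cannot process $fstab"
  # $(<file) and $(awk) both strip trailing newlines, so the comparison is
  # content-only; the rewrite normalises the file to end in exactly one.
  if [[ "$new" != "$(<"$fstab")" ]]; then
    backup_fstab "$fstab"
    printf '%s\n' "$new" > "$fstab"
    echo "Hardened $mnt in $fstab (+$opts)"
  fi
}

#######################################
# Harden one mount point: add options to an existing entry, or append a
# tmpfs entry when none exists and tmpfs options were given.
# Globals:   FSTAB (read/written)
# Arguments: $1 - mount point
#            $2 - options to ensure on an existing entry
#            $3 - (optional) full option string for a new tmpfs entry;
#                 when empty the mount point is left alone if absent
#######################################
harden_mount() {
  local mnt=$1 opts=$2 tmpfs_opts=${3:-}
  if has_mount_entry "$FSTAB" "$mnt"; then
    add_mount_options "$FSTAB" "$mnt" "$opts"
  elif [[ -n "$tmpfs_opts" ]]; then
    backup_fstab "$FSTAB"
    printf 'tmpfs %s tmpfs %s 0 0\n' "$mnt" "$tmpfs_opts" >> "$FSTAB"
    echo "Added tmpfs entry for $mnt to $FSTAB"
  else
    echo "No separate $mnt entry in $FSTAB; skipping."
  fi
}

main() {
  echo "Applying mount point hardening..."
  [[ -e "$FSTAB" ]] || touch -- "$FSTAB" || die "cannot create $FSTAB"
  [[ -w "$FSTAB" ]] || die "$FSTAB is not writable; run as root"

  # NOTE: noexec on /tmp is the CIS-recommended setting but is known to break
  # software that executes from /tmp (some package maintainer scripts);
  # verify on a staging host before rolling out.
  harden_mount /tmp     nodev,nosuid,noexec defaults,nodev,nosuid,noexec,size=2G
  harden_mount /var/tmp nodev,nosuid,noexec defaults,nodev,nosuid,noexec,size=512M
  harden_mount /dev/shm nodev,nosuid,noexec defaults,nodev,nosuid,noexec,size=512M
  # /home is only hardened when it is its own partition; never added.
  harden_mount /home    nodev,nosuid

  echo "Mount hardening completed."
}

main "$@"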