From 6127f2fe6717755ac3623a33e3747b436cf76937 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Wed, 20 Jan 2021 09:21:08 +0100
Subject: [PATCH] IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
---
 bin/hardening/4.2.2.1_journald_logs.sh | 16 ++++++++--------
 bin/hardening/4.2.2.2_journald_compress.sh | 14 +++++++-------
 .../4.2.2.3_journald_write_persistent.sh | 2 +-
 tests/hardening/4.2.2.1_journald_logs.sh | 5 ++---
 tests/hardening/4.2.2.2_journald_compress.sh | 4 ++--
 5 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/bin/hardening/4.2.2.1_journald_logs.sh b/bin/hardening/4.2.2.1_journald_logs.sh
index 4e47970..1fc28a1 100755
--- a/bin/hardening/4.2.2.1_journald_logs.sh
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='ForwardToSyslog=yes'
+OPTIONS='ForwardToSyslog=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
 debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
-crit "$PATTERN is not present in $FILE"
+ok "$PATTERN is not present in $FILE"
 else
-ok "$PATTERN is present in $FILE"
+crit "$PATTERN is present in $FILE"
 fi
 done
 fi
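Review bot: `OPTIONS='ForwardToSyslog=no'` now holds the value that must be absent rather than the value to enforce, but nothing next to the assignment says so, and the `debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"` line in the audit hunk below still reads as if it were the target value. A comment on the assignment would keep the next maintainer from "fixing" it back, e.g. `# Forbidden override: per this commit the journald default (ForwardToSyslog=yes) is the compliant setting, so only an explicit =no fails the audit`. The same applies to `OPTIONS='Compress=no'` in 4.2.2.2_journald_compress.sh, whose `DESCRIPTION` context line additionally still says "send logs to syslog-ng" instead of describing compression.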
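Review bot: The `ok`/`crit` swap makes the audit pass whenever the anchored pattern `^ForwardToSyslog=no` is absent, so an override spelled differently — whitespace around `=` (`ForwardToSyslog = no`) or another boolean spelling systemd's parser accepts (`false`, `0`, `off`) — is reported as compliant. Now that the rule is "the disabling line must not exist", the pattern has to be at least as tolerant as journald's parser; if does_pattern_exist_in_file uses extended regex, something like `PATTERN="^[[:space:]]*$JOURNALD_PARAM[[:space:]]*=[[:space:]]*(no|false|0|off)"` covers the common spellings, and the single `FILE` also leaves `/etc/systemd/journald.conf.d/*.conf` drop-ins unexamined. `PATTERN` is built outside this hunk and audit() continues past it. The audit hunk of 4.2.2.2_journald_compress.sh has the same gap.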
@@ -57,18 +57,18 @@ apply() {
 debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
 PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
-if [ "$FNRET" != 0 ]; then
-warn "$PATTERN is not present in $FILE, adding it"
+if [ "$FNRET" = 0 ]; then
+warn "$PATTERN is present in $FILE, deleting it"
 does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
 else
 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
 fi
 else
-ok "$PATTERN is present in $FILE"
+ok "$PATTERN is not present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/4.2.2.2_journald_compress.sh b/bin/hardening/4.2.2.2_journald_compress.sh
index 324f592..cd44b9c 100755
--- a/bin/hardening/4.2.2.2_journald_compress.sh
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='Compress=yes'
+OPTIONS='Compress=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
 debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
-crit "$PATTERN is not present in $FILE"
+ok "$PATTERN is not present in $FILE"
 else
-ok "$PATTERN is present in $FILE"
+crit "$PATTERN is present in $FILE"
 fi
 done
 fi
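Review bot: The inner `does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"` branch is now dead: it only runs after the outer `if [ "$FNRET" = 0 ]` has confirmed that `^ForwardToSyslog=no` is present, so `^ForwardToSyslog` always matches and `add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"` can never execute. The block can shrink to the single `replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"` call under the `warn`, and the literal `yes` deserves a named variable or a comment, since `$JOURNALD_VALUE` (now the forbidden value) is no longer what gets written. The `warn` also says "deleting it" while the code rewrites the line to `=yes`; "replacing it" would be accurate. apply() starts before this hunk. The apply hunk of 4.2.2.2_journald_compress.sh has the same unreachable branch.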
@@ -57,18 +57,18 @@ apply() {
 debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
 PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
-if [ "$FNRET" != 0 ]; then
+if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
 else
 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
 fi
 else
-ok "$PATTERN is present in $FILE"
+ok "$PATTERN is not present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/4.2.2.3_journald_write_persistent.sh b/bin/hardening/4.2.2.3_journald_write_persistent.sh
index 6eb43ff..8dcd492 100755
--- a/bin/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
@@ -62,7 +62,7 @@ apply() {
 does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
 else
 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
 replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
diff --git a/tests/hardening/4.2.2.1_journald_logs.sh b/tests/hardening/4.2.2.1_journald_logs.sh
index b757c05..24106b1 100644
--- a/tests/hardening/4.2.2.1_journald_logs.sh
+++ b/tests/hardening/4.2.2.1_journald_logs.sh
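Review bot: The condition was inverted to `if [ "$FNRET" = 0 ]` but the `warn "$PATTERN is not present in $FILE, adding it"` right under it was not, so the log now claims the pattern is absent and being added exactly when `^Compress=no` was found and is about to be rewritten; 4.2.2.1_journald_logs.sh got the updated wording in this same commit. It should read `warn "$PATTERN is present in $FILE, replacing it with $JOURNALD_PARAM=yes"`. The `add_end_of_file` branch below it is unreachable for the reason noted on 4.2.2.1. apply() starts before this hunk.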
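Review bot: Dropping the spaces in `add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"` is right, but hosts already remediated by the previous version of this script carry a `$JOURNALD_PARAM = $JOURNALD_VALUE`-style line, which `^$JOURNALD_PARAM` (checked two lines above) matches while `^$JOURNALD_PARAM=.*` in the `replace_in_file` call below does not, so apply logs "Fixing", changes nothing, and the audit presumably keeps failing. Tolerating optional whitespace in the replace pattern, `replace_in_file "$FILE" "^$JOURNALD_PARAM *=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"`, would repair those hosts, assuming replace_in_file takes a sed-style regex. apply() and the parameter/value setup are outside this hunk.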
@@ -3,7 +3,6 @@ test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
-dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@@ -13,7 +12,7 @@ test_audit() {
 echo "ForwardToSyslog=no" >>"$FILE"
 register_test retvalshouldbe 1
 register_test contain "$FILE exists, checking configuration"
-register_test contain "is not present in $FILE"
+register_test contain "is present in $FILE"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
 describe correcting situation
@@ -22,6 +21,6 @@ test_audit() {
 
 describe Checking resolved state
 register_test retvalshouldbe 0
-register_test contain "is present in $FILE"
+register_test contain "is not present in $FILE"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.2.2.2_journald_compress.sh b/tests/hardening/4.2.2.2_journald_compress.sh
index fd8c992..d1933c9 100644
--- a/tests/hardening/4.2.2.2_journald_compress.sh
+++ b/tests/hardening/4.2.2.2_journald_compress.sh
@@ -13,7 +13,7 @@ test_audit() {
 echo "Compress=no" >>"$FILE"
 register_test retvalshouldbe 1
 register_test contain "$FILE exists, checking configuration"
-register_test contain "is not present in $FILE"
+register_test contain "is present in $FILE"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
 describe correcting situation
@@ -22,6 +22,6 @@ test_audit() {
 
 describe Checking resolved state
 register_test retvalshouldbe 0
-register_test contain "is present in $FILE"
+register_test contain "is not present in $FILE"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
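Review bot: The noncompliant fixtures only seed the exact `ForwardToSyslog=no` and `Compress=no` lines that the audit's anchored pattern matches, so these tests cannot detect that an override such as `ForwardToSyslog = no` or `ForwardToSyslog=false` is passed as compliant by the new "must be absent" logic. A second noncompliant run per file seeding one of those spellings would pin the intended semantics. Removing `dismiss_count_for_test` also means the blank-host run now asserts `retvalshouldbe 0`, which presumably relies on the test image's journald.conf carrying no explicit `=no`; a one-line comment there would make that assumption visible. test_audit() in both files extends beyond these hunks.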