diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/4.2.2.1_enable_syslog-ng.sh
similarity index 96%
rename from bin/hardening/8.2.2_enable_syslog-ng.sh
rename to bin/hardening/4.2.2.1_enable_syslog-ng.sh
index 9bb7f6d..54f1e2e 100755
--- a/bin/hardening/8.2.2_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.2.1_enable_syslog-ng.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 8.2.2 Ensure the syslog-ng Service is activated (Scored)
+# 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/4.2.2.2_configure_syslog-ng.sh
similarity index 95%
rename from bin/hardening/8.2.3_configure_syslog-ng.sh
rename to bin/hardening/4.2.2.2_configure_syslog-ng.sh
index fc83f3a..9b5ba82 100755
--- a/bin/hardening/8.2.3_configure_syslog-ng.sh
+++ b/bin/hardening/4.2.2.2_configure_syslog-ng.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 8.2.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+# 4.2.2.2 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
new file mode 100755
index 0000000..05eb25d
--- /dev/null
+++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure logfile are created with root:640"
+
+PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ FOUND=0
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+ for FILE in $FILES; do
+ does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ FOUND=1
+ fi
+ done
+
+ if [ $FOUND = 1 ]; then
+ ok "$PATTERN is present in $FILES"
+ else
+ crit "$PATTERN is not present in $FILES"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ FOUND=0
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+ for FILE in $FILES; do
+ does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ FOUND=1
+ fi
+ done
+ if [ $FOUND = 1 ]; then
+ ok "$PATTERN is present in $FILES"
+ else
+ crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+ fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+ cat <