diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh index 05eb25d..df50474 100755 --- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh 
@@ -5,50 +5,113 @@ # # -# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) +# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored) # set -e # One error, it's over set -u # One variable unset, it's over -HARDENING_LEVEL=3 -DESCRIPTION="Ensure logfile are created with root:640" +# Note: this is not exacly the same check as the one described in CIS PDF -PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);' +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Create and set permissions on syslog-ng logfiles." + +PERMISSIONS='' +USER='' +GROUP='' +EXCEPTIONS='' # This function will be called if the script status is on enabled / audit mode audit () { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)" + FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ $FNRET = 0 ]; then - FOUND=1 + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + warn "$FILE does not exist" + else + FOUND_EXC=0 + if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then + debug "$FILE is found in exceptions" + debug "Setting special user:group:perm" + FOUND_EXC=1 + local user_bak="$USER" + local group_bak="$GROUP" + local perm_bak="$PERMISSIONS" + USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" + GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" + PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership ($USER:$GROUP)" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions ($PERMISSIONS)" + else + crit "$FILE permissions 
were not set to $PERMISSIONS" + fi + if [ "$FOUND_EXC" = 1 ]; then + debug "Resetting user:group:perm" + USER="$user_bak" + GROUP="$group_bak" + PERMISSIONS="$perm_bak" + fi fi done - - if [ $FOUND = 1 ]; then - ok "$PATTERN is present in $FILES" - else - crit "$PATTERN is not present in $FILES" - fi } # This function will be called if the script status is on enabled mode apply () { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)" for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ $FNRET = 0 ]; then - FOUND=1 + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + info "$FILE does not exist" + filedir=$(dirname "${FILE#/var/log/}") + if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then + debug "Creating /var/log/$filedir for $FILE" + debug "mkdir -p /var/log/$filedir" + mkdir -p /var/log/"$filedir" + fi + touch "$FILE" + fi + FOUND_EXC=0 + if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then + debug "$FILE is found in exceptions" + debug "Setting special user:group:perm" + FOUND_EXC=1 + local user_bak="$USER" + local group_bak="$GROUP" + local perm_bak="$PERMISSIONS" + USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" + GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" + PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi + if [ "$FOUND_EXC" = 1 ]; then + debug "Resetting user:group:perm" + USER="$user_bak" + GROUP="$group_bak" + PERMISSIONS="$perm_bak" fi done - 
if [ $FOUND = 1 ]; then - ok "$PATTERN is present in $FILES" - else - crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" - fi } # This function will create the config file for this check with default values @@ -56,12 +119,27 @@ create_config() { cat <
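Review bot: The exception lookup in both audit() and apply() runs `grep "$FILE"` with the path as an unanchored regular expression, so `/var/log/messages` also matches an exception entry for `/var/log/messages.1` (and any `.` in the path matches any character); when more than one entry matches, `USER`, `GROUP` and `PERMISSIONS` become multi-line strings that are then handed to chown and chmod in apply(). Match the whole field instead: `grep -qFx -- "$FILE"` for the membership test (apply()'s copy is also missing `-q`, so it prints to stdout unlike audit()'s), and `awk -F: -v f="$FILE" '$1 == f {print $2}'` (fields 3 and 4 for group and mode) for the three extractions, in both functions. Note also that apply() no longer assigns `FILES` (the old `FILES=...` line is removed without replacement), so unless the framework always runs audit() first in the same shell, `set -u` aborts apply() at `for FILE in $FILES`. The new file list is read from syslog-ng.conf only, whereas the removed code also walked `$SYSLOG_BASEDIR/conf.d/`; any `file()` destination declared there is now neither audited nor fixed. Both loops also word-split `$FILES` unquoted, so a path containing whitespace would be processed as several files.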