diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh
index 774fdfa..1b9a7c8 100755
--- a/bin/hardening/4.2.4_logs_permissions.sh
+++ b/bin/hardening/4.2.4_logs_permissions.sh
@@ -16,10 +16,12 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an
 DIR='/var/log'
 PERMISSIONS='640'
+OPTIONS=(-type f)
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+
     if [ $FNRET = 0 ]; then
         ok "Logs in $DIR have correct permissions"
     else
@@ -29,9 +31,9 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
     if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "Logs in $DIR have correct permissions"
     else
         info "fixing $DIR logs permissions to $PERMISSIONS"
         find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
diff --git a/lib/utils.sh b/lib/utils.sh
index 5eaf134..b2e33b1 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -84,6 +84,29 @@ has_file_correct_ownership() {
     fi
 }
 
+have_files_in_dir_correct_ownership(){
+    local DIR=$1
+    local USER=$2
+    local GROUP=$3
+    local name=$4[@]
+    local OPTIONS=("${!name}")
+
+    local USERID=$(id -u $USER)
+    local GROUPID=$(getent group $GROUP | cut -d: -f3)
+
+    FNRET=0
+    OIFS="$IFS"
+    IFS=$'\n' # prevents word splitting
+    for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
+    do
+        if [ "$owner" != "$USERID $GROUPID" ]; then
+            FNRET=1
+            break
+        fi
+    done
+    IFS="$OIFS"
+}
+
 has_file_correct_permissions() {
     local FILE=$1
     local PERMISSIONS=$2
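Review bot: The new OPTIONS array is passed to have_files_in_dir_correct_permissions by name (`OPTIONS`, not `"${OPTIONS[@]}"`) so the helper can expand it with `${!name}`, but nothing in this script says so, and the next reader will likely "fix" the call by expanding the array, which the helper would then treat as an array name. A one-line comment above the declaration, `# find(1) filters selecting the log files to check; passed to the helper by NAME, not expanded`, makes the contract explicit. The array is also a global with a very generic name in a script that sources lib/utils.sh, where the helper declares its own local OPTIONS; a more specific name such as `FIND_OPTIONS` would avoid the confusion. audit() continues past the end of this hunk.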
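Review bot: The remediation in apply() still runs the hard-coded `find $DIR -type f -exec chmod 0$PERMISSIONS {} \;` while the audit call just above it now filters with the OPTIONS array, so the set of files checked and the set of files fixed diverge as soon as OPTIONS changes, and the fix also omits the `$SUDO_CMD` prefix the helper uses. Driving both from the same array keeps audit and apply consistent: `$SUDO_CMD find "$DIR" "${OPTIONS[@]}" -exec chmod "0$PERMISSIONS" {} \;`. apply() continues past the end of this hunk.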
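Review bot: The for-loop's command substitution in have_files_in_dir_correct_ownership quotes `"$SUDO_CMD find $DIR"` and `"-exec stat -c '%u %g' {} \;"` as single words, so bash looks for an executable literally named `sudo find /var/log` (or ` find /var/log` when SUDO_CMD is empty) and the substitution produces nothing but a "command not found" on stderr. The loop body therefore never runs, FNRET stays at 0, and every caller reports the directory as compliant whatever the real ownership is — the check fails open. The same construct is repeated in have_files_in_dir_correct_permissions in the next hunk of this file. Letting the shell split the command normally restores it: `for owner in $($SUDO_CMD find "$DIR" "${OPTIONS[@]}" -exec stat -c '%u %g' {} \;); do`. Separately, `local USERID=$(id -u $USER)` and the GROUPID line mask the exit status of `id`/`getent`; an unknown user or group silently yields an empty id and a mismatch on every file, which is at least fail-closed but worth a comment.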
@@ -98,10 +121,13 @@ has_file_correct_permissions() {
 have_files_in_dir_correct_permissions(){
     local DIR=$1
     local PERMISSIONS=$2
-
+    local name=$3[@]
+    local OPTIONS=("${!name}")
+
     FNRET=0
-    for perm in $($SUDO_CMD find "$DIR" -type f -exec stat -L -c "%a" {} \;);
+    for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
     do
+        echo "$perm ttt $PERMISSIONS"
         if [ "$perm" != "$PERMISSIONS" ]; then
             FNRET=1
             break
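Review bot: `echo "$perm ttt $PERMISSIONS"` looks like a leftover debugging line; it prints one line per file under $DIR to the audit's stdout and should be dropped before merge. The rewritten for-loop line has the same quoting problem as the ownership helper in the previous hunk: `"$SUDO_CMD find $DIR"` is a single word, so find never runs, the loop body is skipped and the function leaves FNRET at 0, reporting compliance for any directory; it also loses the `"$DIR"` quoting the removed line had. `for perm in $($SUDO_CMD find "$DIR" "${OPTIONS[@]}" -exec stat -L -c '%a' {} \;); do` keeps the new filters while restoring the removed line's behaviour. The function body continues past the end of this hunk.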