From a37c5bdc4e27adb342c95ee97b3483b5d3ebcc83 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
Date: Mon, 5 Oct 2020 17:01:13 +0200
Subject: [PATCH] Add functions utils

I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.
---
 bin/hardening/4.2.4_logs_permissions.sh |  8 ++++---
 lib/utils.sh                            | 30 +++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh
index 774fdfa..1b9a7c8 100755
--- a/bin/hardening/4.2.4_logs_permissions.sh
+++ b/bin/hardening/4.2.4_logs_permissions.sh
@@ -16,10 +16,12 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an
 
 DIR='/var/log'
 PERMISSIONS='640'
+OPTIONS=(-type f)
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+
     if [ $FNRET = 0 ]; then
         ok "Logs in $DIR have correct permissions"
     else
@@ -29,9 +31,9 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS
+    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
     if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "Logs in $DIR have correct permissions"
     else
         info "fixing $DIR logs permissions to $PERMISSIONS"
         find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
diff --git a/lib/utils.sh b/lib/utils.sh
index 5eaf134..b2e33b1 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -84,6 +84,29 @@ has_file_correct_ownership() {
     fi
 }
 
+have_files_in_dir_correct_ownership(){
+    local DIR=$1
+    local USER=$2
+    local GROUP=$3
+    local name=$4[@]
+    local OPTIONS=("${!name}")
+
+    local USERID=$(id -u $USER)
+    local GROUPID=$(getent group $GROUP | cut -d: -f3)
+
+    FNRET=0
+    OIFS="$IFS"
+    IFS=$'\n' # prevents word splitting
+    for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
+    do
+    if [ "$owner" != "$USERID $GROUPID" ]; then
+        FNRET=1
+        break
+    fi
+    done
+    IFS="$OIFS"
+}
+
 has_file_correct_permissions() {
     local FILE=$1
     local PERMISSIONS=$2
@@ -98,10 +121,13 @@ has_file_correct_permissions() {
 have_files_in_dir_correct_permissions(){
     local DIR=$1
     local PERMISSIONS=$2
-
+    local name=$3[@]
+    local OPTIONS=("${!name}")
+    
     FNRET=0
-    for perm in $($SUDO_CMD find "$DIR" -type f -exec stat -L -c "%a" {} \;);
+    for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
     do
+    echo "$perm  ttt $PERMISSIONS"
     if [ "$perm" != "$PERMISSIONS" ]; then
         FNRET=1
         break