From e2ad0a5dccdf3267c2cd438cf4329d4c0498e597 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 24 Dec 2020 10:31:47 +0100
Subject: [PATCH] ADD(4.4): add logrotate permissions checking

---
 bin/hardening/4.4_logrotate_permissions.sh   | 35 ++++++++++++++++++--
 tests/hardening/4.4_logrotate_permissions.sh | 15 ++++++++-
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/bin/hardening/4.4_logrotate_permissions.sh b/bin/hardening/4.4_logrotate_permissions.sh
index 29e6f24..bffddb4 100755
--- a/bin/hardening/4.4_logrotate_permissions.sh
+++ b/bin/hardening/4.4_logrotate_permissions.sh
@@ -17,14 +17,45 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure logrotate to assign appropriate permissions."
 
+FILE="/etc/logrotate.conf"
+PATTERN="^\s*create\s+\S+"
+PERMISSIONS=0640
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        crit "Logrotate permissions are not configured"
+    else
+        if grep -E "$PATTERN" "$FILE" | grep -E -v "\s(0)?[0-6][04]0\s"; then
+            crit "Logrotate permissions are not set to $PERMISSIONS"
+        else
+            ok "Logrotate permissions are well configured"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "Logrotate permissions are not configured, fixing it"
+        add_end_of_file "$FILE" "create $PERMISSIONS root utmp"
+    else
+        RESULT=$(grep -E "$PATTERN" "$FILE" | grep -E -v "\s(0)?[0-6][04]0\s")
+        if [[ -n "$RESULT" ]]; then
+            warn "Logrotate permissions are not set to $PERMISSIONS, fixing it"
+            d_IFS=$IFS
+            c_IFS=$'\n'
+            IFS=$c_IFS
+            for SOURCE in $RESULT; do
+                replace_in_file "$FILE" "$SOURCE" "create $PERMISSIONS root utmp"
+            done
+            IFS=$d_IFS
+        else
+            ok "Logrotate permissions are well configured"
+        fi
+    fi
 }
 
 # This function will check config parameters required
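Review bot: In apply(), the else branch rewrites every flagged line to `create $PERMISSIONS root utmp`, so a directive such as `create 0660 root adm` loses its configured owner and group and the rotated logs are re-grouped to utmp, which can lock a legitimate log-reading group out; only the mode field needs to change. Keeping the rest of the matched line does that, e.g. `NEW=$(printf '%s\n' "$SOURCE" | sed -E "s/^([[:space:]]*create[[:space:]]+)[^[:space:]]+/\1$PERMISSIONS/")` followed by `replace_in_file "$FILE" "$SOURCE" "$NEW"`. `$SOURCE` is also handed to replace_in_file verbatim; if that helper (not in this hunk) uses its argument as a sed pattern, a line containing `/` or regex metacharacters would not be rewritten and the audit would keep failing after apply. Both audit() and apply() read only `$FILE`, while per-log `create` lines in drop-in files under /etc/logrotate.d/ override the global one and are never examined, so a non-compliant drop-in still reports ok; the crit message "not set to $PERMISSIONS" is also broader than it says, since the regex accepts any mode matching `[0-6][04]0`.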
diff --git a/tests/hardening/4.4_logrotate_permissions.sh b/tests/hardening/4.4_logrotate_permissions.sh
index f85b20d..e1b83d9 100644
--- a/tests/hardening/4.4_logrotate_permissions.sh
+++ b/tests/hardening/4.4_logrotate_permissions.sh
@@ -7,5 +7,18 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Tests purposely failing
+    echo "create 0660 root utmp" >/etc/logrotate.conf
+    register_test retvalshouldbe 1
+    register_test contain "Logrotate permissions are not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "Logrotate permissions are well configured"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
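Review bot: The noncompliant scenario exercises only the "not set to" branch: `echo "create 0660 root utmp" >/etc/logrotate.conf` truncates the file and leaves a wrong mode, so the "not configured" path of the script (no `create` line at all, repaired via add_end_of_file) is never run and its message is never asserted. A second scenario that writes a logrotate.conf without any `create` line, with `register_test retvalshouldbe 1` and `register_test contain "Logrotate permissions are not configured"`, would cover it before the correcting step. The truncation also discards whatever the image's stock /etc/logrotate.conf contained, which is fine for the container but worth a one-line comment so nobody runs this test on a real host.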