From f0bff32503d86504e3a178067780dcd6e62958c1 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 17:55:14 +0200
Subject: [PATCH] 8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh
---
 bin/hardening/2.25_disable_automounting.sh | 2 +-
 bin/hardening/3.2_bootloader_permissions.sh | 1 -
 bin/hardening/8.2.1_install_syslog-ng.sh | 56 +++++++++++++
 bin/hardening/8.2.2_enable_syslog-ng.sh | 58 ++++++++++++++
 bin/hardening/8.2.3_configure_syslog-ng.sh | 46 +++++++++++
 bin/hardening/8.2.4_set_logfile_perm.sh | 89 +++++++++++++++++++++
 etc/conf.d/8.2.1_install_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.2_enable_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.3_configure_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.4_set_logfile_perm.cfg | 2 +
 lib/utils.sh | 6 +-
 11 files changed, 261 insertions(+), 5 deletions(-)
 create mode 100755 bin/hardening/8.2.1_install_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.2_enable_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.3_configure_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.4_set_logfile_perm.sh
 create mode 100644 etc/conf.d/8.2.1_install_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.2_enable_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.3_configure_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.4_set_logfile_perm.cfg
diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh
index 7094597..7b72cbb 100755
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@@ -31,7 +31,7 @@ apply () {
 is_service_enabled $SERVICE_NAME
 if [ $FNRET = 0 ]; then
 info "Disabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME disable > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
 else
 ok "$SERVICE_NAME is disabled"
 fi
diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh
index 2967579..faba57c 100755
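Review bot: `update-rc.d $SERVICE_NAME remove` on the new line of the 2.25 hunk is not a drop-in for `disable`: sysv-rc's update-rc.d refuses `remove` while /etc/init.d/$SERVICE_NAME still exists unless `-f` is given, and with stdout and stderr sent to /dev/null under `set -e` (which the new 8.2.x scripts use and this one presumably does too) the apply step then aborts with no message. `remove` also deletes the rc links instead of leaving K links in place, so a package upgrade that re-runs `update-rc.d ... defaults` can re-enable the service, which `disable` would have prevented. If removal really is intended, use `update-rc.d -f $SERVICE_NAME remove > /dev/null 2>&1`; otherwise keep `disable`. The same unforced `remove` appears in apply of the new 8.2.2_enable_syslog-ng.sh. apply's body continues outside this hunk.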
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@@ -40,7 +40,6 @@ apply () {
 # This function will check config parameters required
 check_config() {
- is_pkg_installed "grub-pc"
 if [ $FNRET != 0 ]; then
 warn "grub-pc is not installed, not handling configuration"
diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh
new file mode 100755
index 0000000..572f274
--- /dev/null
+++ b/bin/hardening/8.2.1_install_syslog-ng.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.1 Install the syslog-ng package (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+PACKAGE='syslog-ng'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
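Review bot: Dropping `is_pkg_installed "grub-pc"` leaves the following `if [ $FNRET != 0 ]` in check_config reading whatever FNRET was last set to by an earlier helper, or nothing at all, which `set -u` turns into an abort if this script enables it as the new 8.2.x scripts do; either way the grub-pc warning no longer reflects whether grub-pc is installed. The diffstat shows this file with one deletion and no insertion, so the call has not been moved elsewhere. Restore it as the first line of check_config: `is_pkg_installed "grub-pc"`. check_config's body continues outside the hunk.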
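Review bot: In the root-dir block near the end of the new 8.2.1 file, `echo "No CIS_ROOT_DIR variable, aborting"` does not abort: execution continues to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, which with an empty CIS_ROOT_DIR tests `/lib/main.sh` and ends the script with a non-zero status and no further output. Add `exit 128` after the echo, as the preceding branch already does. The identical block is copied into the new 8.2.2, 8.2.3 and 8.2.4 files. The test should also be quoted, `if [ -z "$CIS_ROOT_DIR" ]; then`, so that an empty value is what gets tested rather than a one-argument `[ -z ]`.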
diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh
new file mode 100755
index 0000000..548d576
--- /dev/null
+++ b/bin/hardening/8.2.2_enable_syslog-ng.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.2 Ensure the syslog-ng Service is activated (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="syslog-ng"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if $SERVICE_NAME is enabled"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ crit "$SERVICE_NAME is disabled"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Checking if $SERVICE_NAME is enabled"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET != 0 ]; then
+ info "Enabling $SERVICE_NAME"
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+ else
+ ok "$SERVICE_NAME is enabled"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh
new file mode 100755
index 0000000..423e0e2
--- /dev/null
+++ b/bin/hardening/8.2.3_configure_syslog-ng.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="syslog-ng"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Ensure default and local facilities are preserved on the system"
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Ensure default and local facilities are preserved on the system"
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh
new file mode 100755
index 0000000..bf2f72b
--- /dev/null
+++ b/bin/hardening/8.2.4_set_logfile_perm.sh
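Review bot: audit in the new 8.2.3 file emits only two `info` lines and never an ok/warn/crit, so a check that explicitly needs a human to look at the file is presumably indistinguishable from a passing one in whatever summary main.sh produces; consider making the second line `warn "No measure here, please review the file by yourself"` so the manual follow-up is visible. `SERVICE_NAME="syslog-ng"` is assigned but never used in this file and can be dropped.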
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES; do
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ .
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/8.2.1_install_syslog-ng.cfg b/etc/conf.d/8.2.1_install_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.1_install_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.2_enable_syslog-ng.cfg b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.3_configure_syslog-ng.cfg b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 50f965d..bdad3dd 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -86,9 +86,9 @@ has_file_correct_ownership() {
 local USER=$2
 local GROUP=$3
 local USERID=$(id -u $USER)
- local GROUPID=$(id -u $GROUP)
-
- if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
+ local GROUPID=$(getent group $GROUP | cut -d: -f3)
+ debug "stat -c '%u %g' $FILE"
+ if [ "$(stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
 FNRET=0
 else
 FNRET=1
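Review bot: `FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2)` at the top of the new 8.2.4 file collects every quoted `file(` argument in the config, and syslog-ng uses `file(...)` for sources and for non-log destinations (kernel message and console device paths, typically) as well as for log files, so apply would `touch`, `chown root:adm` and `chmod 640` those paths too, and a failing chmod on one of them aborts the run under `set -e`. Restrict the pattern to log destinations, e.g. `FILES=$(grep -o 'file("/var/log/[^"]*"' /etc/syslog-ng/syslog-ng.conf | cut -d'"' -f 2)`. Note also that if the config is missing or nothing matches, FILES is empty (the pipeline's status is cut's, so `set -e` does not fire) and audit then reports nothing at all instead of a crit. The header comment still reads "rsyslog Log Files", and `$FILE` is unquoted throughout, which breaks on paths containing whitespace.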
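Review bot: The new `local GROUPID=$(getent group $GROUP | cut -d: -f3)` fixes the group lookup (`id -u` on a group name never worked), but because the assignment is folded into `local` and the pipeline's status is cut's, an unknown group yields an empty GROUPID and has_file_correct_ownership silently reports FNRET=1 as wrong ownership rather than surfacing the lookup failure; prefer `local GROUPID; GROUPID=$(getent group "$GROUP" | cut -d: -f3)` and treat an empty GROUPID as an error before the stat comparison. The switch from `$1` to `$FILE` depends on a `local FILE=$1` above line 86 that is outside this hunk — confirm it exists, since an unset FILE aborts callers running under `set -u`. `$GROUP` and `$FILE` are unquoted in the new lines. has_file_correct_ownership starts before and ends after this hunk.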