a

2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+{
+    echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
+    output=""
+    find /var/log -type f | (
+        while read -r fname; do
+            bname="$(basename "$fname")"
+            case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            secure | auth.log)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            SSSD | sssd)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            gdm | gdm3)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            *.journal)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            *)
+                if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
+                    output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
+                fi
+                if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
+                    output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
+                fi
+                ;;
+            esac
+        done
+        # If all files passed, then we pass
+        if [ -z "$output" ]; then
+            echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n"
+        else
+            # print the reason why we are failing
+            echo -e "\n- FAIL:\n$output"
+        fi
+        echo -e "- End check - logfiles have appropriate permissions and ownership\n"
+    )
+}