#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_logfiles - 11/10/2001
# 
# Check for the presence of a given number of logfiles and their permissions.
# Note that these check is operating system dependant.
#
# check_logfiles - 08/09/2001 - jfs - fixed to add GREP and WC to haveallcmds
#                  detected when testing in Solaris 8. Also changed == to =
#
# check_logfiles - 04/15/2003 - jfs - separated logfiles and umask checks
#                  added permission checks for the logfiles based on 
#                  Solaris recommendations. 
#                  Logfile location is no longer hardcoded but can be changed
#                  depending on $OS
# check_logfiles - 06/20/2003 - jfs - based on patch from Ryan Bradetich fixed
#                  logic errors in check_fileperm(). Updated the error codes to 
#                  match the appropriate descriptions.
#                  Also fixed a typo in MESSAGEs and modified the script to not
#                  warn if LOGINLOG does not exist (as is the Linux case)
#                  Also, file permissions in systems in which WTMP and UTMP
#                  are group 'utmp' should be 664
# check_logfiles - 10/19/2003 - jfs - based on patch from Ryan Bradetich fixed
#                  location of logfiles for HP-UX, btmp file check, and btmp
#                  location for Linux (previously undefined)
# check_logfiles - 11/19/2003 - jfs - Modified -r to -f
#     (Checks should only determine wether the file exists, if its 
#     readable or not is irrelevant. As a matter of fact they might not be
#     if running a user != root. We don't care since we are not checking
#     file content)
# check_logfiles - 04/03/2004 - rbrad Added logfiles support for Tru64.
#
#-----------------------------------------------------------------------------
#
TigerInstallDir="."

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs

#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds AWK || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  haveallvars TESTLINK HOSTNAME
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------

echo
echo "# Checking for existence of log files..."

haveallcmds AWK || exit 1

check_fileperm () {
  file=$1
  permission=$2
  value=1
  realpermission=`getpermit $1 | $AWK '{ print $4$5$6$7$8$9$10$11$12 }' `
  [ "$realpermission" = "$permission" ]  && value=0
  return $value
}


#####
# Check various accounting files
#####
WTMP=/var/log/wtmp
BTMP=/var/log/btmp
LASTLOG=/var/log/lastlog
UTMP=/var/run/utmp
LOGINLOG=/var/log/loginlog
MESSAGES=/var/log/messages
SULOG=""

if [ "$OS" = "SunOS" ] ; then
	WTMP=/var/adm/wtmpx
	UTMP=/var/adm/utmpx
# Check: Note BTMP does not seem to exist
	BTMP=/var/adm/btmp
	LASTLOG=/var/adm/lastlog
	LOGINLOG=/var/adm/loginlog
	MESSAGES=/var/adm/messages
	SULOG=/var/adm/sulog
fi

if [ "$OS" = "Linux" ] ; then
# Loginlog does not exist
# Btmp does exist (see lastb(1))
	LOGINLOG=""
fi

if [ "$OS" = "HPUX" ] ; then
	WTMP=/var/adm/wtmp
	BTMP=/var/adm/btmp
	LASTLOG=""
	UTMP=/etc/utmp
	LOGINLOG=""
	MESSAGES=""
fi

if [ "$OS" = "Tru64" ]; then
	WTMP=/var/adm/wtmp
	BTMP=""
	LASTLOG=""
	UTMP=/var/adm/utmp
	LOGINLOG=""
	MESSAGES=""
fi

if [ ! -f "$WTMP" ] ; then
    #echo "...Warning: $WTMP does not exist"
    message FAIL logf001f "" "Log file $WTMP does not exist"
else
    group=`getpermit $WTMP | $AWK '{ print $3 }'`
    if [  "$group" = "utmp" ] ; then
        check_fileperm $WTMP 110110100 || 
       	message FAIL logf005f "" "Log file $WTMP permission should be 664"
    else
	check_fileperm $WTMP 110100100 || 
 	message FAIL logf005f "" "Log file $WTMP permission should be 644"
    fi
fi

if [ -n "$BTMP" ] ; then
    if [ ! -f "$BTMP" ] ; then
        #echo "...Warning: $BTMP does not exist"
        message FAIL logf002f "" "Log file $BTMP does not exist"
    else
        group=`getpermit $BTMP | $AWK '{ print $3 }'`
        if [ "$group" = "utmp" ] ; then
	    check_fileperm $BTMP 110110000 || 
 	    message FAIL logf005f "" "Log file $BTMP permission should be 660"
        else
	    check_fileperm $BTMP 110000000 || 
 	    message FAIL logf005f "" "Log file $BTMP permission should be 600"
	fi
    fi
fi

[ -n "$LASTLOG" -a ! -f "$LASTLOG" ] && 
    #echo "...Warning: $LASTLOG does not exist"
    message FAIL logf003f "" "Log file $LASTLOG does not exist"

if [ ! -f "$UTMP" ] ; then
    #echo "...Warning: $UTMP does not exist"
    message FAIL logf004f "" "Log file $UTMP does not exist"
else
    group=`getpermit $UTMP | $AWK '{ print $3 }'`
    if [  "$group" = "utmp" ] ; then
	check_fileperm $UTMP 110110100 || 
   	message FAIL logf005f "" "Log file $UTMP permission should be 664"
    else
	check_fileperm $UTMP 110100100 || 
	message FAIL logf005f "" "Log file $UTMP permission should be 644"
    fi
fi

if [ -n "$LOGINLOG" ] ; then
    if [ ! -f "$LOGINLOG" ] ; then
        #echo "...Warning: $LOGINGLOG does not exist"
        message FAIL logf006f "" "Log file $LOGINLOG does not exist"
    else
        check_fileperm $LOGINLOG 110000000 || 
    	    message FAIL logf005f "" "Log file $LOGINLOG permission should be 600"
    fi
fi

if [ -n "$SULOG" ] ; then
    if [ ! -f "$SULOG" ] ; then
        message FAIL logf006f "" "Log file $SULOG does not exist"
    else
        check_fileperm $SULOG 110000000 || 
    	    message FAIL logf005f "" "Log file $SULOG permission should be 600"
    fi
fi
 
if [ -n "$MESSAGES" ] ; then
    if [ ! -f "$MESSAGES" ] ; then
        #echo "...Warning: $MESSAGES does not exist"
        message FAIL logf007f "" "Log file $MESSAGES does not exist"
    else 
        check_fileperm $MESSAGES 110100000 || 
    	    message FAIL logf005f "" "Log file $MESSAGES permission should be 640"
    fi
fi
 
exit 0
