#!/bin/sh
# shellcheck disable=SC2174
# postinst script for securedrop-app-ossec
#
# see: dh_installdeb(1)
set -e
#set -x
# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

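case "$1" in
    configure)
        DIR="/var/ossec"
        USER="ossec"
        GROUP="ossec"
        OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids"

        # Apply OWNER and MODE to every path given, skipping paths that do not
        # exist. Callers pass an unquoted glob; when the directory is empty the
        # glob stays literal and would otherwise be handed to chown/chmod,
        # which fails and aborts the whole postinst under `set -e`.
        # Usage: set_entries OWNER MODE PATH...
        set_entries() {
            _owner="$1"
            _mode="$2"
            shift 2
            for _entry in "$@"; do
                [ -e "$_entry" ] || continue
                chown "$_owner" -- "$_entry"
                chmod "$_mode" -- "$_entry"
            done
        }

        # Create the tree. `-m` only applies to the leaf mkdir actually
        # creates (SC2174 is disabled at the top of the file for this); the
        # chmod/chown passes further down set the final modes regardless.
        mkdir -p "$DIR/active-response/bin"
        mkdir -p "$DIR/agentless"
        mkdir -m 700 -p "$DIR/.ssh"
        mkdir -m 770 -p "$DIR/etc/shared"
        mkdir -p "$DIR/bin"
        mkdir -m 775 -p "$DIR/queue/rids"
        mkdir -p "$DIR/queue/syscheck"
        mkdir -p "$DIR/queue/alerts"
        mkdir -m 750 -p "$DIR/queue/diff"
        mkdir -m 770 -p "$DIR/queue/ossec"
        mkdir -m 770 -p "$DIR/var/run"
        mkdir -m 750 -p "$DIR/logs"

        # Non-interactive login shell for the service account. Debian ships
        # nologin under /usr/sbin; /sbin/nologin is only present on merged-/usr
        # systems. /bin/false is the fallback so the account never ends up
        # pointing at a shell that is not installed.
        OSMYSHELL="/bin/false"
        for _shell in /usr/sbin/nologin /sbin/nologin; do
            if [ -x "$_shell" ]; then
                OSMYSHELL="$_shell"
                break
            fi
        done

        # Look the names up exactly. A prefix match (`grep "^ossec"`) would
        # also be satisfied by any other account whose name merely starts with
        # "ossec", skipping account creation here and making every
        # chown of ${USER}/${GROUP} below fail.
        if ! getent group "$GROUP" >/dev/null; then
            groupadd --system "$GROUP"
        fi
        if ! getent passwd "$USER" >/dev/null; then
            # System account to match the system group; the home directory
            # already exists from the mkdir pass, so do not create one.
            useradd --system -M -d "$DIR" -s "$OSMYSHELL" -g "$GROUP" "$USER"
        fi

        # Baseline for the whole tree: root-owned, group read/search only,
        # no write bits anywhere. NOTE(review): this pass is recursive, so any
        # files already inside .ssh become root:${GROUP} 550 — only the .ssh
        # directory itself is re-owned to ${USER} further down. Confirm that
        # is intended if agentless SSH keys live there.
        chmod -R 550 -- "$DIR"
        chown -R "root:$GROUP" -- "$DIR"

        # Queue the agent daemon reads and writes.
        chown -R "$USER:$GROUP" -- "$DIR/queue/ossec"
        chmod -R 770 -- "$DIR/queue/ossec"

        # Logging: directory and log file must be writable by the ossec user.
        chown -R "$USER:$GROUP" -- "$DIR/logs"
        chmod -R 750 -- "$DIR/logs"
        chmod -R 775 -- "$DIR/queue/rids"
        touch -- "$DIR/logs/ossec.log"
        chown "$USER:$GROUP" -- "$DIR/logs/ossec.log"
        chmod 664 -- "$DIR/logs/ossec.log"

        chown -R "$USER:$GROUP" -- "$DIR/queue/diff"
        chmod -R 750 -- "$DIR/queue/diff"
        # Best-effort: queue/diff is normally empty on a fresh install.
        chmod 740 -- "$DIR"/queue/diff/* >/dev/null 2>&1 || true

        # Configuration directory: root-owned, readable by the group only.
        chmod 550 -- "$DIR/etc"
        chown -R "root:$GROUP" -- "$DIR/etc"
        if [ -f /etc/localtime ]; then
            # -L copies the target of the (usual) symlink, not the link itself,
            # so the copy under ${DIR}/etc is a regular file.
            cp -pL /etc/localtime "$DIR/etc/"
            chmod 555 -- "$DIR/etc/localtime"
            chown "root:$GROUP" -- "$DIR/etc/localtime"
        fi

        if [ -f /etc/TIMEZONE ]; then
            cp -p /etc/TIMEZONE "$DIR/etc/"
            chmod 555 -- "$DIR/etc/TIMEZONE"
        fi

        # internal_options.conf is required and may fail loudly; the local
        # overrides and client.keys are optional (client.keys may not exist
        # yet), so only touch them when present instead of masking all errors
        # with `|| true`.
        chown "root:$GROUP" -- "$DIR/etc/internal_options.conf"
        chmod 440 -- "$DIR/etc/internal_options.conf"
        for _optional in local_internal_options.conf client.keys; do
            if [ -f "$DIR/etc/$_optional" ]; then
                chown "root:$GROUP" -- "$DIR/etc/$_optional"
                chmod 440 -- "$DIR/etc/$_optional"
            fi
        done

        set_entries "root:$GROUP" 550 "$DIR"/agentless/*
        chown "$USER:$GROUP" -- "$DIR/.ssh"
        chmod 700 -- "$DIR/.ssh"
        chmod 770 -- "$DIR/etc/shared"
        set_entries "root:$GROUP" 440 "$DIR"/etc/shared/*

        # Runtime state directory, writable by the group.
        chmod 770 -- "$DIR/var/run"
        chown "root:$GROUP" -- "$DIR/var/run"

        # Binaries and active-response scripts: root-owned. The bin/* pass
        # covers util.sh too (the former separate `chmod +x` on it was
        # overridden by the 550 pass anyway).
        set_entries "root:$GROUP" 755 "$DIR"/active-response/bin/*
        set_entries "root:$GROUP" 550 "$DIR"/bin/*

        chown "root:$GROUP" -- "$DIR/etc/ossec.conf"
        chmod 440 -- "$DIR/etc/ossec.conf"

        if [ -x /etc/init.d/ossec ]; then
            update-rc.d -f ossec defaults
        fi

        # Scratch directory (presumably left behind by the OSSEC build) at a
        # fixed, predictable path in world-writable /tmp, which an
        # unprivileged user could pre-create. rm(1) does not follow a symlink
        # passed as its argument, but refuse to act on one at all rather than
        # rely on that; `-d` alone would dereference the link.
        if [ -d "$OSSEC_HIDS_TMP_DIR" ] && [ ! -L "$OSSEC_HIDS_TMP_DIR" ]; then
            rm -r -- "$OSSEC_HIDS_TMP_DIR"
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac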

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0
