#!/bin/bash

. /usr/lib/common-criteria/scripts/libcc

# NOTE: the logic below is a white-list approach: every REQUIRED service
# is enabled first, then every loaded service unit that is neither
# REQUIRED nor ALLOWED is disabled.
#
# Entries in the lists below are matched as *prefixes* of the unit name
# (without the ".service" suffix): "cron" also covers "crond", "getty@"
# covers every getty@ttyN instance, "systemd-" covers all systemd-* units.
# Keep entries as specific as possible - a short prefix silently keeps
# unrelated units enabled.  Everything after "#" on a line is stripped
# before the entry is used.

# The following services must be enabled and we have an error if they
# are not present
REQUIRED="
auditd			# audit daemon
cron			# Vixie cron daemon
rsyslog			# Syslog daemon
restorecond		# SELinux relabeling helper
mcstransd		# SELinux label translation helper
sshd			# OpenSSH daemon
"

# Architecture specific additions to REQUIRED: the list named
# REQUIRED_$HOSTTYPE is appended when it exists (empty for x86_64).
REQUIRED_x86_64="
"

# The following services are allowed - i.e. it remains untouched
# (neither enabled nor disabled by this script).  A list named
# ALLOWED_$HOSTTYPE is appended when it exists.
ALLOWED="
dbus		# DBus Server
dm-event	# device mapper event daemon
getty@		# Systemd getty process
iscsi		# iSCSI management daemon
kmod-static-nodes	# Creation of static device nodes
libvirtd	# libvirtd virtual machine manager
ntpd		# NTP time daemon
plymouth-	# Plymouth components
postfix		# local MTA
rc-local	# Start /etc/init.d/boot.local
systemd-	# Systemd components
user@		# Systemd user service
wicked		# Wicked and subprocesses
YaST		# YaST services (including Firstboot)
autoyast	# AutoYaST init scripts
SuSEfirewall2	# SLES Firewall
SuSEfirewall2_init	# SLES Firewall
"

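######################################

# Print the entries of a "one entry per line, optional # comment" list
# ($1) as a space-separated list.  Comment-only and blank lines are
# dropped, and the "# ..." tail of every other line is cut off.
strip_service_list() {
	local line entry
	while IFS= read -r line; do
		entry=${line%%#*}		# drop "# comment" (whole line if it is only a comment)
		[ -n "${entry//[[:space:]]/}" ] && printf '%s ' "$entry"
	done <<<"$1"
}

# Return 0 when the unit name $1 begins with one of the prefixes in the
# whitespace-separated list $2, 1 otherwise.  The prefix is quoted inside
# the expansion so it is compared literally - glob characters in a list
# entry get no special meaning.
unit_matches() {
	local unit=$1 prefix
	# shellcheck disable=SC2086 -- $2 is a whitespace-separated list, split on purpose
	for prefix in $2; do
		[ "${unit#"$prefix"}" != "$unit" ] && return 0
	done
	return 1
}

# Build the effective lists: the per-architecture list (REQUIRED_$HOSTTYPE /
# ALLOWED_$HOSTTYPE) is appended when it is defined, then comments are
# removed.  Indirect expansion replaces the former eval.
host_required=REQUIRED_$HOSTTYPE
host_allowed=ALLOWED_$HOSTTYPE
tmpREQUIRED=$(strip_service_list "$REQUIRED"$'\n'"${!host_required}")
tmpALLOWED=$(strip_service_list "$ALLOWED"$'\n'"${!host_allowed}")

# Enable every required unit up front so that it is known to systemd and
# shows up in the unit listing below.  Failures are caught by the presence
# check that follows.
for i in $tmpREQUIRED; do
	systemctl enable "$i" >/dev/null 2>&1
done

# All service units systemd currently has loaded (not only enabled ones),
# without the ".service" suffix; lines mentioning "not-found" are skipped.
# The unit name is taken as the first field ending in ".service", so a
# leading status-marker column in the listing cannot shift it.
enabled_systemd=$(systemctl --all --type=service list-units \
	| awk '!/not-found/ {
		for (f = 1; f <= NF; f++) {
			if ($f ~ /\.service$/) {
				sub(/\.service$/, "", $f)
				print $f
				break
			}
		}
	}')

# Sanity check: every required unit must be present on the system.
# Abort with an error otherwise - a missing required service means the
# evaluated configuration cannot be reached.
for i in $tmpREQUIRED; do
	found=0
	for j in $enabled_systemd; do
		if unit_matches "$j" "$i"; then
			found=1
			break
		fi
	done
	if [ "$found" = "0" ]; then
		cc_echo "Required service $i not found"
		cc_exit 1
	fi
done

# White-list pass over every loaded service unit: ALLOWED units are left
# alone, REQUIRED units are enabled, everything else is disabled.
#
# NOTE: "systemctl disable" only removes the boot-time activation links.
# An instance that is already running keeps running until it is stopped
# or the system reboots, and a disabled unit can still be started on
# demand (socket/D-Bus activation) or pulled in as a dependency of another
# unit unless it is masked.
for i in $enabled_systemd; do
	if unit_matches "$i" "$tmpALLOWED"; then
		cc_echo "Leave service $i untouched"
		continue
	fi

	if unit_matches "$i" "$tmpREQUIRED"; then
		cc_echo "Turn on service $i"
		# Output is suppressed because enabling an already enabled vital
		# unit may print errors although its state is fine.
		# NOTE(review): the redirect also silences whatever cc_exec_log
		# itself prints to stdout/stderr - confirm it logs elsewhere.
		if ! cc_exec_log systemctl enable "$i" >/dev/null 2>&1; then
			# "enable" may fail (e.g. for a unit that cannot be enabled)
			# as long as the unit is actually running; warn otherwise.
			# The former test put the comparison inside the command
			# substitution and therefore never fired.
			systemctl is-active --quiet "$i" \
				|| cc_echo "WARNING: Could  not enable service $i"
		fi
		# NOTE(review): a required unit that can neither be enabled nor
		# is active only produces a warning here; consider cc_exit 1 if
		# the evaluated configuration depends on it.
		continue
	fi

	# Neither ALLOWED nor REQUIRED: take it out of the boot configuration.
	cc_echo "Disable service $i"
	cc_exec_log systemctl disable "$i" || cc_exit "$?"
done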