mondoohq
diff --git a/‎providers/os/resources/logrotate.go‎
Lines changed: 185 additions & 0 deletions b/‎providers/os/resources/logrotate.go‎
Lines changed: 185 additions & 0 deletions
diff --git a/‎providers/os/resources/logrotate/logrotate.go‎
Lines changed: 193 additions & 0 deletions b/‎providers/os/resources/logrotate/logrotate.go‎
Lines changed: 193 additions & 0 deletions
@@ -0,0 +1,185 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package resources
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"go.mondoo.com/mql/v13/llx"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers/os/resources/logrotate"
+	"go.mondoo.com/mql/v13/types"
+)
+
+const (
+	defaultLogrotateConf = "/etc/logrotate.conf"
+	defaultLogrotateDir  = "/etc/logrotate.d"
+)
+
+func initLogrotate(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
+	return args, nil, nil
+}
+
+func (l *mqlLogrotate) id() (string, error) {
+	return "logrotate", nil
+}
+
+func (le *mqlLogrotateEntry) id() (string, error) {
+	file := le.File.Data
+	lineNum := strconv.FormatInt(le.LineNumber.Data, 10)
+
+	return file.Path.Data + ":" + lineNum + ":" + le.Path.Data, nil
+}
+
+// files discovers logrotate configuration files from the main config and logrotate.d directory.
+func (l *mqlLogrotate) files() ([]any, error) {
+	var allFiles []any
+
+	// Add main logrotate.conf
+	mainFile, err := CreateResource(l.MqlRuntime, "file", map[string]*llx.RawData{
+		"path": llx.StringData(defaultLogrotateConf),
+	})
+	if err != nil {
+		return nil, err
+	}
+	f := mainFile.(*mqlFile)
+	exists := f.GetExists()
+	if exists.Error != nil {
+		return nil, exists.Error
+	}
+
+	if exists.Data {
+		allFiles = append(allFiles, f)
+	}
+
+	// Check logrotate.d directory
+	dirFile, err := CreateResource(l.MqlRuntime, "file", map[string]*llx.RawData{
+		"path": llx.StringData(defaultLogrotateDir),
+	})
+	if err != nil {
+		return nil, err
+	}
+	dir := dirFile.(*mqlFile)
+	dirExists := dir.GetExists()
+	if dirExists.Error != nil {
+		return nil, dirExists.Error
+	}
+
+	if dirExists.Data {
+		files, err := CreateResource(l.MqlRuntime, "files.find", map[string]*llx.RawData{
+			"from":  llx.StringData(defaultLogrotateDir),
+			"type":  llx.StringData("file"),
+			"depth": llx.IntData(1),
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		ff := files.(*mqlFilesFind)
+		list := ff.GetList()
+		if list.Error != nil {
+			return nil, list.Error
+		}
+
+		for i := range list.Data {
+			file := list.Data[i].(*mqlFile)
+			basename := file.GetBasename()
+			if basename.Error != nil {
+				continue
+			}
+
+			// Skip common backup/temp file extensions that logrotate ignores
+			name := basename.Data
+			if strings.HasSuffix(name, ".bak") || strings.HasSuffix(name, ".old") ||
+				strings.HasSuffix(name, ".rpmsave") || strings.HasSuffix(name, ".rpmorig") ||
+				strings.HasSuffix(name, ".dpkg-old") || strings.HasSuffix(name, ".dpkg-new") ||
+				strings.HasSuffix(name, ".dpkg-dist") || strings.HasSuffix(name, "~") {
+				continue
+			}
+
+			allFiles = append(allFiles, file)
+		}
+	}
+
+	return allFiles, nil
+}
+
+// globalConfig parses all config files and returns the global directives.
+func (l *mqlLogrotate) globalConfig(files []any) (map[string]any, error) {
+	merged := make(map[string]any)
+
+	for i := range files {
+		file := files[i].(*mqlFile)
+		content := file.GetContent()
+		if content.Error != nil {
+			continue
+		}
+
+		global, _ := logrotate.ParseContent(file.Path.Data, content.Data)
+		for k, v := range global {
+			merged[k] = v
+		}
+	}
+
+	return merged, nil
+}
+
+// entries parses all config files and returns logrotate entries.
+func (l *mqlLogrotate) entries(files []any) ([]any, error) {
+	var allEntries []any
+	var errs []error
+
+	for i := range files {
+		file := files[i].(*mqlFile)
+
+		content := file.GetContent()
+		if content.Error != nil {
+			errs = append(errs, fmt.Errorf("failed to read %s: %w", file.Path.Data, content.Error))
+			continue
+		}
+
+		entries, err := parseLogrotateContent(l.MqlRuntime, file, content.Data)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to parse %s: %w", file.Path.Data, err))
+			continue
+		}
+
+		allEntries = append(allEntries, entries...)
+	}
+
+	if len(errs) > 0 {
+		return allEntries, errors.Join(errs...)
+	}
+
+	return allEntries, nil
+}
+
+func parseLogrotateContent(runtime *plugin.Runtime, file *mqlFile, content string) ([]any, error) {
+	_, parsed := logrotate.ParseContent(file.Path.Data, content)
+	var entries []any
+
+	for _, e := range parsed {
+		configMap := make(map[string]any, len(e.Config))
+		for k, v := range e.Config {
+			configMap[k] = v
+		}
+
+		entry, err := CreateResource(runtime, "logrotate.entry", map[string]*llx.RawData{
+			"file":       llx.ResourceData(file, "file"),
+			"lineNumber": llx.IntData(int64(e.LineNumber)),
+			"path":       llx.StringData(e.Path),
+			"config":     llx.MapData(configMap, types.String),
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		entries = append(entries, entry.(*mqlLogrotateEntry))
+	}
+
+	return entries, nil
+}
@@ -0,0 +1,193 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package logrotate
+
+import (
+	"strings"
+)
+
+// Entry represents a single logrotate block for one log path.
+// If a block specifies multiple paths, each path gets its own Entry
+// with the same config values.
+type Entry struct {
+	File       string
+	LineNumber int
+	Path       string
+	Config     map[string]string
+}
+
+// ParseContent parses the content of a logrotate configuration file and
+// returns the global directives and per-path entries.
+func ParseContent(filePath string, content string) (globalConfig map[string]string, entries []Entry) {
+	globalConfig = make(map[string]string)
+	lines := strings.Split(content, "\n")
+
+	var (
+		inBlock    bool
+		inScript   bool
+		blockPaths []string
+		blockLine  int
+		blockConf  map[string]string
+	)
+
+	for i, line := range lines {
+		lineNum := i + 1
+		trimmed := strings.TrimSpace(line)
+
+		// Skip empty lines and comments
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+
+		// Handle endscript inside a script block
+		if inScript {
+			if trimmed == "endscript" {
+				inScript = false
+			}
+			continue
+		}
+
+		if inBlock {
+			// Check for closing brace
+			if trimmed == "}" {
+				// Emit one entry per path in this block
+				for _, p := range blockPaths {
+					entries = append(entries, Entry{
+						File:       filePath,
+						LineNumber: blockLine,
+						Path:       p,
+						Config:     copyMap(blockConf),
+					})
+				}
+				inBlock = false
+				blockPaths = nil
+				blockConf = nil
+				continue
+			}
+
+			// Check for script block start
+			if isScriptDirective(trimmed) {
+				inScript = true
+				continue
+			}
+
+			// Parse directive inside block
+			key, value := parseDirective(trimmed)
+			if key != "" {
+				blockConf[key] = value
+			}
+			continue
+		}
+
+		// Outside any block
+
+		// Check for lone opening brace (paths on previous line(s), { on its own)
+		if trimmed == "{" {
+			blockPaths, blockLine = findPathsBackward(lines, i)
+			if len(blockPaths) > 0 {
+				blockConf = make(map[string]string)
+				inBlock = true
+			}
+			continue
+		}
+
+		// Check for block opening: paths followed by { on the same line
+		if strings.HasSuffix(trimmed, "{") {
+			pathsPart := strings.TrimSuffix(trimmed, "{")
+			pathsPart = strings.TrimSpace(pathsPart)
+			if pathsPart != "" {
+				blockPaths = splitPaths(pathsPart)
+				blockLine = lineNum
+				blockConf = make(map[string]string)
+				inBlock = true
+			}
+			continue
+		}
+
+		// Skip include directives at global level (file discovery handles these)
+		if strings.HasPrefix(trimmed, "include ") || strings.HasPrefix(trimmed, "include\t") {
+			continue
+		}
+
+		// Skip tabooext directives
+		if strings.HasPrefix(trimmed, "tabooext ") || strings.HasPrefix(trimmed, "tabooext\t") {
+			continue
+		}
+
+		// Global directive
+		key, value := parseDirective(trimmed)
+		if key != "" {
+			globalConfig[key] = value
+		}
+	}
+
+	return globalConfig, entries
+}
+
+// parseDirective splits a logrotate directive into key and value.
+// Boolean directives (like "compress") return key with empty value.
+// Value directives (like "rotate 4") return key and value.
+func parseDirective(line string) (string, string) {
+	// Strip inline comments
+	if idx := strings.Index(line, "#"); idx >= 0 {
+		line = strings.TrimSpace(line[:idx])
+	}
+	if line == "" {
+		return "", ""
+	}
+
+	parts := strings.Fields(line)
+	if len(parts) == 0 {
+		return "", ""
+	}
+
+	key := parts[0]
+	if len(parts) == 1 {
+		return key, ""
+	}
+	return key, strings.Join(parts[1:], " ")
+}
+
+// splitPaths splits a space-separated list of log file paths/globs.
+func splitPaths(s string) []string {
+	fields := strings.Fields(s)
+	paths := make([]string, 0, len(fields))
+	for _, f := range fields {
+		f = strings.TrimSpace(f)
+		if f != "" {
+			paths = append(paths, f)
+		}
+	}
+	return paths
+}
+
+// findPathsBackward scans backward from a lone "{" to find the log path(s).
+func findPathsBackward(lines []string, braceIdx int) ([]string, int) {
+	for j := braceIdx - 1; j >= 0; j-- {
+		trimmed := strings.TrimSpace(lines[j])
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		return splitPaths(trimmed), j + 1
+	}
+	return nil, 0
+}
+
+// isScriptDirective returns true if the line starts a script block.
+func isScriptDirective(line string) bool {
+	for _, prefix := range []string{"prerotate", "postrotate", "firstaction", "lastaction", "preremove"} {
+		if line == prefix || strings.HasPrefix(line, prefix+" ") {
+			return true
+		}
+	}
+	return false
+}
+
+func copyMap(m map[string]string) map[string]string {
+	cp := make(map[string]string, len(m))
+	for k, v := range m {
+		cp[k] = v
+	}
+	return cp
+}