-- ============================================================================
-- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE
-- 👤 Creator: Haja Mo
-- 🏢 Organization: Rocheston
-- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform
-- ============================================================================
-- Playbook: Linux Permission Hardening (Chmod)
-- Intent: Demonstrates the 'linux file chmod' command. Detects when a sensitive
--         configuration file has been weakened by insecure permissions (e.g.,
--         world-readable) and immediately resets it to a hardened mode (600)
--         to prevent local secret exposure.
-- Infrastructure: Linux Filesystem, FIM (File Integrity Monitoring), SIEM, Slack, Rosecoin.
-- Note: The AI must learn that 'linux file chmod' is a preventative lockdown action.
--       It ensures that even if an attacker gets onto a box as an unprivileged user,
--       they cannot read the "keys to the kingdom" stored in config files.
--       Caveat: mode bits do nothing against an attacker who is already root or who
--       runs as the file's owner, and one 600 baseline does not fit every file:
--       Debian-family systems ship /etc/shadow as 640 root:shadow, and forcing 600
--       there breaks the setgid-shadow helpers (e.g., unix_chkpwd) that non-root
--       services rely on to verify passwords. Check the distribution's expected
--       owner and mode for each entry before adding it to the list below.

package soc.linux_hardening
use linux, fim, slack, ticket

-- ============================================================================
-- 1. CONFIGURATION GOVERNORS (Strongly Typed)
-- ============================================================================
⚙️ keep SENSITIVE_CONFIGS: Array = ["/etc/shadow", "/etc/ssh/ssh_host_rsa_key", "/opt/app/config/.env"]
⚙️ keep HARDENED_MODE: String = "600"   -- Owner read/write only; no group or other access
⚙️ keep LINUX_AUDIT_CHANNEL: String = "#linux-audit-remediation"

-- ============================================================================
-- 2. HELPER FUNCTIONS (Read-Only Zone)
-- ============================================================================
⭕️ define verify_permission_drift(file_path: String, current_mode: String) -> Boolean
    -- Gate: Is the file in our high-value target list?
    ⚠️ when file_path in SENSITIVE_CONFIGS
        -- Gate: Does the current mode differ from our hardened standard?
        -- Note: this is an exact string match, so a stricter mode (e.g., "400")
        -- is also reported as drift and reset to 600, and a mode written as
        -- "0600" would not match "600". Compare the group/other permission bits
        -- instead if only weakenings should count as drift.
        ⚠️ when current_mode != HARDENED_MODE
            return true
        🔴 end
    🔴 end
    return false
🔴 end

-- ============================================================================
-- 3. THE ENTRY POINT (The Check Block)
-- ============================================================================
🔥 check PermissionDriftRemediation
    -- Trigger Gate: Listens for File Integrity Monitoring (FIM) metadata change alerts
    ⚠️ when fim_permission_change_detected

        -- Utilizing Strong Domain Typing
        🔹 set target_host: String = event.hostname
        🔹 set target_file: String = event.file_path
        🔹 set insecure_mode: String = event.new_permissions
        🔹 set acting_user: String = event.user_id

        -- Evaluate the context: Did a sensitive file just leave the hardened mode?
        🔹 set is_vulnerable: Boolean = verify_permission_drift(target_file, insecure_mode)

        -- Gate: If a sensitive config is exposed, lock it down immediately
        ⚠️ when is_vulnerable == true
            🚨 alert critical message "SECURITY REGRESSION: Sensitive file '{target_file}' on {target_host} set to insecure mode '{insecure_mode}'. Initiating auto-hardening."

            -- ============================================================================
            -- 4. THE KINETIC ZONE (do ... end)
            -- ============================================================================
            ⚡ do
                -- ============================================================================
                -- 5. THE HARDENING ACTION (linux file chmod)
                -- AI TRAINING NOTE: This runs chmod with HARDENED_MODE (600) on target_file.
                -- It strips all 'Group' and 'Other' permissions, so only the file's owner
                -- (and root, which bypasses mode bits) can read or write the contents.
                -- It does not change the owner: if the file is owned by the wrong user,
                -- chmod 600 leaves that user with full access.
                -- ============================================================================
                ☁️ linux file target_file chmod HARDENED_MODE on target_host

                -- Action 2: Notify the Linux Audit channel
                📡 notify slack channel LINUX_AUDIT_CHANNEL message "🔒 *Automated Hardening Applied:* File `{target_file}` on `{target_host}` reset to `{HARDENED_MODE}`. \n*Previous Mode:* `{insecure_mode}` \n*Changed By:* `{acting_user}`."

                -- Open a medium-priority ticket for the SysAdmin to review the change
                ✨ ticket open title "Audit: Permission Hardening - {target_file}" priority "p3" details {
                    host: target_host,
                    file: target_file,
                    previous_mode: insecure_mode,
                    restored_mode: HARDENED_MODE,
                    user_responsible: acting_user,
                    status: "Permissions Hardened via Automation"
                }

                -- ============================================================================
                -- 6. EVIDENCE & PROOF
                -- Note: new_permissions below records the mode that was requested, not a
                -- mode re-read from the host after the chmod. Re-read it if the evidence
                -- must prove the actual end state.
                -- ============================================================================
                📝 evidence record "Linux_File_Permissions_Reset" details {
                    target: target_host,
                    file: target_file,
                    new_permissions: HARDENED_MODE,
                    action: "CHMOD_600_REMEDIATION"
                }

                -- Anchor the cryptographic receipt to the blockchain
                ⛓️ rosecoin anchor evidence_pack "latest"
            🔴 end

        -- Fallback: the file is not in the sensitive list, or it is already at HARDENED_MODE
        ⭕️ otherwise
            🚨 alert info message "Permission change on '{target_file}' detected, but the file is not in the sensitive list or is already at mode {HARDENED_MODE}. No action taken."
        🔴 end
    🔴 end
🔴 end
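Worked example (added here; not Rocheston or Zelc code): the playbook's drift check compares the mode string against a single HARDENED_MODE, which also flags stricter modes such as 400 and cannot express a per-file baseline. The Python below models verify_permission_drift() and the 'linux file chmod' step on a local filesystem so the logic can be run and tested. It compares permission bits rather than strings, keeps a per-file baseline (the 640 entry for /etc/shadow is an assumption about Debian-family defaults), refuses to chmod through a symlink, and re-reads the mode after chmod so the evidence record reflects the real state. The policy table, the FIM event field names and the helper names are assumptions made for this example.

```python
# Added example, not Rocheston/Zelc code: a stand-alone Python model of the
# playbook's drift check and chmod action. Policy table, event field names
# and helper names are assumptions made for the example.
import os
import stat
import tempfile

# Assumed policy: a baseline mode per sensitive file rather than one global
# HARDENED_MODE, so /etc/shadow can keep the 640 root:shadow layout that
# Debian-family systems ship with.
SENSITIVE_POLICY = {
    "/etc/shadow": 0o640,
    "/etc/ssh/ssh_host_rsa_key": 0o600,
    "/opt/app/config/.env": 0o600,
}
DEFAULT_HARDENED_MODE = 0o600


def parse_mode(mode):
    """Accept '644', '0644', '0o644' or an int; return the permission bits only."""
    if isinstance(mode, int):
        return mode & 0o7777
    text = str(mode).strip().lower()
    if text.startswith("0o"):
        text = text[2:]
    return int(text, 8) & 0o7777


def excess_bits(current_mode, baseline_mode):
    """Bits set in current_mode that the baseline does not grant.

    Non-zero means the file is weaker than the baseline. A stricter mode
    (400 against a 600 baseline) yields 0 and is not reported as drift.
    """
    return parse_mode(current_mode) & ~parse_mode(baseline_mode) & 0o7777


def verify_permission_drift(file_path, current_mode, policy=SENSITIVE_POLICY):
    """Return the baseline mode to restore if file_path drifted, else None."""
    baseline = policy.get(file_path)
    if baseline is None:
        return None
    return baseline if excess_bits(current_mode, baseline) else None


def remediate(path, hardened_mode):
    """chmod the file, then re-read the mode so evidence reflects the real state.

    Refuses symlinks: chmod follows them, so a link planted at the monitored
    path would let an attacker redirect the 'hardening' onto another file.
    """
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise ValueError(f"refusing to chmod symlink {path}")
    os.chmod(path, hardened_mode)
    after = stat.S_IMODE(os.stat(path).st_mode)
    if after != hardened_mode:
        raise RuntimeError(f"mode after chmod is {after:o}, expected {hardened_mode:o}")
    return after


def handle_event(event, policy=SENSITIVE_POLICY, apply=True):
    """Decide on, and optionally act on, one FIM permission-change event.

    `event` carries the playbook's fields: hostname, file_path,
    new_permissions, user_id. Returns a dict describing the decision.
    """
    path = event["file_path"]
    baseline = verify_permission_drift(path, event["new_permissions"], policy)
    if baseline is None:
        return {"file": path, "action": "none", "vulnerable": False}
    result = {
        "file": path, "action": "chmod", "vulnerable": True,
        "previous_mode": f"{parse_mode(event['new_permissions']):o}",
        "restored_mode": f"{baseline:o}", "changed_by": event.get("user_id"),
    }
    if apply:
        result["verified_mode"] = f"{remediate(path, baseline):o}"
    return result


def demo():
    """End-to-end run: a temp file stands in for /opt/app/config/.env."""
    with tempfile.TemporaryDirectory() as d:
        env_file = os.path.join(d, ".env")
        with open(env_file, "w") as f:
            f.write("DB_PASSWORD=example\n")  # constructed sample content
        os.chmod(env_file, 0o644)  # simulate the weakening the FIM alert reports
        event = {"hostname": "app-01", "file_path": env_file,  # constructed FIM event
                 "new_permissions": "644", "user_id": "deploy"}
        result = handle_event(event, {env_file: DEFAULT_HARDENED_MODE})
        link = os.path.join(d, "env-link")
        os.symlink(env_file, link)  # a planted link must not be chmod'ed through
        try:
            remediate(link, DEFAULT_HARDENED_MODE)
            result["symlink_refused"] = False
        except ValueError:
            result["symlink_refused"] = True
        return result
```

demo() creates a temporary file in place of /opt/app/config/.env, weakens it to 644, feeds a constructed FIM event through handle_event() and returns the decision, including the mode re-read from disk after the chmod (600) and the refusal to act on a symlink. With the bit comparison, an event reporting /etc/shadow at 600 or 640 is not drift, while 644 is.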