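#!/bin/bash
#
# Cron job: tighten the ACLs under /var/log so that root can write logs,
# members of group 'admin' can read them, and nobody else can see them
# (except /var/log/wtmp, which must stay world-readable).
#
# The subtrees /var/log/packages, /var/log/setup and /var/log/scripts
# (presumably the package database) are left at their stock permissions.
# The exclusion is applied with find -prune, so it covers both the
# directory passes and the file passes and everything below those
# directories; a GLOBIGNORE on the directory globs alone would not stop
# `find -type f` from locking down the files inside them.
#
# Requires root. Every pass is attempted even if an earlier one failed,
# and the exit status is non-zero if anything failed so cron reports it.

set -u

readonly LOG_ROOT=/var/log

# Subtrees that keep their stock permissions (pruned from every pass).
readonly -a EXCLUDED=(
  "$LOG_ROOT/packages"
  "$LOG_ROOT/setup"
  "$LOG_ROOT/scripts"
)

# Set to 1 by run_step when any command fails; becomes the exit status.
rc=0

#######################################
# Run a command and remember that it failed, without aborting the script.
# Arguments: the command and its arguments
# Globals:   rc (written)
# Outputs:   a diagnostic on stderr when the command fails
#######################################
run_step() {
  if ! "$@"; then
    printf '%s: failed: %s\n' "${0##*/}" "$*" >&2
    rc=1
  fi
}

#######################################
# find(1) over LOG_ROOT with the EXCLUDED subtrees pruned. The remaining
# arguments form the expression applied to every other path, e.g.
#   log_find -type f -exec setfacl -m ... {} +
# find does not follow symlinks, so linked-in directories are not descended.
# Globals:   LOG_ROOT, EXCLUDED (read)
# Arguments: a find expression
#######################################
log_find() {
  local -a prune=(-path "${EXCLUDED[0]}")
  local d
  for d in "${EXCLUDED[@]:1}"; do
    prune+=(-o -path "$d")
  done
  find "$LOG_ROOT" \( "${prune[@]}" \) -prune -o "$@"
}

main() {
  if (( EUID != 0 )); then
    printf '%s: must run as root\n' "${0##*/}" >&2
    exit 1
  fi

  # Stagger the start by up to two minutes to avoid racing other cron jobs.
  sleep "$(( RANDOM % 120 ))"

  # Base access: root rwx/rw, group rx/r, nobody else.
  run_step log_find -type d -exec setfacl -m user::rwx,group::rx,other::- {} +
  # /var/log itself stays traversable so paths beneath it keep resolving
  # for unprivileged programs that are granted a specific file.
  run_step setfacl -m user::rwx,group::rx,other::x "$LOG_ROOT"
  run_step log_find -type f -exec setfacl -m user::rw,group::r,other::- {} +

  # Group 'admin' may read every file and traverse every directory.
  run_step log_find -type d -exec setfacl -m group:admin:rX {} +
  run_step log_find -type f -exec setfacl -m group:admin:r {} +

  # Default ACLs so files and directories created later inherit the policy.
  run_step log_find -type d -exec setfacl -dm user::rwX,group::rX,other::- {} +
  run_step log_find -type d -exec setfacl -dm group:admin:rX {} +

  # wtmp must remain readable by everyone; skip silently if the system
  # does not keep one.
  if [[ -f "$LOG_ROOT/wtmp" ]]; then
    run_step setfacl -m user::rw,group::r,other::r "$LOG_ROOT/wtmp"
  fi

  exit "$rc"
}

main "$@"

# To clear above ACL settings:
# setfacl -Rk /path
# setfacl -Rx group:admin: /path
# setfacl -Rx mask:: /path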