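#!/bin/bash
#
# Re-apply POSIX ACLs under /var/log: owner rw(x), owning group r(x), nothing
# for others, plus read access for group 'admin'.
#
# Runs from cron (see the sleep below). Changing ACLs on files owned by other
# users needs root.
#
# There is deliberately no `set -e`: every step is best-effort, because logs
# can be rotated or removed while the script runs, and one failed setfacl
# should not skip the remaining steps.

# Sleep for a couple of minutes to prevent a race condition with other cron jobs.
sleep 120

# Secure /var/log
# Set standard access perms for directories.
# The top-level directory keeps other::x so that /var/log/wtmp (below) stays
# reachable by path for everyone.
setfacl -m user::rwx,group::rx,other::x /var/log/

# Subdirectories are enumerated with -mindepth 1 instead of the glob
# /var/log/*/ . A glob with a trailing slash also matches symlinks that point
# at directories, and find then descends into the link target, so a symlink
# planted in /var/log could redirect these ACL changes outside the log tree.
# Starting from /var/log itself, find (default -P) never follows symlinks.
# This form also covers dot-directories and does not fail when /var/log has
# no subdirectories.
find /var/log -mindepth 1 -type d \
  -exec setfacl -m user::rwx,group::rx,other::- {} +

# Set standard access perms for files.
# NOTE(review): this sets group::r on every file, including any that were
# owner-only (mode 0600) before the run; confirm that the owning group of each
# log is really meant to read it.
# (-R is not needed here: find already hands over individual regular files.)
find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} +

# Allow group 'admin' read access to all directories/files.
# 'X' grants search permission on directories only.
find /var/log -type d -exec setfacl -m group:admin:rX {} +
find /var/log -type f -exec setfacl -m group:admin:r {} +

# Set default access for new files in directories.
find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} +
find /var/log -type d -exec setfacl -dm group:admin:rX {} +

# /var/log/wtmp needs to be readable by everyone.
# This must stay after the file pass above, which removes access for others.
# NOTE(review): the default ACL set on /var/log gives other::- to new files, so
# a wtmp that is re-created later may come up without this entry until the
# script runs again, depending on how its creator sets the mode.
setfacl -m user::rw,group::r,other::r /var/log/wtmp

# To clear above ACL settings:
# setfacl -Rk /path
# setfacl -Rx group:admin: /path
# setfacl -Rx mask:: /path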