24 lines
991 B
Bash
Executable file
24 lines
991 B
Bash
Executable file
#!/bin/bash
|
|
|
|
# Sleep for a couple of minutes to prevent a race condition with other cron jobs.
|
|
sleep 120
|
|
|
|
# Secure /var/log
|
|
# Set standard access perms for directories
|
|
setfacl -m user::rwx,group::rx,other::x /var/log/
|
|
find /var/log/*/ -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
|
|
# Set standard access perms for files
|
|
find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
|
|
# Allow group 'admin' read access to all directories/files
|
|
find /var/log -type d -exec setfacl -m group:admin:rX {} \;
|
|
find /var/log -type f -exec setfacl -m group:admin:r {} \;
|
|
# Set default access for new files in directories.
|
|
find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
|
|
find /var/log -type d -exec setfacl -dm group:admin:rX {} \;
|
|
# /var/log/wtmp needs to be readable by everyone
|
|
setfacl -m user::rw,group::r,other::r /var/log/wtmp
|
|
|
|
# To clear above ACL settings:
|
|
# setfacl -Rk /path
|
|
# setfacl -Rx group:admin: /path
|
|
# setfacl -Rx mask:: /path
|