Puppet Class: cis_security_hardening::rules::logfile_permissions

Defined in:
manifests/rules/logfile_permissions.pp

Summary

Ensure permissions on all logfiles are configured

Overview

Log files stored in /var/log/ contain logged information from many services on the system or, on log hosts, from other systems as well.

Rationale: It is important that log files have the correct permissions so that sensitive data is archived and protected.

Examples:

class { 'cis_security_hardening::rules::logfile_permissions':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • file_mode (String) (defaults to: '0640')

    Mode to set files to

  • dir_mode (Optional[String]) (defaults to: undef)

    Directory mode to set

  • exclude_files (Optional[Array]) (defaults to: undef)

    Files whose permissions should not be changed



# File 'manifests/rules/logfile_permissions.pp', line 26

class cis_security_hardening::rules::logfile_permissions (
  Boolean $enforce = false,
  String $file_mode = '0640',
  Optional[String] $dir_mode = undef,
  Optional[Array] $exclude_files = undef,
) {
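  # Note: $exclude_files is declared above but is not referenced in this body.
  if $enforce {
    # Pass dir_mode only when it was set, so an undef value is never handed on.
    $data = $dir_mode ? {
      undef   => {
        file_mode => $file_mode,
      },
      default => {
        file_mode => $file_mode,
        dir_mode => $dir_mode,
      },
    }
    # Apply the selected attributes to /var/log via the splat (*) operator.
    recursive_file_permissions { '/var/log':
      * => $data,
    }
  }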
}
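
An audit counterpart to this rule, added here as an example (not part of the cis_security_hardening module): it lists files under a log directory whose mode grants bits beyond file_mode, and optionally directories beyond dir_mode, without changing anything. It assumes GNU find; the function names and the exact-path treatment of exclusions are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit matching this rule's parameters.
# Assumes GNU find (-perm /MASK). Function names are hypothetical.

# extra_bits MODE -> octal mask of the permission bits MODE does NOT grant.
extra_bits() {
    case $1 in
        ''|*[!0-7]*) return 2 ;;          # reject non-octal input
    esac
    m="0${1#0}"                            # '640' and '0640' both parse as octal
    printf '%o' $(( 0777 & ~ $m ))
}

# list_violations KIND MODE DIR [EXCLUDE...]   (KIND: f = files, d = directories)
# Prints every path of that kind holding at least one bit outside MODE.
list_violations() {
    kind=$1 mode=$2 dir=$3; shift 3
    mask=$(extra_bits "$mode") || return 2
    if [ "$mask" = 0 ]; then return 0; fi  # MODE 0777 permits every bit
    find "$dir" -type "$kind" -perm "/$mask" -print |
    while IFS= read -r p; do
        skip=0
        for ex in "$@"; do                 # assumption: exclusions are exact paths
            if [ "$p" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# audit_log_perms DIR FILE_MODE DIR_MODE [EXCLUDE...]
# Pass '-' as DIR_MODE to skip directories (the class default, undef).
audit_log_perms() {
    root=$1 fmode=$2 dmode=$3; shift 3
    list_violations f "$fmode" "$root" "$@" || return 2
    if [ "$dmode" != "-" ]; then
        list_violations d "$dmode" "$root" "$@" || return 2
    fi
}

# Example: audit_log_perms /var/log 0640 -
```

Running it before setting enforce => true shows which paths currently exceed the configured modes.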