add logdir-check

2024-11-22 19:23:02 +00:00 · 2017-08-22 18:23:24 +02:00 · 2017-08-22 18:23:24 +02:00 · 9c138b8c54
commit 9c138b8c54
parent c72d8adad0
1 changed files with 18 additions and 0 deletions
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@ -17,6 +17,13 @@
 # author: Dominik Richter
 # author: Patrick Muench

+log_dir_group = case os[:family]
+                when 'debian', 'redhat', 'fedora'
+                  'root'
+                when 'ubuntu'
+                  os[:release] == '14.04' ? 'syslog' : 'root'
+                end
+
 login_defs_umask = attribute('login_defs_umask', default: '027', description: 'Default umask to set in login.defs')
 login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
 login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
@ -236,3 +243,14 @@ control 'os-10' do
    its(:content) { should match 'install vfat /bin/true' }
  end
 end
+
+control 'os-11' do
+  impact 1.0
+  title 'Protect log-directory'
+  desc 'The log-directory /var/log should belong to root'
+  describe file('/var/log') do
+    it { should be_directory }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into log_dir_group }
+  end
+end