From f292c531dba09b2fea26d8b22674c097cb9bdff8 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Wed, 27 Nov 2019 16:09:22 -0600
Subject: [PATCH] Fix rsyslog file and directory permissions
---
 roles/rsyslog/templates/archival.conf.j2 | 8 ++++++++
 roles/rsyslog/templates/rsyslog.conf.j2 | 9 +++++++++
 roles/rsyslog/vars/Debian.yaml | 5 ++++-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/roles/rsyslog/templates/archival.conf.j2 b/roles/rsyslog/templates/archival.conf.j2
index 558567c..8088595 100644
--- a/roles/rsyslog/templates/archival.conf.j2
+++ b/roles/rsyslog/templates/archival.conf.j2
@@ -24,4 +24,12 @@ template(
 type="omfile"
 dynafile="FilePerDay"
 template="RSYSLOG_FileFormat"
+ fileCreateMode="{{ rsyslog_file_create_mode }}"
+ dirCreateMode="{{ rsyslog_dir_create_mode }}"
+ createDirs="{{ rsyslog_create_dirs | ternary('on', 'off') }}"
+ fileOwner="{{ rsyslog_file_owner }}"
+ fileGroup="{{ rsyslog_file_group }}"
+ dirOwner="{{ rsyslog_file_owner }}"
+ dirGroup="{{ rsyslog_file_group }}"
+ umask="{{ rsyslog_umask }}"
 )
diff --git a/roles/rsyslog/templates/rsyslog.conf.j2 b/roles/rsyslog/templates/rsyslog.conf.j2
index 599688a..5a1286b 100644
--- a/roles/rsyslog/templates/rsyslog.conf.j2
+++ b/roles/rsyslog/templates/rsyslog.conf.j2
@@ -27,9 +27,18 @@ $FileOwner {{ rsyslog_file_owner }}
 {% if rsyslog_file_group is defined %}
 $FileGroup {{ rsyslog_file_group }}
 {% endif %}
+{% if rsyslog_dir_owner is defined %}
+$FileOwner {{ rsyslog_dir_owner }}
+{% endif %}
+{% if rsyslog_dir_group is defined %}
+$FileGroup {{ rsyslog_dir_group }}
+{% endif %}
 {% if rsyslog_file_create_mode is defined %}
 $FileCreateMode {{ rsyslog_file_create_mode }}
 {% endif %}
+{% if rsyslog_create_dirs is defined %}
+CreateDirs {{ rsyslog_create_dirs | ternary('on', 'off') }}
+{% endif %}
 {% if rsyslog_dir_create_mode is defined %}
 $DirCreateMode {{ rsyslog_dir_create_mode }}
 {% endif %}
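Review bot: In the archival.conf.j2 hunk, `dirOwner` and `dirGroup` are filled from `rsyslog_file_owner` and `rsyslog_file_group`, although this commit adds `rsyslog_dir_owner` and `rsyslog_dir_group` to the Debian vars; they should read `dirOwner="{{ rsyslog_dir_owner }}"` and `dirGroup="{{ rsyslog_dir_group }}"`. As far as I know `umask` is a global rsyslog setting rather than an omfile action parameter, so `umask="{{ rsyslog_umask }}"` is probably rejected as an unknown parameter when the config loads and is best dropped from the action. All eight new parameters are rendered unconditionally, while rsyslog.conf.j2 guards the same variables with `is defined`, so a platform whose vars file lacks one of them would presumably fail to template. The action block starts outside the hunk.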
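Review bot: In the rsyslog.conf.j2 hunk, the two new directory blocks emit `$FileOwner {{ rsyslog_dir_owner }}` and `$FileGroup {{ rsyslog_dir_group }}`, which overwrite the file owner and group set just above instead of setting the directory ones; they should be `$DirOwner {{ rsyslog_dir_owner }}` and `$DirGroup {{ rsyslog_dir_group }}`. With the Debian values both pairs are identical, so the mistake stays hidden until the directory and file owners differ. The added `CreateDirs` line also lacks the leading `$` that the other legacy directives in this file carry, so rsyslog will likely not read it as that directive; it should be `$CreateDirs {{ rsyslog_create_dirs | ternary('on', 'off') }}`.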
diff --git a/roles/rsyslog/vars/Debian.yaml b/roles/rsyslog/vars/Debian.yaml
index 6e92402..9cd40e0 100644
--- a/roles/rsyslog/vars/Debian.yaml
+++ b/roles/rsyslog/vars/Debian.yaml
@@ -1,8 +1,11 @@
 ---
 rsyslog_file_owner: syslog
 rsyslog_file_group: adm
-rsyslog_file_create_mode: "0644"
+rsyslog_dir_owner: syslog
+rsyslog_dir_group: adm
+rsyslog_file_create_mode: "0640"
 rsyslog_dir_create_mode: "0755"
+rsyslog_create_dirs: yes
 rsyslog_umask: "0022"
 rsyslog_priv_drop_to_user: syslog
 rsyslog_priv_drop_to_group: syslog
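Review bot: Lowering `rsyslog_file_create_mode` to "0640" only applies to files rsyslog creates from now on; logs already written with 0644 stay world-readable until they are rotated or a task resets their mode, and no such task is visible in this diff. `rsyslog_dir_create_mode` stays "0755", so directories rsyslog creates remain listable by every local user; if only the `adm` group is meant to read the archive, `rsyslog_dir_create_mode: "0750"` would match the new file mode. As a style point, `rsyslog_create_dirs: yes` reads more clearly as `rsyslog_create_dirs: true`.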