Define a complete security baseline and monitor the baseline's rules. The baseline should be defined in Hiera. The purpose of the module is to make it possible to set up a complete security baseline, which does not necessarily have to stick to industry security guides like the CIS benchmarks.
This file is under /var/log and is world readable (and getting changed back to world readable), so this will generate endless changes for the puppet runs when you enable:
cis_security_hardening::rules::logfile_permissions::enforce: true
Non-world-readable generic logfiles are good for the benchmark, but this file needs to be ignored somehow.
See the answer on the Debian mailing list here