progress snapshot

2026-01-21 08:33:09 -05:00
parent 6c96f3c549
commit 1339705f9d
20 changed files with 3387 additions and 46 deletions
--- a/config/cis-logs
+++ b/config/cis-logs
@@ -0,0 +1,215 @@
+# CIS Debian 13 Benchmark - Log Rotation Configuration
+# Implements CIS recommendations for secure log rotation
+
+# Global rotation settings
+weekly
+rotate 52
+compress
+delaycompress
+missingok
+notifempty
+create 0640 root adm
+sharedscripts
+
+# Security logs - longer retention
+/var/log/security/*.log {
+    weekly
+    rotate 104
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# Authentication logs - high retention for forensic analysis
+/var/log/security/auth.log /var/log/security/failed.log /var/log/security/login.log {
+    daily
+    rotate 365
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# Sudo logs - longer retention for audit purposes
+/var/log/security/sudo.log {
+    daily
+    rotate 365
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# Audit logs - longer retention for compliance
+/var/log/security/audit.log /var/log/audit/*.log {
+    weekly
+    rotate 104
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# System logs - standard retention
+/var/log/security/messages /var/log/security/kern.log /var/log/security/daemon.log {
+    weekly
+    rotate 52
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# Network logs - standard retention
+/var/log/security/network.log {
+    weekly
+    rotate 52
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# Security alerts - longer retention for incident analysis
+/var/log/security/alerts.log {
+    daily
+    rotate 730
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate &>/dev/null || true
+    endscript
+}
+
+# AIDE integrity check logs
+/var/log/aide/*.log {
+    weekly
+    rotate 104
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Fail2ban logs
+/var/log/fail2ban.log {
+    weekly
+    rotate 52
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        service fail2ban reload >/dev/null 2>&1 || true
+    endscript
+}
+
+# Application logs - standard rotation
+/var/log/remmina/*.log {
+    weekly
+    rotate 12
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 user user
+}
+
+# IceWM logs - standard rotation
+/var/log/icewm/*.log {
+    weekly
+    rotate 12
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 user user
+}
+
+# WireGuard logs - important for network security
+/var/log/wireguard/*.log {
+    weekly
+    rotate 52
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Ensure secure permissions for all log directories
+/var/log/security/ /var/log/audit/ /var/log/aide/ {
+    monthly
+    rotate 1
+    nocreate
+    compress
+    missingok
+    postrotate
+        find /var/log/security/ -type f -name "*.log" -exec chmod 0640 {} \;
+        find /var/log/security/ -type d -exec chmod 0750 {} \;
+        find /var/log/audit/ -type f -name "*.log" -exec chmod 0640 {} \;
+        find /var/log/audit/ -type d -exec chmod 0750 {} \;
+        find /var/log/aide/ -type f -name "*.log" -exec chmod 0640 {} \;
+        find /var/log/aide/ -type d -exec chmod 0750 {} \;
+    endscript
+}
+
+# Summary log rotation for compliance reporting
+/var/log/security/summary.log {
+    monthly
+    rotate 60
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Old system logs for historical reference
+/var/log/syslog /var/log/messages /var/log/kern.log {
+    weekly
+    rotate 4
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}