feat: implement comprehensive auditing and logging for compliance

- Add CIS audit rules for system events monitoring
- Configure rsyslog for centralized security logging
- Implement logrotate for 365-day retention
- Add AIDE file integrity monitoring configuration

Audit Rules Coverage:
- System calls monitoring
- Privileged command execution
- File access and modification
- User/group information changes
- Network configuration changes
- Cron and service management
- Login and session events

Logging Features:
- Separate logs for security, admin, access, change events
- Rate limiting to prevent log flooding
- RFC 5424 format compliance
- Secure file permissions (0640)

File Integrity Monitoring:
- AIDE daily integrity checks
- Monitor critical system files and directories
- Exclude volatile filesystems (/proc, /sys, /tmp)
- Automated integrity verification

Compliance:
- CIS Benchmark 4.1: Audit and Accountability
- CMMC Level 3: AU domain (Audit and Accountability)
- FedRAMP Moderate: AU controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

chroot-overlay/etc/logrotate.d/cis-logs

@@ -0,0 +1,177 @@
+# CIS Benchmark - Logrotate Configuration
+# Implements CIS Debian Benchmark Section 4.2.1.3
+
+# Rotate daily
+daily
+
+# Keep logs for 365 days (CMMC/FedRAMP requirement)
+rotate 365
+
+# Create new log files
+create
+
+# Compress old logs
+compress
+
+# Use gzip compression
+compresscmd /usr/bin/gzip
+
+# Uncompress with gunzip
+uncompresscmd /usr/bin/gunzip
+
+# Compression options
+compressoptions -9
+
+# Don't compress if recent
+delaycompress
+
+# Don't compress empty logs
+notifempty
+
+# Don't rotate if missing
+missingok
+
+# Rotate if size exceeds 100M
+size 100M
+
+# ============================================================================
+# Specific Log Rotation Rules
+# ============================================================================
+
+# System logs
+/var/log/auth.log
+/var/log/kern.log
+/var/log/syslog
+/var/log/messages
+/var/log/debug
+/var/log/user.log
+{
+    rotate 90
+    daily
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        systemctl reload rsyslog > /dev/null 2>&1 || true
+    endscript
+}
+
+# Security logs (keep longer for compliance)
+/var/log/audit/audit.log
+/var/log/security.log
+/var/log/access.log
+/var/log/change.log
+/var/log/admin.log
+{
+    rotate 365
+    daily
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        systemctl reload auditd > /dev/null 2>&1 || true
+        systemctl reload rsyslog > /dev/null 2>&1 || true
+    endscript
+}
+
+# Sudo logs
+/var/log/sudo.log
+{
+    rotate 365
+    monthly
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Firewall and network logs
+/var/log/firewall.log
+/var/log/wireguard.log
+/var/log/network.log
+{
+    rotate 90
+    daily
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Cron logs
+/var/log/cron.log
+{
+    rotate 60
+    weekly
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Boot logs
+/var/log/boot.log
+{
+    rotate 30
+    weekly
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# Package manager logs
+/var/log/dpkg.log
+/var/log/apt/
+{
+    rotate 90
+    monthly
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+
+# System startup/shutdown logs
+/var/log/wtmp
+{
+    rotate 30
+    monthly
+    compress
+    missingok
+    notifempty
+    create 0644 root utmp
+}
+
+# Failed login attempts
+/var/log/btmp
+{
+    rotate 90
+    monthly
+    compress
+    missingok
+    notifempty
+    create 0640 root utmp
+}
+
+# Last login logs
+/var/log/lastlog
+{
+    rotate 30
+    monthly
+    compress
+    missingok
+    notifempty
+    create 0640 root utmp
+}