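# CIS Benchmark - Logrotate Configuration
# Implements CIS Debian Benchmark Section 4.2.1.3
#
# The global directives below are inherited by every stanza unless the stanza
# overrides them.
#
# NOTE(review): several paths here (syslog/auth.log, wtmp, btmp, dpkg.log,
# /var/log/apt/*.log) are also covered by the stock Debian stanzas in
# /etc/logrotate.conf and /etc/logrotate.d/. logrotate refuses a path that
# appears in two stanzas ("duplicate log entry") and skips it, so the
# distribution stanzas for those paths must be removed or replaced when this
# file is installed — confirm on the target host.

# Rotate daily
daily

# Keep logs for 365 days (CMMC/FedRAMP requirement)
rotate 365

# Create new log files (same owner/mode as the rotated file unless a stanza
# gives an explicit mode/owner/group)
create

# Compress old logs
compress

# Use gzip compression
compresscmd /usr/bin/gzip

# Uncompress with gunzip
uncompresscmd /usr/bin/gunzip

# Compression options
compressoptions -9

# Don't compress if recent
delaycompress

# Don't compress empty logs
notifempty

# Don't rotate if missing
missingok

# Rotate early if size exceeds 100M.
# 'maxsize' rotates when EITHER the interval elapses OR the file exceeds the
# limit. The previous 'size 100M' is mutually exclusive with daily/weekly/
# monthly (the last one given wins), so every stanza's own interval directive
# overrode it and the size limit never took effect.
maxsize 100M

# ============================================================================
# Specific Log Rotation Rules
# ============================================================================

# System logs
# 90 days of general system logs; authentication events live in the security
# stanza below so they get the full compliance retention period.
/var/log/kern.log
/var/log/syslog
/var/log/messages
/var/log/debug
/var/log/user.log
{
    rotate 90
    daily
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        # rsyslog keeps its output files open; HUP makes it reopen them
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Security logs (keep longer for compliance)
# /var/log/auth.log is kept for the 365-day period stated in the header rather
# than the 90 days of the other system logs, since it is the authentication
# record auditors ask for first.
#
# /var/log/audit/audit.log is deliberately NOT listed: auditd holds the file
# open and rotates it itself (max_log_file / max_log_file_action in
# /etc/audit/auditd.conf). Renaming it from here leaves auditd writing into
# the renamed file, and 'systemctl reload auditd' sends SIGHUP, which makes
# auditd re-read its configuration, not reopen the log.
/var/log/auth.log
/var/log/security.log
/var/log/access.log
/var/log/change.log
/var/log/admin.log
{
    rotate 365
    daily
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Sudo logs
# NOTE(review): 'rotate 365' with 'monthly' keeps roughly 30 years of sudo
# history, far beyond the 365-day target in the header; if the same daily
# cadence as the other security logs was intended, change 'monthly' to
# 'daily'. Left as written pending confirmation.
/var/log/sudo.log
{
    rotate 365
    monthly
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    # If this file is fed by rsyslog it stays open across the rename; the
    # reload makes rsyslog reopen it. Harmless if sudo's own 'logfile'
    # option writes it (sudo opens the file per event).
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Firewall and network logs
/var/log/firewall.log
/var/log/wireguard.log
/var/log/network.log
{
    rotate 90
    daily
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    # These are typically rsyslog destinations; without a reopen, rsyslog
    # keeps writing to the renamed file and the new one stays empty.
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Cron logs
/var/log/cron.log
{
    rotate 60
    weekly
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    # cron.log is normally written by rsyslog; make it reopen the file
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Boot logs
/var/log/boot.log
{
    rotate 30
    weekly
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}

# Package manager logs
# '/var/log/apt/' is a directory, not a log pattern, and logrotate rejects
# directory entries; match the log files inside it instead.
/var/log/dpkg.log
/var/log/apt/*.log
{
    rotate 90
    monthly
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}

# System startup/shutdown logs
# wtmp/btmp are written by login programs that open the file per event, so no
# reopen hook is needed. They are binary records, hence no delaycompress.
/var/log/wtmp
{
    rotate 30
    monthly
    compress
    missingok
    notifempty
    create 0644 root utmp
}

# Failed login attempts
/var/log/btmp
{
    rotate 90
    monthly
    compress
    missingok
    notifempty
    create 0640 root utmp
}

# /var/log/lastlog is intentionally NOT rotated. It is a fixed-record database
# indexed by UID (read by lastlog(8) and pam_lastlog), not an append-only log:
# rotating it replaces it with an empty file, after which every account shows
# "Never logged in" and inactive-account reviews based on it are defeated. Its
# size is bounded by the highest UID on the system, not by time.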