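# CIS Debian 13 Benchmark - Log Rotation Configuration
# Implements CIS recommendations for secure log rotation
#
# Conventions used throughout this file:
#   - Every stanza states its own frequency, retention and `create` mode, so
#     nothing relies on directives placed outside a stanza. In a logrotate.d
#     fragment, such "global" directives apply to every config file parsed
#     after this one and silently change other packages' rotation; the former
#     global block (weekly / rotate 52 / create 0640 root adm / sharedscripts)
#     was therefore dropped - every stanza below already carried its own copy.
#   - `create 0640 root adm` keeps the freshly created log readable only by
#     root and the adm group (CIS: log files 0640 or more restrictive).
#   - postrotate commands run under /bin/sh (dash on Debian). The bash-only
#     `&>/dev/null` form is not used: dash parses `cmd &>/dev/null` as
#     `cmd &` followed by a bare redirect, which backgrounds the command and
#     always reports success. `>/dev/null 2>&1` is used instead, matching the
#     fail2ban stanza's original form.
#   - logrotate refuses a file that is matched by more than one stanza
#     ("duplicate log entry") and then skips the whole config file. The former
#     catch-all /var/log/security/*.log stanza overlapped every explicit
#     /var/log/security/ stanza below and was removed; any new log under
#     /var/log/security/ that needs rotation must be listed here explicitly.

# Authentication logs - high retention for forensic analysis
/var/log/security/auth.log
/var/log/security/failed.log
/var/log/security/login.log {
    daily
    rotate 365
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# Sudo logs - longer retention for audit purposes
/var/log/security/sudo.log {
    daily
    rotate 365
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# Audit logs - longer retention for compliance
# Only the rsyslog-written copy is rotated here. /var/log/audit/*.log (formerly
# listed in this stanza) belongs to auditd, which keeps its log open and
# rotates it itself according to max_log_file / max_log_file_action in
# auditd.conf; renaming it from logrotate leaves auditd writing into the
# renamed file, and the rsyslog postrotate below never tells auditd to reopen.
/var/log/security/audit.log {
    weekly
    rotate 104
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# System logs - standard retention
/var/log/security/messages
/var/log/security/kern.log
/var/log/security/daemon.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# Network logs - standard retention
/var/log/security/network.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# Security alerts - longer retention for incident analysis
/var/log/security/alerts.log {
    daily
    rotate 730
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate >/dev/null 2>&1 || true
    endscript
}

# AIDE integrity check logs
/var/log/aide/*.log {
    weekly
    rotate 104
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}

# Fail2ban logs
# `fail2ban-client flushlogs` makes fail2ban reopen its log file after the
# rename; a service reload only re-reads the jail configuration and keeps
# writing to the rotated file.
# NOTE(review): the Debian fail2ban package ships its own logrotate fragment
# for this path under /etc/logrotate.d/; if it is installed, this stanza is a
# duplicate log entry and one of the two must go - confirm before deploying.
/var/log/fail2ban.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        fail2ban-client flushlogs >/dev/null 2>&1 || true
    endscript
}

# Application logs - standard rotation
# NOTE(review): `create 0640 user user` requires a local account and group
# literally named "user"; an unknown name is a parse error that makes logrotate
# skip this entire file. If /var/log/remmina or /var/log/icewm is writable by
# that user's group or by others, logrotate also refuses to rotate inside it
# unless `su user user` is added to the stanza - confirm the account and the
# directory modes on the target host.
/var/log/remmina/*.log {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 0640 user user
}

# IceWM logs - standard rotation
# Same account assumption as the Remmina stanza above.
/var/log/icewm/*.log {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 0640 user user
}

# WireGuard logs - important for network security
/var/log/wireguard/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}

# Directory permission hardening
# The earlier stanza that listed /var/log/security/, /var/log/audit/ and
# /var/log/aide/ as logs was removed: logrotate rotates regular files only and
# skips directory entries, so that stanza matched nothing and the chmod
# commands in its postrotate never executed. File modes are already enforced
# by `create 0640 root adm` in each stanza; the intended directory modes
# (0750, root:adm) must be set by whatever provisions these directories, not
# by logrotate.

# Summary log rotation for compliance reporting
/var/log/security/summary.log {
    monthly
    rotate 60
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}

# Old system logs for historical reference
# NOTE(review): the rsyslog package's own logrotate fragment normally covers
# /var/log/syslog, /var/log/messages and /var/log/kern.log; if it is present
# these are duplicate log entries and logrotate skips this whole file -
# confirm which fragment should own them.
/var/log/syslog
/var/log/messages
/var/log/kern.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}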