KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9eb08c9fde9b64f14b94fe268e78a2d9b5a718c
football/chroot-overlay/etc/logrotate.d/cis-logs
Charles N Wyble d9eb08c9fd feat: implement comprehensive auditing and logging for compliance 
- Add CIS audit rules for system events monitoring
- Configure rsyslog for centralized security logging
- Implement logrotate for 365-day retention
- Add AIDE file integrity monitoring configuration

Audit Rules Coverage:
- System calls monitoring
- Privileged command execution
- File access and modification
- User/group information changes
- Network configuration changes
- Cron and service management
- Login and session events

Logging Features:
- Separate logs for security, admin, access, change events
- Rate limiting to prevent log flooding
- RFC 5424 format compliance
- Secure file permissions (0640)

File Integrity Monitoring:
- AIDE daily integrity checks
- Monitor critical system files and directories
- Exclude volatile filesystems (/proc, /sys, /tmp)
- Automated integrity verification

Compliance:
- CIS Benchmark 4.1: Audit and Accountability
- CMMC Level 3: AU domain (Audit and Accountability)
- FedRAMP Moderate: AU controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 13:13:09 -05:00

178 lines
2.7 KiB
Plaintext
Raw Blame History

# CIS Benchmark - Logrotate Configuration
# Implements CIS Debian Benchmark Section 4.2.1.3
# Rotate daily
daily
# Keep logs for 365 days (CMMC/FedRAMP requirement)
rotate 365
# Create new log files
create
# Compress old logs
compress
# Use gzip compression
compresscmd /usr/bin/gzip
# Uncompress with gunzip
uncompresscmd /usr/bin/gunzip
# Compression options
compressoptions -9
# Don't compress if recent
delaycompress
# Don't compress empty logs
notifempty
# Don't rotate if missing
missingok
# Rotate if size exceeds 100M
size 100M
# ============================================================================
# Specific Log Rotation Rules
# ============================================================================
# System logs
/var/log/auth.log
/var/log/kern.log
/var/log/syslog
/var/log/messages
/var/log/debug
/var/log/user.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Security logs (keep longer for compliance)
/var/log/audit/audit.log
/var/log/security.log
/var/log/access.log
/var/log/change.log
/var/log/admin.log
{
rotate 365
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload auditd > /dev/null 2>&1 || true
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Sudo logs
/var/log/sudo.log
{
rotate 365
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Firewall and network logs
/var/log/firewall.log
/var/log/wireguard.log
/var/log/network.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Cron logs
/var/log/cron.log
{
rotate 60
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Boot logs
/var/log/boot.log
{
rotate 30
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Package manager logs
/var/log/dpkg.log
/var/log/apt/
{
rotate 90
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# System startup/shutdown logs
/var/log/wtmp
{
rotate 30
monthly
compress
missingok
notifempty
create 0644 root utmp
}
# Failed login attempts
/var/log/btmp
{
rotate 90
monthly
compress
missingok
notifempty
create 0640 root utmp
}
# Last login logs
/var/log/lastlog
{
rotate 30
monthly
compress
missingok
notifempty
create 0640 root utmp
}
Reference in New Issue View Git Blame Copy Permalink