logrotate(8) is a userland utility that relocates or outright deletes old log files in order to make space for newer logs. Regular maintenance of a system's log files prevents failures caused by negligence or by deliberately malicious activity, such as exhausting free disk space through uncontrolled log growth. Automated log rotation can also be thought of as a security hardening measure that ensures no unnecessary user data is retained on a system after it has served its purpose. Shorter data retention policies, implemented in part by aggressively shredding logs, help maintain operational security and user privacy in a variety of environments.
The default configuration (/etc/logrotate.conf) typically only handles rotation of the /var/log/btmp and /var/log/wtmp files. Many other system services ship with their own logrotate configuration files (see § Service configurations).
Hardening
Disable current login reporting
# This logrotate(5) configuration helps persist permission changes to
# the /var/run/utmp file, which stores knowledge of current successful
# logins to the system. By removing and re-creating this file with
# its permission bits set to `660`, owned by `root` and associated
# with the `utmp` group, we ensure no unprivileged users can query
# the system for logged in users via the `who(1)` command or similar.
#
# File: /etc/logrotate.d/utmp
/var/run/utmp {
    # Consider the file every hour. This only takes effect if logrotate
    # itself is invoked hourly (see "Run logrotate hourly instead of daily").
    hourly
    # Keep no old copies: the rotated file is removed rather than archived.
    rotate 0
    # Rotate as soon as the file holds any data (grows beyond 1 byte).
    size 1
    # Overwrite the file's contents (shred -u) instead of a plain unlink().
    shred
    # Do not report an error if the file does not exist.
    missingok
    # Re-create the file with mode 660, owner root, group utmp.
    create 660 root utmp
}
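To show what the stanza above withholds from unprivileged users, here is an added Python example (not part of the original page) that decodes utmp records the way who(1) does and checks a mode value for world-readability. It assumes glibc's x86_64 record layout and uses constructed sample sessions rather than a real /var/run/utmp.

```python
import struct

# Layout of glibc's `struct utmp` on x86_64 (384 bytes per record). This layout is an
# assumption about the platform; other libcs and architectures pack the fields differently.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7   # ut_type: a live user session, the kind who(1) lists
DEAD_PROCESS = 8   # ut_type: a session that has already ended


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return field.split(b"\0", 1)[0].decode(errors="replace")


def parse_utmp(data: bytes) -> list[dict]:
    """Return the fields who(1) would report for every live session in raw utmp bytes."""
    sessions = []
    for offset in range(0, len(data) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        fields = UTMP_STRUCT.unpack_from(data, offset)
        ut_type, pid, line, _ut_id, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec, the login time
        if ut_type != USER_PROCESS:
            continue  # boot records, getty slots and dead sessions are not current logins
        sessions.append({"user": _cstr(user), "line": _cstr(line),
                         "host": _cstr(host), "pid": pid, "login_time": tv_sec})
    return sessions


def world_readable(mode: int) -> bool:
    """True if the permission bits let any local user read the file; `create 660` clears this."""
    return bool(mode & 0o004)


def make_record(ut_type: int, user: str, line: str, host: str, pid: int, tv_sec: int) -> bytes:
    """Build one record (constructed sample data, not captured from a real host)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), line[-4:].encode(), user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: two live sessions and one that has already logged out.
SAMPLE_UTMP = (
    make_record(USER_PROCESS, "alice", "pts/0", "203.0.113.7", 4242, 1700000000)
    + make_record(USER_PROCESS, "bob", "tty1", "", 1337, 1700000100)
    + make_record(DEAD_PROCESS, "carol", "pts/1", "198.51.100.5", 2718, 1699990000)
)

if __name__ == "__main__":
    for s in parse_utmp(SAMPLE_UTMP):
        print(f"{s['user']:<8} {s['line']:<8} pid={s['pid']:<6} from {s['host'] or 'local console'}")
```

Every field printed here (account name, terminal, remote address, login time) is available to anyone who can read the file, which is why the stanza re-creates it without the world-readable bit.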
Run logrotate hourly instead of daily
Most systems default to invoking logrotate daily; however, logrotate can decide that a log file needs rotation at a granularity of one hour rather than one day. If your available resources permit, consider invoking logrotate at this more frequent interval.
TK-TODO
Service configurations
Each service whose log file(s) you wish to automatically rotate should have a configuration file written to the system's /etc/logrotate.d directory.
List of services
The following list links each service directly to its associated configuration.