Enable logrotate Timer

An XCCDF Rule

Description

The logrotate timer can be enabled with the following command:

$ sudo systemctl enable logrotate.timer

warning alert: Warning

The Systemd unit logrotate.timer does not exist in Red Hat Enterprise Linux 7. The rule ensure_logrotate_activated is suggested instead.

Rationale

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

ID: xccdf_org.ssgproject.content_rule_timer_logrotate_enabled
Severity: Medium
References: BP28(R71) NT12(R18)

1 14 15 16 3 5 6

APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01

CCI-000366

4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1

CM-6(a)

PR.PT-1

Req-10.7

10.5.1

5.1.3
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.7  - PCI-DSSv4-10.5.1
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - timer_logrotate_enabled

- name: Enable timer logrotate
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable timer logrotate
    systemd:
      name: logrotate.timer
      enabled: 'yes'
      state: started
    when:
    - '"logrotate" in ansible_facts.packages'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( ansible_distribution == 'RedHat' and ansible_distribution_version is version('9',
    '>=') and "logrotate" in ansible_facts.packages )
  tags:
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.7
  - PCI-DSSv4-10.5.1
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - timer_logrotate_enabled

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'logrotate.timer'
"$SYSTEMCTL_EXEC" enable 'logrotate.timer'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable logrotate Timer

Description

Rationale

Remediation - Ansible

Remediation - Shell Script