6.4 Ensure Log Storage and Rotation Is Configured Correctly - '/etc/logrotate.conf rotate log files = weekly'

Information

It is important that there is adequate disk space on the partition to hold all the log files, and that log rotation is configured to retain at least three months or 13 weeks of logs if central logging is not used for storage.

Rationale:

The generation of logs is under a potential attacker's control, so do not hold any Apache log files on the root partition of the OS. This could result in a denial of service against your web server host by filling up the root partition and causing the system to crash. For this reason, it is recommended that the log files be stored on a dedicated partition. Likewise, consider that attackers sometimes put content into your logs which is intended to attack your log collection or log analysis software, so it is important that those tools are not vulnerable. Investigation of incidents often requires access to several months or more of logs, which is why it is important to keep at least three months' worth available. Two common log rotation utilities are 'rotatelogs(8)', which is bundled with Apache, and 'logrotate(8)', commonly bundled with Linux distributions.

Solution

To implement the recommended state, do either option a) if using the Linux 'logrotate' utility or option b) if using a piped logging utility such as the Apache 'rotatelogs':

a) File Logging with Logrotate:
1. Add or modify the web log rotation configuration to match your configured log files in '/etc/logrotate.d/httpd' to be similar to the following.

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    # signal httpd to reopen its log files after rotation
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

2. Modify the rotation period and number of logs to keep so that at least 13 weeks or three months of logs are retained. This may be done as the default value for all logs in '/etc/logrotate.conf' or in the web specific log rotation configuration in '/etc/logrotate.d/httpd' to be similar to the following.

# rotate log files weekly
weekly

# keep 1 year of logs
rotate 52

3. For each virtual host configured with its own log files, ensure those log files are also included in a similar log rotation.
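The following shell helper is an added example and not part of the CIS benchmark or its audit: it reads a logrotate configuration file, derives the retention in weeks from the rotation interval and the 'rotate N' count, and checks it against the 13-week minimum. It simplifies logrotate's scoping by letting the last interval or rotate directive in the file win, which matches the common case of a block overriding globals set above it; the sample configurations are constructed.

```shell
#!/bin/sh
# Added audit helper (not CIS code): estimate how many weeks of logs a
# logrotate configuration retains, then compare against the 13-week minimum.
# Simplification: the last interval/rotate directive seen in the file wins.

# retention_weeks FILE -> prints retained weeks (rounded down)
retention_weeks() {
    period="" count=""
    while read -r key val rest; do
        case "$key" in
            daily|weekly|monthly|yearly) period="$key" ;;
            rotate) count="$val" ;;
        esac
    done < "$1"
    [ -n "$period" ] && [ -n "$count" ] || { echo 0; return 1; }
    case "$period" in
        daily)   echo $((count / 7)) ;;
        weekly)  echo "$count" ;;
        monthly) echo $((count * 4)) ;;   # 4 weeks per month, conservative
        yearly)  echo $((count * 52)) ;;
    esac
}

# retention_ok FILE -> exit 0 when at least 13 weeks are retained
retention_ok() {
    weeks=$(retention_weeks "$1") || return 1
    [ "$weeks" -ge 13 ]
}

# Constructed sample configurations for demonstration
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# rotate log files weekly
weekly
/var/log/httpd/*log {
    missingok
    rotate 52
}
EOF
printf 'weekly\nrotate 4\n' > "$BAD_CONF"

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if retention_ok "$f"; then
        echo "PASS: $(retention_weeks "$f") weeks retained"
    else
        echo "FAIL: only $(retention_weeks "$f") weeks retained (need 13)"
    fi
done
rm -f "$GOOD_CONF" "$BAD_CONF"
```

Run it against '/etc/logrotate.conf' and '/etc/logrotate.d/httpd' separately, remembering that a 'rotate' or interval directive inside the httpd block overrides the global default.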

b) Piped Logging:
1. Configure the log filenames and the rotation interval, using a suitable interval such as daily.

CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined

2. Ensure the log file naming and any rotation scripts provide for retaining at least three months or 13 weeks of log files.
3. For each virtual host configured with its own log files, ensure those log files are included in a similar log rotation.

See Also

https://workbench.cisecurity.org/files/2020

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-11, CSCv6|6.3

Plugin: Unix

Control ID: c1fc31c75bcb0ce66e01923029aa14a9b05076d2e6267c3b48ce0e7286db3230