V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4445_hardening_logrotate.sh

@@ -36,27 +36,49 @@ hardening_logrotate() {
   cat << EOF >>   "${var_target}/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 
-# rotate log files daily
+# Rotate log files daily
 daily
 
-# keep 384 daily worth of backlogs
+# Keep 384 daily worth of backlogs.
 rotate 384
 
-# hard cap: delete rotated logs older than 384 days
+# Hard cap: delete rotated logs older than 384 days.
 maxage 384
 
-# create new (empty) log files after rotating old ones
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
 create
 
-# use date as a suffix of the rotated file
+# Use date as a suffix of the rotated file.
 dateext
 
-# gzip older rotations
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
 compress
 
-# keep the most recent rotation uncompressed for one cycle
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 
+# Delete log files using shred -u instead of unlink().
+shred
+
 # packages drop log rotation information into this directory
 include /etc/logrotate.d