Package: logrotate
Version: 3.14.0-4
Severity: normal

Short backstory: A server I've access to might have been hacked.  Due to
logrotate not being tweaked when the system was provisioned to keep more
than the default 4 weeks' worth of logs, it's hard to do a complete
forensics job.

Sure, this should have been done by the admin/s post-install, there's no
escaping that.  But logrotate with defaults set to retain more than 4 weeks
of log files all over /var/log might've helped discover how a system user
(with a uid < 1000) was added to this potentially hacked system in a
window between 20 and 28 weeks ago.

On the system in question, excluding the systemd journal which contains
~700mb of noisy firewall logs, this is the size of both compressed and
uncompressed files:

  root@rescue /mnt/var/log # find . -type f |sed 's,^./,,g' \
  > |grep -v ^journal/ |xargs du -shc |grep total
  105M    total

Note: this figure also includes a decent amount of apache2 logs with the
usual 404s, 405s etc. that most web servers attract these days.

If three months' worth of logs were kept instead of just 4 weeks, I'd
guess due to compression ratios of text, that would come in at around
2-250M, if that.  It's not a lot of disk space in 2019, imnsho.

I'm expecting this bug to be closed, because it's not Debian's job to
set policies on log retention.  But I'm hoping maybe this bug can start
a discussion on whether longer retention periods should be an option,
maybe via a package configuration step or similar, so that the user
is reminded that they shouldn't always just fire and forget without
thinking about the what-ifs.  Hindsight's a wonderful thing...

Best,
Francis

-- Package-specific info:
Contents of /etc/logrotate.d
total 48
-rw-r--r--. 1 root root 120 Feb 24  2019 alternatives
-rw-r--r--. 1 root root 442 Apr  2  2019 apache2
-rw-r--r--. 1 root root 173 Jun  1  2017 apt
-rw-r--r--. 1 root root  79 Apr 18  2017 aptitude
-rw-r--r--. 1 root root 130 Aug 28  2018 btmp
-rw-r--r--. 1 root root  82 May 26  2018 certbot
-rw-r--r--. 1 root root 112 Feb 24  2019 dpkg
-rw-r--r--. 1 root root 802 Jan  8  2019 mysql-server
-rw-r--r--. 1 root root 162 Mar  2  2019 rkhunter
-rw-r--r--. 1 root root 501 Feb 26  2019 rsyslog.disabled
-rw-r--r--. 1 root root 534 Dec 25  2018 syslog-ng
-rw-r--r--. 1 root root 145 Feb 19  2018 wtmp


-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.45 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages logrotate depends on:
ii  cron [cron-daemon]  3.0pl1-134
ii  libacl1             2.2.53-4
ii  libc6               2.28-10
ii  libpopt0            1.16-12
ii  libselinux1         2.8-1+b1
ii  systemd-sysv        241-7~deb10u1

Versions of packages logrotate recommends:
ii  bsd-mailx [mailx]  8.1.2-0.20180807cvs-1

logrotate suggests no packages.

-- no debconf information
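An added example (mine, not the reporter's and not code from the logrotate package): a small shell check that reads the global directives plus per-package snippets and prints how many days of history each stanza keeps, so the shipped "weekly" + "rotate 4" window (about 28 days) can be compared against a minimum like the three months discussed above. It assumes only the standard directives daily/weekly/monthly/yearly, rotate and maxage, and the config files it reads are constructed samples, not files from the reporter's server.

```shell
#!/bin/sh
# Added example, not from the bug report. Estimates how many days of history
# each logrotate stanza keeps (rotate count x rotation period, capped by
# maxage). 0 days = no time-based rotation seen (size-only stanza).

# retention_days CONF... : one "<log paths>\t<days>" line per stanza. Pass the
# file holding the global directives first (/etc/logrotate.conf on Debian),
# then the per-package snippets it includes (/etc/logrotate.d/*).
retention_days() {
    awk '
    function sc() { return in_stanza ? "s" : "g" }      # current scope
    function days(s,  d) {
        d = rot[s] * per[s]
        if (age[s] > 0 && age[s] < d) d = age[s]          # maxage caps it
        return d
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 == "") next }
    in_script { if ($1 == "endscript") in_script = 0; next }   # skip script bodies
    $1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/ { in_script = 1; next }
    /\{$/ { sub(/[ \t]*\{$/, ""); name = $0; in_stanza = 1   # stanza inherits globals
            per["s"] = per["g"]; rot["s"] = rot["g"]; age["s"] = age["g"]; next }
    $1 == "}" { printf "%s\t%d\n", name, days("s"); in_stanza = 0; next }
    $1 == "daily"   { per[sc()] = 1;   next }
    $1 == "weekly"  { per[sc()] = 7;   next }
    $1 == "monthly" { per[sc()] = 30;  next }
    $1 == "yearly"  { per[sc()] = 365; next }
    $1 == "rotate"  { rot[sc()] = $2 + 0; next }
    $1 == "maxage"  { age[sc()] = $2 + 0; next }
    ' "$@"
}

# short_retention MIN_DAYS CONF... : only the stanzas that keep less than MIN_DAYS
short_retention() {
    min=$1; shift
    retention_days "$@" | awk -F '\t' -v min="$min" '$2 + 0 < min + 0'
}

# Constructed sample standing in for /etc/logrotate.conf and three snippets
# (shaped like Debian's defaults, not copied from the reporter's system).
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf 'weekly\nrotate 4\ncompress\n' > "$demo_dir/logrotate.conf"
printf '/var/log/syslog {\n\trotate 13\n\tmissingok\n}\n' > "$demo_dir/syslog"
printf '/var/log/apache2/*.log {\n\tdaily\n\trotate 14\n\tpostrotate\n\t\tinvoke-rc.d apache2 reload > /dev/null 2>&1\n\tendscript\n}\n' > "$demo_dir/apache2"
printf '/var/log/wtmp {\n\tmonthly\n\trotate 1\n\tmaxage 90\n}\n' > "$demo_dir/wtmp"

short_retention 90 "$demo_dir/logrotate.conf" "$demo_dir"/syslog "$demo_dir"/apache2 "$demo_dir"/wtmp
```

Run against the real files with `short_retention 90 /etc/logrotate.conf /etc/logrotate.d/*` to list every stanza that would not cover a three-month window.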
