florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role
MIT License

4.3 logrotate config may cause worse retention #54

Closed dgm closed 4 years ago

dgm commented 4 years ago

I'm not sure what the remediation rule is trying to accomplish. It blindly changes all periods to the same configuration option, but not the number of rotations to keep. Thus a 4 week retention may get changed to a 4 day retention.

Granted, the implementation of this rule is fairly arbitrary in the spec.
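To make the retention effect concrete, here is an added example (not code from the role or from either commenter) that parses a small logrotate-style config, estimates retention per stanza as `period × rotate` (inheriting global directives), and reports which paths lose retention when every period is rewritten to `daily` while `rotate` is left alone. The sample configs are constructed; the `/var/log/example.log` and `/var/log/other.log` paths are placeholders, and the day counts for `monthly` and `yearly` are rough approximations. The check ignores `size`, `maxsize` and `maxage` triggers, so it is a pre-change sanity check, not a full logrotate model.

```python
# Constructed sample: a global block plus two per-file stanzas, in the
# layout used by /etc/logrotate.conf and /etc/logrotate.d/* (assumed, not
# taken from the role). The second stanza inherits the global period/rotate.
SAMPLE_BEFORE = """\
weekly
rotate 4

/var/log/example.log {
    monthly
    rotate 12
    compress
}

/var/log/other.log {
    compress
}
"""

# Same config after a naive remediation that rewrites every period directive
# to 'daily' but leaves each 'rotate N' untouched, which is the concern above.
SAMPLE_AFTER = """\
daily
rotate 4

/var/log/example.log {
    daily
    rotate 12
    compress
}

/var/log/other.log {
    compress
}
"""

# Approximate length of one rotation interval in days (assumed values).
PERIOD_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}


def parse_logrotate(text):
    """Return (global_settings, {paths: settings}) for period and rotate directives.

    Only the directives relevant to retention are tracked; everything else
    (compress, missingok, postrotate scripts, ...) is ignored.
    """
    global_settings = {}
    stanzas = {}
    current = None  # settings dict of the open '{ ... }' stanza, or None at top level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            # one stanza may list several paths before the brace
            paths = " ".join(line[:-1].split())
            current = {}
            stanzas[paths] = current
            continue
        if line == "}":
            current = None
            continue
        target = global_settings if current is None else current
        parts = line.split()
        if parts[0] in PERIOD_DAYS:
            target["period"] = parts[0]
        elif parts[0] == "rotate" and len(parts) == 2 and parts[1].isdigit():
            target["rotate"] = int(parts[1])
    return global_settings, stanzas


def retention_days(text):
    """Approximate retention per stanza as period * rotate, inheriting globals."""
    global_settings, stanzas = parse_logrotate(text)
    result = {}
    for paths, settings in stanzas.items():
        period = settings.get("period", global_settings.get("period"))
        rotate = settings.get("rotate", global_settings.get("rotate"))
        if period is None or rotate is None:
            continue  # cannot estimate without both directives
        result[paths] = PERIOD_DAYS[period] * rotate
    return result


def retention_regressions(before, after):
    """Map each path whose estimated retention shrank to (before_days, after_days)."""
    old = retention_days(before)
    new = retention_days(after)
    return {p: (old[p], new[p]) for p in old if p in new and new[p] < old[p]}


if __name__ == "__main__":
    for path, (old_days, new_days) in retention_regressions(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{path}: retention drops from ~{old_days:g} to ~{new_days:g} days")
```

Run against a real `/etc/logrotate.conf` before and after applying the role, a non-empty result from `retention_regressions` is the signal that `rotate` needs to be scaled along with the period (for example `weekly`/`rotate 4` becoming `daily`/`rotate 28`) to keep the site's retention policy intact.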

florianutz commented 4 years ago

Quotation of CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0

Rationale: By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

Remediation: Edit /etc/logrotate.conf and /etc/logrotate.d/* to ensure logs are rotated according to site policy.

In other words, you should follow your company's logging guidelines. In a professional environment, a protocol aggregation system such as ELK or Splunk is normally used and the retention period is determined within this system. If you have a recommendation on how to extend this rule, feel free to send a pull request. You are also able to disable this rule for your environment by setting ubuntu1804cis_rule_4_3 to false.