From 4b5f4fb7dbcf4a96ae32fa3b6fd857841e4ee538 Mon Sep 17 00:00:00 2001
From: Starchy
Date: Wed, 15 Aug 2018 21:19:42 -0700
Subject: [PATCH] Sets 30 day retention period for apache logs
---
.../roles/app/files/apache2-logrotate.conf | 10 ++++++++++
.../roles/app/tasks/install_and_harden_apache.yml | 9 +++++++++
2 files changed, 19 insertions(+)
create mode 100644 install_files/ansible-base/roles/app/files/apache2-logrotate.conf
diff --git a/install_files/ansible-base/roles/app/files/apache2-logrotate.conf b/install_files/ansible-base/roles/app/files/apache2-logrotate.conf
new file mode 100644
index 0000000000..b336f16a5b
--- /dev/null
+++ b/install_files/ansible-base/roles/app/files/apache2-logrotate.conf
@@ -0,0 +1,10 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 30
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /usr/bin/killall -HUP apache2
+ endscript
+}
diff --git a/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml b/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
index dcbe711c82..db55e3a445 100644
--- a/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
+++ b/install_files/ansible-base/roles/app/tasks/install_and_harden_apache.yml
@@ -116,3 +116,12 @@
 - restart apache2
 tags:
 - apache
+
+- name: Retain no more than one month of apache logs
+ copy:
+ src: apache2-logrotate.conf
+ dest: /etc/logrotate.d/apache2
+ owner: root
+ mode: "0644"
+ tags:
+ - apache
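Review bot: `rotate 30` under `daily` caps the number of rotated files, not their age, so the 30-day limit named in the subject holds only while logrotate really runs once a day; after missed runs the oldest file is older than 30 days. Adding `maxage 30` next to `rotate 30` makes the bound age-based as well. In the `postrotate` script, `/usr/bin/killall -HUP apache2` makes Apache restart immediately, cutting off requests in progress, and it relies on `killall` being installed on the host. A graceful reload through the distribution's own control script (for example `apachectl graceful`, path to be confirmed for the target hosts) reopens the logs without dropping connections.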
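Review bot: Installing this file does not bring an already-deployed host under the one-month limit, and the new task has no step for that. As far as I know logrotate deletes only the file that falls off the end of the new count, so rotated logs left by the previous `/etc/logrotate.d/apache2` (higher-numbered files, or `.gz` names if the old config used `compress`) would stay on disk indefinitely. A pair of follow-up tasks that finds and removes rotated files older than 30 days, as sketched below, would close that gap and also enforce the limit by age on every playbook run. The `copy` task sets `owner: root` but no group; adding `group: root` keeps the file's ownership fully specified. The three context lines above the addition belong to a task that starts outside the hunk.

```yaml
# … unchanged: "Retain no more than one month of apache logs" copy task …

- name: Find rotated apache logs older than the retention period
  find:
    paths: /var/log/apache2
    patterns: "*.log.*"
    age: 30d
  register: stale_apache_logs
  tags:
    - apache

- name: Delete rotated apache logs older than the retention period
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ stale_apache_logs.files }}"
  tags:
    - apache
```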