CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >

28.9. Configure the /etc/logrotate.d/squid file

Configure your /etc/logrotate.d/squid file to rotate your log files automatically each week. Create the squid file, touch /etc/logrotate.d/squid and add:


               /var/log/squid/access.log {
               weekly
               rotate 5
               copytruncate
               compress
               notifempty
               missingok
               }
               /var/log/squid/cache.log {
               weekly
               rotate 5
               copytruncate
               compress
               notifempty
               missingok
               }

               /var/log/squid/store.log {
               weekly
               rotate 5
               copytruncate
               compress
               notifempty
               missingok
               # This script asks squid to rotate its logs on its own.
               # Restarting squid is a long process and it is not worth
               # doing it just to rotate logs
               postrotate
               /usr/sbin/squid -k rotate
               endscript
               }
             

28.9.1. Securing and Immunize Squid

By having more control on mounting the cache directory of Squid, if you have created the cache directory of Squid in a separate partition of your Linux system i.e. /cache, like we have done during the install setup, then you can use the noexec, nodev, and nosuid features to improve and consolidate the cache security. These features can be set up in the /etc/fstab file to tell the system to not allow execution of any binaries; noexec to not interpret character or block special devices; nodev and to not allow set-user-identifier or set-group-identifier bits to take effect, nosuid on the mounted file system /cache in our example. Applying this procedure on the partition where the Squid Cache resides will help to eliminate the possibility of DEV, SUID/SGID, and execution of any binaries.

As an example, assuming /dev/sda8 is the partition in the system where the /cache directory of Squid lives, you must edit the fstab file, vi /etc/fstab and change the line related to /dev/sda8:

                   /dev/sda8			/cache		ext2		defaults        1 2
                 
To read:

                   /dev/sda8			/cache 		ext2		noexec,nodev,nosuid 1 2
                 
Dont you forget to reboot your system for the changes to take effect.

You should immunize important configuration file like squid.conf. As we already know, the immutable bit can be used to prevent deletion, overwriting, or creation of a symbolic link to a file. Once your squid.conf file has been configured, it's a good idea to immunize it with the following command:

                 [root@deep /]# chattr +i /etc/squid/squid.conf