mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-08 13:03:32 +02:00
db02a8f8aa
- Add no_log directives to all cloud provider credential handling - Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off) - Implement privacy role with log rotation, history clearing, and log filtering - Add Privacy Considerations section to README - Make all privacy features configurable and enabled by default This update significantly reduces Algo's logging footprint to enhance user privacy while maintaining the ability to enable logging for debugging when needed.
75 lines
No EOL
2.5 KiB
Django/Jinja
75 lines
No EOL
2.5 KiB
Django/Jinja
#!/bin/bash
|
|
# Privacy auto-cleanup script
|
|
# Automatically cleans up logs and temporary files for enhanced privacy
|
|
# Generated by Algo VPN privacy role
|
|
|
|
set -euo pipefail
|
|
|
|
# Configuration
|
|
LOG_MAX_AGE={{ privacy_auto_cleanup.temp_files_max_age }}
|
|
SCRIPT_LOG="/var/log/privacy-cleanup.log"
|
|
|
|
# Logging function
|
|
log_message() {
|
|
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$SCRIPT_LOG"
|
|
}
|
|
|
|
log_message "Starting privacy cleanup"
|
|
|
|
{% if privacy_auto_cleanup.enabled %}
|
|
# Rotate log files to prevent the cleanup log from growing
|
|
if [ -f "$SCRIPT_LOG" ] && [ $(wc -l < "$SCRIPT_LOG") -gt 1000 ]; then
|
|
tail -n 500 "$SCRIPT_LOG" > "$SCRIPT_LOG.tmp"
|
|
mv "$SCRIPT_LOG.tmp" "$SCRIPT_LOG"
|
|
fi
|
|
|
|
# Clean temporary files
|
|
log_message "Cleaning temporary files older than ${LOG_MAX_AGE} days"
|
|
find /tmp -type f -mtime +${LOG_MAX_AGE} -delete 2>/dev/null || true
|
|
find /var/tmp -type f -mtime +${LOG_MAX_AGE} -delete 2>/dev/null || true
|
|
|
|
# Clean old log files that may have escaped rotation
|
|
log_message "Cleaning old rotated logs"
|
|
find /var/log -name "*.log.*" -type f -mtime +{{ privacy_log_rotation.max_age }} -delete 2>/dev/null || true
|
|
find /var/log -name "*.gz" -type f -mtime +{{ privacy_log_rotation.max_age }} -delete 2>/dev/null || true
|
|
|
|
# Clean systemd journal if it exists
|
|
if [ -d /var/log/journal ]; then
|
|
log_message "Cleaning systemd journal files"
|
|
journalctl --vacuum-time={{ privacy_log_rotation.max_age }}d 2>/dev/null || true
|
|
journalctl --vacuum-size=50M 2>/dev/null || true
|
|
fi
|
|
|
|
{% if privacy_auto_cleanup.clean_package_cache %}
|
|
# Clean package cache
|
|
log_message "Cleaning package cache"
|
|
apt-get clean 2>/dev/null || true
|
|
apt-get autoclean 2>/dev/null || true
|
|
{% endif %}
|
|
|
|
# Clean bash history files
|
|
log_message "Cleaning bash history files"
|
|
for user_home in /home/* /root; do
|
|
if [ -d "$user_home" ]; then
|
|
rm -f "$user_home/.bash_history" 2>/dev/null || true
|
|
rm -f "$user_home/.zsh_history" 2>/dev/null || true
|
|
rm -f "$user_home/.lesshst" 2>/dev/null || true
|
|
rm -f "$user_home/.viminfo" 2>/dev/null || true
|
|
fi
|
|
done
|
|
|
|
# Clean core dumps
|
|
log_message "Cleaning core dumps"
|
|
find /var/crash -type f -name "*.crash" -mtime +1 -delete 2>/dev/null || true
|
|
|
|
# Force log rotation
|
|
log_message "Forcing log rotation"
|
|
/usr/sbin/logrotate -f /etc/logrotate.conf 2>/dev/null || true
|
|
|
|
log_message "Privacy cleanup completed successfully"
|
|
{% else %}
|
|
log_message "Privacy cleanup is disabled"
|
|
{% endif %}
|
|
|
|
# Clean up old privacy cleanup logs
|
|
find /var/log -name "privacy-cleanup.log.*" -type f -mtime +7 -delete 2>/dev/null || true |