Detections
Analytics

6.1.1.6 Ensure journald log file rotation is configured

Information

Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf or a drop in configuration file in `/etc/systemd/journald.conf.d is used to specify how logs generated by Journald should be rotated.

By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

Solution

- Edit /etc/systemd/journald.conf or a file ending in .conf the /etc/systemd/journald.conf.d/ directory. Set the following parameters in the [Journal] section to ensure logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritization of parameters.

Example Configuration:

[Journal]
SystemMaxUse=1G
SystemKeepFree=500M
RuntimeMaxUse=200M
RuntimeKeepFree=50M
MaxFileSec=1month
 -

- IF - The same option was returned in more than one file, edit the file or files returned by the audit script as needed to ensure only one file contains the option in the [Journal] block.

 -

Run to following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 05212ccc36d04d66025106dc131b4ff904d0289154289dbbe923a0e54ad8e6fa