Information
Data from systemd-journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald logs, however, use of the rsyslog service provides a consistent means of log collection and export.
Note: As mentioned in the systemd-journald man pages, systemd-journald logs may be exported to rsyslog either through the process mentioned here, or through a facility like systemd-journald.service. There are trade-offs involved in each implementation, where ForwardToSyslog will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service, on the other hand, will record bootup events, but may delay sending the information to rsyslog, leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system.
rsyslog is the recommended method for capturing logs. All system logs should be sent to it for further processing.
Solution
Note: Drop-in configuration files have higher precedence and override the main configuration file. Files in the *.conf.d/ configuration subdirectories are sorted by their filename in lexicographic order, regardless of in which of the subdirectories they reside. When multiple files specify the same option, for options which accept just a single value, the entry in the file sorted last takes precedence, and for options which accept a list of values, entries are collected as they occur in the sorted files.
- Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf:
ForwardToSyslog=yes
Example:
#!/usr/bin/env bash
{
# Create the drop-in directory if it does not exist yet
[ ! -d /etc/systemd/journald.conf.d/ ] && mkdir -p /etc/systemd/journald.conf.d/
# If the drop-in already has a [Journal] section, append the option to it;
# otherwise create the section together with the option
if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
printf '%s\n' "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
else
printf '%s\n' "" "[Journal]" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
fi
}
- If the ForwardToSyslog option was returned by the audit procedure in more than one file, edit the file or files returned by the audit script as needed so that only one file contains the option in the [Journal] block.
Run the following command to update the parameters in the service:
# systemctl reload-or-restart systemd-journald
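The precedence note above and the "more than one file" step can be checked mechanically. The following script is an added example, not part of the benchmark or its audit script: it resolves the effective ForwardToSyslog value in the documented order (main file first, then drop-ins sorted by filename, last entry wins, only inside a [Journal] section) and counts how many files set it. It assumes only the main file and a single drop-in directory are examined; the /run and /usr/lib drop-in directories journald also reads are ignored.

```shell
#!/usr/bin/env bash
# Added example (not from the benchmark): resolve the effective ForwardToSyslog
# value per the precedence rules and list every file that sets it.
# Assumption: only the main file and one drop-in directory are examined.
export LC_ALL=C   # make shell glob sorting plain byte order ("lexicographic")

# Print "file:value" for every ForwardToSyslog= line inside a [Journal]
# section of the given file. Lines in other sections are ignored.
journal_settings_in() {
  awk '
    /^[[:space:]]*\[/ { in_journal = ($0 ~ /^[[:space:]]*\[Journal\][[:space:]]*$/); next }
    in_journal && /^[[:space:]]*ForwardToSyslog[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
      print FILENAME ":" $0
    }' "$1"
}

# Walk the files in precedence order (main file, then drop-ins sorted by
# name) and print one "file:value" line per hit, in that order.
forward_to_syslog_hits() {
  local main="$1" dropin_dir="$2" f
  for f in "$main" "$dropin_dir"/*.conf; do
    if [ -f "$f" ]; then journal_settings_in "$f"; fi
  done
}

# The entry encountered last wins, both across files and within one file.
effective_forward_to_syslog() {
  forward_to_syslog_hits "$1" "$2" | tail -n 1 | cut -d: -f2-
}

# Number of distinct files that set the option; more than one is the
# condition the remediation step above asks you to clean up.
files_setting_forward_to_syslog() {
  forward_to_syslog_hits "$1" "$2" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}
```

On a live system call the functions with /etc/systemd/journald.conf and /etc/systemd/journald.conf.d as the two arguments.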