Detections
Analytics

6.2.1.1.6 Ensure journald Compress is configured

Information

The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.

Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts.

Solution

Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf :

Compress=yes

Example:

#!/usr/bin/env bash

{
 [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
 if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
 printf '%s\n' "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
 else
 printf '%s\n' "[Journal]" "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
 fi
}

Note: Drop-in configuration files have higher precedence and override the main configuration file. Files in the *.conf.d/ configuration subdirectories are sorted by their filename in lexicographic order, regardless of in which of the subdirectories they reside. When multiple files specify the same option, for options which accept just a single value, the entry in the file sorted last takes precedence, and for options which accept a list of values, entries are collected as they occur in the sorted files.

Run to following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald

See Also

https://workbench.cisecurity.org/benchmarks/23600

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-4, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3, CSCv7|6.4

Plugin: Unix

Control ID: b045dd7eb690d758c767230cb8e10bcf71a182cba02d36c3cc2a7ce269674bd4