Auditing the systemd journal files produces a record of who modified or removed
log data, which is needed for forensic analysis and for detecting an attacker
covering their tracks. Verify the system generates audit records for all events
that affect "/var/log/journal" by using the following command:
$ sudo auditctl -l | grep journal
-w /var/log/journal/ -p wa -k systemd_journal
If the command does not return a line matching the example (a "-w" watch on
"/var/log/journal" with both the "w" and "a" permissions), or the rule exists
in the audit rules file but is commented out and therefore not loaded, this is
a finding.
Note: The "-k" key name is arbitrary and can differ from the example output
above; only the watched path and the "w" and "a" permissions are required.
Because "auditctl -l" lists only the rules currently loaded in the kernel, also
confirm the rule is present in the persistent audit rules (for example under
"/etc/audit/rules.d/") so that it survives a reboot.
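The check above compares the output of "auditctl -l" against a reference line by eye. The following shell script is an added example, not part of this STIG text or of any vendor tool: it applies the same criteria to rule text taken from "auditctl -l" or from an audit rules file and handles the cases the check calls out (a commented-out rule, a different "-k" key, a path with or without a trailing slash). The function names and the sample rule sets are constructed for illustration; the persistent rule locations "/etc/audit/rules.d/*.rules" and "/etc/audit/audit.rules" are assumed to be the standard auditd paths.

```shell
#!/bin/sh
# Added example (not part of the STIG text): evaluate audit rule lines
# for the /var/log/journal watch required by this check.
#
# journal_watch_ok takes rule text as its first argument, one rule per
# line, as printed by `auditctl -l` or as stored in an audit rules file.
# It ignores comment lines, accepts the path with or without a trailing
# slash, requires both "w" and "a" in the -p permissions, and ignores the
# -k key, which the check says is arbitrary. Returns 0 if compliant.
journal_watch_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }          # commented-out rule: never loaded
        {
            path = ""; perms = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-w") path  = $(i + 1)
                if ($i == "-p") perms = $(i + 1)
            }
            sub(/\/$/, "", path)           # treat /var/log/journal/ as /var/log/journal
            if (path == "/var/log/journal" && perms ~ /w/ && perms ~ /a/) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Check the rules currently loaded in the kernel (needs root, like the
# STIG command itself).
journal_watch_loaded_ok() {
    journal_watch_ok "$(auditctl -l 2>/dev/null)"
}

# Check the persistent rules that auditd/augenrules load at boot.
# Assumed standard locations: /etc/audit/rules.d/*.rules and /etc/audit/audit.rules.
journal_watch_persistent_ok() {
    journal_watch_ok "$(cat /etc/audit/rules.d/*.rules /etc/audit/audit.rules 2>/dev/null)"
}

# Constructed sample rule sets (not captured from a real system).
RULES_COMPLIANT='-a always,exit -F arch=b64 -S execve -F key=exec
-w /var/log/journal/ -p wa -k systemd_journal'

RULES_OTHER_KEY='-w /var/log/journal -p wa -k logs'   # key differs: still compliant

RULES_COMMENTED='# -w /var/log/journal/ -p wa -k systemd_journal'

RULES_WRONG_PERMS='-w /var/log/journal/ -p r -k systemd_journal'

RULES_MISSING='-w /etc/passwd -p wa -k identity'

# Report each sample; the live checks run only when invoked as root.
for name in RULES_COMPLIANT RULES_OTHER_KEY RULES_COMMENTED RULES_WRONG_PERMS RULES_MISSING; do
    eval "rules=\$$name"
    if journal_watch_ok "$rules"; then
        echo "$name: not a finding"
    else
        echo "$name: finding"
    fi
done

if [ "$(id -u)" = 0 ]; then
    if journal_watch_loaded_ok; then echo "loaded rules: not a finding"; else echo "loaded rules: finding"; fi
    if journal_watch_persistent_ok; then echo "persistent rules: not a finding"; else echo "persistent rules: finding"; fi
fi
```

Run it as root to evaluate both the loaded and the persistent rule sets; a "finding" on the loaded rules with "not a finding" on the persistent rules usually means the rules were edited but never reloaded (or the ruleset is immutable until reboot).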