The journald system may store log files in volatile memory or locally on disk.
If the logs are only stored in volatile memory they will we lost upon reboot.
Rationale
Log files contain valuable data and need to be persistent to aid in possible investigations.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
function remove_journald_Storage_configuration {
local COMPONENT_PARAM_CONFIG
mapfile -t COMPONENT_PARAM_CONFIG < <(ls /etc/systemd/journald.conf.d/*.conf)
COMPONENT_PARAM_CONFIG+=("/etc/systemd/journald.conf")
for f in "${COMPONENT_PARAM_CONFIG[@]}"
do
sed -i "/^\s*Storage\s*=\s*/d" "$f"
# make sure file has newline at the end
sed -i -e '$a\' "$f"
done
sed -i -e '$a\' "/etc/systemd/journald.conf"
}
function journald_Storage_add_configuration {
local COMPONENT_PARAM_REMEDY_CFG
mkdir -p "/etc/systemd/journald.conf.d"
COMPONENT_PARAM_REMEDY_CFG="/etc/systemd/journald.conf.d/oscap-remedy.conf"
if [ ! -f "${COMPONENT_PARAM_REMEDY_CFG}" ] ; then
touch "${COMPONENT_PARAM_REMEDY_CFG}"
fi
cp "${COMPONENT_PARAM_REMEDY_CFG}" "${COMPONENT_PARAM_REMEDY_CFG}.bak"
# Insert before the line matching the regex '^#\s*Compress'.
line_number="$(LC_ALL=C grep -n "^#\s*Storage" "${COMPONENT_PARAM_REMEDY_CFG}.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^#\s*Storage', insert at
# the end of the file.
printf '%s\n' "Storage=persistent" >> "${COMPONENT_PARAM_REMEDY_CFG}"
else
head -n "$(( line_number - 1 ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" > "${COMPONENT_PARAM_REMEDY_CFG}"
printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf"
tail -n "+$(( line_number ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" >> "${COMPONENT_PARAM_REMEDY_CFG}"
fi
# Clean up after ourselves.
rm "${COMPONENT_PARAM_REMEDY_CFG}.bak"
}
remove_journald_Storage_configuration
journald_Storage_add_configuration
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi