Ensure journald is configured to compress large log files

An XCCDF Rule

Description

The journald system can compress large log files to avoid fill the system disk.

Rationale

Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.

ID: xccdf_org.ssgproject.content_rule_journald_compress
Severity: Medium
References: CCE-85930-6

5.1.2.3
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function remove_journald_Compress_configuration {
    local COMPONENT_PARAM_CONFIG
    mapfile -t COMPONENT_PARAM_CONFIG < <(ls /etc/systemd/journald.conf.d/*.conf)    COMPONENT_PARAM_CONFIG+=("/etc/systemd/journald.conf")

    for f in "${COMPONENT_PARAM_CONFIG[@]}"
    do
        sed -i "/^\s*Compress\s*=\s*/d" "$f"
        # make sure file has newline at the end
        sed -i -e '$a\' "$f"
    done
    sed -i -e '$a\' "/etc/systemd/journald.conf"
}

function journald_Compress_add_configuration {
    local COMPONENT_PARAM_REMEDY_CFG
    mkdir -p "/etc/systemd/journald.conf.d"
    COMPONENT_PARAM_REMEDY_CFG="/etc/systemd/journald.conf.d/oscap-remedy.conf"

    if [ ! -f "${COMPONENT_PARAM_REMEDY_CFG}" ] ; then
        touch "${COMPONENT_PARAM_REMEDY_CFG}"
    fi
    cp "${COMPONENT_PARAM_REMEDY_CFG}" "${COMPONENT_PARAM_REMEDY_CFG}.bak"
    # Insert before the line matching the regex '^#\s*Compress'.
    line_number="$(LC_ALL=C grep -n "^#\s*Compress" "${COMPONENT_PARAM_REMEDY_CFG}.bak" | LC_ALL=C sed 's/:.*//g')"
    if [ -z "$line_number" ]; then
       # There was no match of '^#\s*Compress', insert at
       # the end of the file.
       printf '%s\n' "Compress=yes" >> "${COMPONENT_PARAM_REMEDY_CFG}"
    else
        head -n "$(( line_number - 1 ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" > "${COMPONENT_PARAM_REMEDY_CFG}"
        printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf"
        tail -n "+$(( line_number ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" >> "${COMPONENT_PARAM_REMEDY_CFG}"
    fi
    # Clean up after ourselves.
    rm "${COMPONENT_PARAM_REMEDY_CFG}.bak"
}

remove_journald_Compress_configuration
journald_Compress_add_configuration

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Check for duplicate Compress values in master journald configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: false
    regexp: ^\s*Compress=
    state: absent  check_mode: true
  changed_when: false
  register: dupes_master
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Deduplicate Compress values from journald master configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: false
    regexp: ^\s*Compress=
    state: absent
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dupes_master.found is defined and dupes_master.found > 1
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Collect all config journald files which configure Compress
  ansible.builtin.find:
    paths: /etc/systemd/journald.conf.d
    contains: ^[\s]*Compress=.*$
    patterns: '*.conf'
  register: journald_Compress_dropin_config_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Deduplicate values from journald Compress dropin configuration
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    create: false
    regexp: ^\s*Compress=
    state: absent
  loop: '{{  journald_Compress_dropin_config_files.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Insert correct line to journald Compress configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf.d/oscap-remedy.conf
    create: true
    regexp: ^\s*Compress=
    line: Compress=yes
    state: present
    insertbefore: ^# Compress
    validate: bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure journald is configured to compress large log files

Description

Rationale

Remediation - Shell Script

Remediation - Ansible