Ensure journald is configured to send logs to rsyslog

An XCCDF Rule

Description

Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.

Rationale

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

ID: xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
Severity: Medium
References: CCE-85995-9

5.1.1.3
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function remove_journald_ForwardToSyslog_configuration {
    local COMPONENT_PARAM_CONFIG
    mapfile -t COMPONENT_PARAM_CONFIG < <(ls /etc/systemd/journald.conf.d/*.conf)    COMPONENT_PARAM_CONFIG+=("/etc/systemd/journald.conf")

    for f in "${COMPONENT_PARAM_CONFIG[@]}"
    do
        sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "$f"
        # make sure file has newline at the end
        sed -i -e '$a\' "$f"
    done
    sed -i -e '$a\' "/etc/systemd/journald.conf"
}

function journald_ForwardToSyslog_add_configuration {
    local COMPONENT_PARAM_REMEDY_CFG
    mkdir -p "/etc/systemd/journald.conf.d"
    COMPONENT_PARAM_REMEDY_CFG="/etc/systemd/journald.conf.d/oscap-remedy.conf"

    if [ ! -f "${COMPONENT_PARAM_REMEDY_CFG}" ] ; then
        touch "${COMPONENT_PARAM_REMEDY_CFG}"
    fi
    cp "${COMPONENT_PARAM_REMEDY_CFG}" "${COMPONENT_PARAM_REMEDY_CFG}.bak"
    # Insert before the line matching the regex '^#\s*Compress'.
    line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "${COMPONENT_PARAM_REMEDY_CFG}.bak" | LC_ALL=C sed 's/:.*//g')"
    if [ -z "$line_number" ]; then
       # There was no match of '^#\s*ForwardToSyslog', insert at
       # the end of the file.
       printf '%s\n' "ForwardToSyslog=yes" >> "${COMPONENT_PARAM_REMEDY_CFG}"
    else
        head -n "$(( line_number - 1 ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" > "${COMPONENT_PARAM_REMEDY_CFG}"
        printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf"
        tail -n "+$(( line_number ))" "${COMPONENT_PARAM_REMEDY_CFG}.bak" >> "${COMPONENT_PARAM_REMEDY_CFG}"
    fi
    # Clean up after ourselves.
    rm "${COMPONENT_PARAM_REMEDY_CFG}.bak"
}

remove_journald_ForwardToSyslog_configuration
journald_ForwardToSyslog_add_configuration

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Check for duplicate ForwardToSyslog values in master journald configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: false
    regexp: ^\s*ForwardToSyslog=
    state: absent  check_mode: true
  changed_when: false
  register: dupes_master
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Deduplicate ForwardToSyslog values from journald master configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: false
    regexp: ^\s*ForwardToSyslog=
    state: absent
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dupes_master.found is defined and dupes_master.found > 1
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Collect all config journald files which configure ForwardToSyslog
  ansible.builtin.find:
    paths: /etc/systemd/journald.conf.d
    contains: ^[\s]*ForwardToSyslog=.*$
    patterns: '*.conf'
  register: journald_ForwardToSyslog_dropin_config_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Deduplicate values from journald ForwardToSyslog dropin configuration
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    create: false
    regexp: ^\s*ForwardToSyslog=
    state: absent
  loop: '{{  journald_ForwardToSyslog_dropin_config_files.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Insert correct line to journald ForwardToSyslog configuration
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf.d/oscap-remedy.conf
    create: true
    regexp: ^\s*ForwardToSyslog=
    line: ForwardToSyslog=yes
    state: present
    insertbefore: ^# ForwardToSyslog
    validate: bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Ensure journald is configured to send logs to rsyslog

Description

Rationale

Remediation - Shell Script

Remediation - Ansible