Disable systemd-journal-remote Socket

An XCCDF Rule

Description

Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote , is used for both sending logs to remote hosts and receiving incoming logs. With regards to receiving logs, there are two Systemd unit files; systemd-journal-remote.socket and systemd-journal-remote.service.

Rationale

If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary.

ID: xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled
Severity: Medium
References: CCE-87605-2

5.1.2.1.4
Updated: over 1 year ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87605-2
  - disable_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - socket_systemd-journal-remote_disabled
- name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present
    in the System
  ansible.builtin.command:
    cmd: systemctl -q list-unit-files --type socket
  register: result_systemd_unit_files
  changed_when: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-87605-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - socket_systemd-journal-remote_disabled

- name: Disable systemd-journal-remote Socket - Ensure systemd-journal-remote.socket
    is Masked
  ansible.builtin.systemd:
    name: systemd-journal-remote.socket
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket")
  tags:
  - CCE-87605-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - socket_systemd-journal-remote_disabled

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SOCKET_NAME="systemd-journal-remote.socket"
SYSTEMCTL_EXEC='/usr/bin/systemctl'

if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
    "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable systemd-journal-remote Socket

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script