Disable systemd-journal-remote Socket
An XCCDF Rule
Description
Journald supports receiving messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. With regard to receiving logs, there are two systemd unit files: systemd-journal-remote.socket and systemd-journal-remote.service.
Rationale
If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary.
- ID
- xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled
- Severity
- Medium
Remediation - Ansible
- name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System
  ansible.builtin.command:
    cmd: systemctl -q list-unit-files --type socket
  register: result_systemd_unit_files
  changed_when: false
Remediation - Shell Script
# Remediation is applicable only in certain platforms (not inside containers)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SOCKET_NAME="systemd-journal-remote.socket"
SYSTEMCTL_EXEC='/usr/bin/systemctl'
# Stop the listening socket, then disable and mask it so it can neither be re-enabled nor socket-activated
"$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
"$SYSTEMCTL_EXEC" disable "$SOCKET_NAME"
"$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
fi
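The Ansible remediation first registers the output of `systemctl -q list-unit-files --type socket` and the decision is then made from that listing. The script below is an added example, not part of the XCCDF rule or the SCAP Security Guide: it evaluates the same check offline against a captured listing read from stdin, so an auditor can verify the socket state from evidence collected on a host. The sample listings are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: audit "Disable systemd-journal-remote Socket" from the
# output of `systemctl -q list-unit-files --type socket` read on stdin.

SOCKET_NAME="systemd-journal-remote.socket"

# Print the STATE column for the unit named in $1 from a list-unit-files
# listing on stdin; print "absent" when no such unit file is installed.
unit_state() {
    awk -v unit="$1" '$1 == unit { print $2; found = 1; exit }
                      END { if (!found) print "absent" }'
}

# Evaluate the rule for SOCKET_NAME. Prints "pass: <state>" when the socket
# cannot be activated (unit file absent, disabled, or masked) and
# "fail: <state>" otherwise. "enabled" means it listens at boot; "static"
# still allows another unit to pull it in, so it is reported as a failure.
check_listing() {
    state=$(unit_state "$SOCKET_NAME")
    case "$state" in
        absent|disabled|masked|masked-runtime) echo "pass: $state" ;;
        *) echo "fail: $state" ;;
    esac
}

# Constructed sample listings in list-unit-files format: UNIT FILE, STATE, PRESET.
SAMPLE_ENABLED='systemd-journal-remote.socket enabled  disabled
systemd-journald.socket       static   -
systemd-udevd-control.socket  static   -'

SAMPLE_MASKED='systemd-journal-remote.socket masked   disabled
systemd-journald.socket       static   -'

SAMPLE_ABSENT='systemd-journald.socket       static   -
systemd-udevd-control.socket  static   -'

# Stand-alone usage: evaluate each constructed listing.
printf '%s\n' "$SAMPLE_ENABLED" | check_listing
printf '%s\n' "$SAMPLE_MASKED"  | check_listing
printf '%s\n' "$SAMPLE_ABSENT"  | check_listing
```

On a real host, pipe `systemctl -q list-unit-files --type socket` (or a saved copy of its output) into `check_listing` instead of the constructed samples.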