Ensure journald is configured to compress large log files

An XCCDF Rule

Description

The journald system can compress large log files to avoid fill the system disk.

Rationale

Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.

ID: xccdf_org.ssgproject.content_rule_journald_compress
Severity: Medium
References: 5.1.2.3
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - journald_compress
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure journald is configured to compress large log files - Search for a section
    in files
  ansible.builtin.find:
    paths: '{{item.path}}'
    patterns: '{{item.pattern}}'
    contains: ^\s*\[Journal\]
    read_whole_file: true
    use_regex: true
  register: systemd_dropin_files_with_section
  loop:
  - path: '{{ ''/etc/systemd/journald.conf'' | dirname }}'
    pattern: '{{ ''/etc/systemd/journald.conf'' | basename | regex_escape }}'
  - path: /etc/systemd/journald.conf.d
    pattern: .*\.conf
  when: '"kernel" in ansible_facts.packages'
  tags:
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure journald is configured to compress large log files - Count number of
    files which contain the correct section
  ansible.builtin.set_fact:
    count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results
      | map(attribute=''matched'') | list | map(''int'') | sum}}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure journald is configured to compress large log files - Add missing configuration
    to correct section
  ini_file:
    path: '{{item}}'
    section: Journal
    option: Compress
    value: 'yes'
    state: present
    no_extra_spaces: true
  when:
  - '"kernel" in ansible_facts.packages'
  - count_of_systemd_dropin_files_with_section | int > 0
  loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[])
    | map(attribute=''path'') | list }}'
  tags:
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure journald is configured to compress large log files - Add configuration
    to new remediation file
  ini_file:
    path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf
    section: Journal
    option: Compress
    value: 'yes'
    state: present
    no_extra_spaces: true
    create: true
  when:
  - '"kernel" in ansible_facts.packages'
  - count_of_systemd_dropin_files_with_section | int == 0
  tags:
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

found=false

# set value in all files if they contain section or keyfor f in $(echo -n "/etc/systemd/journald.conf.d/complianceascode_hardening.conf /etc/systemd/journald.conf.d/*.conf /etc/systemd/journald.conf"); do
    if [ ! -e "$f" ]; then
        continue
    fi

    # find key in section and change value
    if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then

            sed -i "s/Compress[^(\n)]*/Compress=yes/" "$f"

            found=true

    # find section and add key = value to it
    elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then

            sed -i "/[[:space:]]*\[Journal\]/a Compress=yes" "$f"

            found=true
    fi
done

# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
    file=$(echo "/etc/systemd/journald.conf.d/complianceascode_hardening.conf /etc/systemd/journald.conf.d/*.conf /etc/systemd/journald.conf" | cut -f1 -d ' ')
    mkdir -p "$(dirname "$file")"

    echo -e "[Journal]\nCompress=yes" >> "$file"

fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure journald is configured to compress large log files

Description

Rationale

Remediation - Ansible

Remediation - Shell Script