6.2.2.1.3 Ensure systemd-journal-upload is enabled and active

Information

Journald systemd-journal-upload supports the ability to send log events it gathers to a remote log host.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Note: This recommendation only applies if journald is the chosen method for client side logging Do not apply this recommendation if rsyslog is used.

Solution

Run the following commands to unmask, enable and start systemd-journal-upload :

# systemctl unmask systemd-journal-upload.service
# systemctl --now enable systemd-journal-upload.service

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 0524ad86d425ca0b4ee3f154ebd79c66fa34c2ed46ef9a1ddf9beb597a9cd3c2