4.2.2.4 Ensure journald is configured to write logfiles to persistent disk

Information

Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot.

Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.

Solution

Edit the /etc/systemd/journald.conf file and add the following line:

Storage=persistent

Restart the service:

# systemctl restart systemd-journal-upload

See Also

https://workbench.cisecurity.org/files/3742

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 4156acf80c27d675907ba34bb6c7e48d3fe2159c572dfb202204982118cf0f8c