6.2.1.1.5 Ensure journald Storage is configured

Information

Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot.

Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.

Solution

Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf:

Storage=persistent

Example:

#!/usr/bin/env bash

{
   # Create the drop-in directory if it does not exist
   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
   # Append under an existing [Journal] header, otherwise write the header too
   if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
      printf '%s\n' "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
   else
      printf '%s\n' "[Journal]" "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
   fi
}

Note: If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten.

Run the following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald
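
Because a later file or a later line can override the setting, an audit has to find the assignment that is read last rather than grep for any match. The following is an added example, not part of the benchmark text: the function names effective_storage and audit_storage and the optional ROOT prefix argument are hypothetical, and only the two locations named above are inspected.

```sh
#!/bin/sh
# Added example: report which Storage= assignment wins, in read order.
# Assumption: only the two locations named above are inspected; drop-ins
# under /run or /usr/lib are not. ROOT is a hypothetical prefix for testing.

effective_storage() (
    root="${1:-}"
    LC_ALL=C; export LC_ALL          # drop-ins are ordered by file name
    main="$root/etc/systemd/journald.conf"
    dir="$root/etc/systemd/journald.conf.d"
    set --                           # build the ordered file list in "$@"
    if [ -f "$main" ]; then set -- "$main"; fi
    for f in "$dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then
        echo "unset"
    else
        awk '
            FNR == 1 { section = "" }             # sections do not span files
            /^[ \t]*[#;]/ { next }                # comment lines
            /^[ \t]*\[/ {                         # section header
                s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); section = s; next
            }
            section == "Journal" && /^[ \t]*Storage[ \t]*=/ {
                v = $0
                sub(/^[ \t]*Storage[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                value = v; src = FILENAME         # later assignment replaces earlier
            }
            END { if (value == "") print "unset"; else print value, src }
        ' "$@"
    fi
)

audit_storage() {
    result=$(effective_storage "${1:-}")
    if [ "${result%% *}" = "persistent" ]; then
        echo "PASS: $result"
        return 0
    fi
    echo "FAIL: effective Storage is '$result' (expected persistent)"
    return 1
}
```

Call audit_storage with no argument to check the live system; the output names the file that supplied the winning value.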

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 31484d9b9580525a382004b3a6f4bb2f79ec4317e4d0a73e74e79a92e6f35f73