6.1.2.1.2 Ensure systemd-journal-upload authentication is configured

Information

Journald systemd-journal-upload supports the ability to send log events it gathers to a remote log host.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Note: This recommendation only applies if journald is the chosen method for client side logging Do not apply this recommendation if rsyslog is used.

Solution

Edit the /etc/systemd/journal-upload.conf file or a file in /etc/systemd/journal-upload.conf.d ending inconf and ensure the following lines are set in the [Upload] section per your environment:

Example settings:

[Upload]
URL=192.168.50.42
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/trusted.pem

Example script to create systemd drop-in configuration file:

#!/usr/bin/env bash

{
a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem"
"ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
if grep -Psq -- '^h*[Upload]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
printf '%s
' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
else
printf '%s
' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
fi
}

Run the following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journal-upload

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: acd5a2d920f7a7c4654ffb8232da86b4ed6408f88559abafb2dc70954f71e01d