6.2.2.2 Ensure journald ForwardToSyslog is disabled

Information

Data from journald should be kept in the confines of the service and not forwarded to other services.

- IF - journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms.

Note: This recommendation only applies if journald is the chosen method for client side logging Do not apply this recommendation if rsyslog is used.

Solution

- IF - rsyslog is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure rsyslog" section followed.

- IF - journald is the preferred method for capturing logs:

Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending inconf :

ForwardToSyslog=no

Example:

#!/usr/bin/env bash

{
[ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
if grep -Psq -- '^h*[Journal]' /etc/systemd/journald.conf.d/60-journald.conf; then
printf '%s
' "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
else
printf '%s
' "[Journal]" "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
fi
}

Note: If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten

Run to following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.3

Plugin: Unix

Control ID: 705c4eea736119333be9145ab023b3090850e1f5adba12f1a54636a14650acaa