- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.
Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/systemd/journald.conf" ] ; then
LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf"
else
touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"
cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*ForwardToSyslog'.
line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^#\s*ForwardToSyslog', insert at
# the end of the file.
printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf"
else
head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf"
tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Setting unquoted shell-style assignment of 'ForwardToSyslog' to 'yes' in '/etc/systemd/journald.conf'
block:
- name: Check for duplicate values
lineinfile:
path: /etc/systemd/journald.conf
create: true
regexp: ^\s*ForwardToSyslog=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/systemd/journald.conf
lineinfile:
path: /etc/systemd/journald.conf
create: true
regexp: ^\s*ForwardToSyslog=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/systemd/journald.conf
lineinfile:
path: /etc/systemd/journald.conf
create: true
regexp: ^\s*ForwardToSyslog=
line: ForwardToSyslog=yes
state: present
insertbefore: ^# ForwardToSyslog
validate: /usr/bin/bash -n %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- journald_forward_to_syslog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy