Ensure journald is configured to compress large log files

Docs > Datadog Security > OOTB Rules > Ensure journald is configured to compress large log files

Classification:

compliance

Framework:

Control:

Description

The journald system can compress large log files to avoid fill the system disk.

Rationale

Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
 
 LC\_ALL=C sed -i "/^\s\*Compress\s\*=\s\*/d" "/etc/systemd/journald.conf"
else
 touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s\*Compress'.
line\_number="$(LC\_ALL=C grep -n "^#\s\*Compress" "/etc/systemd/journald.conf.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
 # There was no match of '^#\s\*Compress', insert at
 # the end of the file.
 printf '%s\n' "Compress='yes'" >> "/etc/systemd/journald.conf"
else
 head -n "$(( line\_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
 printf '%s\n' "Compress='yes'" >> "/etc/systemd/journald.conf"
 tail -n "+$(( line\_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Setting shell-quoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf'
 block:

 - name: Check for duplicate values
 lineinfile:
 path: /etc/systemd/journald.conf
 create: false
 regexp: ^\s\*Compress=
 state: absent
 check\_mode: true
 changed\_when: false
 register: dupes

 - name: Deduplicate values from /etc/systemd/journald.conf
 lineinfile:
 path: /etc/systemd/journald.conf
 create: false
 regexp: ^\s\*Compress=
 state: absent
 when: dupes.found is defined and dupes.found > 1

 - name: Insert correct line to /etc/systemd/journald.conf
 lineinfile:
 path: /etc/systemd/journald.conf
 create: true
 regexp: ^\s\*Compress=
 line: Compress="yes"
 state: present
 insertbefore: ^# Compress
 validate: /usr/bin/bash -n %s
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - journald\_compress
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy