Ensure journald is configured to send logs to rsyslog

Classification:

compliance

Framework:

Control:

Description

Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.

Rationale

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then

    LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*ForwardToSyslog'.
line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*ForwardToSyslog', insert at
    # the end of the file.
    printf '%s\n' "ForwardToSyslog='yes'" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "ForwardToSyslog='yes'" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Setting shell-quoted shell-style assignment of 'ForwardToSyslog' to 'yes'
    in '/etc/systemd/journald.conf'
  block:

    - name: Check for duplicate values
      lineinfile:
        path: /etc/systemd/journald.conf
        create: false
        regexp: ^\s*ForwardToSyslog=
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    - name: Deduplicate values from /etc/systemd/journald.conf
      lineinfile:
        path: /etc/systemd/journald.conf
        create: false
        regexp: ^\s*ForwardToSyslog=
        state: absent
      when: dupes.found is defined and dupes.found > 1

    - name: Insert correct line to /etc/systemd/journald.conf
      lineinfile:
        path: /etc/systemd/journald.conf
        create: true
        regexp: ^\s*ForwardToSyslog=
        line: ForwardToSyslog="yes"
        state: present
        insertbefore: ^# ForwardToSyslog
        validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - journald_forward_to_syslog
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
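Both remediations above edit only /etc/systemd/journald.conf, but journald resolves its configuration by merging that file with any *.conf drop-ins, where the last assignment in the [Journal] section wins, so a later drop-in can silently override the line the remediation inserted. The following audit helper is an added example (not part of the compliance content or of either remediation): it reproduces that merge order for the main file plus one drop-in directory and reports the effective value. Paths are parameters so it can be pointed at a copied or mounted configuration as well as the live host; the /usr/lib and /run drop-in directories that journald also consults are assumed out of scope here, and the PASS/FAIL wrapper and default paths at the bottom are this example's own choices.

```shell
#!/bin/sh
# Audit helper for the ForwardToSyslog rule (added example, not the page's
# remediation code). Resolves the setting the way systemd merges its config:
# main file first, then *.conf drop-ins from one directory in name order;
# the last assignment inside a [Journal] section wins.
# Assumption: only one drop-in directory is scanned (journald also reads
# /usr/lib/systemd/journald.conf.d and /run/systemd/journald.conf.d).

# Print the raw effective value, or "unset" if no [Journal] section assigns it.
journald_effective_forward_to_syslog() {
    local main="$1" dropin_dir="$2" f
    set --
    [ -f "$main" ] && set -- "$main"
    if [ -d "$dropin_dir" ]; then
        # the shell expands the glob in sorted order, matching drop-in precedence
        for f in "$dropin_dir"/*.conf; do
            [ -f "$f" ] && set -- "$@" "$f"
        done
    fi
    [ "$#" -gt 0 ] || { echo unset; return 0; }

    awk '
        FNR == 1      { sect = "" }      # every file starts outside any section
        /^[ \t]*[#;]/ { next }           # comment line, never an assignment
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == "Journal" && /^[ \t]*ForwardToSyslog[ \t]*=/ {
            v = $0
            sub(/^[ \t]*ForwardToSyslog[ \t]*=[ \t]*/, "", v)   # keep only the right-hand side
            sub(/[ \t]+$/, "", v)                                # drop trailing whitespace
            val = v                        # last assignment wins; an empty one clears the value
        }
        END { print (val == "" ? "unset" : val) }
    ' "$@"
}

# Exit 0 when the effective value is the bare token "yes" the rule requires,
# 1 otherwise. The comparison is deliberately strict: the raw text is what
# systemd will be asked to parse, so any other spelling is surfaced for review.
journald_forward_to_syslog_ok() {
    [ "$(journald_effective_forward_to_syslog "$1" "$2")" = "yes" ]
}

# Usage on a live host (assumed default paths):
#   sh check_forward_to_syslog.sh /etc/systemd/journald.conf /etc/systemd/journald.conf.d
if [ -n "${1:-}" ]; then
    dropins="${2:-/etc/systemd/journald.conf.d}"
    value=$(journald_effective_forward_to_syslog "$1" "$dropins")
    if journald_forward_to_syslog_ok "$1" "$dropins"; then
        echo "PASS: effective ForwardToSyslog=$value"
    else
        echo "FAIL: effective ForwardToSyslog is '$value' (expected yes)" >&2
        exit 1
    fi
fi
```

On a host with systemd, `systemd-analyze cat-config systemd/journald.conf` prints the same merged view (main file and all drop-in directories), which is a useful cross-check for what this helper reports from a single directory.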