Disable systemd-journal-remote Socket

Classification:

compliance

Framework:

Control:

Description

Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote, is used both for sending logs to remote hosts and for receiving incoming logs. With regard to receiving logs, there are two systemd unit files: systemd-journal-remote.socket and systemd-journal-remote.service.

Rationale

If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    SOCKET_NAME="systemd-journal-remote.socket"
    SYSTEMCTL_EXEC='/usr/bin/systemctl'

    # Act only when the socket unit exists on this host: stop it now and
    # mask it so that it cannot be started again, manually or by activation.
    if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
        "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
        "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System
  ansible.builtin.command:
    cmd: systemctl -q list-unit-files --type socket
  register: result_systemd_unit_files
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - socket_systemd-journal-remote_disabled

- name: Disable systemd-journal-remote Socket - Ensure systemd-journal-remote.socket is Masked
  ansible.builtin.systemd:
    name: systemd-journal-remote.socket
    state: stopped
    enabled: false
    masked: true
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket")
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - socket_systemd-journal-remote_disabled
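The remediations above act on the socket unit only. As an added example that is not part of the rule's own content, the POSIX sh audit helper below checks both unit files named in the Description (the socket and the service it activates) and reports whether each is in a state that can neither start now nor at boot. It assumes the usual `systemctl is-enabled` output vocabulary (enabled, disabled, masked, masked-runtime, static, indirect, ...) and `systemctl is-active` vocabulary (active, inactive, failed, activating, ...); the `not-found` placeholder it substitutes for an empty `is-enabled` result is this script's own convention.

```shell
#!/bin/sh
# Added audit helper for the systemd-journal-remote rule (not part of the rule's
# own remediation content). Checks both the socket and the service unit.

UNITS="systemd-journal-remote.socket systemd-journal-remote.service"

# unit_state_ok ENABLED_STATE ACTIVE_STATE
# Returns 0 when the unit can start neither now nor at boot: its enablement
# state must be masked, masked-runtime, disabled or not-found (this script's
# placeholder for "unit absent"), and it must not be running. Every other
# enablement state (enabled, static, indirect, ...) is treated conservatively
# as non-compliant, because such a unit can still be started or activated.
unit_state_ok() {
    case "$1" in
        masked|masked-runtime|disabled|not-found) ;;
        *) return 1 ;;
    esac
    case "$2" in
        active|activating|reloading) return 1 ;;
    esac
    return 0
}

# audit_unit UNIT
# Queries systemctl, prints one PASS/FAIL line and returns unit_state_ok's status.
# `systemctl is-enabled` prints nothing on stdout for an absent unit, so an empty
# result is mapped to not-found; an empty is-active result is mapped to inactive.
audit_unit() {
    au_unit="$1"
    au_enabled=$(systemctl is-enabled "$au_unit" 2>/dev/null || true)
    au_active=$(systemctl is-active "$au_unit" 2>/dev/null || true)
    au_enabled="${au_enabled:-not-found}"
    au_active="${au_active:-inactive}"
    if unit_state_ok "$au_enabled" "$au_active"; then
        printf 'PASS %s (enabled=%s active=%s)\n' "$au_unit" "$au_enabled" "$au_active"
    else
        printf 'FAIL %s (enabled=%s active=%s)\n' "$au_unit" "$au_enabled" "$au_active"
        return 1
    fi
}

# audit_all
# Runs audit_unit over every unit in UNITS; returns 1 if any unit fails.
audit_all() {
    aa_status=0
    for aa_u in $UNITS; do
        audit_unit "$aa_u" || aa_status=1
    done
    if [ "$aa_status" -eq 0 ]; then
        echo "systemd-journal-remote receiving path is disabled"
    else
        echo "systemd-journal-remote receiving path is NOT fully disabled"
    fi
    return "$aa_status"
}

# Same container guard as the remediation script: inside a container there is
# normally no systemd manager to query, so the audit is skipped there rather
# than reporting every unit as absent.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && command -v systemctl >/dev/null 2>&1; then
    audit_all
fi
```

`audit_all` returns non-zero when either unit fails, so a wrapper that needs an exit code can end with `audit_all; exit $?`. The empty-output fallbacks are the reason for the guard at the bottom: on a host where `systemctl` cannot reach the manager, both queries come back empty and every unit would read as absent and therefore compliant.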