Profile Applicability:
Level 1
Description:
The systemd journal (journald) collects and stores log data. Proper configuration of journald log rotation ensures that logs are managed according to site-specific retention policies, preventing disk space exhaustion and maintaining log availability for auditing.
Rationale:
Configuring journald log rotation per site policy helps maintain system stability, ensures compliance with data retention requirements, and supports effective log management.
Impact:
Pros:
Prevents excessive disk usage by controlling log file size and retention.
Supports compliance with organizational and regulatory requirements.
Cons:
Misconfiguration may lead to loss of important log data or insufficient log retention.
Default Value:
Default journald configurations may not align with site-specific policies and often require customization.
Pre-requisites:
Root or sudo privileges to modify systemd journal configurations.
Remediation:
Test Plan:
Using Linux command line:
Review current journald configuration:
cat /etc/systemd/journald.conf
Check current runtime settings:
journalctl --disk-usage
Verify if log rotation parameters (SystemMaxUse=, SystemKeepFree=, RuntimeMaxUse=, MaxRetentionSec=, etc.) comply with site policy.
Implementation Plan:
Using Linux command line:
Edit /etc/systemd/journald.conf to configure log rotation parameters according to site policy. For example:
SystemMaxUse=500M SystemKeepFree=50M RuntimeMaxUse=200M MaxRetentionSec=1month
Restart the journald service to apply changes:
systemctl restart systemd-journald
Verify changes:
journalctl --disk-usage
Backout Plan:
Using Linux command line:
Revert changes in /etc/systemd/journald.conf if necessary.
Restart journald service and verify logging:
systemctl restart systemd-journald
References:
CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journald Documentation