Profile Applicability:
Level 1
Description:
The systemd journal (journald) can forward log messages to the traditional syslog daemon (rsyslog). Disabling this forwarding prevents duplicate logging, reduces system overhead, and minimizes potential security risks from unnecessary log transmission.
Rationale:
Preventing journald from forwarding logs to rsyslog reduces redundancy and limits the exposure of sensitive log data, improving overall system security and performance.
Impact:
Pros:
Reduces log duplication and storage usage.
Decreases inter-process communication overhead.
Minimizes risk of unintended log exposure.
Cons:
Systems relying on rsyslog for centralized logging may lose log data if forwarding is disabled.
Default Value:
Forwarding logs to rsyslog is often enabled by default.
Pre-requisites:
Root or sudo privileges to modify systemd journal configuration.
Remediation:
Test Plan:
Using Linux command line:
Check the forwarding setting in /etc/systemd/journald.conf:
grep ForwardToSyslog /etc/systemd/journald.conf
Verify that ForwardToSyslog is set to no.
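Note that the grep above also matches a commented-out default such as #ForwardToSyslog=yes, and it does not look at drop-in files under /etc/systemd/journald.conf.d/, which override the main file. The POSIX sh helper below is an added example (not part of the benchmark) that reports the effective value the way journald resolves it; the optional CONFIG_ROOT argument is an assumption added so the logic can be exercised against a copy of the configuration.

```shell
#!/bin/sh
# Added audit helper, not from the benchmark: report the effective
# ForwardToSyslog value. journald reads journald.conf first, then every
# journald.conf.d/*.conf in lexical order; the last uncommented
# assignment wins. A commented line (#ForwardToSyslog=yes) is ignored.
# Usage: effective_forward_to_syslog [CONFIG_ROOT]   (default /etc/systemd)

effective_forward_to_syslog() {
    root="${1:-/etc/systemd}"
    value="yes"   # compiled-in default when the key is absent or commented out
    for f in "$root/journald.conf" "$root"/journald.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Keep only uncommented assignments; strip the key and surrounding blanks.
        v=$(sed -n 's/^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*//p' "$f" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Exit status 0 when forwarding is effectively disabled, 1 otherwise.
# systemd accepts the usual boolean spellings, so all "false" forms pass.
audit_forward_to_syslog() {
    case "$(effective_forward_to_syslog "$1")" in
        no|false|0|off) return 0 ;;
        *)              return 1 ;;
    esac
}

printf 'Effective ForwardToSyslog: %s\n' "$(effective_forward_to_syslog)"
```

Run it as root on the target host; a non-zero status from audit_forward_to_syslog means the control fails even if the main file itself contains ForwardToSyslog=no.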
Implementation Plan:
Using Linux command line:
Edit the journald configuration file:
vi /etc/systemd/journald.conf
Set the parameter to disable forwarding:
ForwardToSyslog=no
Save the file and restart the journald service:
systemctl restart systemd-journald
Confirm the change:
grep ForwardToSyslog /etc/systemd/journald.conf
Backout Plan:
Using Linux command line:
Re-enable forwarding if necessary by setting:
ForwardToSyslog=yes
Restart journald service:
systemctl restart systemd-journald
Verify forwarding is active.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journald Documentation