Profile Applicability:
Level 1

Description:
By default, systemd’s journal (journald) stores logs in volatile memory, which means logs are lost on reboot. Configuring journald to write logs to persistent storage ensures that logs survive system restarts and are available for auditing and troubleshooting.

Rationale:
Persistent logging provides a reliable audit trail by preserving logs across reboots, which is essential for security monitoring, compliance, and forensic investigations.

Impact:
Pros:

  • Maintains log availability after system reboots.

  • Supports long-term auditing and analysis.

Cons:

  • Consumes disk space; requires monitoring and log rotation.

Default Value:
By default, journald may be configured to store logs only in volatile memory unless explicitly set to use persistent storage.

Pre-requisites:

  • Root or sudo privileges to modify journald configuration.

Remediation:

Test Plan:

Using Linux command line:

  1. Check the current storage setting in /etc/systemd/journald.conf:

    grep "^Storage" /etc/systemd/journald.conf

  2. Verify that Storage=persistent is set.
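
The grep above reads only the main file, while drop-in files under /etc/systemd/journald.conf.d/ are applied after it and can override the value. The following added example (not part of the original benchmark text) reports the value that results once drop-ins are considered; the function names, the optional root-prefix argument and the sample tree are assumptions made for illustration, and only /etc/systemd is read.

```shell
#!/bin/sh
# Added example: report the journald Storage= value after drop-ins are applied.
# Simplification (assumption): only /etc/systemd is read, and empty
# assignments are skipped.

# Print the last Storage= value found, or an empty line if none is set.
# $1 is an optional root prefix so a constructed tree can be checked.
journald_storage() {
    root="${1:-}"
    value=""
    # Main file first, then drop-ins in lexical order; the last one wins.
    for f in "$root/etc/systemd/journald.conf" \
             "$root/etc/systemd/journald.conf.d"/*.conf; do
        [ -f "$f" ] || continue
        # Commented lines (# or ;) do not match because of the ^ anchor.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value="$v"; fi
    done
    printf '%s\n' "$value"
}

# Succeed only when the resulting value is exactly "persistent".
check_persistent() {
    [ "$(journald_storage "${1:-}")" = "persistent" ]
}

# Constructed sample: the main file passes the grep check, a drop-in undoes it.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/systemd/journald.conf.d"
    printf '[Journal]\n#Storage=auto\nStorage=persistent\n' \
        > "$t/etc/systemd/journald.conf"
    printf '[Journal]\nStorage=volatile\n' \
        > "$t/etc/systemd/journald.conf.d/50-override.conf"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
echo "main file only: $(grep '^Storage' "$sample/etc/systemd/journald.conf")"
echo "with drop-ins:  Storage=$(journald_storage "$sample")"
rm -rf "$sample"
```

Called with no argument, `journald_storage` and `check_persistent` read the live /etc/systemd tree.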

Implementation Plan:

Using Linux command line:

  1. Edit /etc/systemd/journald.conf:

    vi /etc/systemd/journald.conf

  2. Set the Storage parameter to persistent:

    Storage=persistent

  3. Save the file and restart the journald service:

    systemctl restart systemd-journald

  4. Verify that the setting is active:

    grep "^Storage" /etc/systemd/journald.conf


Backout Plan:

Using Linux command line:

  1. Revert the Storage parameter to its previous value if needed (e.g., auto or volatile):

    vi /etc/systemd/journald.conf

  2. Restart the journald service:

    systemctl restart systemd-journald

