Profile Applicability:
• Level 1
Description:
The systemd journal (journald) can be configured to accept log messages from remote clients. Disabling this feature prevents unauthorized or malicious external sources from injecting logs into the local journal, protecting the integrity of system logs.
Rationale:
Preventing journald from receiving remote logs reduces the risk of log poisoning and ensures that only locally generated logs are trusted, enhancing overall system security.
Impact:
Pros:
Protects against unauthorized log injection from remote sources.
Maintains the integrity and trustworthiness of local logs.
Cons:
Disabling remote logging may limit centralized log aggregation capabilities.
Default Value:
By default, journald does not accept logs from remote clients unless explicitly configured.
Prerequisites:
Root or sudo privileges to modify journald configuration.
Remediation:
Test Plan:
Using the Linux command line:
Check whether journald is configured to receive remote logs:
grep "^ReceiveRemote" /etc/systemd/journald.conf
Confirm that ReceiveRemote is set to no. If the command returns nothing, the option is not set and the default of not accepting remote logs applies.
Implementation Plan:
Using the Linux command line:
Edit the journald configuration file:
vi /etc/systemd/journald.conf
Set the following parameter to disable remote logging:
ReceiveRemote=no
Save the file and restart journald:
systemctl restart systemd-journald
Verify the setting:
grep "^ReceiveRemote" /etc/systemd/journald.conf
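The test plan and implementation plan above can be carried out as two small functions. The following is an added example written for this page, not part of the benchmark or of systemd: it audits and remediates the ReceiveRemote setting named above in a journald.conf file whose path is passed as a parameter, so it can be exercised on a constructed copy rather than the live /etc/systemd/journald.conf. It assumes, as journald.conf does, that the file has a single [Journal] section, and it leaves the journald restart from the implementation plan to the caller.

```shell
#!/bin/sh
# Added example (not from the benchmark text): audit and remediate the
# ReceiveRemote setting discussed on this page in a journald.conf file.
# The config path is a parameter so the functions can be run against a copy.

# journald_receive_remote_state FILE
# Prints the effective value: "no" when the file has no active ReceiveRemote
# line (the page states journald does not accept remote logs unless explicitly
# configured), otherwise the last active value, trimmed and lower-cased.
journald_receive_remote_state() {
    file="$1"
    [ -r "$file" ] || { echo "no"; return 0; }
    val=$(grep -E '^[[:space:]]*ReceiveRemote[[:space:]]*=' "$file" \
          | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then
        echo "no"
    else
        echo "$val"
    fi
}

# journald_receive_remote_audit FILE
# Returns 0 (pass) when remote reception is disabled, 1 (fail) otherwise.
journald_receive_remote_audit() {
    state=$(journald_receive_remote_state "$1")
    case "$state" in
        no|false|0) return 0 ;;
    esac
    echo "FAIL: ReceiveRemote=$state in $1" >&2
    return 1
}

# journald_receive_remote_disable FILE
# Sets ReceiveRemote=no: rewrites any existing ReceiveRemote line (active or
# commented out) in place, or appends one, adding a [Journal] header if the
# file has none. The file's mode is preserved by writing through a temp copy.
journald_receive_remote_disable() {
    file="$1"
    if grep -qE '^[[:space:]]*#?[[:space:]]*ReceiveRemote[[:space:]]*=' "$file"; then
        tmp=$(mktemp)
        sed -E 's/^[[:space:]]*#?[[:space:]]*ReceiveRemote[[:space:]]*=.*/ReceiveRemote=no/' \
            "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    elif grep -q '^\[Journal\]' "$file"; then
        printf 'ReceiveRemote=no\n' >> "$file"
    else
        printf '[Journal]\nReceiveRemote=no\n' >> "$file"
    fi
}

# Demonstration on a constructed copy, not the live journald.conf.
demo_file=$(mktemp)
printf '[Journal]\nReceiveRemote=yes\n' > "$demo_file"
echo "before: ReceiveRemote=$(journald_receive_remote_state "$demo_file")"
journald_receive_remote_disable "$demo_file"
echo "after:  ReceiveRemote=$(journald_receive_remote_state "$demo_file")"
rm -f "$demo_file"
```

On a real host, run journald_receive_remote_audit against /etc/systemd/journald.conf as root; if it fails, run journald_receive_remote_disable on the same path and then restart journald with systemctl restart systemd-journald, as the implementation plan describes.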
Backout Plan:
Using the Linux command line:
Re-enable remote log reception if needed by setting the following in /etc/systemd/journald.conf:
ReceiveRemote=yes
Restart journald:
systemctl restart systemd-journald
Confirm remote logging is enabled.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journald Documentation