CIS-CAT-PRO audit finding 4.2.2.4 #280

Closed
bbaassssiiee opened this issue Apr 17, 2023 · 1 comment
bbaassssiiee commented Apr 17, 2023

Description:

Ensure journald is configured to write logfiles to persistent disk

Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot.

Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.

Edit the /etc/systemd/journald.conf file and add the following line:

Storage=persistent

Expected Behavior
The line is explicit and uncommented.

Actual Behavior
The line is commented, as if the regexp didn't match for some reason.

Control(s) Affected
What controls are being affected by the issue: CIS 4.2.2.4

Environment (please complete the following information):

  • Ansible Version: [core 2.11.12]
  • Host Python Version: [Python 3.6.8]
  • Ansible Server Python Version: [Python 3.6.8]
  • Using branch: [release 2.2.1]
  • Additional Details:

Additional Notes
CIS-CAT-PRO is the official audit tool for CIS members.

Possible Solution

- name: Insert correct line to /etc/systemd/journald.conf
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: true
    # match the commented compile-time default (#Storage=auto) as well as an
    # existing uncommented value, so the line is replaced rather than left commented
    regexp: '^#?Storage='
    line: Storage=persistent
    state: present
    # only used when no Storage line exists at all; keep it inside [Journal]
    insertafter: '^\[Journal\]'
    # bash -n only checks shell syntax and says nothing about an ini-style file,
    # so no validate command is set; restart systemd-journald for the change to apply
@bbaassssiiee bbaassssiiee added the bug Something isn't working label Apr 17, 2023

Contents of /etc/systemd/journald.conf after applying RHEL8-CIS on AlmaLinux 8.7:

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K

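As an added example (not code from the issue or from the RHEL8-CIS role), a small Python check that applies the rule CIS-CAT-PRO audits for to the file listed above, and a remediation that mirrors the replacement logic of the lineinfile task in the suggested fix. The sample content is constructed from the reported file; function names are my own.

```python
import re
from typing import Optional

# Constructed sample: the [Journal] section as reported in the issue, with the
# Storage line still commented out (the state CIS-CAT-PRO flags as a finding).
NONCOMPLIANT_CONF = """[Journal]
#Storage=auto
#Compress=yes
ForwardToSyslog=yes
"""

KEY, WANTED = "Storage", "persistent"


def effective_storage(conf: str) -> Optional[str]:
    """Return the explicit, uncommented Storage= value under [Journal], else None.

    Comment lines are skipped, which is why '#Storage=auto' fails the audit:
    journald then uses its compiled-in default, which is not an explicit setting.
    """
    value, section = None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, val = line.partition("=")
        if section == "Journal" and sep and key.strip() == KEY:
            value = val.strip()  # a later assignment overrides an earlier one
    return value


def is_compliant(conf: str) -> bool:
    """CIS 4.2.2.4 expects an explicit, uncommented Storage=persistent."""
    return effective_storage(conf) == WANTED


def remediate(conf: str) -> str:
    """Mirror the suggested lineinfile task: replace the last line matching
    'Storage=' (commented or not) with Storage=persistent; append if absent."""
    lines = conf.splitlines()
    hits = [i for i, line in enumerate(lines) if re.search(r"Storage=", line)]
    if hits:
        lines[hits[-1]] = f"{KEY}={WANTED}"
    else:
        lines.append(f"{KEY}={WANTED}")
    return "\n".join(lines) + "\n"
```

Running `remediate` twice yields the same file, which is the idempotence the lineinfile task relies on; a restart of systemd-journald is still needed before the setting takes effect.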
bbaassssiiee added a commit to TeamSalvador/RHEL8-CIS that referenced this issue Apr 17, 2023
Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
uk-bolly added a commit that referenced this issue Apr 25, 2023
@uk-bolly uk-bolly self-assigned this Apr 25, 2023