CCE-95480-0| Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2021-03-05 (M)2023-07-04 |
Description:
Data from journald may be stored in volatile memory or persisted locally on the server.
Utilities exist to accept remote export of journald logs, however, use of the rsyslog service
provides a consistent means of log collection and export.
Rationale:
Storing log data on a remote host protects log integrity from local attacks. If an attacker
gains root access on the local system, they could tamper with or remove log data that is
stored on the local system.
Audit:
Review /etc/systemd/journald.conf and verify that logs are forwarded to syslog
# grep -e ^s*ForwardToSyslog /etc/systemd/journald.conf
ForwardToSyslog=yes
Remediation:
Edit the /etc/systemd/journald.conf file and add the following line:
ForwardToSyslog=yes
Parameter:
[yes/no]
Technical Mechanism:
Edit the /etc/systemd/journald.conf file and add the following line:
ForwardToSyslog=yes
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 8.4 | Attack Vector: LOCAL |
| Exploit Score: 2.5 | Attack Complexity: LOW |
| Impact Score: 5.9 | Privileges Required: NONE |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72347 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:71981 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72926 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68631 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84221 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72820 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73031 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72717 |
