
CCE-55023-6

Platform: cpe:/o:redhat:enterprise_linux:8,cpe:/o:oracle:linux:7,cpe:/o:oracle:linux:8,cpe:/o:amazon:linux:2,cpe:/o:redhat:enterprise_linux:9,cpe:/o:redhat:enterprise_linux:7,cpe:/o:centos:centos:7

Date: (C)2024-01-08   (M)2024-04-23



Title: Ensure journald is not configured to receive logs from a remote client

Description: Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts.

NOTE: The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. With regard to receiving logs, there are two services: systemd-journal-remote.socket and systemd-journal-remote.service.

Rationale: If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary.

Audit: Run the following command to verify systemd-journal-remote.socket is not enabled:

# systemctl is-enabled systemd-journal-remote.socket

Verify the output matches:

masked

Remediation: Run the following command to disable systemd-journal-remote.socket:

# systemctl --now mask systemd-journal-remote.socket


Parameter:

[yes/no]


Technical Mechanism:

Remediation: Run the following command to disable systemd-journal-remote.socket:

# systemctl --now mask systemd-journal-remote.socket

CCSS Severity:
CCSS Score: 7.7
Exploit Score: 3.1
Impact Score: 4.0
Severity: HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

References:
Resource Id    Reference
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:96268
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97489
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97516
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97224
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97456
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97255
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:97193


XCCDF    3
xccdf_org.secpod_benchmark_general_RHEL_8
xccdf_org.secpod_benchmark_general_OEL_8
xccdf_org.secpod_benchmark_general_RHEL_9

© SecPod Technologies