
Rule systemd-journald/* ignores contents of /etc/systemd/journald.conf.d/

Open • digdilem opened this issue 3 years ago • 1 comment

Description of problem:

The tests for Rule IDs:

  • xccdf_org.ssgproject.content_rule_journald_compress
  • xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
  • xccdf_org.ssgproject.content_rule_journald_storage

only test the content of /etc/systemd/journald.conf, and the remediations only focus on that file.

However, the documentation for journald states " Using drop-ins for local configuration is recommended over modifications to the main configuration file." and any settings in these files take precedence.

This means that should a drop-in file exist that overrides any settings being tested for, the tests will report incorrectly based on the lower-precedence main configuration file.

SCAP Security Guide Version:

openscap.x86_64 1:1.3.6-4.el9.rocky.0.2 /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml Args: --profile cis_server_l1 --fetch-remote-resources

Operating System Version:

Rocky Linux 9

Steps to Reproduce:

  1. Create a drop-in file in /etc/systemd/journald.conf.d that changes a value being tested for. For example, `Compress='yes'`
  2. Run tests.

Actual Results:

The test will fail if /etc/systemd/journald.conf contains the default or no setting, despite journalctl using the override.

Expected Results:

The test should also descend into that drop-in directory in the same way it does for /etc/sudoers.d/ and test any drop-in files.

Additionally, the remediations should create files in that drop-in directory rather than modify the main config file, as recommended by the journald documentation.

Thank you

digdilem, Nov 29 '22 14:11

I have noticed the failing tests for these settings too but I noticed something else.

The Ansible remediation has different syntax compared to the SCAP scanner test.

For example: The Ansible remediation modifies the config file with line: ForwardToSyslog="yes"

And the test checks the file for line: ForwardToSyslog=yes (without quotation marks)

This breaks the remediation, as the settings don't work with quotation marks. Also, the remediation and the test conflict, and the test fails.

Maddss, Nov 23 '23 08:11
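The two points raised in this thread (drop-ins under /etc/systemd/journald.conf.d/ override the main file, and a quoted value such as ForwardToSyslog="yes" is not the same thing as ForwardToSyslog=yes) can both be shown with a small check that resolves a journald setting the way a drop-in-aware test would have to. This is an added example written for this page, not code from ComplianceAsCode/SSG, OpenSCAP or systemd. It assumes a simplified resolution model: the main file is read first, then every *.conf drop-in next to it in lexical filename order, and the last assignment of a key in the [Journal] section wins. It deliberately ignores the /run/systemd and /usr/lib/systemd drop-in directories, and the sample config tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not SSG/OpenSCAP/systemd code): resolve the effective value of
# a journald setting across the main file and its drop-in directory.
# Assumption: only MAIN and MAIN.d/*.conf are consulted (systemd also reads
# /run/systemd and /usr/lib/systemd drop-ins, which are ignored here).

# journald_effective KEY [MAIN_CONF]  -> prints the effective value of KEY
journald_effective() {
    local key main f
    key="$1"; main="${2:-/etc/systemd/journald.conf}"
    set --
    if [ -f "$main" ]; then set -- "$main"; fi
    # The shell expands the glob in sorted order, which is the order in which
    # systemd applies drop-ins: a later filename overrides an earlier one.
    for f in "$main.d"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 0
    awk -v key="$key" '
        FNR == 1 { section = "" }                 # every file restarts outside any section
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[Journal]" && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            sub(/[ \t]+$/, "")
            value = $0                            # last assignment seen wins
        }
        END { print value }
    ' "$@"
}

# journald_check KEY EXPECTED [MAIN_CONF] -> 0 if the effective value equals
# EXPECTED exactly. The comparison is literal, so a quoted value written by a
# remediation ("yes") does not satisfy a test that expects yes.
journald_check() {
    local actual
    actual="$(journald_effective "$1" "${3:-/etc/systemd/journald.conf}")"
    [ "$actual" = "$2" ]
}

# build_sample_tree DIR -> constructed config tree for the demo: the main file
# disables both settings, one drop-in overrides Compress, a second drop-in
# carries the quoted ForwardToSyslog value described in the thread.
build_sample_tree() {
    mkdir -p "$1/journald.conf.d"
    printf '[Journal]\nCompress=no\nForwardToSyslog=no\n' > "$1/journald.conf"
    printf '[Journal]\nCompress=yes\n' > "$1/journald.conf.d/10-compress.conf"
    printf '[Journal]\nForwardToSyslog="yes"\n' > "$1/journald.conf.d/20-syslog.conf"
}

demo() {
    local dir key
    dir="$(mktemp -d)"
    build_sample_tree "$dir"
    for key in Compress ForwardToSyslog Storage; do
        printf '%-16s effective=%s\n' "$key" "$(journald_effective "$key" "$dir/journald.conf")"
    done
    if journald_check Compress yes "$dir/journald.conf"; then
        echo 'Compress=yes:        pass (drop-in overrides main file)'
    fi
    if journald_check ForwardToSyslog yes "$dir/journald.conf"; then
        echo 'ForwardToSyslog=yes: pass'
    else
        echo 'ForwardToSyslog=yes: FAIL (effective value is "yes" with quotes)'
    fi
    rm -rf "$dir"
}

demo
```

On a real host, `systemd-analyze cat-config systemd/journald.conf` prints the main file followed by every drop-in in the order systemd applies them, which is a quick way to confirm what a scanner that only reads /etc/systemd/journald.conf is missing.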