{"description": "The journald system may store log files in volatile memory or locally on disk.\nIf the logs are only stored in volatile memory they will be lost upon reboot.", "rationale": "Log files contain valuable data and need to be persistent to aid in possible investigations.", "severity": "medium", "references": {"cis": ["6.2.1.1.5"]}, "control_references": {"cis": ["6.2.1.1.5"]}, "components": [], "identifiers": {}, "ocil_clause": "is commented out or not configured correctly", "ocil": "Storing logs with persistent storage ensures they are available after a reboot or system crash.\nRun the command below to verify that logs are being persistently stored to disk.\n<pre>\ngrep \"^\\s*Storage\" /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf\n\n</pre>\nand it should return\n<pre>\nStorage=persistent\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "service_disabled[rsyslog]", "platforms": ["service_disabled[rsyslog]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["service_disabled_rsyslog"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure journald is configured to write log files to persistent disk", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/journald/journald_storage/rule.yml", "template": {"name": "systemd_dropin_configuration", "vars": {"master_cfg_file": "/etc/systemd/journald.conf", "dropin_dir": "/etc/systemd/journald.conf.d", "section": "Journal", "param": "Storage", "value": "persistent", "no_quotes": "true", "missing_config_file_fail": "false"}, "backends": {}}}