{"description": "Data from journald may be stored in volatile memory or persisted locally.\nUtilities exist to accept remote export of journald logs.", "rationale": "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "is commented out or not configured correctly", "ocil": "Storing logs remotely protects the integrity of the data from local attacks.\nRun the following command to verify that journald is forwarding logs to the local syslog daemon (rsyslog), which can then ship them to a remote host:\n<pre>\ngrep \"^\\s*ForwardToSyslog\" /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf\n\n</pre>\nThe output (each line prefixed with the name of the file it was found in) should contain\n<pre>\nForwardToSyslog=yes\n</pre>\nDrop-in files are read after the main file, so the last uncommented ForwardToSyslog assignment in a [Journal] section is the effective one; a later drop-in setting ForwardToSyslog=no overrides an earlier ForwardToSyslog=yes.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure journald is configured to send logs to rsyslog", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml", "template": {"name": "systemd_dropin_configuration", "vars": {"master_cfg_file": "/etc/systemd/journald.conf", "dropin_dir": "/etc/systemd/journald.conf.d", "section": "Journal", "param": "ForwardToSyslog", "value": "yes", "no_quotes": "true", "missing_config_file_fail": "false"}, "backends": {}}}
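The grep in the OCIL check above reports every ForwardToSyslog line it finds, but it cannot tell a commented default from a live setting, nor a drop-in that re-disables forwarding from one that enables it. The script below is an added example, written for this page and not part of the SCAP Security Guide rule, its OVAL check or its remediation. It resolves the effective value the way systemd reads the files: main file first, then drop-ins in lexical filename order, last uncommented assignment in a [Journal] section wins. The function names (effective_forward_to_syslog, trim_ws, build_sample, check_sample) are mine, the main file and drop-in directory are passed as arguments, and the sample configuration tree it builds is constructed for the demonstration, not copied from any host.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule or its remediation.
# Resolves the effective ForwardToSyslog value the way systemd does: the main
# file is read first, then every drop-in in lexical filename order, and within
# that order the last uncommented assignment in a [Journal] section wins.

# trim_ws VALUE -> prints VALUE without leading/trailing whitespace
trim_ws() {
    s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# effective_forward_to_syslog MAIN_CFG DROPIN_DIR
# Prints the raw value of the last ForwardToSyslog assignment in [Journal]
# ("yes", "no", "true", "off", ...) or "unset" if no file assigns it.
# A missing main file is tolerated, matching missing_config_file_fail=false.
effective_forward_to_syslog() {
    main_cfg=$1
    dropin_dir=$2
    value=unset

    set -- "$main_cfg"
    for f in "$dropin_dir"/*.conf; do          # glob expansion is sorted, like systemd
        if [ -e "$f" ]; then set -- "$@" "$f"; fi
    done

    for f in "$@"; do
        [ -r "$f" ] || continue
        section=""
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(trim_ws "$line")
            case $line in
                ''|'#'*|';'*) continue ;;                        # blank or comment
                '['*']') section=${line#\[}; section=${section%\]}; continue ;;
                *=*) ;;
                *) continue ;;                                   # not an assignment
            esac
            [ "$section" = Journal ] || continue
            key=$(trim_ws "${line%%=*}")
            [ "$key" = ForwardToSyslog ] || continue
            value=$(trim_ws "${line#*=}")                        # last one wins
        done < "$f"
    done
    printf '%s\n' "$value"
}

# Constructed sample tree (not copied from any real host): the main file carries
# only the commented-out default, one drop-in enables forwarding with spaces
# around "=", and a later drop-in silently turns it off again.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/journald.conf.d"
    printf '[Journal]\n#ForwardToSyslog=yes\nStorage=persistent\n' > "$d/journald.conf"
    printf '[Journal]\nForwardToSyslog = yes\n' > "$d/journald.conf.d/10-forward.conf"
    printf '[Journal]\nForwardToSyslog=no\n' > "$d/journald.conf.d/20-local.conf"
    printf '%s\n' "$d"
}

# check_sample -> "no yes": "no" while both drop-ins are present (a grep would
# still show the ForwardToSyslog=yes line), "yes" once the overriding drop-in is gone.
check_sample() {
    d=$(build_sample)
    with_override=$(effective_forward_to_syslog "$d/journald.conf" "$d/journald.conf.d")
    rm -f "$d/journald.conf.d/20-local.conf"
    without_override=$(effective_forward_to_syslog "$d/journald.conf" "$d/journald.conf.d")
    rm -rf "$d"
    printf '%s %s\n' "$with_override" "$without_override"
}

# On a live host: effective_forward_to_syslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d
check_sample
```

This only verifies journald's side of the chain: ForwardToSyslog=yes hands records to the local syslog socket, and whether they ever leave the machine depends on rsyslog having a remote destination configured, which this rule does not check.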