{"description": "The <tt>systemd-journal-upload</tt> service is part of the <tt>systemd-journal-remote</tt> package\nand enables centralized logging by uploading local systemd journal entries to a remote log\nserver via HTTPS. This service acts as a client that pushes journal data to a remote host\nrunning the <tt>systemd-journal-remote</tt> receiver service.\n\nThe <code>systemd-journal-upload</code> service can be enabled with the following command:\n<pre>$ sudo systemctl enable systemd-journal-upload.service</pre>", "rationale": "Centralized logging through <tt>systemd-journal-upload</tt> is essential for security monitoring,\nincident response, and compliance requirements. Storing log data on a remote host protects log\nintegrity from local attacks. If an attacker gains root access on the local system, they could\ntamper with or remove log data stored locally to hide their activities. Remote logging ensures\nthat audit trails remain intact even if the local system is compromised. Additionally,\ncentralized logs facilitate correlation of events across multiple systems, enabling better\ndetection of distributed attacks and security incidents.", "severity": "medium", "references": {"srg": ["SRG-OS-000479-GPOS-00224"], "cis": ["6.2.1.2.3"]}, "control_references": {"cis": ["6.2.1.2.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the systemd-journal-upload service is not running", "ocil": "\n\nRun the following command to determine the current status of the\n<code>systemd-journal-upload</code> service:\n<pre>$ sudo systemctl is-active systemd-journal-upload</pre>\nIf the service is running, it should return the following: <pre>active</pre>", "oval_external_content": null, "fixtext": "To enable the systemd-journal-upload service run the following command:\n\n$ sudo systemctl enable --now systemd-journal-upload", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 service systemd-journal-upload must be enabled.", "warnings": [{"general": "The <tt>systemd-journal-upload</tt> service will fail to start if the remote server URL is not configured.\nEdit <tt>/etc/systemd/journal-upload.conf</tt> to configure the remote server URL."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine and package[systemd-journal-remote]", "platforms": ["machine and package[systemd-journal-remote]"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_systemd-journal-upload_enabled.sh", "relative_path": "ubuntu2204/checks/sce/service_systemd-journal-upload_enabled.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["machine_and_package_systemd-journal-remote"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable systemd-journal-upload Service", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml", "template": {"name": "service_enabled", "vars": {"servicename": "systemd-journal-upload", "packagename": "systemd-journal-remote"}, "backends": {}}}