documentation_complete: true

title: Ensure journald is configured to compress large log files

description: |-
    The journald system can compress large log files to avoid fill the system disk.

rationale:
    Log files that are not properly compressed run the risk of growing so large
    that they fill up the log partition. Valuable logging information could be lost
    if the log partition becomes full.

severity: medium

identifiers:
    cce@rhel8: CCE-85930-6
    cce@rhel9: CCE-85931-4
    cce@rhel10: CCE-87639-1
    cce@sle12: CCE-92261-7
    cce@sle15: CCE-91377-2
    cce@slmicro5: CCE-94018-9

references:
    cis@sle12: 4.2.2.2
    cis@sle15: 4.2.2.2

ocil_clause: 'is commented out or not configured correctly'

ocil: |-
    Storing logs with compression can help avoid filling the system disk.
    Run the following command to verify that journald is compressing logs.
    <pre>
{{%- if product in ["fedora", "sle15"] or "rhel" in product or "ubuntu" in product %}}
    grep "^\sCompress" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
{{% else %}}
    grep "^\sCompress" /etc/systemd/journald.conf
{{% endif %}}
    </pre>
    and it should return
    <pre>
    Compress=yes
    </pre>

{{%- if product in ["fedora", "sle15"] or "rhel" in product or "ubuntu" in product %}}
template:
    name: systemd_dropin_configuration
    vars:
        master_cfg_file: /etc/systemd/journald.conf
        dropin_dir: {{{ journald_conf_dir_path }}}
        section: Journal
        param: Compress
        value: yes
        no_quotes: 'true'
        missing_config_file_fail: 'false'
{{% else %}}
template:
    name: shell_lineinfile
    vars:
        path: /etc/systemd/journald.conf
        parameter: Compress
        value: yes
        no_quotes: 'true'
{{% endif -%}}

{{% if 'ubuntu' in product %}}
platform: service_disabled[rsyslog]
{{% endif %}}