documentation_complete: true


title: Ensure journald is configured to write log files to persistent disk

description: |-
    The journald system may store log files in volatile memory or locally on disk.
    If the logs are only stored in volatile memory they will be lost upon reboot.

rationale:
    Log files contain valuable data and need to be persistent to aid in possible investigations.

severity: medium

identifiers:
    cce@rhel8: CCE-86045-2
    cce@rhel9: CCE-86046-0
    cce@rhel10: CCE-90077-9
    cce@sle12: CCE-92262-5
    cce@sle15: CCE-91378-0
    cce@slmicro5: CCE-94016-3

references:
    cis@sle12: 4.2.2.3
    cis@sle15: 4.2.2.3

ocil_clause: 'is commented out or not configured correctly'

ocil: |-
    Storing logs with persistent storage ensures they are available after a reboot or system crash.
    Run the command below to verify that logs are being persistently stored to disk.
    <pre>
{{%- if product in ["fedora", "sle15"] or "rhel" in product or "ubuntu" in product %}}
    grep "^\sStorage" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
{{% else %}}
    grep "^\sStorage" /etc/systemd/journald.conf
{{% endif %}}
    </pre>
    and it should return
    <pre>
    Storage=persistent
    </pre>

{{%- if product in ["fedora", "sle15"] or "rhel" in product or "ubuntu" in product %}}
template:
    name: systemd_dropin_configuration
    vars:
        master_cfg_file: /etc/systemd/journald.conf
        dropin_dir: {{{ journald_conf_dir_path }}}
        section: Journal
        param: Storage
        value: persistent
        no_quotes: 'true'
        missing_config_file_fail: 'false'
{{% else %}}
template:
    name: shell_lineinfile
    vars:
        path: /etc/systemd/journald.conf
        parameter: Storage
        value: persistent
        no_quotes: 'true'
{{% endif -%}}

{{% if 'ubuntu' in product %}}
platform: service_disabled[rsyslog]
{{% endif %}}