
6.1.2.1.2 Ensure systemd-journal-upload authentication is configured

Audit

Run the following script to verify systemd-journal-upload authentication is configured:

#!/usr/bin/env bash
{
   a_output=() a_output2=() l_analyze_cmd="$(readlink -f /bin/systemd-analyze)"
   l_systemd_config_file="systemd/journal-upload.conf"
   # Parameter name and a regex its effective value must match (here: any non-empty value)
   a_parameters=("URL=^.+$" "ServerKeyFile=^.+$" "ServerCertificateFile=^.+$" "TrustedCertificateFile=^.+$")
   f_config_file_parameter_chk()
   {
      l_used_parameter_setting=""
      # Walk the files systemd actually loads, last-loaded first (tac), and stop at the
      # first file that sets the parameter: that file's last assignment is the one in effect
      while IFS= read -r l_file; do
         l_file="$(tr -d '# ' <<< "$l_file")"
         l_used_parameter_setting="$(grep -PHs -- '^\h*'"$l_parameter_name"'\b' "$l_file" | tail -n 1)"
         [ -n "$l_used_parameter_setting" ] && break
      done < <($l_analyze_cmd cat-config "$l_systemd_config_file" | tac | grep -Pio '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
      if [ -n "$l_used_parameter_setting" ]; then
         # grep -H output is "file:Name=Value"; split off the file, then the name and value
         while IFS=: read -r l_file_name l_file_parameter; do
            while IFS="=" read -r l_file_parameter_name l_file_parameter_value; do
               if grep -Pq -- "$l_parameter_value" <<< "$l_file_parameter_value"; then
                  a_output+=(" - Parameter: \"${l_file_parameter_name// /}\"" " set to: \"${l_file_parameter_value// /}\"" " in the file: \"$l_file_name\"")
               fi
            done <<< "$l_file_parameter"
         done <<< "$l_used_parameter_setting"
      else
         a_output2+=(" - Parameter: \"$l_parameter_name\" is not set in an included file" " *** Note: ***" " \"$l_parameter_name\" May be set in a file that's ignored by load procedure")
      fi
   }
   for l_input_parameter in "${a_parameters[@]}"; do
      while IFS="=" read -r l_parameter_name l_parameter_value; do # Assess and check parameters
         l_parameter_name="${l_parameter_name// /}";
         l_parameter_value="${l_parameter_value// /}"
         # Human-readable form of the expected value (kept for the messages; unused with these regexes)
         l_value_out="${l_parameter_value//-/ through }";
         l_value_out="${l_value_out//|/ or }"
         l_value_out="$(tr -d '(){}' <<< "$l_value_out")"
         f_config_file_parameter_chk
      done <<< "$l_input_parameter"
   done
   if [ "${#a_output2[@]}" -le 0 ]; then
      printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""
   else
      printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
      [ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}" ""
   fi
}

Review the output to ensure it matches your environment's certificate locations and the URL of the log server. Example output:

- Audit Result:
** PASS **
  - Parameter: "URL"
    set to: "192.168.50.42"
    in the file: "/etc/systemd/journal-upload.conf.d/60-journald_upload.conf"
  - Parameter: "ServerKeyFile"
    set to: "/etc/ssl/private/journal-upload.pem"
    in the file: "/etc/systemd/journal-upload.conf.d/60-journald_upload.conf"
  - Parameter: "ServerCertificateFile"
    set to: "/etc/ssl/certs/journal-upload.pem"
    in the file: "/etc/systemd/journal-upload.conf.d/60-journald_upload.conf"
  - Parameter: "TrustedCertificateFile"
    set to: "/etc/ssl/ca/trusted.pem"
    in the file: "/etc/systemd/journal-upload.conf.d/60-journald_upload.conf"
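The audit above leaves file precedence to systemd-analyze cat-config and accepts any non-empty URL. The following Python script is an added example, not part of the benchmark: it merges journal-upload.conf with its conf.d drop-ins using the same last-assignment-wins rule on a constructed sample tree in a temporary directory, reports which file supplied each effective value, and additionally flags a URL that explicitly uses http://, because the journal is then sent without TLS and the client certificate named by ServerKeyFile/ServerCertificateFile is never presented.

```python
import configparser
import tempfile
from pathlib import Path

# The four [Upload] keys this control requires to be non-empty.
REQUIRED = ("URL", "ServerKeyFile", "ServerCertificateFile", "TrustedCertificateFile")

def load_upload_section(root):
    """Merge journal-upload.conf with its conf.d drop-ins under root.

    Same precedence systemd-analyze cat-config displays: main file first, then
    drop-ins in lexical order; the last assignment of a key wins.
    Returns {key: (value, source file)} for the [Upload] section.
    """
    main = root / "etc/systemd/journal-upload.conf"
    dropins = sorted((root / "etc/systemd/journal-upload.conf.d").glob("*.conf"))
    merged = {}
    for path in ([main] if main.is_file() else []) + dropins:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep key case as written (URL, not url)
        cp.read_string(path.read_text())  # full-line '#' comments are skipped
        if cp.has_section("Upload"):
            for key, value in cp.items("Upload"):
                merged[key] = (value.strip(), path.relative_to(root).as_posix())
    return merged

def audit(root):
    """Return findings as a list of strings; an empty list means PASS."""
    merged = load_upload_section(root)
    findings = [f"{k} is not set in an effective file" for k in REQUIRED if not merged.get(k, ("",))[0]]
    url = merged.get("URL", ("",))[0]
    if url.lower().startswith("http://"):
        findings.append("URL uses http://, so the client certificate is never presented")
    return findings

def build_sample_tree():
    """Constructed sample tree (not a real host): main file plus two drop-ins."""
    root = Path(tempfile.mkdtemp())
    dropin_dir = root / "etc/systemd/journal-upload.conf.d"
    dropin_dir.mkdir(parents=True)
    (root / "etc/systemd/journal-upload.conf").write_text(
        "[Upload]\nURL=http://192.168.50.42\nServerKeyFile=/etc/ssl/private/journal-upload.pem\n")
    (dropin_dir / "50-site.conf").write_text(  # overrides the plaintext URL from the main file
        "[Upload]\nURL=https://192.168.50.42\nTrustedCertificateFile=/etc/ssl/ca/trusted.pem\n")
    (dropin_dir / "60-journald_upload.conf").write_text(
        "[Upload]\nServerCertificateFile=/etc/ssl/certs/journal-upload.pem\n")
    return root

if __name__ == "__main__":
    findings = audit(build_sample_tree())
    print("** PASS **" if not findings else "** FAIL **\n" + "\n".join(findings))
```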

Remediation

Edit /etc/systemd/journal-upload.conf or a file in /etc/systemd/journal-upload.conf.d ending in .conf, and ensure the following lines are set in the [Upload] section with values appropriate to your environment. Example settings:

[Upload]
URL=192.168.50.42
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/trusted.pem

Example script to create systemd drop-in configuration file:

#!/usr/bin/env bash
{
   a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
   [ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
   if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
      # The drop-in already has an [Upload] section: append the settings to it
      printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
   else
      # Otherwise start the [Upload] section (journal-upload reads [Upload], not [Journal]) and add the settings
      printf '%s\n' "" "[Upload]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
   fi
}

Run the following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journal-upload