6.1.2.3 Ensure journald Compress is configured

Audit

- IF - journald is the method for capturing logs Run the following script to verify Compress is set to yes:

#!/usr/bin/env bash
{
a_output=() a_output2=() l_analyze_cmd="$(readlink -f /bin/systemd-analyze)"
l_systemd_config_file="systemd/journald.conf"
a_parameters=("Compress=yes")
f_config_file_parameter_chk()
{
l_used_parameter_setting=""
while IFS= read -r l_file; do
l_file="$(tr -d '# ' <<< "$l_file")"
l_used_parameter_setting="$(grep -PHs -- '^\h*'"$l_parameter_name"'\b' "$l_file" | tail -n 1)"
[ -n "$l_used_parameter_setting" ] && break
done < <($l_analyze_cmd cat-config "$l_systemd_config_file" | tac | grep -Pio '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
if [ -n "$l_used_parameter_setting" ]; then
while IFS=: read -r l_file_name l_file_parameter; do
while IFS="=" read -r l_file_parameter_name l_file_parameter_value; do
if grep -Pq -- "$l_parameter_value" <<< "$l_file_parameter_value"; then
a_output+=(" - Parameter: \"${l_file_parameter_name// /}\"" \"correctly set to: \"${l_file_parameter_value// /}\"" \"in the file: \"$l_file_name\"")
else
a_output2+=(" - Parameter: \"${l_file_parameter_name// /}\"" \"incorrectly set to: \"${l_file_parameter_value// /}\"" \"in the file: \"$l_file_name\"" \"Should be set to: \"$l_value_out\"")
fi
done <<< "$l_file_parameter"
done <<< "$l_used_parameter_setting"
else
a_output2+=(" - Parameter: \"$l_parameter_name\" is not set in an included file" \"*** Note: \"$l_parameter_name\" May be set in a file that's ignored by load procedure ***")
fi
}
for l_input_parameter in "${a_parameters[@]}"; do
while IFS="=" read -r l_parameter_name l_parameter_value; do # Assess and check parameters
l_parameter_name="${l_parameter_name// /}";
l_parameter_value="${l_parameter_value// /}"
l_value_out="${l_parameter_value//-/ through }";
l_value_out="${l_value_out//|/ or }"
l_value_out="$(tr -d '(){}' <<< "$l_value_out")"
f_config_file_parameter_chk
done <<< "$l_input_parameter"
done
if [ "${#a_output2[@]}" -le 0 ]; then
printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""
else
printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}" ""
fi
}

Remediation

IF - rsyslog is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure rsyslog" section followed. - IF - journald is the preferred method for capturing logs: Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf:

Compress=yes

Example script to create systemd drop-in configuration file:

#!/usr/bin/env bash
{
a_settings=("Compress=yes")
[ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
else
printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
fi
}

Note: If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten Run to following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald

Default Value: Compress=yes