← Rules Catalog
mediumloggingunverified

Ensure systemd-journal-remote authentication is configured

journal-remote-authentication · RHEL ≥ 8 · 1 impl

Description

If systemd-journal-remote is used to receive logs over the network, it must be configured with TLS server key/certificate/trust-anchor so remote log sources are authenticated. Not applicable where journal-remote is not installed.

Rationale

Unauthenticated remote log ingestion allows spoofed or tampered log data to enter the journal, undermining the integrity of the audit trail.

Check → Remediate

Checkcommand
conf=/etc/systemd/journal-remote.conf
if ! rpm -q systemd-journal-remote >/dev/null 2>&1 && [ ! -f "$conf" ]; then
  echo "NOT APPLICABLE: systemd-journal-remote not installed"
  exit 0
fi
if grep -qE '^\s*ServerKeyFile\s*=' "$conf" 2>/dev/null \
   && grep -qE '^\s*ServerCertificateFile\s*=' "$conf" 2>/dev/null \
   && grep -qE '^\s*TrustedCertificateFile\s*=' "$conf" 2>/dev/null; then
  echo "OK: journal-remote TLS key/cert/trust-anchor configured"
  exit 0
fi
echo "FAIL: journal-remote TLS authentication (ServerKeyFile/ServerCertificateFile/TrustedCertificateFile) not fully configured"
exit 1
expected_exit:
0
Remediatemanual
note:
Set ServerKeyFile, ServerCertificateFile, and TrustedCertificateFile in /etc/systemd/journal-remote.conf and restart systemd-journal-remote.

Framework references

CIS

rhel8 6.2.1.2.2

NIST 800-53

AU-9SC-8
#journald#journal-remote#tls#authentication#cis