← Rules Catalog
mediumloggingverified rollback-safe

Restrict permissions on the journalctl command

journalctl-permissions · UBUNTU ≥ 22 · 1 impl

Description

The /usr/bin/journalctl command must have a mode of 0740 so that only root can execute it and read the systemd journal, which may contain sensitive operational information.

Rationale

The systemd journal can expose sensitive system and security detail. Restricting the journalctl binary to root-only execution prevents unprivileged users from reading it.

Check → Remediate

Checkfile_permission
path:
/usr/bin/journalctl
mode:
0740
Remediatefile_permissions
path:
/usr/bin/journalctl
mode:
0740

Framework references

STIG

V-270758 / UBTU-24-700030V-260512 / UBTU-22-232140

NIST 800-53

SI-11

Live verification

ubuntu22:checkubuntu24:checkubuntu26:check
#journald#permissions#logging