← Rules Catalog
mediumloggingverified

Ensure journald log file access is configured

journald-file-access · RHEL ≥ 8 · 1 impl

Description

The persistent journal directory /var/log/journal and its files must not be accessible beyond the systemd-journal group and root, so log contents are not exposed to unprivileged users.

Rationale

System journals contain sensitive operational and security data. Loose permissions let unprivileged users read log data that can aid reconnaissance or expose secrets accidentally logged.

Check → Remediate

Checkcommand
d=/var/log/journal
if [ ! -d "$d" ]; then echo "FAIL: $d does not exist (persistent journal not configured)"; exit 1; fi
bad=$(find "$d" -type f \( -perm /0027 \) 2>/dev/null | head -1)
if [ -n "$bad" ]; then echo "FAIL: over-permissive journal file: $bad"; exit 1; fi
echo "OK: journal files restricted to group/owner"
expected_exit:
0
Remediatemanual
note:
Ensure /var/log/journal files are mode 0640 or stricter and owned root:systemd-journal (systemd-tmpfiles restores the shipped permissions).

Framework references

CIS

rhel9 6.2.1.2rhel8 6.2.1.1.2rhel10 6.2.1.2

NIST 800-53

AU-9

Live verification

rhel9:check
#journald#logging#permissions