CIS-CAT-PRO audit finding 4.2.2.3 #279

Closed
bbaassssiiee opened this issue Apr 17, 2023 · 3 comments
bbaassssiiee commented Apr 17, 2023

Describe the Issue

Description:

The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.

Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts.

Edit the /etc/systemd/journald.conf file and add the following line:

Compress=yes 

Expected Behavior
Explicitly defined. No quotes around yes, not commented.

Actual Behavior
The line is still commented and shouldn't be.

Control(s) Affected
What controls are being affected by the issue: CIS 4.2.2.3

Environment (please complete the following information):

  • Ansible Version: [core 2.11.12]
  • Host Python Version: [Python 3.6.8]
  • Ansible Server Python Version: [Python 3.6.8]
  • Using branch: [release 2.2.1]
  • Additional Details:

Additional Notes
CIS-CAT-PRO is the official audit tool for CIS members.

Possible Solution
Enter a suggested fix here

- name: Insert correct line to /etc/systemd/journald.conf
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    create: true
    regexp: 'Compress='
    line: Compress=yes
    state: present
    insertafter: ^#Compress
    validate: /usr/bin/bash -n %s

bbaassssiiee added the bug label Apr 17, 2023

bbaassssiiee commented

- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"

bbaassssiiee commented

Contents of /etc/systemd/journald.conf after applying RHEL8-CIS on AlmaLinux 8.7:

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K

bbaassssiiee added a commit to TeamSalvador/RHEL8-CIS that referenced this issue Apr 17, 2023
bbaassssiiee commented

The line is commented and shouldn't be:

#Compress=yes

bbaassssiiee added a commit to TeamSalvador/RHEL8-CIS that referenced this issue Apr 17, 2023
Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
uk-bolly added a commit that referenced this issue Apr 25, 2023
@uk-bolly uk-bolly self-assigned this Apr 25, 2023
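
A local check for the condition this issue describes, as an added example that is not part of the issue, the RHEL8-CIS role or CIS-CAT-PRO: it reports whether `Compress` in the `[Journal]` section is active and unquoted, or only present as a commented default. The function names and sample files are hypothetical, and the pass condition (an uncommented `Compress` line with the unquoted value `yes`) is an assumption based on the Expected Behavior above.

```shell
#!/bin/sh
# Added example: report how Compress= appears in a journald.conf-style file.
# Assumption: the finding clears only when an active (uncommented) Compress
# line in [Journal] carries the unquoted value yes.

# Prints: explicit-yes | commented | quoted | other | missing
compress_state() {
    awk -v sq="'" '
        # Track the current section; only [Journal] is of interest.
        /^[ \t]*\[/ { in_journal = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
        !in_journal { next }
        # A commented default such as "#Compress=yes" documents, it does not set.
        /^[ \t]*[#;][ \t]*Compress[ \t]*=/ { if (state == "") state = "commented"; next }
        /^[ \t]*Compress[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # keep the value only
            sub(/[ \t\r]+$/, "", v)        # drop trailing blanks / CR
            c = substr(v, 1, 1)
            if (v == "yes") state = "explicit-yes"
            else if (c == "\"" || c == sq) state = "quoted"
            else state = "other"           # last active assignment wins
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Exit status 0 only when the setting is explicitly defined as yes.
compress_compliant() {
    [ "$(compress_state "$1")" = "explicit-yes" ]
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '[Journal]\n#Storage=auto\n#Compress=yes\nForwardToSyslog=yes\n' > "$d/before.conf"
    printf '[Journal]\n#Storage=auto\nCompress=yes\nForwardToSyslog=yes\n' > "$d/after.conf"
    printf '[Journal]\nCompress="yes"\n' > "$d/quoted.conf"
    for f in before after quoted; do
        printf '%s: %s\n' "$f" "$(compress_state "$d/$f.conf")"
    done
    rm -rf "$d"
}
demo
```

The check reads a single file, as the issue does; settings placed in `journald.conf.d` drop-in files are not considered.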