ForwardToSyslog via drop-in-file #13315

@cambid

The problem from #9907 also occurs for Ubuntu 24.04.

The tests for Rule IDs:

xccdf_org.ssgproject.content_rule_journald_forward_to_syslog

only test the content of /etc/systemd/journald.conf, and remediations only focus on that file.

However, the documentation for journald states "Using drop-ins for local configuration is recommended over modifications to the main configuration file." and any settings in these files take precedence.

This means that should a drop-in file exist that overrides any settings being tested for, the tests will report incorrectly based on the lower-precedence main configuration file.
SCAP Security Guide Version: nightly build

Operating System Version: Ubuntu 24.04.

Steps to Reproduce:

  1. Create a drop-in file in /etc/systemd/journald.conf.d that changes a value being tested for. For example, ForwardToSyslog=yes
  2. Run tests.

Actual Results: Test will fail if /etc/systemd/journald.conf contains the default or no setting, despite journalctl using the override.
Expected Results: The test should also descend into that drop-in directory in the same way it does for /etc/sudoers.d/ or /etc/ssh/sshd_config.d, and test any drop-in files.

Additionally, the remediations should create files in that drop-in directory rather than modify the main config file, as recommended by the journald documentation.

Thank you
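
An added illustration of the precedence problem reported above (not part of the original issue and not the project's own check code): a resolver that layers the main file and the drop-in directories the way journald.conf(5) describes, so a check can compare against the effective value instead of the main file alone. The names `read_option` and `effective_option` are hypothetical; the sketch assumes the main file lives in /etc/systemd and does not handle drop-ins masked with a /dev/null symlink.

```python
import os

# Drop-in directories in rising priority: a same-named file in a later
# directory masks the one in an earlier directory (see journald.conf(5)).
DROPIN_DIRS = ["usr/lib/systemd/journald.conf.d",
               "usr/local/lib/systemd/journald.conf.d",
               "run/systemd/journald.conf.d",
               "etc/systemd/journald.conf.d"]
MAIN_CONF = "etc/systemd/journald.conf"  # the only file the issue says is tested


def read_option(path, option, section="Journal"):
    """Return the last value of `option` in [section] of one file, or None."""
    value, current = None, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif current == section and "=" in line:
                key, _, val = line.partition("=")
                if key.strip() == option:
                    value = val.strip()
    return value


def effective_option(root="/", option="ForwardToSyslog"):
    """Return (value, source_file) after applying main file, then drop-ins."""
    by_name = {}
    for d in DROPIN_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in os.listdir(full):
                if name.endswith(".conf"):
                    by_name[name] = os.path.join(full, name)
    main = os.path.join(root, MAIN_CONF)
    # Main file first, then drop-ins sorted by file name across all directories;
    # the last file that sets the option wins.
    ordered = [main] if os.path.isfile(main) else []
    ordered += [by_name[n] for n in sorted(by_name)]
    result = (None, None)
    for path in ordered:
        val = read_option(path, option)
        if val is not None:
            result = (val, path)
    return result
```

On a live host, `systemd-analyze cat-config systemd/journald.conf` prints the same layered file set and is a quick manual cross-check.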
