Rule systemd-journald/* ignores contents of /etc/systemd/journald.conf.d/ #9907

@digdilem

Description of problem:

The tests for Rule IDs:

  • xccdf_org.ssgproject.content_rule_journald_compress
  • xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
  • xccdf_org.ssgproject.content_rule_journald_storage

only test the content of /etc/systemd/journald.conf, and the remediations only focus on that file.

However, the documentation for journald states "Using drop-ins for local configuration is recommended over modifications to the main configuration file." and any settings in these files take precedence.

This means that should a drop-in file exist that overrides any settings being tested for, the tests will report incorrectly based on the lower-precedence main configuration file.

SCAP Security Guide Version:

openscap.x86_64 1:1.3.6-4.el9.rocky.0.2
/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
Args: --profile cis_server_l1 --fetch-remote-resources

Operating System Version:

Rocky Linux 9

Steps to Reproduce:

  1. Create a drop-in file in /etc/systemd/journald.conf.d that changes a value being tested for. For example, Compress='yes'
  2. Run tests.

Actual Results:

Test will fail if /etc/systemd/journald.conf contains the default or no setting, despite journalctl using the override.

Expected Results:

The test should also descend into that drop-in directory in the same way it does for /etc/sudoers.d/ and test any drop-in files.

Additionally, the remediations should create files in that drop-in directory rather than modify the main config file, as recommended by the journald documentation.

Thank you
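
The precedence described in this issue, as an added example that is not part of the original report or of the project's own checks: a POSIX shell function that resolves the effective value of a journald key from the main file and then the drop-ins, last assignment winning. The `ROOT` prefix argument, the function names and the sample tree are constructed for illustration, and only the /etc locations named in the issue are read (systemd also honours drop-ins under /run and /usr/lib).

```shell
#!/bin/sh
# Added example (not project code). Effective value = last assignment seen in
# the main file, then in /etc drop-ins taken in lexical filename order.
# Assumption: drop-ins under /run and /usr/lib are not consulted here.

# journald_effective KEY [ROOT]   (ROOT is a hypothetical prefix for testing)
journald_effective() (
    key=$1
    root=${2:-}
    LC_ALL=C; export LC_ALL            # byte-order sorting for the glob
    set --
    for f in "$root/etc/systemd/journald.conf" \
             "$root/etc/systemd/journald.conf.d"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || exit 0             # nothing configured: print nothing
    awk -v key="$key" '
        FNR == 1      { in_journal = 0 }      # sections do not span files
        /^[ \t]*[#;]/ { next }                # commented-out defaults
        /^[ \t]*\[/   { in_journal = ($0 ~ /^[ \t]*\[Journal\]/); next }
        in_journal {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) value = v           # later assignment wins
        }
        END { print value }
    ' "$@"
)

# Constructed sample: the main file disables compression, a drop-in enables it.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/systemd/journald.conf.d"
    printf '%s\n' '[Journal]' '#Storage=auto' 'Compress=no' \
        > "$r/etc/systemd/journald.conf"
    printf '%s\n' '[Journal]' 'Compress=yes' 'Storage=persistent' \
        > "$r/etc/systemd/journald.conf.d/60-local.conf"
    printf '%s\n' "$r"
}

sample=$(make_sample_root)
for k in Compress ForwardToSyslog Storage; do
    printf '%s=%s\n' "$k" "$(journald_effective "$k" "$sample")"
done
rm -rf "$sample"
```

A check that reads only the main file in this sample would see `Compress=no`, while the resolved value is `yes`.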
