@jan-cerny
Collaborator

Add rule service_systemd-journal-upload_enabled to RHEL 10 CIS profile. Aligns the RHEL 10 CIS profile with CIS RHEL 10 Benchmark v1.0.1.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6109

@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 30, 2025
@jan-cerny jan-cerny added the labels CIS (CIS Benchmark related) and RHEL10 (Red Hat Enterprise Linux 10 product related) Oct 30, 2025
@Mab879
Member

Mab879 commented Oct 30, 2025

While you didn't write this rule in this PR, you might double-check it before we merge this. Something seems wrong.

@jan-cerny
Collaborator Author

I have improved the description and rationale.

@Mab879
Member

Mab879 commented Oct 31, 2025

The rule is also failing tests; is that something we expect? If so, we should waive it.

@Mab879 Mab879 self-assigned this Oct 31, 2025
@jan-cerny
Collaborator Author

I have found that the service failed to start, and in the journal I can see this error:

```
Oct 31 10:33:21 localhost.localdomain systemd-journal-upload[4238]: Required --url=/-u option missing.
```

That happens because the service doesn't have the remote log host configured. That should be done as a part of the configuration for the preceding CIS requirement (6.2.2.1.2 Ensure systemd-journal-upload authentication is configured). But, that requirement is manual.

Is it OK to keep the rule service_systemd-journal-upload_enabled in the profile and waive the fail in contest or should we move the service_systemd-journal-upload_enabled to related_rules and therefore remove it from the profile?
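
The failure described in the comment above can be caught before the service is enabled by checking for an effective `URL=` in the `[Upload]` section. This is an added example, not code from the PR or from ComplianceAsCode; it reads only the main file and the `/etc` drop-ins (a simplification), and the function name and its `root` prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR): report the effective URL= that
# systemd-journal-upload would read from its [Upload] section.
# Assumption: only /etc/systemd/journal-upload.conf and /etc drop-ins are read.
# The optional argument is a hypothetical root prefix for testing offline.
journal_upload_url() {
    root="${1:-}"
    main="$root/etc/systemd/journal-upload.conf"
    set --
    if [ -f "$main" ]; then set -- "$main"; fi
    # Drop-ins are applied after the main file, in lexical order.
    for f in "$root"/etc/systemd/journal-upload.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 1
    url=$(awk '
        FNR == 1          { in_upload = 0 }   # each file starts outside any section
        /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
        /^[ \t]*\[/       { in_upload = ($0 ~ /^[ \t]*\[Upload\][ \t]*$/); next }
        in_upload && /^[ \t]*URL[ \t]*=/ {
            sub(/^[ \t]*URL[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            url = $0                          # last assignment wins; empty clears it
        }
        END { print url }' "$@")
    [ -n "$url" ] || return 1
    printf '%s\n' "$url"
}

# Stand-alone use: exit status 1 means the service would start without a URL.
if url=$(journal_upload_url "${ROOT:-}"); then
    echo "journal-upload URL configured: $url"
else
    echo "no URL= in [Upload]; expect 'Required --url=/-u option missing.'"
fi
```
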

@Mab879
Member

Mab879 commented Oct 31, 2025

I assume there isn't a way for us to NA this until the URL is configured?

@jan-cerny
Collaborator Author

@Mab879

I think it's possible, the URL is configured in a configuration file, that means we can write a CPE OVAL check for that.

But, I think it isn't something we want, because the report showing that rule is evaluated as notapplicable will be misleading. The CIS says users should have the service enabled. If the rule fails, the users know that they're incompliant and can resolve it. If the rule resolves as notapplicable, the users can skip the requirement.

I lean towards this solution: add a warning to the rule and waive it in contest.

jan-cerny added a commit to jan-cerny/contest that referenced this pull request Nov 3, 2025
The service systemd-journal-upload fails to start if a remote log destination
URL isn't configured in /etc/systemd/journal-upload.conf.

The rule will be added to RHEL by:
ComplianceAsCode/content#14069
See the discussion there.
@jan-cerny
Collaborator Author

I have added a warning and I have created a PR that adds a waiver to contest: RHSecurityCompliance/contest#481

@openshift-ci

openshift-ci bot commented Nov 3, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 819c918 | link | true | `/test e2e-aws-openshift-node-compliance` |


matusmarhefka pushed a commit to RHSecurityCompliance/contest that referenced this pull request Nov 3, 2025
@Mab879
Member

Mab879 commented Nov 4, 2025

/packit retest-failed

@Mab879 Mab879 merged commit 98b7a95 into ComplianceAsCode:master Nov 4, 2025
139 of 140 checks passed