Add journald_disable_forward_to_syslog to RHEL 10 CIS

jan-cerny · jan-cerny · commit d514d937c175 · 2025-10-31T11:23:01.000+01:00
Our control file maps this requirement to rule `journald_forward_to_syslog` which does the opposite than the requirement 6.2.2.2 asks. Instead, the control should list rule `journald_disable_forward_to_syslog`. This change aligns our content with RHEL 10 CIS Benchmark v1.0.1. Resolves: https://issues.redhat.com/browse/OPENSCAP-6110
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -2393,10 +2393,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: This rule conflicts with 6.2.3.3. More investigation is needed to properly solve this.
-      related_rules:
-          - journald_forward_to_syslog
+      status: automated
+      rules:
+          - journald_disable_forward_to_syslog
 
     - id: 6.2.2.3
       title: Ensure journald Compress is configured (Automated)
diff --git a/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
@@ -17,10 +17,27 @@ platform: package[systemd]
 
 severity: medium
 
+ocil: |-
+    Run the following command to verify that journald is not forwarding logs to syslog.
+    <pre>
+{{%- if product == "sle15" or "rhel" in product %}}
+    grep "^\sForwardToSyslog" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
+{{% else %}}
+    grep "^\sForwardToSyslog" /etc/systemd/journald.conf
+{{% endif %}}
+    </pre>
+    and it should return
+    <pre>
+    ForwardToSyslog=no
+    </pre>
+
+ocil_clause: 'is commented out or not configured correctly'
+
 identifiers:
+    cce@rhel10: CCE-88340-5
     cce@sle15: CCE-92566-9
 
-{{%- if product in ["rhel8", "rhel9", "sle15"] %}}
+{{%- if product == "sle15" or "rhel" in product %}}
 template:
     name: systemd_dropin_configuration
     vars:
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -990,7 +990,6 @@ CCE-88335-5
 CCE-88337-1
 CCE-88338-9
 CCE-88339-7
-CCE-88340-5
 CCE-88341-3
 CCE-88342-1
 CCE-88346-2
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
@@ -241,6 +241,7 @@ grub2_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
+journald_disable_forward_to_syslog
 journald_storage
 kernel_module_atm_disabled
 kernel_module_can_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -161,6 +161,7 @@ grub2_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
+journald_disable_forward_to_syslog
 journald_storage
 kernel_module_atm_disabled
 kernel_module_can_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -159,6 +159,7 @@ grub2_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
+journald_disable_forward_to_syslog
 journald_storage
 kernel_module_atm_disabled
 kernel_module_can_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -241,6 +241,7 @@ grub2_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
+journald_disable_forward_to_syslog
 journald_storage
 kernel_module_atm_disabled
 kernel_module_can_disabled
