Merge pull request #14242 from vojtapolasek/cis_only_one_logging_system

RHEL 10 CIS: Implement 6.2.1.4

Author: Mab879

components/rsyslog.yml

@@ -9,6 +9,7 @@ packages:
 - rsyslog-gnutls
 rules:
 - disable_logwatch_for_logserver
+- ensure_journald_and_rsyslog_not_active_together
 - ensure_logrotate_activated
 - ensure_rtc_utc_configuration
 - file_groupowner_var_log_syslog

components/systemd.yml

@@ -13,6 +13,7 @@ rules:
 - dir_groupowner_system_journal
 - disable_ctrlaltdel_burstaction
 - disable_ctrlaltdel_reboot
+- ensure_journald_and_rsyslog_not_active_together
 - file_groupowner_etc_crypttab
 - file_groupowner_journalctl
 - file_groupowner_system_journal

controls/cis_rhel10.yml

@@ -2377,10 +2377,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary to create a new rule to check the status of journald and rsyslog.
-          It would also be necessary a new rule to disable or remove rsyslog.
+      status: automated
+      rules:
+          - ensure_journald_and_rsyslog_not_active_together
 
     - id: 6.2.2.1.1
       title: Ensure systemd-journal-remote is installed (Automated)

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/oval/shared.xml

@@ -0,0 +1,45 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Ensure journald and rsyslog are not active together", rule_title=rule_title) }}}
+    <criteria>
+        <criterion comment="both logging services are not active together"
+            test_ref="test_{{{ rule_id }}}_not_both_active"/>
+    </criteria>
+  </definition>
+
+  <linux:systemdunitproperty_object id="obj_{{{ rule_id }}}_logging_services" version="1"
+      comment="Active logging services">
+    <linux:unit operation="pattern match">^(rsyslog|systemd-journald).service$</linux:unit>
+    <linux:property>ActiveState</linux:property>
+    <filter action="include">ste_{{{ rule_id }}}_logging_services</filter>
+  </linux:systemdunitproperty_object>
+
+  <linux:systemdunitproperty_state id="ste_{{{ rule_id }}}_logging_services" version="1">
+    <linux:value>active</linux:value>
+  </linux:systemdunitproperty_state>
+
+  <!-- Count active logging services -->
+  <local_variable id="var_{{{ rule_id }}}_logging_service_active_count" datatype="int" version="1"
+                 comment="Number of currently active logging services">
+   <count>
+     <regex_capture pattern="^active$">
+       <object_component item_field="value" object_ref="obj_{{{ rule_id }}}_logging_services"/>
+     </regex_capture>
+   </count>
+  </local_variable>
+
+  <!-- Test that exactly one logging service is active -->
+  <ind:variable_test id="test_{{{ rule_id }}}_not_both_active" version="1" check="all"
+                     comment="Verify exactly one logging service is active">
+    <ind:object object_ref="obj_{{{ rule_id }}}_count"/>
+    <ind:state state_ref="ste_{{{ rule_id }}}_count"/>
+  </ind:variable_test>
+
+  <ind:variable_object id="obj_{{{ rule_id }}}_count" version="1">
+    <ind:var_ref>var_{{{ rule_id }}}_logging_service_active_count</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="ste_{{{ rule_id }}}_count" version="1">
+    <ind:value operation="equals" datatype="int">1</ind:value>
+  </ind:variable_state>
+</def-group>

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/rule.yml

@@ -0,0 +1,45 @@
+documentation_complete: true
+
+title: 'Ensure journald and rsyslog Are Not Active Together'
+
+description: |-
+    Ensure that exactly one logging system is active. Running both rsyslog and
+    systemd-journald simultaneously can lead to duplicate logging, resource
+    contention, and configuration conflicts. Running neither service means no
+    logging is occurring, which is also a violation.
+    <pre>
+    systemctl is-active rsyslog systemd-journald
+    </pre>
+    The command should return exactly one <tt>active</tt> service. Both services
+    should not be active at the same time, and at least one must be active.
+
+rationale: |-
+    Running multiple logging systems concurrently can cause conflicts, resource
+    contention, and inconsistent logging behavior. Systems should use either
+    rsyslog or systemd-journald, but not both simultaneously. This ensures
+    predictable logging behavior and prevents potential issues with log
+    duplication or loss.
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-90723-8
+
+platform: machine
+
+warnings:
+    - general: |-
+        This rule does not come with a remediation. The choice of logging
+        system (rsyslog vs systemd-journald) is an architectural decision
+        that should be made based on organizational requirements. Use
+        service_rsyslog_enabled/disabled or service_systemd-journald_enabled
+        rules to configure the desired logging system.
+
+ocil_clause: 'both rsyslog and systemd-journald services are active, or neither service is active'
+
+ocil: |-
+    To verify that exactly one logging system is active, run the following command:
+    <pre>systemctl is-active rsyslog systemd-journald | grep -c active</pre>
+    The output should be exactly 1. If the output is 0, no logging is active.
+    If the output is 2, both logging systems are active simultaneously. Both
+    cases are findings.

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/tests/both_active.fail.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# packages = rsyslog
+
+# Ensure both services are active
+systemctl start rsyslog
+systemctl start systemd-journald
+
+# Verify both are running
+systemctl is-active rsyslog systemd-journald

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/tests/none_active.fail.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# packages = rsyslog
+# remediation = none
+
+# Stop both logging services
+systemctl stop systemd-journald
+systemctl stop rsyslog
+systemctl mask systemd-journald
+systemctl mask rsyslog
+
+# Verify both are stopped
+! systemctl is-active rsyslog
+! systemctl is-active systemd-journald

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/tests/only_journald.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+#
+# packages = rsyslog
+
+# Stop and mask rsyslog, ensure journald is active
+systemctl stop rsyslog
+systemctl mask rsyslog
+systemctl start systemd-journald
+
+# Verify only journald is running
+systemctl is-active systemd-journald

linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/tests/only_rsyslog.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# packages = rsyslog
+
+systemctl start rsyslog
+systemctl stop systemd-journald.socket systemd-journald-dev-log.socket 2> /dev/null
+systemctl stop systemd-journald 2>/dev/null

shared/references/cce-redhat-avail.txt

@@ -2400,4 +2400,3 @@ CCE-90719-6
 CCE-90720-4
 CCE-90721-2
 CCE-90722-0
-CCE-90723-8