Disable systemd-journal-remote Socket
Description
Journald supports the ability to receive messages from remote hosts,
thus acting as a log server. Clients should not receive data from
other hosts.
NOTE:
The same package, systemd-journal-remote , is used for both sending
logs to remote hosts and receiving incoming logs.
With regards to receiving logs, there are two Systemd unit files;
systemd-journal-remote.socket and systemd-journal-remote.service.
Rationale
If a client is configured to also receive data, thus turning it into
a server, the client system is acting outside it’s operational boundary.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SOCKET_NAME="systemd-journal-remote.socket"
SYSTEMCTL_EXEC='/usr/bin/systemctl'
if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
"$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
"$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present
in the System
ansible.builtin.command:
cmd: systemctl -q list-unit-files --type socket
register: result_systemd_unit_files
changed_when: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- socket_systemd-journal-remote_disabled
- name: Disable systemd-journal-remote Socket - Ensure systemd-journal-remote.socket
is Masked
ansible.builtin.systemd:
name: systemd-journal-remote.socket
state: stopped
enabled: false
masked: true
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket")
tags:
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- socket_systemd-journal-remote_disabled
