Ubuntu 24.04 6.1.2.1.2 Ensure systemd-journal-upload authentication i…

…s configured
ComplianceAsCode · Jan 17, 2025 · 5bed8f1 · 5bed8f1
1 parent 9c82f04
commit 5bed8f1
Show file tree

Hide file tree

Showing 13 changed files with 128 additions and 6 deletions.
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2288,8 +2288,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented. Analogous to ubuntu2204/4.2.1.1.2.
+    rules:
+      - systemd_journal_upload_server_tls
+      - systemd_journal_upload_url
+    status: automated
 
   - id: 6.1.2.1.3
     title: Ensure systemd-journal-upload is enabled and active (Automated)

diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/oval/shared.xml b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/oval/shared.xml
@@ -20,7 +20,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_systemd_journal_upload_server_key_file" version="2">
-    <ind:filepath>/etc/systemd/journal-upload.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$</ind:filepath>
     <ind:pattern operation="pattern match">^\s*ServerKeyFile\s*=\s*(.*)\s*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -39,7 +39,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_systemd_journal_upload_server_certificate_file" version="2">
-    <ind:filepath>/etc/systemd/journal-upload.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$</ind:filepath>
     <ind:pattern operation="pattern match">^\s*ServerCertificateFile\s*=\s*(.*)\s*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -58,7 +58,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_systemd_journal_upload_server_trusted_certificate_file" version="2">
-    <ind:filepath>/etc/systemd/journal-upload.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$</ind:filepath>
     <ind:pattern operation="pattern match">^\s*TrustedCertificateFile\s*=\s*(.*)\s*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...journald/systemd_journal_upload_server_tls/tests/journald-conf-servercert-missing.fail.sh b/...journald/systemd_journal_upload_server_tls/tests/journald-conf-servercert-missing.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+     "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/...logging/journald/systemd_journal_upload_server_tls/tests/journald-conf-servercert.fail.sh b/...logging/journald/systemd_journal_upload_server_tls/tests/journald-conf-servercert.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload1.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/.../journald/systemd_journal_upload_server_tls/tests/journald-conf-serverkey-missing.fail sh b/.../journald/systemd_journal_upload_server_tls/tests/journald-conf-serverkey-missing.fail sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42"  \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/.../logging/journald/systemd_journal_upload_server_tls/tests/journald-conf-serverkey.fail sh b/.../logging/journald/systemd_journal_upload_server_tls/tests/journald-conf-serverkey.fail sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload1.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/...ournald/systemd_journal_upload_server_tls/tests/journald-conf-trustedcert-missing.fail.sh b/...ournald/systemd_journal_upload_server_tls/tests/journald-conf-trustedcert-missing.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/...ogging/journald/systemd_journal_upload_server_tls/tests/journald-conf-trustedcert.fail.sh b/...ogging/journald/systemd_journal_upload_server_tls/tests/journald-conf-trustedcert.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted1.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/...ide/system/logging/journald/systemd_journal_upload_server_tls/tests/journald-conf.pass.sh b/...ide/system/logging/journald/systemd_journal_upload_server_tls/tests/journald-conf.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_server_key_file=/etc/ssl/private/journal-upload.pem,var_journal_upload_server_certificate_file=/etc/ssl/certs/journal-upload.pem,var_journal_upload_server_trusted_certificate_file=/etc/ssl/ca/trusted.pem
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_url/oval/shared.xml b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/oval/shared.xml
@@ -13,7 +13,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_test_systemd_journal_upload_url" version="2">
-    <ind:filepath>/etc/systemd/journal-upload.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$</ind:filepath>
     <ind:pattern operation="pattern match">^\s*URL\s*=\s*(.*)\s*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...ystem/logging/journald/systemd_journal_upload_url/tests/journald-conf-url-missing.fail.sh b/...ystem/logging/journald/systemd_journal_upload_url/tests/journald-conf-url-missing.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_url=192.168.50.42
+
+a_settings=("ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+     "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/.../guide/system/logging/journald/systemd_journal_upload_url/tests/journald-conf-url.fail.sh b/.../guide/system/logging/journald/systemd_journal_upload_url/tests/journald-conf-url.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_url=192.168.50.42
+
+a_settings=("URL=192.168.50.41" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi
diff --git a/.../guide/system/logging/journald/systemd_journal_upload_url/tests/journald-conf-url.pass.sh b/.../guide/system/logging/journald/systemd_journal_upload_url/tests/journald-conf-url.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = systemd-journal-remote
+# variables = var_journal_upload_url=192.168.50.42
+
+a_settings=("URL=192.168.50.42" "ServerKeyFile=/etc/ssl/private/journal-upload.pem" \
+    "ServerCertificateFile=/etc/ssl/certs/journal-upload.pem" "TrustedCertificateFile=/etc/ssl/ca/trusted.pem")
+[ ! -d /etc/systemd/journal-upload.conf.d/ ] && mkdir /etc/systemd/journal-upload.conf.d/
+if grep -Psq -- '^\h*\[Upload\]' /etc/systemd/journal-upload.conf.d/60-journald_upload.conf; then
+    printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+else
+    printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journal-upload.conf.d/60-journald_upload.conf
+fi