diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml index 7ffcab8056fe..07a0a84d6bd4 100644 --- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml @@ -37,21 +37,27 @@ ocil: |- Storing logs with compression can help avoid filling the system disk. Run the following command to verify that journald is compressing logs.
+{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}}
+    grep "^\sCompress" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
+{{% else %}}
     grep "^\sCompress" /etc/systemd/journald.conf
+{{% endif %}}
     
and it should return
     Compress=yes
     
-{{%- if product == "sle15" %}} + +{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}} template: name: systemd_dropin_configuration vars: component: journald master_cfg_file: /etc/systemd/journald.conf - dropin_dir: /etc/systemd/journal.d/ + dropin_dir: {{{ journald_conf_dir_path }}} param: Compress value: yes + no_quotes: 'true' {{% else %}} template: name: shell_lineinfile diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml index 5119d15bda74..14a38b516fc1 100644 --- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml @@ -37,22 +37,27 @@ ocil: |- Storing logs remotely protects the integrity of the data from local attacks. Run the following command to verify that journald is forwarding logs to a remote host.
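Review bot: The added command `grep "^\sCompress" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf` keeps the `^\s` anchor of the old one, which requires exactly one leading whitespace character, so an unindented `Compress=yes` is never printed and an auditor following the OCIL text sees no output for a correctly configured system. Using `^\s*Compress` matches the form the text tells the reader to expect; the same applies to the added `ForwardToSyslog` and `Storage` commands in the two rule.yml hunks that follow. With more than one file on the command line grep also prefixes each hit with its file name, so "it should return Compress=yes" would be more accurate as "every reported line should end in `Compress=yes`".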
+{{%- if product in ["rhel8", "rhel9", "sle15"] %}}
+    grep "^\sForwardToSyslog" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
+{{% else %}}
     grep "^\sForwardToSyslog" /etc/systemd/journald.conf
+{{% endif %}}
     
and it should return
     ForwardToSyslog=yes
     
-{{%- if product == "sle15" %}} +{{%- if product in ["rhel8", "rhel9", "sle15"] %}} template: name: systemd_dropin_configuration vars: component: journald master_cfg_file: /etc/systemd/journald.conf - dropin_dir: /etc/systemd/journal.d/ + dropin_dir: {{{ journald_conf_dir_path }}} param: ForwardToSyslog value: yes + no_quotes: 'true' {{% else %}} template: name: shell_lineinfile diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml index 833346cc8057..29059889ddc1 100644 --- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml @@ -36,22 +36,27 @@ ocil: |- Storing logs with persistent storage ensures they are available after a reboot or system crash. Run the command below to verify that logs are being persistently stored to disk.
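Review bot: Both added conditionals in this rule use `["rhel8", "rhel9", "sle15"]`, while the journald_compress and journald_storage hunks use `["fedora", "rhel8", "rhel9", "sle15"]`. If leaving Fedora on the `shell_lineinfile` branch is deliberate for ForwardToSyslog, a short Jinja comment above the condition saying why would stop a later change from "fixing" it. If it is an oversight, add `"fedora"` to both lists so the three journald rules check and remediate the same locations.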
+{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}}
+    grep "^\sStorage" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
+{{% else %}}
     grep "^\sStorage" /etc/systemd/journald.conf
+{{% endif %}}
     
and it should return
     Storage=persistent
     
-{{%- if product == "sle15" %}} +{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}} template: name: systemd_dropin_configuration vars: component: journald master_cfg_file: /etc/systemd/journald.conf - dropin_dir: /etc/systemd/journal.d/ + dropin_dir: {{{ journald_conf_dir_path }}} param: Storage value: persistent + no_quotes: 'true' {{% else %}} template: name: shell_lineinfile diff --git a/products/sle15/product.yml b/products/sle15/product.yml index 1c49645b12c0..2abf550cedde 100644 --- a/products/sle15/product.yml +++ b/products/sle15/product.yml @@ -48,3 +48,4 @@ reference_uris: dconf_gdm_dir: "gdm.d" sysctl_remediate_drop_in_file: "true" +journald_conf_dir_path: "/etc/systemd/journal.d" diff --git a/shared/templates/systemd_dropin_configuration/ansible.template b/shared/templates/systemd_dropin_configuration/ansible.template index bbf0c5fa72dc..e3b409094669 100644 --- a/shared/templates/systemd_dropin_configuration/ansible.template +++ b/shared/templates/systemd_dropin_configuration/ansible.template @@ -30,7 +30,7 @@ - name: Deduplicate values from {{{ COMPONENT }}} {{{ PARAM }}} dropin configuration ansible.builtin.lineinfile: - path: "{{ item }}" + path: "{{ item.path }}" create: false regexp: ^\s*{{{ PARAM }}}= state: absent diff --git a/shared/templates/systemd_dropin_configuration/bash.template b/shared/templates/systemd_dropin_configuration/bash.template index c1cc5fe15432..f80ee7fa5a74 100644 --- a/shared/templates/systemd_dropin_configuration/bash.template +++ b/shared/templates/systemd_dropin_configuration/bash.template @@ -6,7 +6,7 @@ function remove_{{{ COMPONENT }}}_{{{ PARAM }}}_configuration { local COMPONENT_PARAM_CONFIG - COMPONENT_PARAM_CONFIG=$(ls {{{ DROPIN_DIR }}}/*.conf) + COMPONENT_PARAM_CONFIG=($(ls {{{ DROPIN_DIR }}}/*.conf)) COMPONENT_PARAM_CONFIG+=("{{{ MASTER_CFG_FILE }}}") for f in "${COMPONENT_PARAM_CONFIG[@]}" 
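Review bot: `journald_conf_dir_path: "/etc/systemd/journal.d"` carries over the directory that was previously hard-coded for sle15, but journald.conf(5) documents `/etc/systemd/journald.conf.d/*.conf` as the drop-in location, which is also the default this commit adds in ssg/constants.py. Unless SLE 15 ships a journald that reads `/etc/systemd/journal.d`, the remediation and the check would agree with each other while the daemon ignores the setting, so the rule passes on a system that is not hardened. Please confirm on a SLE 15 host (for example with `systemd-analyze cat-config systemd/journald.conf`) and, if the path is not read, drop this line so the default applies.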
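Review bot: `COMPONENT_PARAM_CONFIG=($(ls {{{ DROPIN_DIR }}}/*.conf))` builds the array from unquoted `ls` output, so a drop-in name containing whitespace or glob characters is split or re-expanded into paths that may not be the files in the directory, and `ls` prints an error when the directory is missing or holds no `.conf` file. This remediation presumably runs as root and edits every element, so letting the shell expand the pattern is safer: `COMPONENT_PARAM_CONFIG=( "{{{ DROPIN_DIR }}}"/*.conf )` with `[ -e "$f" ] || continue` as the first statement of the loop to skip an unmatched pattern. The loop body lies outside this hunk, so the placement of that guard needs checking against it.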
@@ -23,6 +23,9 @@ function {{{ COMPONENT }}}_{{{ PARAM }}}_add_configuration { mkdir -p "{{{ DROPIN_DIR }}}" COMPONENT_PARAM_REMEDY_CFG="{{{ DROPIN_DIR }}}/oscap-remedy.conf" + if [ ! -f "${COMPONENT_PARAM_REMEDY_CFG}" ] ; then + touch "${COMPONENT_PARAM_REMEDY_CFG}" + fi cp "${COMPONENT_PARAM_REMEDY_CFG}" "${COMPONENT_PARAM_REMEDY_CFG}.bak" # Insert before the line matching the regex '^#\s*Compress'. line_number="$(LC_ALL=C grep -n "^#\s*{{{ PARAM }}}" "${COMPONENT_PARAM_REMEDY_CFG}.bak" | LC_ALL=C sed 's/:.*//g')" diff --git a/shared/templates/systemd_dropin_configuration/tests/correct_dir.pass.sh b/shared/templates/systemd_dropin_configuration/tests/correct_dir.pass.sh new file mode 100644 index 000000000000..7b4d2ff0302a --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/correct_dir.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +DROPIN_DIR="{{{ DROPIN_DIR }}}" +[ -d $DROPIN_DIR ] || mkdir -p $DROPIN_DIR +echo "$PARAM=$VALUE" >> "$DROPIN_DIR/ssg.conf" diff --git a/shared/templates/systemd_dropin_configuration/tests/correct_master.pass.sh b/shared/templates/systemd_dropin_configuration/tests/correct_master.pass.sh new file mode 100644 index 000000000000..3c4db5f7cb6d --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/correct_master.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}" +echo "$PARAM=$VALUE" >> "$MASTER_CFG_FILE" diff --git a/shared/templates/systemd_dropin_configuration/tests/multiple_vals.fail.sh b/shared/templates/systemd_dropin_configuration/tests/multiple_vals.fail.sh new file mode 100644 index 000000000000..d5043b1d3600 --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/multiple_vals.fail.sh 
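Review bot: In correct_dir.pass.sh the line `[ -d $DROPIN_DIR ] || mkdir -p $DROPIN_DIR` leaves the variable unquoted and tests for something `mkdir -p` already handles; `mkdir -p "$DROPIN_DIR"` is enough, and the same line appears in multiple_vals.fail.sh and wrong_dir.fail.sh. All five scenarios also append with `>>` without first removing existing `$PARAM=` lines from the master file and the drop-in directory, so their outcome depends on whatever state the test host already has. Starting each script with a cleanup of both locations would make the pass and fail cases independent of that state. A scenario where the parameter is absent or only commented out (expected to fail) is not covered by the scripts visible here.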
@@ -0,0 +1,9 @@ +#!/bin/bash +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +DROPIN_DIR="{{{ DROPIN_DIR }}}" +MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}" +[ -d $DROPIN_DIR ] || mkdir -p $DROPIN_DIR +echo "$PARAM=$VALUE" >> "$DROPIN_DIR/ssg.conf" +echo "$PARAM=badval" >> "$DROPIN_DIR/gss.conf" +echo "$PARAM=foobarzoo" >> "$MASTER_CFG_FILE" diff --git a/shared/templates/systemd_dropin_configuration/tests/wrong_dir.fail.sh b/shared/templates/systemd_dropin_configuration/tests/wrong_dir.fail.sh new file mode 100644 index 000000000000..2a4a89dce358 --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/wrong_dir.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +PARAM="{{{ PARAM }}}" +DROPIN_DIR="{{{ DROPIN_DIR }}}" +[ -d $DROPIN_DIR ] || mkdir -p $DROPIN_DIR +echo "$PARAM=badval" >> "$DROPIN_DIR/ssg.conf" diff --git a/shared/templates/systemd_dropin_configuration/tests/wrong_master.fail.sh b/shared/templates/systemd_dropin_configuration/tests/wrong_master.fail.sh new file mode 100644 index 000000000000..c4c6a28878bc --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/wrong_master.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}" +echo "$PARAM=badval" >> "$MASTER_CFG_FILE" diff --git a/ssg/constants.py b/ssg/constants.py index ed6fc95f8fd2..2cf0843cb518 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -477,6 +477,7 @@ DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false' DEFAULT_PRODUCT = 'example' DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf' +DEFAULT_JOURNALD_CONF_DIR_PATH='/etc/systemd/journald.conf.d' DEFAULT_AUDISP_CONF_PATH = '/etc/audit' DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false' diff --git a/ssg/products.py b/ssg/products.py index 848747f6d34a..693daf0961ed 100644 --- a/ssg/products.py +++ b/ssg/products.py 
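Review bot: `DEFAULT_JOURNALD_CONF_DIR_PATH='/etc/systemd/journald.conf.d'` is the only assignment among the visible neighbours written without spaces around `=`; `DEFAULT_JOURNALD_CONF_DIR_PATH = '/etc/systemd/journald.conf.d'` matches them and PEP 8. A one-line comment stating that this is the journald drop-in directory used when a product.yml does not set `journald_conf_dir_path` would make the link to the sle15 override easier to find.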
@@ -12,6 +12,7 @@ DEFAULT_AIDE_BIN_PATH, DEFAULT_SSH_DISTRIBUTED_CONFIG, DEFAULT_CHRONY_CONF_PATH, + DEFAULT_JOURNALD_CONF_DIR_PATH, DEFAULT_AUDISP_CONF_PATH, DEFAULT_FAILLOCK_PATH, DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE, @@ -75,6 +76,9 @@ def _get_implied_properties(existing_properties): if "sysctl_remediate_drop_in_file" not in existing_properties: result["sysctl_remediate_drop_in_file"] = DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE + if "journald_conf_dir_path" not in existing_properties: + result["journald_conf_dir_path"] = DEFAULT_JOURNALD_CONF_DIR_PATH + return result