From f0928d1526eb4e29a596749ac72e2b6d431f9502 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Thu, 5 Dec 2024 11:59:01 +0100
Subject: [PATCH 1/2] Add new rule journald_disable_forward_to_syslog

- satisfies Ubuntu 24.04 CIS control 6.1.2.2
- based on journal_forward_to_syslog
---
 components/systemd.yml | 1 +
 .../rule.yml | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml

diff --git a/components/systemd.yml b/components/systemd.yml
index 45470a5000a..fef59d38de7 100644
--- a/components/systemd.yml
+++ b/components/systemd.yml
@@ -23,6 +23,7 @@ rules:
 - file_permissions_system_journal
 - journald_compress
 - journald_forward_to_syslog
+- journald_disable_forward_to_syslog
 - journald_storage
 - package_systemd-journal-remote_installed
 - package_timesyncd_installed
diff --git a/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
new file mode 100644
index 00000000000..6b1f74424af
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Ensure journald ForwardToSyslog is disabled
+
+description: |-
+ Data from journald should be kept in the confines of the service and not forwarded to other services.
+
+rationale:
+ If journald is the method for capturing logs, all logs of the system should be
+ handled by journald and not forwarded to other logging mechanisms.
+
+platform: package[systemd]
+
+severity: medium
+
+{{%- if product in ["rhel8", "rhel9", "sle15"] %}}
+template:
+ name: systemd_dropin_configuration
+ vars:
+ master_cfg_file: /etc/systemd/journald.conf
+ dropin_dir: {{{ journald_conf_dir_path }}}
+ section: Journal
+ param: ForwardToSyslog
+ value: no
+ no_quotes: 'true'
+{{% else %}}
+template:
+ name: shell_lineinfile
+ vars:
+ path: /etc/systemd/journald.conf
+ parameter: ForwardToSyslog
+ value: no
+ no_quotes: 'true'
+{{% endif -%}}

From ea22547eeee6aace928e543919295374794425c6 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Thu, 5 Dec 2024 13:31:55 +0100
Subject: [PATCH 2/2] Add rule to ubuntu2404 CIS control 6.1.2.2

---
 controls/cis_ubuntu2404.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a2f073cd94c..15482a64514 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2278,8 +2278,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented. Analogous to ubuntu2204/4.2.1.5.
+ rules:
+ - journald_disable_forward_to_syslog
+ status: automated

 - id: 6.1.2.3
 title: Ensure journald Compress is configured (Automated)
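Review bot: `value: no` in both template branches of rule.yml is an unquoted scalar that a YAML 1.1 loader resolves to boolean false, so the template may receive `False` instead of the string `no`. The neighbouring `no_quotes: 'true'` is quoted, presumably to keep it a string. Writing `value: 'no'` in both the `systemd_dropin_configuration` and `shell_lineinfile` blocks keeps the remediated and checked text at exactly `ForwardToSyslog=no`, whatever the loader does with bare booleans. Separately, this rule requires the opposite of `journald_forward_to_syslog`, which sits next to it in components/systemd.yml, so a sentence in `description` saying the two must not be selected in the same profile would prevent a contradictory baseline.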
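Review bot: Marking 6.1.2.2 `status: automated` may overstate what is verified on Ubuntu 24.04. That product is presumably not matched by `product in ["rhel8", "rhel9", "sle15"]`, so it gets the `shell_lineinfile` branch, whose only `path` is `/etc/systemd/journald.conf`. systemd reads drop-in files under `journald.conf.d/` after the main file, so a `ForwardToSyslog=yes` there would still take effect, and if the template inspects only the given path the rule would report a pass. Either route the Ubuntu product to the drop-in-aware branch or record the gap on the control, e.g. `notes: Only /etc/systemd/journald.conf is evaluated; drop-in files are not checked.` The control entry begins above this hunk, so its `id` and `title` are not visible here.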