ComplianceAsCode · Mab879 · Nov 4, 2025 · Oct 30, 2025 · Oct 31, 2025 · Nov 3, 2025
@@ -2428,8 +2428,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: New templated rule is necessary.
+      status: automated
+      rules:
+          - service_systemd-journal-upload_enabled
 
     - id: 6.2.2.1.4
       title: Ensure systemd-journal-remote service is not in use (Automated)

diff --git a/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml b/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
@@ -3,17 +3,25 @@ documentation_complete: true
 title: 'Enable systemd-journal-upload Service'
 
 description: |-
-    {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
-    offload standalone systems at least weekly.
+    The <tt>systemd-journal-upload</tt> service is part of the <tt>systemd-journal-remote</tt> package
+    and enables centralized logging by uploading local systemd journal entries to a remote log
+    server via HTTPS. This service acts as a client that pushes journal data to a remote host
+    running the <tt>systemd-journal-remote</tt> receiver service.
     {{{ describe_service_enable(service="systemd-journal-upload") }}}
 
 rationale: |-
-    {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
-    offload standalone systems at least weekly.
+    Centralized logging through <tt>systemd-journal-upload</tt> is essential for security monitoring,
+    incident response, and compliance requirements. Storing log data on a remote host protects log
+    integrity from local attacks. If an attacker gains root access on the local system, they could
+    tamper with or remove log data stored locally to hide their activities. Remote logging ensures
+    that audit trails remain intact even if the local system is compromised. Additionally,
+    centralized logs facilitate correlation of events across multiple systems, enabling better
+    detection of distributed attacks and security incidents.
 
 severity: medium
 
 identifiers:
+    cce@rhel10: CCE-86711-9
     cce@sle15: CCE-92604-8
     cce@slmicro5: CCE-94084-1
     cce@slmicro6: CCE-94735-8
@@ -38,3 +46,8 @@ template:
     vars:
         servicename: systemd-journal-upload
         packagename: systemd-journal-remote
+
+warnings:
+    - general: |-
+        The <tt>systemd-journal-upload</tt> service will fail to start if the remote server URL is not configured.
+        Edit <tt>/etc/systemd/journal-upload.conf</tt> to configure the remote server URL.
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -76,7 +76,6 @@ CCE-86707-7
 CCE-86708-5
 CCE-86709-3
 CCE-86710-1
-CCE-86711-9
 CCE-86712-7
 CCE-86713-5
 CCE-86726-7

@@ -335,6 +335,7 @@ service_cups_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs

@@ -239,6 +239,7 @@ service_cups_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs

@@ -230,6 +230,7 @@ service_crond_enabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs

@@ -332,6 +332,7 @@ service_crond_enabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs