CIS (Center for Internet Security) Benchmark flags Tanzu Platform for different audit items (section 4). 

The following items may be flagged as unexpected:

• 4.2.1.3,CIS Level 1 - Ensure journald is configured to compress large log files
• 4.2.1.4,CIS Level 1 - Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5,CIS Level 1 - Ensure journald is not configured to send logs to rsyslog
• 4.2.2.3,CIS Level 1 - Ensure journald is configured to send logs to rsyslog
• 4.1.1.2,CIS Level 2 - Ensure auditd service is enabled and active(enabled)

The following explains why Tanzu Platform does not pass these audit items and why that is expected.

4.2.1.3,CIS Level 1 - Ensure journald is configured to compress large log files
TCV Comment:
We need manual evidence to ensure journald is configured to compress large files.
 
The default behavior of journald is to compress large files (Compress=yes) unless overridden. The full journald configuration for jammy stemcell 1.844 (emitted using systemd-analyze cat-config systemd/journald.conf) can be seen below – this configuration does not override the Compress default, thus we can infer that the runtime configuration journald is Compress=yes. 

1. /etc/systemd/journald.conf
2.  This file is part of systemd.
   #
3.  systemd is free software; you can redistribute it and/or modify it under the
4.  terms of the GNU Lesser General Public License as published by the Free
5.  Software Foundation; either version 2.1 of the License, or (at your option)
6.  any later version.
   #
7. Entries in this file show the compile time defaults. Local configuration
8. should be created by either modifying this file, or by creating "drop-ins" in
9. the journald.conf.d/ subdirectory. The latter is generally recommended.
10. Defaults can be restored by simply deleting this file and all drop-ins.
    #
11. Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config.
    #
12. See journald.conf(5) for details.[Journal]
    #Storage=auto
    #Compress=yes
    #Seal=yes
    #SplitMode=uid
    #SyncIntervalSec=5m
    #RateLimitIntervalSec=30s
    #RateLimitBurst=10000
    #SystemMaxUse=
    #SystemKeepFree=
    #SystemMaxFileSize=
    #SystemMaxFiles=100
    #RuntimeMaxUse=
    #RuntimeKeepFree=
    #RuntimeMaxFileSize=
    #RuntimeMaxFiles=100
    #MaxRetentionSec=
    #MaxFileSec=1month
    #ForwardToSyslog=yes
    #ForwardToKMsg=no
    #ForwardToConsole=no
    #ForwardToWall=yes
    #TTYPath=/dev/console
    #MaxLevelStore=debug
    #MaxLevelSyslog=debug
    #MaxLevelKMsg=notice
    #MaxLevelConsole=info
    #MaxLevelWall=emerg
    #LineMax=48K
    #ReadKMsg=yes
    #Audit=no

1. /etc/systemd/journald.conf.d/00-override.conf
   [Journal]
   Storage=volatile 

4.2.1.4,CIS Level 1 - Ensure journald is configured to write logfiles to persistent disk

TCV Comments:

We need manual evidence to ensure whether journald is configured  using  persistent disk instead of volatile memory. 

The journald process is NOT configured to use persistent disk, however, journald logs flow into rsyslog, where they are logged to persistent disk (in /var/log logfiles). This prevents duplicative persistent logs and sidesteps possible issues related to stemcell management of /var/log (where journald writes to by default). For example, one can see that systemd-cat-d logs appear in /var/log/syslog: 

systemd-cat <<< "some log message"
tail -10 /var/log/syslog
...
2026-01-29T22:28:55.673821+00:00 5adbc328-1f4b-4666-89b0-6f6129736555 cat[7429]: some log message
...

4.2.1.5,CIS Level 1 - Ensure journald is not configured to send logs to rsyslog

Exception:

Exception notes provide the information that journald is not in use but rysylog is used for logging.  In case where rsyslog is the method for capturing logs, all logs should be sent to rsyslog for further processing. 

Evidence Requirement:

_Please provide evidence on journald is configured to send logs to rsyslog or syslog, for example, a screenshot of the outcome that runs the following command :

1. grep ^\s*ForwardToSyslog /etc/systemd/journald.conf_

The default behavior of journald is to forward to syslog (ForwardToSyslog=yes) unless overridden. We rely on this default for the forwarding behavior (please see above answer for 4.2.1.4)

4.2.2.3,CIS Level 1 - Ensure journald is configured to send logs to rsyslog

Exception: A great deal of important security-related information is sent via rsyslog. Rules in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf should be set to ensure appropriate logging as appropriate for your environment.

_TCV Comments:
Scan results indicate that rsyslog is installed, enabled and default file permissions for rsyslog is configured. We need to evidence for this recommendation how /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files specify rules for logging_ 

Evidence Requirements:

_Please provide screenshot of the journald configuration file ( /etc/systemd/journald.conf) which displays 'Forwardtosyslog=yes' configuration. 

Run,  # grep ^\s*ForwardToSyslog /etc/systemd/journald.conf_ 

Please see above answer for 4.2.1.5

4.1.1.2,CIS Level 2 - Ensure auditd service is enabled and active(enabled)

TCV Comments:

_There is another scan result with the same recommendation id ( 4.1.1.2- Ensure auditd service is enabled and active(active)) which passes. Please see exception column. 
It seems that auditd service is not enabled but is activated, can you explain these two separate configurations for auditd service ( enabled and activated) ?_

On the Jammy stemcell, auditd is started manually by the bosh-agent as part of the bootstrap process that occurs at boot time. This allows us to defer auditd startup until the agent has ensured any necessary configuration (e.g. mounting of /var/log) has completed prior to daemon startup. The relevant code can be found in the OSS components: relevant bootstrap method in bosh-agent / invoked logging start script in bosh-linux-stemcell-builder