Disable Portreserve (portreserve)

An XCCDF Rule

Description

The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. The portreserve service can be disabled with the following command:

$ sudo systemctl mask --now portreserve.service

Rationale

The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.

ID: xccdf_org.ssgproject.content_rule_service_portreserve_disabled
Severity: Low
References: 11 12 14 15 3 8 9

APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4
Updated: 5 days ago


[customizations.services]
masked = ["portreserve"]

include disable_portreserve

class disable_portreserve {
  service {'portreserve':
    enable => false,
    ensure => 'stopped',  }
}


service disable portreserve

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_portreserve_disabled

- name: Disable Portreserve (portreserve) - Collect systemd Services Present in the
    System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_portreserve_disabled

- name: Disable Portreserve (portreserve) - Ensure portreserve.service is Masked
  ansible.builtin.systemd:
    name: portreserve.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("portreserve.service", multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_portreserve_disabled

- name: Unit Socket Exists - portreserve.socket
  ansible.builtin.command: systemctl -q list-unit-files portreserve.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_portreserve_disabled

- name: Disable Portreserve (portreserve) - Disable Socket portreserve
  ansible.builtin.systemd:
    name: portreserve.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("portreserve.socket", multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_portreserve_disabled

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: portreserve.service
        enabled: false
        mask: true
      - name: portreserve.socket
        enabled: false
        mask: true

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'portreserve.service'
"$SYSTEMCTL_EXEC" disable 'portreserve.service'"$SYSTEMCTL_EXEC" mask 'portreserve.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then
    "$SYSTEMCTL_EXEC" stop 'portreserve.socket'
    "$SYSTEMCTL_EXEC" mask 'portreserve.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Portreserve (portreserve)

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Puppet

Remediation - script:kickstart

Remediation - Ansible

Remediation - Kubernetes Patch

Remediation - Shell Script