
Disable Portreserve (portreserve)

An XCCDF Rule

Description

The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well-known TCP ports that are required for other services. The portreserve service can be disabled with the following command:

$ sudo systemctl mask --now portreserve.service
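To confirm the command took effect, the unit should be both masked and not running. The following audit sketch is an added example, not part of the rule's own content. Its pass criteria (unit absent, or masked and inactive), the function names and the `SYSTEMCTL` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added audit sketch for portreserve.service (not the project's own check).
# Pass criteria are an assumption: unit absent, or masked and not running.

# Reads `systemctl show` key=value output on stdin and prints a verdict.
# Returns 0 = pass, 1 = fail, 2 = input could not be evaluated.
evaluate_portreserve_state() {
    load='' active='' line=''
    while IFS= read -r line; do
        case "$line" in
            LoadState=*)   load=${line#LoadState=} ;;
            ActiveState=*) active=${line#ActiveState=} ;;
        esac
    done
    case "$load" in
        '')        echo 'error: no LoadState in input'; return 2 ;;
        not-found) echo 'pass: unit not installed'; return 0 ;;
    esac
    # `mask` without `--now` leaves an already started service running.
    case "$active" in
        inactive|failed) ;;
        *) echo "fail: unit is ${active:-unknown} (stop it)"; return 1 ;;
    esac
    if [ "$load" = masked ]; then
        echo 'pass: masked and not running'
        return 0
    fi
    # Stopped but not masked: the unit can still be started again.
    echo "fail: LoadState=$load, unit is not masked"
    return 1
}

# Queries the live system. SYSTEMCTL is a hypothetical override variable.
check_portreserve() {
    "${SYSTEMCTL:-systemctl}" show -p LoadState -p ActiveState portreserve.service |
        evaluate_portreserve_state
}
```

Call `check_portreserve` on the host being audited; its exit status follows the return codes of `evaluate_portreserve_state`.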

Rationale

The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.

ID
xccdf_org.ssgproject.content_rule_service_portreserve_disabled
Severity
Low
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["portreserve"]

Remediation - Puppet

include disable_portreserve

# Keep portreserve stopped and prevent it from starting at boot.
class disable_portreserve {
  service {'portreserve':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation - Shell Script

# Remediation is applicable only in certain platforms
# (skipped inside Docker and Podman containers)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    # Stop the running service, then disable it for future boots.
    "$SYSTEMCTL_EXEC" stop 'portreserve.service'
    "$SYSTEMCTL_EXEC" disable 'portreserve.service'

fi

Remediation - Kubernetes Patch

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0

Remediation - Ansible

- name: Block Disable service portreserve
  block:

  - name: Disable service portreserve
    block: