Disable Quota Netlink (quota_nld)

An XCCDF Rule

Description

The quota_nld service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed. The quota_nld service can be disabled with the following command:

$ sudo systemctl mask --now quota_nld.service

Rationale

If disk quotas are enforced on the local system, then the quota_nld service likely provides useful functionality and should remain enabled. However, if disk quotas are not used or user notification of disk quota violation is not desired then there is no need to run this service.

ID: xccdf_org.ssgproject.content_rule_service_quota_nld_disabled
Severity: Low
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_quota_nld_disabled

- name: Disable Quota Netlink (quota_nld) - Collect systemd Services Present in the
    System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_quota_nld_disabled

- name: Disable Quota Netlink (quota_nld) - Ensure quota_nld.service is Masked
  ansible.builtin.systemd:
    name: quota_nld.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("quota_nld.service", multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_quota_nld_disabled

- name: Unit Socket Exists - quota_nld.socket
  ansible.builtin.command: systemctl -q list-unit-files quota_nld.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_quota_nld_disabled

- name: Disable Quota Netlink (quota_nld) - Disable Socket quota_nld
  ansible.builtin.systemd:
    name: quota_nld.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("quota_nld.socket", multiline=True)
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_quota_nld_disabled


[customizations.services]
masked = ["quota_nld"]

include disable_quota_nld

class disable_quota_nld {
  service {'quota_nld':
    enable => false,
    ensure => 'stopped',  }
}


service disable quota_nld

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: quota_nld.service
        enabled: false
        mask: true
      - name: quota_nld.socket
        enabled: false
        mask: true

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'quota_nld.service'
"$SYSTEMCTL_EXEC" disable 'quota_nld.service'"$SYSTEMCTL_EXEC" mask 'quota_nld.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then
    "$SYSTEMCTL_EXEC" stop 'quota_nld.socket'
    "$SYSTEMCTL_EXEC" mask 'quota_nld.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Quota Netlink (quota_nld)

Description

Rationale

Remediation - Ansible

Remediation - OS Build Blueprint

Remediation - Puppet

Remediation - script:kickstart

Remediation - Kubernetes Patch

Remediation - Shell Script