Disable Cyrus SASL Authentication Daemon (saslauthd)
An XCCDF Rule
Description
The saslauthd
service handles plaintext authentication requests on
behalf of the SASL library. The service isolates all code requiring superuser
privileges for SASL authentication into a single process, and can also be used
to provide proxy authentication services to clients that do not understand SASL
based authentication.
The saslauthd
service can be disabled with the following command:
$ sudo systemctl mask --now saslauthd.service
Rationale
The saslauthd
service provides essential functionality for
performing authentication in some directory environments, such as those which
use Kerberos and LDAP. For others, however, in which only local files may be
consulted, it is not necessary and should be disabled.
- ID
- xccdf_org.ssgproject.content_rule_service_saslauthd_disabled
- Severity
- Low
- References
- Updated
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["saslauthd"]
Remediation - Puppet
include disable_saslauthd
class disable_saslauthd {
service {'saslauthd':
enable => false,
ensure => 'stopped',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'saslauthd.service'
"$SYSTEMCTL_EXEC" disable 'saslauthd.service'
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - Ansible
- name: Block Disable service saslauthd
block:
- name: Disable service saslauthd
block: