Skip to content

Disable Cyrus SASL Authentication Daemon (saslauthd)

An XCCDF Rule

Description

The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. The saslauthd service can be disabled with the following command:

$ sudo systemctl mask --now saslauthd.service

Rationale

The saslauthd service provides essential functionality for performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled.

ID
xccdf_org.ssgproject.content_rule_service_saslauthd_disabled
Severity
Low
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["saslauthd"]

Remediation - Puppet

include disable_saslauthd

class disable_saslauthd {
  service {'saslauthd':
    enable => false,
    ensure => 'stopped',

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'saslauthd.service'
"$SYSTEMCTL_EXEC" disable 'saslauthd.service'

Remediation - Kubernetes Patch

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0

Remediation - Ansible

- name: Block Disable service saslauthd
  block:

  - name: Disable service saslauthd
    block: