Disable LDAP Server (slapd)

An XCCDF Rule

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.

Rationale

If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.

ID: xccdf_org.ssgproject.content_rule_service_slapd_disabled
Severity: Medium
Updated: 8 months ago


[customizations.services]
disabled = ["slapd"]

- name: Block Disable service slapd
  block:

  - name: Disable service slapd
    block:
    - name: Disable service slapd
      systemd:
        name: slapd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service slapd' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

- name: Unit Socket Exists - slapd.socket
  command: systemctl -q list-unit-files slapd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

- name: Disable socket slapd
  systemd:
    name: slapd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("slapd.socket",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

include disable_slapd

class disable_slapd {
  service {'slapd':
    enable => false,
    ensure => 'stopped',  }
}

Disable LDAP Server (slapd)

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Puppet