Skip to content

Disable Odd Job Daemon (oddjobd)

An XCCDF Rule

Description

The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd through the system message bus. The oddjobd service can be disabled with the following command:

$ sudo systemctl mask --now oddjobd.service

Rationale

The oddjobd service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

ID
xccdf_org.ssgproject.content_rule_service_oddjobd_disabled
Severity
Medium
References
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["oddjobd"]

Remediation - Puppet

include disable_oddjobd

class disable_oddjobd {
  service {'oddjobd':
    enable => false,
    ensure => 'stopped',

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'oddjobd.service'
"$SYSTEMCTL_EXEC" disable 'oddjobd.service'

Remediation - Kubernetes Patch

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0

Remediation - Ansible

- name: Block Disable service oddjobd
  block:

  - name: Disable service oddjobd
    block: