Disable Network File System Lock Service (nfslock)

An XCCDF Rule

Description

The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems then this service should be disabled. The nfslock service can be disabled with the following command:

$ sudo systemctl mask --now nfslock.service

ID: xccdf_org.ssgproject.content_rule_service_nfslock_disabled
Severity: Unknown
Updated: about 1 month ago

Remediation Templates

include disable_nfslock
class disable_nfslock {
  service {'nfslock':
    enable => false,
    ensure => 'stopped',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity
- name: Disable Network File System Lock Service (nfslock) - Collect systemd Services
    Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

- name: Disable Network File System Lock Service (nfslock) - Ensure nfslock.service
    is Masked
  ansible.builtin.systemd:
    name: nfslock.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("nfslock.service", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

- name: Unit Socket Exists - nfslock.socket
  ansible.builtin.command: systemctl -q list-unit-files nfslock.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

- name: Disable Network File System Lock Service (nfslock) - Disable Socket nfslock
  ansible.builtin.systemd:
    name: nfslock.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("nfslock.socket", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

service disable nfslock

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: nfslock.service
        enabled: false
        mask: true
      - name: nfslock.socket
        enabled: false
        mask: true

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfslock.service'
"$SYSTEMCTL_EXEC" disable 'nfslock.service'
"$SYSTEMCTL_EXEC" mask 'nfslock.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then
    "$SYSTEMCTL_EXEC" stop 'nfslock.socket'
    "$SYSTEMCTL_EXEC" mask 'nfslock.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

[customizations.services]
masked = ["nfslock"]

Disable Network File System Lock Service (nfslock)

Description

Remediation Templates

A Puppet Snippet

An Ansible Snippet

script:kickstart

A Kubernetes Patch

A Shell Script

OS Build Blueprint