Disable Network File System Lock Service (nfslock)

An XCCDF Rule

Description

The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems then this service should be disabled. The nfslock service can be disabled with the following command:

$ sudo systemctl mask --now nfslock.service

ID: xccdf_org.ssgproject.content_rule_service_nfslock_disabled
Severity: Unknown
Updated: about 1 year ago

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: nfslock.service
        enabled: false
        mask: true
      - name: nfslock.socket
        enabled: false
        mask: true


[customizations.services]
disabled = ["nfslock"]

- name: Block Disable service nfslock
  block:

  - name: Disable service nfslock
    block:
    - name: Disable service nfslock
      systemd:
        name: nfslock.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service nfslock' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

- name: Unit Socket Exists - nfslock.socket
  command: systemctl -q list-unit-files nfslock.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

- name: Disable socket nfslock
  systemd:
    name: nfslock.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("nfslock.socket",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfslock_disabled
  - unknown_severity

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfslock.service'
"$SYSTEMCTL_EXEC" disable 'nfslock.service'"$SYSTEMCTL_EXEC" mask 'nfslock.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then
    "$SYSTEMCTL_EXEC" stop 'nfslock.socket'
    "$SYSTEMCTL_EXEC" mask 'nfslock.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

include disable_nfslock

class disable_nfslock {
  service {'nfslock':
    enable => false,
    ensure => 'stopped',  }
}

Disable Network File System Lock Service (nfslock)

Description

Remediation - Kubernetes Patch

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script

Remediation - Puppet