Disable Network File Systems (netfs)

An XCCDF Rule

Description

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

$ sudo systemctl mask --now netfs.service

ID: xccdf_org.ssgproject.content_rule_service_netfs_disabled
Severity: Unknown
Updated: about 1 month ago

Remediation Templates

include disable_netfs
class disable_netfs {
  service {'netfs':
    enable => false,
    ensure => 'stopped',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity  - low_disruption
  - no_reboot_needed
  - service_netfs_disabled
  - unknown_severity
- name: Disable Network File Systems (netfs) - Collect systemd Services Present in
    the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_netfs_disabled
  - unknown_severity

- name: Disable Network File Systems (netfs) - Ensure netfs.service is Masked
  ansible.builtin.systemd:
    name: netfs.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("netfs.service", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_netfs_disabled
  - unknown_severity

- name: Unit Socket Exists - netfs.socket
  ansible.builtin.command: systemctl -q list-unit-files netfs.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_netfs_disabled
  - unknown_severity

- name: Disable Network File Systems (netfs) - Disable Socket netfs
  ansible.builtin.systemd:
    name: netfs.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("netfs.socket", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_netfs_disabled
  - unknown_severity

[customizations.services]
masked = ["netfs"]

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'netfs.service'
"$SYSTEMCTL_EXEC" disable 'netfs.service'
"$SYSTEMCTL_EXEC" mask 'netfs.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then
    "$SYSTEMCTL_EXEC" stop 'netfs.socket'
    "$SYSTEMCTL_EXEC" mask 'netfs.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Network File Systems (netfs)

Description

Remediation Templates

A Puppet Snippet

An Ansible Snippet

OS Build Blueprint

A Shell Script