Skip to content

Disable rexec Service

An XCCDF Rule

Description

The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. The rexec socket can be disabled with the following command:

$ sudo systemctl mask --now rexec.socket

Rationale

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

ID
xccdf_org.ssgproject.content_rule_service_rexec_disabled
Severity
High
References
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["rexec"]

Remediation - Ansible

- name: Block Disable service rexec
  block:

  - name: Disable service rexec
    block:


Remediation - Puppet

include disable_rexec

class disable_rexec {
  service {'rexec':
    enable => false,
    ensure => 'stopped',

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rexec.service'
"$SYSTEMCTL_EXEC" disable 'rexec.service'