Disable Network Router Discovery Daemon (rdisc)
An XCCDF Rule
Description
The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered, the local routing table is updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
$ sudo systemctl mask --now rdisc.service
Rationale
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
- ID: xccdf_org.ssgproject.content_rule_service_rdisc_disabled
- Severity: Medium
- References (ISO/IEC 27001:2013 Annex A controls): A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    # Unit entry completed from the rule's description (the page's copy ends at the ignition version)
    systemd:
      units:
      - name: rdisc.service
        enabled: false
        mask: true
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["rdisc"]
Remediation - Ansible
- name: Block Disable service rdisc
  block:
  - name: Disable service rdisc
    block:
    # Task completed from the rule's description (the page's copy ends at the inner block)
    - name: Disable service rdisc
      ansible.builtin.systemd: {name: rdisc, enabled: false, state: stopped, masked: true}
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'rdisc.service'
    "$SYSTEMCTL_EXEC" disable 'rdisc.service'
    "$SYSTEMCTL_EXEC" mask 'rdisc.service'   # completed from the mask step in the description
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Puppet
include disable_rdisc
class disable_rdisc {
  service {'rdisc':
    enable => false,
    ensure => 'stopped',
  }
}
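An audit counterpart to the remediations above, added here as an example and not part of the SSG rule content: it approximates the rule's check by asking systemd whether rdisc.service is masked or disabled and not running. The decision logic is kept separate from the systemctl queries so it can be exercised with constructed states; treating "static" as non-compliant is this example's assumption, not something the page states.

```shell
#!/bin/sh
# Added audit example (not part of the SSG rule content): approximates this
# rule's check by comparing rdisc.service's systemd state to the remediation.

# evaluate_unit_state ENABLED_STATE ACTIVE_STATE
# Pure decision logic (no systemctl calls) so it can be exercised with
# constructed states. Returns 0 (compliant) only when the unit cannot be
# started at boot (masked, disabled, or absent) and is not running.
evaluate_unit_state() {
    case "$1" in
        masked|masked-runtime|disabled|not-found|'') ;;   # cannot start at boot
        *) return 1 ;;   # enabled, static, indirect, generated, ... (assumed non-compliant)
    esac
    case "$2" in
        active|activating|reloading|deactivating) return 1 ;;   # still has a running process
        *) return 0 ;;   # inactive, failed, unknown
    esac
}

# audit_rdisc: query systemd for the real state and evaluate it.
# Exit status: 0 pass, 1 fail, 2 not applicable (no systemctl on this host).
audit_rdisc() {
    unit='rdisc.service'
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "N/A: systemctl not found, cannot evaluate $unit"
        return 2
    fi
    # is-enabled prints nothing on stdout for a missing unit; is-active prints "inactive".
    enabled_state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
    active_state=$(systemctl is-active "$unit" 2>/dev/null || true)
    if evaluate_unit_state "$enabled_state" "$active_state"; then
        echo "PASS: $unit enabled=${enabled_state:-not-found} active=${active_state:-unknown}"
        return 0
    fi
    echo "FAIL: $unit enabled=${enabled_state:-not-found} active=${active_state:-unknown}"
    echo "      remediate with: systemctl mask --now $unit"
    return 1
}

audit_rdisc || :
```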