Disable System Statistics Reset Service (sysstat)

An XCCDF Rule

Description

The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. The sysstat service can be disabled with the following command:

$ sudo systemctl mask --now sysstat.service

Rationale

By default the sysstat service runs a program at boot to reset performance statistics. This data can be retrieved using programs such as sar and sadc. While the sysstat service may provide useful insight into system operation, through the lens of providing only essential system services, this service should be disabled.

ID: xccdf_org.ssgproject.content_rule_service_sysstat_disabled
Severity: Low
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

CCE-80273-6
Updated: about 1 year ago

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: sysstat.service
        enabled: false
        mask: true
      - name: sysstat.socket
        enabled: false
        mask: true


[customizations.services]
disabled = ["sysstat"]

include disable_sysstat

class disable_sysstat {
  service {'sysstat':
    enable => false,
    ensure => 'stopped',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sysstat.service'
"$SYSTEMCTL_EXEC" disable 'sysstat.service'"$SYSTEMCTL_EXEC" mask 'sysstat.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then
    "$SYSTEMCTL_EXEC" stop 'sysstat.socket'
    "$SYSTEMCTL_EXEC" mask 'sysstat.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Block Disable service sysstat
  block:

  - name: Disable service sysstat
    block:
    - name: Disable service sysstat
      systemd:
        name: sysstat.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service sysstat' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80273-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_sysstat_disabled

- name: Unit Socket Exists - sysstat.socket
  command: systemctl -q list-unit-files sysstat.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80273-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_sysstat_disabled

- name: Disable socket sysstat
  systemd:
    name: sysstat.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("sysstat.socket",multiline=True)
  tags:
  - CCE-80273-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_sysstat_disabled

Disable System Statistics Reset Service (sysstat)

Description

Rationale

Remediation - Kubernetes Patch

Remediation - OS Build Blueprint

Remediation - Puppet

Remediation - Shell Script

Remediation - Ansible