Disable RPC ID Mapping Service (rpcidmapd)

An XCCDF Rule

Description

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

$ sudo systemctl mask --now rpcidmapd.service

ID: xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled
Severity: Unknown
References: CCE-80231-4
Updated: over 1 year ago

Remediation Templates

- name: Block Disable service rpcidmapd
  block:
  - name: Disable service rpcidmapd
    block:

    - name: Disable service rpcidmapd      systemd:
        name: rpcidmapd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service rpcidmapd' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80231-4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Unit Socket Exists - rpcidmapd.socket
  command: systemctl -q list-unit-files rpcidmapd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80231-4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Disable socket rpcidmapd
  systemd:
    name: rpcidmapd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rpcidmapd.socket",multiline=True)
  tags:
  - CCE-80231-4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service'
"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then
    "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket'
    "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rpcidmapd.service
        enabled: false
        mask: true
      - name: rpcidmapd.socket
        enabled: false
        mask: true

[customizations.services]
disabled = ["rpcidmapd"]

include disable_rpcidmapd
class disable_rpcidmapd {
  service {'rpcidmapd':
    enable => false,
    ensure => 'stopped',
  }
}

Disable RPC ID Mapping Service (rpcidmapd)

Description

Remediation Templates

An Ansible Snippet

A Shell Script

A Kubernetes Patch

OS Build Blueprint

A Puppet Snippet