Disable Advanced Configuration and Power Interface (acpid)

An XCCDF Rule

Description

The Advanced Configuration and Power Interface Daemon (acpid) dispatches ACPI events (such as power/reset button depressed) to userspace programs. The acpid service can be disabled with the following command:

$ sudo systemctl mask --now acpid.service

Rationale

ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate.

ID: xccdf_org.ssgproject.content_rule_service_acpid_disabled
Severity: Medium
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

CCE-82407-8
Updated: 5 days ago

include disable_acpid

class disable_acpid {
  service {'acpid':
    enable => false,
    ensure => 'stopped',  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82407-8
  - NIST-800-53-CM-6(a)  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_acpid_disabled

- name: Disable Advanced Configuration and Power Interface (acpid) - Collect systemd
    Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82407-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_acpid_disabled

- name: Disable Advanced Configuration and Power Interface (acpid) - Ensure acpid.service
    is Masked
  ansible.builtin.systemd:
    name: acpid.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("acpid.service", multiline=True)
  tags:
  - CCE-82407-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_acpid_disabled

- name: Unit Socket Exists - acpid.socket
  ansible.builtin.command: systemctl -q list-unit-files acpid.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82407-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_acpid_disabled

- name: Disable Advanced Configuration and Power Interface (acpid) - Disable Socket
    acpid
  ansible.builtin.systemd:
    name: acpid.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("acpid.socket", multiline=True)
  tags:
  - CCE-82407-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_acpid_disabled


service disable acpid


[customizations.services]
masked = ["acpid"]

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: acpid.service
        enabled: false
        mask: true
      - name: acpid.socket
        enabled: false
        mask: true

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'acpid.service'
"$SYSTEMCTL_EXEC" disable 'acpid.service'"$SYSTEMCTL_EXEC" mask 'acpid.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then
    "$SYSTEMCTL_EXEC" stop 'acpid.socket'
    "$SYSTEMCTL_EXEC" mask 'acpid.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Advanced Configuration and Power Interface (acpid)

Description

Rationale

Remediation - Puppet

Remediation - Ansible

Remediation - script:kickstart

Remediation - OS Build Blueprint

Remediation - Kubernetes Patch

Remediation - Shell Script