Disable Red Hat Subscription Manager Daemon (rhsmcertd)

An XCCDF Rule

Description

The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. The rhsmcertd service can be disabled with the following command:

$ sudo systemctl mask --now rhsmcertd.service

Rationale

The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled.

ID: xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled
Severity: Low
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

CCE-82387-2
Updated: about 1 year ago

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rhsmcertd.service
        enabled: false
        mask: true
      - name: rhsmcertd.socket
        enabled: false
        mask: true


[customizations.services]
disabled = ["rhsmcertd"]

include disable_rhsmcertd

class disable_rhsmcertd {
  service {'rhsmcertd':
    enable => false,
    ensure => 'stopped',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then
    "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket'
    "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Block Disable service rhsmcertd
  block:

  - name: Disable service rhsmcertd
    block:
    - name: Disable service rhsmcertd
      systemd:
        name: rhsmcertd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service rhsmcertd' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

- name: Unit Socket Exists - rhsmcertd.socket
  command: systemctl -q list-unit-files rhsmcertd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

- name: Disable socket rhsmcertd
  systemd:
    name: rhsmcertd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rhsmcertd.socket",multiline=True)
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

Disable Red Hat Subscription Manager Daemon (rhsmcertd)

Description

Rationale

Remediation - Kubernetes Patch

Remediation - OS Build Blueprint

Remediation - Puppet

Remediation - Shell Script

Remediation - Ansible