Disable Red Hat Subscription Manager Daemon (rhsmcertd)

An XCCDF Rule

Description

The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. The rhsmcertd service can be disabled with the following command:

$ sudo systemctl mask --now rhsmcertd.service

Rationale

The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled.

ID: xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled
Severity: Low
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

CCE-82387-2
Updated: about 1 month ago

Remediation Templates

include disable_rhsmcertd
class disable_rhsmcertd {
  service {'rhsmcertd':
    enable => false,
    ensure => 'stopped',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled
- name: Disable Red Hat Subscription Manager Daemon (rhsmcertd) - Collect systemd
    Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

- name: Disable Red Hat Subscription Manager Daemon (rhsmcertd) - Ensure rhsmcertd.service
    is Masked
  ansible.builtin.systemd:
    name: rhsmcertd.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("rhsmcertd.service", multiline=True)
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

- name: Unit Socket Exists - rhsmcertd.socket
  ansible.builtin.command: systemctl -q list-unit-files rhsmcertd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

- name: Disable Red Hat Subscription Manager Daemon (rhsmcertd) - Disable Socket rhsmcertd
  ansible.builtin.systemd:
    name: rhsmcertd.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("rhsmcertd.socket", multiline=True)
  tags:
  - CCE-82387-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rhsmcertd_disabled

[customizations.services]
masked = ["rhsmcertd"]

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rhsmcertd.service
        enabled: false
        mask: true
      - name: rhsmcertd.socket
        enabled: false
        mask: true

service disable rhsmcertd

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then
    "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket'
    "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Red Hat Subscription Manager Daemon (rhsmcertd)

Description

Rationale

Remediation Templates

A Puppet Snippet

An Ansible Snippet

OS Build Blueprint

A Kubernetes Patch

script:kickstart

A Shell Script