Disable Red Hat Subscription Manager Daemon (rhsmcertd)
An XCCDF Rule
Description
The Red Hat Subscription Manager (rhsmcertd) periodically checks for
changes in the entitlement certificates for a registered system and updates it
accordingly.
The rhsmcertd service can be disabled with the following command:
$ sudo systemctl mask --now rhsmcertd.service
Rationale
The rhsmcertd service can provide administrators with some
additional control over which of their systems are entitled to particular
subscriptions. However, for systems that are managed locally or which are not
expected to require remote changes to their subscription status, it is
unnecessary and can be disabled.
- ID
- xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled
- Severity
- Low
- References
- Updated
Remediation - Puppet
include disable_rhsmcertd
class disable_rhsmcertd {
service {'rhsmcertd':
enable => false,
ensure => 'stopped',
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-82387-2
- NIST-800-53-CM-6(a)
Remediation - OS Build Blueprint
[customizations.services]
masked = ["rhsmcertd"]
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - script:kickstart
service disable rhsmcertd
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'