Disable Cyrus SASL Authentication Daemon (saslauthd)
An XCCDF Rule
Description
The saslauthd
service handles plaintext authentication requests on
behalf of the SASL library. The service isolates all code requiring superuser
privileges for SASL authentication into a single process, and can also be used
to provide proxy authentication services to clients that do not understand SASL
based authentication.
The saslauthd
service can be disabled with the following command:
$ sudo systemctl mask --now saslauthd.service
Rationale
The saslauthd
service provides essential functionality for
performing authentication in some directory environments, such as those which
use Kerberos and LDAP. For others, however, in which only local files may be
consulted, it is not necessary and should be disabled.
- ID
- xccdf_org.ssgproject.content_rule_service_saslauthd_disabled
- Severity
- Low
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["saslauthd"]
Remediation - Ansible
- name: Block Disable service saslauthd
block:
- name: Disable service saslauthd
block:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'saslauthd.service'
"$SYSTEMCTL_EXEC" disable 'saslauthd.service'
Remediation - Puppet
include disable_saslauthd
class disable_saslauthd {
service {'saslauthd':
enable => false,
ensure => 'stopped',