Disable LDAP Server (slapd)

An XCCDF Rule

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.

Rationale

If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.

ID: xccdf_org.ssgproject.content_rule_service_slapd_disabled
Severity: Medium
References: CCE-87262-2
Updated: over 1 year ago

Remediation Templates

include disable_slapd
class disable_slapd {
  service {'slapd':
    enable => false,
    ensure => 'stopped',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87262-2
  - disable_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled
- name: Disable LDAP Server (slapd) - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-87262-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

- name: Disable LDAP Server (slapd) - Ensure slapd.service is Masked
  ansible.builtin.systemd:
    name: slapd.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("slapd.service", multiline=True)
  tags:
  - CCE-87262-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

- name: Unit Socket Exists - slapd.socket
  ansible.builtin.command: systemctl -q list-unit-files slapd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-87262-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

- name: Disable LDAP Server (slapd) - Disable Socket slapd
  ansible.builtin.systemd:
    name: slapd.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("slapd.socket", multiline=True)
  tags:
  - CCE-87262-2
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_slapd_disabled

[customizations.services]
masked = ["slapd"]

service disable slapd

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: slapd.service
        enabled: false
        mask: true
      - name: slapd.socket
        enabled: false
        mask: true

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'slapd.service'
"$SYSTEMCTL_EXEC" disable 'slapd.service'
"$SYSTEMCTL_EXEC" mask 'slapd.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then
    "$SYSTEMCTL_EXEC" stop 'slapd.socket'
    "$SYSTEMCTL_EXEC" mask 'slapd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable LDAP Server (slapd)

Description

Rationale

Remediation Templates

A Puppet Snippet

An Ansible Snippet

OS Build Blueprint

script:kickstart

A Kubernetes Patch

A Shell Script