Disable RPC ID Mapping Service (rpcidmapd)

An XCCDF Rule

Description

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

$ sudo systemctl mask --now rpcidmapd.service

ID: xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled
Severity: Unknown
Updated: 5 days ago

include disable_rpcidmapd

class disable_rpcidmapd {
  service {'rpcidmapd':
    enable => false,
    ensure => 'stopped',  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Disable RPC ID Mapping Service (rpcidmapd) - Collect systemd Services Present
    in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Disable RPC ID Mapping Service (rpcidmapd) - Ensure rpcidmapd.service is Masked
  ansible.builtin.systemd:
    name: rpcidmapd.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("rpcidmapd.service", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Unit Socket Exists - rpcidmapd.socket
  ansible.builtin.command: systemctl -q list-unit-files rpcidmapd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity

- name: Disable RPC ID Mapping Service (rpcidmapd) - Disable Socket rpcidmapd
  ansible.builtin.systemd:
    name: rpcidmapd.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("rpcidmapd.socket", multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcidmapd_disabled
  - unknown_severity


service disable rpcidmapd

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service'"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then
    "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket'
    "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi


[customizations.services]
masked = ["rpcidmapd"]

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rpcidmapd.service
        enabled: false
        mask: true
      - name: rpcidmapd.socket
        enabled: false
        mask: true

Disable RPC ID Mapping Service (rpcidmapd)

Description

Remediation - Puppet

Remediation - Ansible

Remediation - script:kickstart

Remediation - Shell Script

Remediation - OS Build Blueprint

Remediation - Kubernetes Patch