Disable rlogin Service

An XCCDF Rule

Description

The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. The rlogin socket can be disabled with the following command:

$ sudo systemctl mask --now rlogin.socket

Rationale

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

ID: xccdf_org.ssgproject.content_rule_service_rlogin_disabled
Severity: High
References: 1 11 12 14 15 16 3 5 8 9

APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10

3.1.13 3.4.7

CCI-001436

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) CM-7(a) CM-7(b) IA-5(1)(c)

PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-3 PR.PT-4

CCE-80885-7
Updated: about 1 year ago

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rlogin.service
        enabled: false
        mask: true
      - name: rlogin.socket
        enabled: false
        mask: true


[customizations.services]
disabled = ["rlogin"]

- name: Block Disable service rlogin
  block:

  - name: Disable service rlogin
    block:
    - name: Disable service rlogin
      systemd:
        name: rlogin.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service rlogin' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80885-7
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

- name: Unit Socket Exists - rlogin.socket
  command: systemctl -q list-unit-files rlogin.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80885-7
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

- name: Disable socket rlogin
  systemd:
    name: rlogin.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rlogin.socket",multiline=True)
  tags:
  - CCE-80885-7
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

include disable_rlogin

class disable_rlogin {
  service {'rlogin':
    enable => false,
    ensure => 'stopped',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rlogin.service'
"$SYSTEMCTL_EXEC" disable 'rlogin.service'"$SYSTEMCTL_EXEC" mask 'rlogin.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then
    "$SYSTEMCTL_EXEC" stop 'rlogin.socket'
    "$SYSTEMCTL_EXEC" mask 'rlogin.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable rlogin Service

Description

Rationale

Remediation - Kubernetes Patch

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Puppet

Remediation - Shell Script