Disable Quagga Service

An XCCDF Rule

Description

The zebra service can be disabled with the following command:

$ sudo systemctl mask --now zebra.service

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.

ID: xccdf_org.ssgproject.content_rule_service_zebra_disabled
Severity: Medium
References: 12 15 8

APO13.01 DSS05.02

CCI-000366

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.13.1.1 A.13.2.1 A.14.1.3

CM-6(a) CM-7(a) CM-7(b)

PR.PT-4

SRG-OS-000480-GPOS-00227

CCE-80889-9
Updated: 5 days ago

include disable_zebra

class disable_zebra {
  service {'zebra':
    enable => false,
    ensure => 'stopped',  }
}


[customizations.services]
masked = ["zebra"]

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: zebra.service
        enabled: false
        mask: true
      - name: zebra.socket
        enabled: false
        mask: true


service disable zebra

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80889-9
  - NIST-800-53-CM-6(a)  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_zebra_disabled

- name: Disable Quagga Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-80889-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_zebra_disabled

- name: Disable Quagga Service - Ensure zebra.service is Masked
  ansible.builtin.systemd:
    name: zebra.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("zebra.service", multiline=True)
  tags:
  - CCE-80889-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_zebra_disabled

- name: Unit Socket Exists - zebra.socket
  ansible.builtin.command: systemctl -q list-unit-files zebra.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-80889-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_zebra_disabled

- name: Disable Quagga Service - Disable Socket zebra
  ansible.builtin.systemd:
    name: zebra.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("zebra.socket", multiline=True)
  tags:
  - CCE-80889-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_zebra_disabled

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'zebra.service'
"$SYSTEMCTL_EXEC" disable 'zebra.service'"$SYSTEMCTL_EXEC" mask 'zebra.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then
    "$SYSTEMCTL_EXEC" stop 'zebra.socket'
    "$SYSTEMCTL_EXEC" mask 'zebra.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Quagga Service

Description

Rationale

Remediation - Puppet

Remediation - OS Build Blueprint

Remediation - Kubernetes Patch

Remediation - script:kickstart

Remediation - Ansible

Remediation - Shell Script