Disable Odd Job Daemon (oddjobd)
An XCCDF Rule
Description
The oddjobd
service exists to provide an interface and
access control mechanism through which
specified privileged tasks can run tasks for unprivileged client
applications. Communication with oddjobd
through the system message bus.
The oddjobd
service can be disabled with the following command:
$ sudo systemctl mask --now oddjobd.service
Rationale
The oddjobd
service may provide necessary functionality in
some environments, and can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues.
- ID
- xccdf_org.ssgproject.content_rule_service_oddjobd_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["oddjobd"]
Remediation - Ansible
- name: Block Disable service oddjobd
block:
- name: Disable service oddjobd
block:
Remediation - Puppet
include disable_oddjobd
class disable_oddjobd {
service {'oddjobd':
enable => false,
ensure => 'stopped',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'oddjobd.service'
"$SYSTEMCTL_EXEC" disable 'oddjobd.service'