Disable Portreserve (portreserve)
An XCCDF Rule
Description
The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well-known TCP ports that are required by other services.
The portreserve service can be disabled with the following command, which stops it immediately and masks the unit so it cannot be started again, either directly or as a dependency of another unit:
$ sudo systemctl mask --now portreserve.service
Rationale
The portreserve
service provides helpful functionality by
preventing conflicting usage of ports in the reserved port range, but it can be
disabled if not needed.
- ID
- xccdf_org.ssgproject.content_rule_service_portreserve_disabled
- Severity
- Low
- References
- Updated
Remediation Templates
A Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    # Masked and not enabled: the same end state as "systemctl mask --now"
    systemd:
      units:
        - name: portreserve.service
          enabled: false
          mask: true
OS Build Blueprint
[customizations.services]
disabled = ["portreserve"]
An Ansible Snippet
- name: Disable service portreserve
  block:
    - name: Disable service portreserve
      ansible.builtin.systemd:
        name: portreserve.service
        enabled: false
        state: stopped
        masked: true
A Puppet Snippet
include disable_portreserve
class disable_portreserve {
  service { 'portreserve':
    enable => false,
    ensure => 'stopped',
  }
}
A Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'portreserve.service'
    "$SYSTEMCTL_EXEC" disable 'portreserve.service'
    "$SYSTEMCTL_EXEC" mask 'portreserve.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
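The remediations above put the unit into a stopped, disabled and masked state, but none of them report whether a host already satisfies the rule. The following audit script is an added example written for this page; it is not part of the SSG content or the rule's OVAL check. It separates the pass/fail decision from the `systemctl` queries so the decision logic can be exercised with constructed state strings; the function names `unit_is_disabled` and `check_unit` are assumptions of this example. A missing unit is treated as compliant, since an absent service cannot be enabled or running.

```shell
#!/bin/sh
# Added example (not SSG code): audit whether a systemd unit is in the state
# this rule expects. The state names are those printed by
# "systemctl is-enabled" and "systemctl is-active".

# unit_is_disabled ENABLED_STATE ACTIVE_STATE
# Returns 0 when the unit is not running and is either masked, disabled
# or absent; returns 1 for every other combination (e.g. enabled but
# stopped, or masked but still running because it was never stopped).
unit_is_disabled() {
    enabled_state=$1
    active_state=$2

    # A unit that is still running fails regardless of its enablement.
    case "$active_state" in
        active|activating|reloading|deactivating) return 1 ;;
    esac

    case "$enabled_state" in
        masked|masked-runtime|disabled|not-found) return 0 ;;
        *) return 1 ;;   # enabled, static, indirect, alias, linked, ...
    esac
}

# check_unit UNIT
# Queries a live systemd (assumes systemctl is on PATH) and prints a
# PASS/FAIL line. "is-enabled" exits non-zero for masked units and prints
# nothing for unknown units, so stdout is captured and exit codes ignored.
check_unit() {
    unit=$1
    enabled=$(systemctl is-enabled "$unit" 2>/dev/null || :)
    active=$(systemctl is-active "$unit" 2>/dev/null || :)
    [ -n "$enabled" ] || enabled=not-found
    [ -n "$active" ] || active=inactive

    if unit_is_disabled "$enabled" "$active"; then
        echo "PASS: $unit ($enabled, $active)"
        return 0
    fi
    echo "FAIL: $unit ($enabled, $active)"
    return 1
}

# When invoked with a unit name, audit that unit and exit with its status.
if [ -n "${1:-}" ]; then
    check_unit "$1"
fi
```

Run it as `sh audit_unit.sh portreserve.service`; the exit status is 0 on PASS and 1 on FAIL, so it can be dropped into a CI or configuration-drift job. Note that `enabled` combined with `inactive` fails on purpose: a unit that is merely stopped will come back at the next boot or when another unit pulls it in, which is why the rule masks it rather than only stopping it.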