Disable Secure RPC Server Service (rpcsvcgssd)

An XCCDF Rule

Description

The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcsvcgssd service can be disabled with the following command:

$ sudo systemctl mask --now rpcsvcgssd.service

Rationale

Unnecessary services should be disabled to decrease the attack surface of the system.

ID: xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled
Severity: Unknown
Updated: over 1 year ago

Remediation Templates

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: rpcsvcgssd.service
        enabled: false
        mask: true
      - name: rpcsvcgssd.socket
        enabled: false
        mask: true

[customizations.services]
disabled = ["rpcsvcgssd"]

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service'
"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service'
"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then
    "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket'
    "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Block Disable service rpcsvcgssd
  block:
  - name: Disable service rpcsvcgssd
    block:

    - name: Disable service rpcsvcgssd      systemd:
        name: rpcsvcgssd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service rpcsvcgssd' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcsvcgssd_disabled
  - unknown_severity

- name: Unit Socket Exists - rpcsvcgssd.socket
  command: systemctl -q list-unit-files rpcsvcgssd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcsvcgssd_disabled
  - unknown_severity

- name: Disable socket rpcsvcgssd
  systemd:
    name: rpcsvcgssd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rpcsvcgssd.socket",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rpcsvcgssd_disabled
  - unknown_severity

include disable_rpcsvcgssd
class disable_rpcsvcgssd {
  service {'rpcsvcgssd':
    enable => false,
    ensure => 'stopped',
  }
}

Disable Secure RPC Server Service (rpcsvcgssd)

Description

Rationale

Remediation Templates

A Kubernetes Patch

OS Build Blueprint

A Shell Script

An Ansible Snippet

A Puppet Snippet