Disable rexec Service
An XCCDF Rule
Description
The rexec
service, which is available with the rsh-server
package
and runs as a service through xinetd or separately as a systemd socket, should be disabled.
If using xinetd, set disable
to yes
in /etc/xinetd.d/rexec
.
The rexec
socket can be disabled with the following command:
$ sudo systemctl mask --now rexec.socket
Rationale
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
- ID
- xccdf_org.ssgproject.content_rule_service_rexec_disabled
- Severity
- High
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["rexec"]
Remediation - Ansible
- name: Block Disable service rexec
block:
- name: Disable service rexec
block:
Remediation - Puppet
include disable_rexec
class disable_rexec {
service {'rexec':
enable => false,
ensure => 'stopped',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rexec.service'
"$SYSTEMCTL_EXEC" disable 'rexec.service'