Disable Network Router Discovery Daemon (rdisc)
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The rdisc
service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.
The rdisc
service can be disabled with the following command:
$ sudo systemctl disable rdisc.service
Rationale
General-purpose systems typically have their network and routing
information configured statically by a system administrator. Workstations or
some special-purpose systems often use DHCP (instead of IRDP) to retrieve
dynamic network configuration information.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rdisc.service'
"$SYSTEMCTL_EXEC" disable 'rdisc.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rdisc.socket\>' && "$SYSTEMCTL_EXEC" disable 'rdisc.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service'
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable service rdisc
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: service_result
failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
with_items:
- rdisc
tags:
- service_rdisc_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(8)
- NIST-800-53-AC-4
- NIST-800-53-CM-7
- name: Disable socket of service rdisc if applicable
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: socket_result
failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
with_items:
- rdisc.socket
tags:
- service_rdisc_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(8)
- NIST-800-53-AC-4
- NIST-800-53-CM-7