Disable rpcbind Service

This page is not yet available in Korean. A translation is in progress.
If you have questions or feedback about the current translation project, please feel free to contact us.

Description

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The rpcbind service can be disabled with the following command:

$ sudo systemctl mask --now rpcbind.service

Rationale

If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
  "$SYSTEMCTL_EXEC" stop 'rpcbind.service'
fi
"$SYSTEMCTL_EXEC" disable 'rpcbind.service'
"$SYSTEMCTL_EXEC" mask 'rpcbind.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then
    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
      "$SYSTEMCTL_EXEC" stop 'rpcbind.socket'
    fi
    "$SYSTEMCTL_EXEC" mask 'rpcbind.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rpcbind_disabled

- name: Disable rpcbind Service - Disable service rpcbind
  block:

  - name: Disable rpcbind Service - Collect systemd Services Present in the System
    ansible.builtin.command: systemctl -q list-unit-files --type service
    register: service_exists
    changed_when: false
    failed_when: service_exists.rc not in [0, 1]
    check_mode: false

  - name: Disable rpcbind Service - Ensure rpcbind.service is Masked
    ansible.builtin.systemd:
      name: rpcbind.service
      state: stopped
      enabled: false
      masked: true
    when: service_exists.stdout_lines is search("rpcbind.service", multiline=True)

  - name: Unit Socket Exists - rpcbind.socket
    ansible.builtin.command: systemctl -q list-unit-files rpcbind.socket
    register: socket_file_exists
    changed_when: false
    failed_when: socket_file_exists.rc not in [0, 1]
    check_mode: false

  - name: Disable rpcbind Service - Disable Socket rpcbind
    ansible.builtin.systemd:
      name: rpcbind.socket
      enabled: false
      state: stopped
      masked: true
    when: socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True)
  tags:
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_rpcbind_disabled
  - special_service_block
  when: '"linux-base" in ansible_facts.packages'
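Both remediations above stop, disable and mask rpcbind.service and rpcbind.socket; the Description also notes that the service should only go if nothing on the host needs RPC. The following audit script is an added example (not part of the ComplianceAsCode rule, its OVAL check, or either remediation): it classifies each unit from the key=value output of `systemctl show`, treating "disabled but not masked" as a warning because a socket or dependency can still pull the service back up, and lists NFS entries in fstab that may still rely on rpcbind. The function names, return codes, `--live` flag and `SAMPLE_*` inputs are this example's own, and the sample values are constructed.

```shell
#!/bin/bash
# Added audit helper for the rule above (example code, not part of the
# ComplianceAsCode rule or its remediation). It classifies the state of
# rpcbind.service / rpcbind.socket from `systemctl show` output and flags
# NFS entries in fstab that might still depend on rpcbind. Function names,
# return codes and the SAMPLE_* inputs are this example's own choices.

# Classify one unit from the key=value output of
#   systemctl show -p LoadState -p ActiveState -p UnitFileState <unit>
# Returns 0 (pass: masked or not installed), 2 (warn: disabled but not
# masked, so socket activation or a dependency can still start it) or
# 1 (fail: running, or enabled/static and loadable).
unit_verdict() {
  local show_output="$1" load_state active_state unit_file_state
  load_state=$(printf '%s\n' "$show_output" | sed -n 's/^LoadState=//p')
  active_state=$(printf '%s\n' "$show_output" | sed -n 's/^ActiveState=//p')
  unit_file_state=$(printf '%s\n' "$show_output" | sed -n 's/^UnitFileState=//p')

  # Anything currently running fails regardless of the unit file state.
  case "$active_state" in
    active|activating|reloading)
      echo "fail: unit is $active_state"; return 1 ;;
  esac
  case "$load_state" in
    masked)    echo "pass: masked"; return 0 ;;
    not-found) echo "pass: unit not installed"; return 0 ;;
  esac
  case "$unit_file_state" in
    disabled)
      echo "warn: disabled but not masked (can still be socket- or dependency-activated)"; return 2 ;;
    enabled|enabled-runtime|static|indirect|generated|transient)
      echo "fail: unit file is $unit_file_state"; return 1 ;;
    *)
      echo "fail: unrecognised state (LoadState=$load_state UnitFileState=$unit_file_state)"; return 1 ;;
  esac
}

# Print mount points whose fstab type is nfs/nfs4; exit status 0 when any
# exist. NFSv3 clients need rpcbind, so these deserve a look before masking.
nfs_mounts_in_fstab() {
  local fstab_text="$1"
  printf '%s\n' "$fstab_text" \
    | awk '$1 !~ /^#/ && NF >= 3 && ($3 == "nfs" || $3 == "nfs4") { print $2 }' \
    | grep .
}

# Constructed sample outputs, shaped like `systemctl show` prints them.
SAMPLE_MASKED='LoadState=masked
ActiveState=inactive
UnitFileState=masked'
SAMPLE_RUNNING='LoadState=loaded
ActiveState=active
UnitFileState=enabled'
SAMPLE_DISABLED='LoadState=loaded
ActiveState=inactive
UnitFileState=disabled'
SAMPLE_ABSENT='LoadState=not-found
ActiveState=inactive
UnitFileState='
# Constructed fstab excerpt with one NFS mount (placeholder UUID).
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-PLACEHOLDER / ext4 defaults 0 1
fileserver.example.internal:/export/home /home nfs defaults 0 0'

# Audit the live system: both units the remediation masks, plus the fstab hint.
audit_live() {
  local unit rc=0 status
  for unit in rpcbind.service rpcbind.socket; do
    status=$(systemctl show -p LoadState -p ActiveState -p UnitFileState "$unit" 2>/dev/null)
    printf '%s: ' "$unit"
    unit_verdict "$status" || rc=1
  done
  if nfs_mounts_in_fstab "$(cat /etc/fstab 2>/dev/null)" >/dev/null; then
    echo "note: /etc/fstab lists NFS mounts; confirm they do not need rpcbind before masking it"
  fi
  return "$rc"
}

# Only touch the live system when asked to; otherwise just define the helpers.
if [ "${1-}" = "--live" ]; then
  audit_live
fi
```

Run it as `bash rpcbind_audit.sh --live` on a host after applying either remediation: a clean result prints `pass: masked` for both units and exits 0, while a host where only `systemctl disable` was run gets the warning, which is exactly the gap the remediation's extra `mask` of rpcbind.socket closes. The fstab hint is deliberately conservative (it reports NFSv4 mounts too, which do not need rpcbind on the client) so that the operator, not the script, decides whether RPC is still required.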