Disable Network Router Discovery Daemon (rdisc)

Classification: compliance

Framework:

Control:

Description

The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered, the local routing table is updated with a corresponding default route. By default this daemon is disabled.

The rdisc service can be disabled with the following command:

$ sudo systemctl disable rdisc.service

Rationale

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rdisc.service'
"$SYSTEMCTL_EXEC" disable 'rdisc.service'
# Disable socket activation if we have a unit file for it
# (the '\>' is a GNU grep word boundary, so only 'rdisc.socket' matches)
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rdisc.socket\>' && "$SYSTEMCTL_EXEC" disable 'rdisc.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service'
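
The remediation script above greps the output of systemctl list-unit-files for the socket unit but does not itself verify the end state. The following audit helper is an added example, not part of the SCAP Security Guide rule: it parses the same list-unit-files output and reports any rdisc unit (service or socket) that is still enabled, so the state can be checked before and after remediation. The function name, the list of states treated as compliant, and the sample output are this example's own assumptions, not values defined by the rule.

```shell
# Added audit helper; not part of the SCAP Security Guide rule above.
# It parses `systemctl list-unit-files` output (the same source the
# remediation script greps) and reports any rdisc unit that is still enabled.
# The function name, the "compliant" state list and the sample output are
# this example's own assumptions.

# check_rdisc_units: read "UNIT FILE  STATE [PRESET]" lines on stdin.
# Prints one NONCOMPLIANT line per rdisc unit whose state is not
# disabled/masked, and returns 1 if any such unit was found, 0 otherwise.
# An absent unit (no line at all) is compliant: nothing can start it.
check_rdisc_units() {
    noncompliant=0
    while read -r unit state _rest; do
        case "$unit" in
            rdisc.service|rdisc.socket) ;;
            *) continue ;;   # header, footer and unrelated units
        esac
        case "$state" in
            disabled|masked|masked-runtime) ;;
            *)
                printf 'NONCOMPLIANT: %s is %s\n' "$unit" "$state"
                noncompliant=1
                ;;
        esac
    done
    return "$noncompliant"
}

# Constructed sample of `systemctl list-unit-files` output: the service was
# left enabled, the socket unit was already disabled.
SAMPLE_UNIT_FILES='UNIT FILE        STATE     PRESET
rdisc.service    enabled   disabled
rdisc.socket     disabled  disabled
sshd.service     enabled   enabled
'

# Demo on the constructed sample; on a real host run
#   systemctl list-unit-files --type=service,socket | check_rdisc_units
if printf '%s' "$SAMPLE_UNIT_FILES" | check_rdisc_units; then
    echo "rdisc: compliant"
else
    echo "rdisc: remediation required"
fi
```

The helper deliberately treats a missing unit file as compliant, matching the Ansible tasks below, which ignore "Could not find the requested service"; a masked unit is also accepted because it cannot be started even manually.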

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable service rdisc
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - rdisc
  tags:
    - service_rdisc_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7

- name: Disable socket of service rdisc if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - rdisc.socket
  tags:
    - service_rdisc_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7