Saltstack Official Linux Formula

cis-2-3-2.yml 1.8KB

# 2.3.2 Ensure rsh client is not installed
#
# Description
# ===========
# The rsh package contains the client commands for the rsh services.
#
# Rationale
# =========
# These legacy clients contain numerous security exposures and have been
# replaced with the more secure SSH package. Even if the server is removed,
# it is best to ensure the clients are also removed to prevent users from
# inadvertently attempting to use these commands and therefore exposing
# their credentials. Note that removing the rsh package removes the
# clients for rsh, rcp and rlogin.
#
# Audit
# =====
# Run the following commands and verify rsh is not installed:
#
#   dpkg -s rsh-client
#   dpkg -s rsh-redone-client
#
# Remediation
# ===========
# Run the following command to uninstall rsh:
#
#   apt-get remove rsh-client rsh-redone-client
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test
# and troubleshoot. If they are required it is advisable to remove the
# clients after use to prevent accidental or intentional misuse.
#
# NOTE
# ====
# It is not possible to remove rsh-client by means of SaltStack because
# of the way SaltStack checks that a package was really removed. 'rsh-client'
# is "provided" by openssh-client package, and SaltStack thinks that
# it is the same as 'rsh-client is installed'. So each time we try to
# remove 'rsh-client' on a system where 'openssh-client' is installed
# (that's almost every system), we get a state failure.
# This was fixed in upstream SaltStack in 2018, not sure where we start using
# this version. Until that moment 'rsh-client' should remain unmanaged.
#
parameters:
  linux:
    system:
      package:
        # rsh-client:
        #   version: removed
        rsh-redone-client:
          version: removed
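
Because `rsh-client` is left unmanaged, its state still has to be audited outside Salt. The script below is an added example, not part of the formula: it reads the real dpkg status of both packages, and since `dpkg-query` does not resolve a name that exists only as a "Provides" of another package, `openssh-client` is not counted as an installed rsh client. The function names and the `--audit` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: CIS 2.3.2 audit that is not fooled by virtual packages.

# Map dpkg's three-word Status field (want, error flag, state) to a verdict.
classify_status() {
    case "$1" in
        "")                 echo absent ;;               # name unknown to dpkg
        *" not-installed")  echo absent ;;
        *" config-files")   echo removed-config-left ;;  # result of "apt-get remove"
        *" installed")      echo installed ;;
        *)                  echo broken ;;               # half-installed, unpacked, ...
    esac
}

# Print the Status field of a real package, or nothing at all.
# dpkg-query fails with empty stdout for a name that is only provided by
# another package, which is exactly the rsh-client / openssh-client case.
query_status() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null || true
}

# Return 0 when neither rsh client package is installed, 1 otherwise.
audit_rsh_clients() {
    rc=0
    for pkg in rsh-client rsh-redone-client; do
        state=$(classify_status "$(query_status "$pkg")")
        echo "$pkg: $state"
        case "$state" in
            absent|removed-config-left) ;;   # compliant with the remediation
            *) rc=1 ;;                       # installed or in a broken state
        esac
    done
    return $rc
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_rsh_clients
    exit $?
fi
```
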