- # 2.3.2 Ensure rsh client is not installed
- #
- # Description
- # ===========
- # The rsh package contains the client commands for the rsh services.
- #
- # Rationale
- # =========
- # These legacy clients contain numerous security exposures and have been
- # replaced with the more secure SSH package. Even if the server is removed,
- # it is best to ensure the clients are also removed to prevent users from
- # inadvertently attempting to use these commands and therefore exposing
- # their credentials. Note that removing the rsh package removes the
- # clients for rsh , rcp and rlogin .
- #
- # Audit
- # =====
- # Run the following commands and verify rsh is not installed:
- #
- # dpkg -s rsh-client
- # dpkg -s rsh-redone-client
- #
- # Remediation
- # ===========
- # Run the following command to uninstall rsh :
- #
- # apt-get remove rsh-client rsh-redone-client
- #
- # Impact
- # ======
- # Many insecure service clients are used as troubleshooting tools and in
- # testing environments. Uninstalling them can inhibit capability to test
- # and troubleshoot. If they are required it is advisable to remove the
- # clients after use to prevent accidental or intentional misuse.
- #
- # NOTE
- # ====
- # It is not possible to remove rsh-client by means of SaltStack because
- # of the way SaltStack checks that package was really removed. 'rsh-client'
- # is "provided" by openssh-client package, and SaltStack thinks that
- # it is the same as 'rsh-client is installed'. So each time we try to
- # remove 'rsh-client' on a system where 'openssh-client' is installed
- # (that's almost every system), we got state failure.
- # This was fixed in upstream SaltStack in 2018, not sure where we start using
- # this version. Until that moment 'rsh-client' should remain unmanaged.
- #
- parameters:
- linux:
- system:
- package:
- # rsh-client:
- # version: removed
- rsh-redone-client:
- version: removed
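Review bot: The removed `rsh-redone-client:` / `version: removed` entry at the end of this hunk is the only enforcement of CIS 2.3.2 visible here, and nothing in the lines shown says where the control goes once it is deleted. If the check is being relocated or reimplemented, say so in the commit message. Carry the NOTE block over with it: it records that `rsh-client` is "provided" by `openssh-client`, and that managing it caused state failures until the 2018 upstream SaltStack fix. Without that note, someone re-adding the control is likely to uncomment `rsh-client` and hit the same failure on older Salt versions. If the deployed Salt version already includes the fix, the better change is to enable the commented `# rsh-client:` entry rather than drop the file, so that both packages named in the Audit section are covered.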