Puppet Class: cis_security_hardening::rules::rpcbind

Defined in:
manifests/rules/rpcbind.pp

Summary

Ensure rpcbind is not installed or the rpcbind services are masked

Overview

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service.

Portmapper is an RPC service that always listens on TCP and UDP port 111 and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port numbers on the server. When a remote host makes an RPC call to that server, it first consults portmap to determine where the RPC server is listening.

Rationale: A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.

Note: many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for the Network File System (NFS), depend on the rpcbind package. If rpcbind is required as a dependency, the rpcbind.service and rpcbind.socket units should be stopped and masked to reduce the attack surface of the system.

Examples:

class { 'cis_security_hardening::rules::rpcbind':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • uninstall (Boolean) (defaults to: true)

    Switch to select whether the package should be uninstalled or the services should be masked



# File 'manifests/rules/rpcbind.pp', line 37

class cis_security_hardening::rules::rpcbind (
  Boolean $enforce = false,
  Boolean $uninstall = true,
) {
  if $enforce {
    if $uninstall {
      case $facts['os']['name'].downcase() {
        'ubuntu': {
          ensure_packages(['rpcbind'], {
              ensure => purged,
          })
        }
        'sles': {
          ensure_resource('service', 'rpcbind', {
              ensure => stopped,
              enable => false,
          })
          ensure_resource('service', 'rpcbind.socket', {
              ensure => stopped,
              enable => false,
          })
          ensure_packages(['rpcbind'], {
              ensure => absent,
          })
        }
        'rocky', 'almalinux': {
          ensure_packages(['rpcbind'], {
              ensure => absent,
          })

          ensure_resource('service', ['rpcbind.socket'], {
              ensure => 'stopped',
              enable => false,
          })
        }
        default: {
          ensure_resource('service', ['rpcbind.socket', 'rpcbind'], {
              ensure => 'stopped',
              enable => false,
          })
          ensure_packages(['rpcbind'], {
              ensure => absent,
          })
        }
      }
    } else {
      ensure_resource('service', ['rpcbind.socket', 'rpcbind'], {
          ensure => 'stopped',
          enable => false,
      })

      exec { 'mask rpcbind service':
        command => 'systemctl --now mask rpcbind',
        path    => ['/usr/bin', '/bin'],
        unless  => 'test "$(systemctl is-enabled rpcbind)" = "masked"',
      }

      exec { 'mask rpcbind.socket service':
        command => 'systemctl --now mask rpcbind.socket',
        path    => ['/usr/bin', '/bin'],
        unless  => 'test "$(systemctl is-enabled rpcbind.socket)" = "masked"',
      }
    }
  }
}
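An audit helper for the state this class enforces, added here as an example and not part of the cis_security_hardening module: the decision function takes the package and unit states as arguments so it can be tested offline with constructed values, and collect_state gathers them from the local host. The rpm/dpkg-query calls, the treatment of a missing unit as acceptable, and the --live flag are this example's own assumptions.

```shell
#!/bin/sh
# Audit helper added here as an example; it is not part of the
# cis_security_hardening module. Rule: rpcbind is not installed, or (when it is
# needed as a dependency) rpcbind.service and rpcbind.socket are both masked.

# rpcbind_audit PACKAGE_STATE SERVICE_STATE SOCKET_STATE
#   PACKAGE_STATE        : "absent" or "installed"
#   SERVICE/SOCKET_STATE : output of `systemctl is-enabled <unit>`
#                          (enabled, disabled, masked, static, not-found, ...)
# Prints one PASS/FAIL line and returns 0 (compliant) or 1 (non-compliant).
rpcbind_audit() {
  pkg=$1; svc=$2; sock=$3
  if [ "$pkg" = "absent" ]; then
    echo "PASS: rpcbind package not installed"
    return 0
  fi
  # Package present (e.g. pulled in by nfs-utils or libvirt): both units must be
  # masked. "disabled" or "stopped" is not enough, because an enabled or
  # manually started rpcbind.socket activates rpcbind.service on first use.
  for state in "$svc" "$sock"; do
    case "$state" in
      masked|not-found) ;;
      *) echo "FAIL: rpcbind unit state '$state' (expected masked)"; return 1 ;;
    esac
  done
  echo "PASS: rpcbind installed but rpcbind.service and rpcbind.socket are masked"
  return 0
}

# Collect the three values from the local host (systemd with rpm or dpkg) and
# feed them to rpcbind_audit. Empty is-enabled output means the unit is absent.
collect_state() {
  if command -v rpm >/dev/null 2>&1 && rpm -q rpcbind >/dev/null 2>&1; then
    pkg=installed
  elif dpkg-query -W -f='${Status}' rpcbind 2>/dev/null | grep -q 'ok installed'; then
    pkg=installed
  else
    pkg=absent
  fi
  svc=$(systemctl is-enabled rpcbind.service 2>/dev/null || true)
  sock=$(systemctl is-enabled rpcbind.socket 2>/dev/null || true)
  rpcbind_audit "$pkg" "${svc:-not-found}" "${sock:-not-found}"
}

# Run the live audit only with --live, so the file can also be sourced to test
# the decision logic with constructed states.
if [ "${1:-}" = "--live" ]; then
  collect_state
fi
```

Run it as `sh rpcbind_audit.sh --live` on a host managed by this class to confirm the applied state matches the rule, including the mask (not merely stop) of rpcbind.socket.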