Puppet Class: security_baseline::rules::redhat::sec_rsh

Defined in:
manifests/rules/redhat/sec_rsh.pp

Summary

Ensure rsh server is not enabled (Scored)

Overview

The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text.

Rationale: These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.

Examples:

class security_baseline::rules::redhat::sec_rsh {
    enforce => true,
    message => 'Test',
    log_level => 'info'
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule or just test and log

  • message (String) (defaults to: '')

    Message to print into the log

  • log_level (String) (defaults to: '')

    The log_level for the above message



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
# File 'manifests/rules/redhat/sec_rsh.pp', line 27

class security_baseline::rules::redhat::sec_rsh (
  Boolean $enforce = true,
  String $message = '',
  String $log_level = ''
) {
  if($enforce) {
    if($facts['operatingsystemmajrelease'] > '6') {
      $srvs = ['rsh.socket', 'rlogin.socket', 'rexec.socket']
    } else {
      $srvs = ['rsh', 'rlogin', 'rexec']
    }
    ensure_resource('service', $srvs, {
      ensure => 'stopped',
      enable => false,
    })

  } else {

    if($facts['security_baseline']['xinetd_services']['srv_rsh']) {
      echo { 'rsh-service':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}