diff --git a/defaults/main.yml b/defaults/main.yml
index 311db9ac..240506e7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -157,6 +157,7 @@ security_disable_autofs: yes # V-38437
 security_disable_avahi: yes # V-31618
 security_disable_bluetooth: yes # V-38691
 security_disable_qpidd: yes # V-38648
+security_disable_rdisc: yes # V-38650
 security_disable_rsh: yes # V-38594
 security_disable_ypbind: yes # V-38604
 security_disable_xinetd: yes # V-38582
diff --git a/doc/source/developer-notes/V-38650.rst b/doc/source/developer-notes/V-38650.rst
index b9671ca8..36983381 100644
--- a/doc/source/developer-notes/V-38650.rst
+++ b/doc/source/developer-notes/V-38650.rst
@@ -1,4 +1,8 @@
-**Special case**
-
 Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
-Therefore, no action is taken for this STIG.
+
+In CentOS, the ``rdisc`` service will be stopped and disabled if it is present
+on the system. To opt-out of this change, set the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_disable_rdisc: no
diff --git a/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml b/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml
new file mode 100644
index 00000000..0c579b57
--- /dev/null
+++ b/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ An Ansible was added to disable the ``rdisc`` service on CentOS systems if
+ the service is installed on the system.
+
+ Deployers can opt-out of this change by setting ``security_disable_rdisc``
+ to ``no``.
diff --git a/tasks/services.yml b/tasks/services.yml
index 8dcedc38..9ca602aa 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -237,6 +237,19 @@
 - cat3
 - V-38627
 
+- name: V-38650 - rdisc must be disabled
+ service:
+ name: rdisc
+ state: stopped
+ enabled: no
+ when:
+ - security_disable_rdisc | bool
+ - "'rdisc' in services_installed.stdout"
+ tags:
+ - services
+ - cat3
+ - V-38650
+
 - name: V-38671 - Remove sendmail with apt
 apt:
 name: sendmail
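Review bot: The guard `- "'rdisc' in services_installed.stdout"` is a plain substring test against the whole captured output, so it is satisfied by any line that merely contains that text rather than by a service actually named rdisc; matching the name as a whole token (against `services_installed.stdout_lines`, or with a regex anchored at the start of a line) would make the check precise, though the right form depends on how `services_installed` is registered, which happens outside this hunk. If that register is itself skipped on some platforms, this task fails on an undefined variable instead of being skipped, so adding `- services_installed is defined` to the `when` list would be a cheap safeguard. The task stops and disables the unit but does not mask it, so on systemd hosts it can still be started by a dependency or by hand; if the role's other service-disable tasks use the same `service` module pattern this is consistent with them, otherwise the `systemd` module's `masked: yes` would make the hardening stick. The developer note describes this as CentOS-only, while the task carries no distribution condition and relies solely on the installed-services check, which is worth stating in the task name or a comment.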