| # 2.3.2 Ensure rsh client is not installed |
| # |
| # Description |
| # =========== |
| # The rsh package contains the client commands for the rsh services. |
| # |
| # Rationale |
| # ========= |
| # These legacy clients contain numerous security exposures and have been |
| # replaced with the more secure SSH package. Even if the server is removed, |
| # it is best to ensure the clients are also removed to prevent users from |
| # inadvertently attempting to use these commands and therefore exposing |
| # their credentials. Note that removing the rsh package removes the |
| # clients for rsh , rcp and rlogin . |
| # |
| # Audit |
| # ===== |
| # Run the following commands and verify rsh is not installed: |
| # |
| # dpkg -s rsh-client |
| # dpkg -s rsh-redone-client |
| # |
| # Remediation |
| # =========== |
| # Run the following command to uninstall rsh : |
| # |
| # apt-get remove rsh-client rsh-redone-client |
| # |
| # Impact |
| # ====== |
| # Many insecure service clients are used as troubleshooting tools and in |
| # testing environments. Uninstalling them can inhibit capability to test |
| # and troubleshoot. If they are required it is advisable to remove the |
| # clients after use to prevent accidental or intentional misuse. |
| # |
| # NOTE |
| # ==== |
| # It is not possible to remove rsh-client by means of SaltStack because |
| # of the way SaltStack checks that package was really removed. 'rsh-client' |
| # is "provided" by openssh-client package, and SaltStack thinks that |
| # it is the same as 'rsh-client is installed'. So each time we try to |
| # remove 'rsh-client' on a system where 'openssh-client' is installed |
| # (that's almost every system), we got state failure. |
| # This was fixed in upstream SaltStack in 2018, not sure where we start using |
| # this version. Until that moment 'rsh-client' should remain unmanaged. |
| # |
| parameters: |
| linux: |
| system: |
| package: |
| # rsh-client: |
| # version: removed |
| rsh-redone-client: |
| version: removed |
| |